Internet-Draft | EPP over HTTP | March 2022 |
Loffredo, et al. | Expires 8 September 2022 | [Page] |
This document describes how the Extensible Provisioning Protocol (EPP) is mapped over the Hypertext Transfer Protocol (HTTP). This mapping requires the use of the Transport Layer Security (TLS) protocol to protect information exchanged between an EPP client and an EPP server.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 September 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Although the Extensible Provisioning Protocol (EPP) core specification [RFC5730] does not state the transport protocol, only the mapping over TCP [RFC5734] has been standardized thus far. Nevertheless, some EPP implementations leverage HTTP due to its ease of use and simplicity. This document describes the reasons behind using HTTP as the transport protocol for EPP and how EPP is mapped over HTTP preserving the semantics of commands.¶
HTTP is defined in some IETF documents according to the versions currently in use: HTTP/1.1 [RFC7230], HTTP/2 [RFC7540], HTTP/3 [I-D.ietf-quic-http]. As the differences among such versions do not affect the EPP mapping, hereinafter the version number is omitted except for presenting the special features in the underlying layers of the HTTP stack.¶
Security services beyond those defined in EPP are provided by the Transport Layer Security (TLS) protocol [RFC8446].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Unlike TCP, HTTP is loosely coupled with the network and provides client-server cross-platform technology communication. Indeed, since an HTTP connection is a higher-level abstraction of a network connection, there is no need to take over all of the lower-level details of TCP. For example, while in TCP the data transmission between a client and a server starts only after having established a connection through a 3-way handshake (i.e. SYN, SYN-ACK, ACK), HTTP uses a one-way communication so that a client can directly issue a request to a server and then receive a response.¶
All the burden needed to manage the HTTP connections is usually performed by an application server, which a service can be deployed on. Service implementors are only required to process the requests and return the responses. Definitively, HTTP ease of use and simplicity reduces the development time.¶
While TCP is connection-oriented, HTTP is stateless but not session less. This means that, by making an EPP session untied from the network connection, the EPP communication over HTTP is more flexible and efficient than over TCP.¶
The main reason supporting the usage of TCP has always been its speed. TCP has been significantly faster than HTTP as HTTP was initially built on top of TCP so that every HTTP request should be issued on a new TCP connection. However, subsequent HTTP versions have been defined over time to increase the protocol speed and reduce the gap with TCP:¶
Compared to the original HTTP specification, HTTP/1.1 introduced the "keep-alive" connection by default to enable a request-response sequence on a single TCP connection without repeating the connection handshake at each request;¶
As opposed to HTTP/1.1, which keeps all requests and responses in plain text format, HTTP/2 defined the binary framing layer to encapsulate all messages in binary format;¶
In the perspective of moving to the cloud to achieve scalability and cost reduction, it should be further noted that application protocols that aren't based on HTTP can be hardly migrated by using cloud-native features, both on client side and server side. In addition, from the security point of view, registries would be limited in terms of the third-party security services available to protect their EPP servers.¶
Finally, some considerations should be done about load balancing which is generally used by EPP operators to distribute the requests across a pool of servers and, consequently, provide an efficient domains registration and maintenance service. While HTTP load balancers are very common and are quite often software, TCP load balancers are usually implemented in dedicated hardware. In addition, HTTP load balancers don't merely forward the traffic but can make high-level routing decisions based on the message content. With regard to the performance, although HTTP load balancers do more work, their throughput is evaluated considerably fast.¶
Additional notes on how EPP sessions can be managed in HTTP load balancing are included in Appendix A.¶
EPP describes client-server interaction as a command-response exchange where the client sends one command to the server and the server returns one response to the client. A client MUST use the POST method (Section 3.3 of [RFC7231]) to issue an EPP command through the request body. A server receiving a request MUST return an EPP message in the response body using the "Content-Length" entity-header field to indicate the length in decimal number of OCTETs of the entity-body. No EPP message information MUST be issued through any other part of the request or the response. If the HTTP connection is closed after a server receives and successfully processes a command but before the response can be returned to the client, the server MAY attempt to undo the effects of the command to ensure a consistent state between the client and the server.¶
Commands MUST be processed independently and in the same order as received from the server. An EPP client MAY issue multiple EPP commands to an EPP server on an HTTP connection by relying on the HTTP keep-alive capability. A server SHOULD limit a client to a maximum number of HTTP connections based on server capabilities and operational load.¶
A client might be able to realize a slight performance gain by pipelining the requests, but this feature does not change the basic single command, single response operating mode of the EPP protocol. A server SHOULD limit the amount of time required for a client to issue a well-formed EPP command and, consequently close an open HTTP connection.¶
The EPP session is implemented by using the mechanism described in [RFC6265]. An EPP session is started by the client issuing an EPP <login> command. A server receiving an EPP <login> command MUST use the "Set-Cookie" response header to send the client a token that the client will return in future requests within the scope of the EPP session. For example (Figure 1), the server can send the client a "session identifier" (a.k.a "session ID") named SID. The client then returns the session ID in the "Cookie" header of the subsequent requests.¶
The name of the cookie attribute identifying the session ID is not relevant and depends on the implementations. Examples of the names that some programming languages use to represent the session ID include JSESSIONID (Java EE), PHPSESSID (PHP), and ASPSESSIONID (Microsoft ASP).¶
An EPP session is ended by the client issuing an EPP <logout> command. A server receiving an EPP <logout> command MUST end the EPP session invalidating it after having issued the <logout> response.¶
A client MAY open multiple EPP sessions and distribute commands from a single EPP session over multiple HTTP connections. A server SHOULD limit a client to a maximum number of EPP sessions based on server capabilities and operational load.¶
EPP sessions that are inactive for more than a server-defined period MAY be ended by a server invalidating the session.¶
Clients MAY issue the <hello> command outside an EPP session. In such a case, servers MUST return the <greeting> response without starting a session. To accomplish this, a server MAY return no cookie at all or provide the client with an expired cookie so that it cannot be used for further communication with the server. Clients MAY also issue the <hello> command within an EPP session to keep it alive.¶
The mechanism implemented by a server to maintain the relationship between a session and the EPP information negotiated with the client through the <login> command (e.g. the language, the namespace URIs representing both the objects and the extensions to be managed during the session) is out of the scope of this document.¶
The state machine described in Section 2 of [RFC5730] is updated as shown in Figure 2.¶
Servers MUST NOT use HTTP return codes to signal clients about the failure of the EPP commands. The HTTP code 200 MUST be used for both successful and unsuccessful EPP requests. Servers MUST use HTTP codes to signal clients about the failure of the HTTP requests.¶
Servers MUST return a 2002 response (i.e. Command use error) if the client issues an EPP command other than the <hello> and the <login> commands through HTTP requests including either an empty or an invalid session ID. Servers receiving a <login> command through an HTTP request including a session ID MAY return a 2002 response (i.e. Command use error) or simply ignore the incoming session ID.¶
NOTE: Please remove this section and the reference to RFC 7942 prior to publication as an RFC.¶
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.¶
According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".¶
Section 2.1 of the EPP core specification [RFC5730] describes considerations to be addressed by protocol transport mappings. This document addresses each of the considerations using a combination of features described in this document and features provided by HTTP as follows:¶
Sections 3.3.3 and 3.9.3 of [RFC8095] includes features to provide reliability, flow control, ordered delivery, and congestion control of, respectively, UDP and HTTP over TCP as Pseudotransport.¶
Section 3 and Section 4 of this document describe how the stateful nature of EPP is preserved through controlled message exchanges and managed sessions.¶
This document has no actions for IANA.¶
Servers MUST use the "charset" attribute in the HTTP "Content-Type" response header field to specify the UTF-8 character encoding (e.g. Content-Type: application/epp+xml; charset=UTF-8).¶
Since clients credentials are included in the EPP <login> command, the HTTP over TLS [RFC8740] MUST be used to protect them from disclosure while in transit. As well, the transfer over TLS prevents from sniffing the session ID and, consequently, impersonating a client to perform actions on registrars' objects.¶
Anyway, servers are RECOMMENDED to implement additional measures to verify the client. These measures include IP whitelisting and locking the session ID to the client's IP address.¶
As a further measure to enforce the security, servers MAY require clients to present a digital certificate. Clients who possess and present a valid X.509 digital certificate, issued by a recognized Certification Authority (CA), could be identified and authenticated by a server who trusts the corresponding CA. This certificate-based mechanism is supported by HTTPS and can be used with EPP over HTTP. The TLS protocol describes the specification of a client certificate in Section 7.4.6 of [RFC8446].¶
With regard to sessions, session IDs SHOULD be randomly generated to mitigate the risk of obtaining a valid one through a brute-force search. A session ID SHOULD be at least 128 bits or 16 bytes long. An example of a reliable session ID is the Universally Unique Identifier (UUID). Servers MAY limit the lifetime of active sessions to avoid them being exchanged for a long time.¶
The following measures MAY also be taken to control cookies usage:¶
Other attributes that are normally used to secure the cookies and prevent them to be accessed from unintended parties or scripts, such as "HttpOnly" and "Secure", are meaningless in this context.¶
Finally, servers are RECOMMENDED to perform additional checks to limit the rate of open EPP sessions and HTTP connections to mitigate the risk of congestion of requests. Here again, IP whitelisting could also be implemented to prevent DDoS attacks.¶
If the EPP server is configured as a load balancer routing the requests to a pool of backend servers, some of the aforementioned checks SHOULD be implemented on the load balancer side.¶
The authors would like to acknowledge the following individuals for their contributions to this document: Cristian Lucchesi, Stefano Ruberti, Luca Vasarelli, Roberto Ravazzolo from IIT-CNR/Registro.it and Adrian Prokop, Sławomir Mateuszczyk from NASK/.pl Registry.¶
An EPP server should be able to serve a large number of concurrent requests from clients and return the responses in a fast and reliable manner. In addition, since EPP is extensible, EPP servers might be updated and the replacement of an EPP server with a new version should take place in accordance with the service level agreement negotiated between the registry and the registrars. To cost‑effectively scale high volumes of requests and redeploy a server without affecting its functioning, best practice in providing a software service generally requires using load balancing. This section presents two possible approaches to the implementation of a HTTP load balancing solution for an EPP server.¶
An EPP server made up of a server pool must always operate with respect to the constraint that, once an EPP session is established, all the requests related to that session should be processed by the servers in the pool as long as the session is alive.¶
One possible approach is using sticky sessions. In this case, the load balancer assigns an identifier to each client issuing a request. Then, according to such identifier, the load balancer can route all of the requests of a given client to the backend server that started the session for its entire duration. This approach requires each backend server to maintain the EPP information connected to the sessions opened by that server. This means that when a backend server is stopped and then restarted after its update, all the sessions currently active and managed by that server are lost.¶
A more efficient solution consists in releasing the sessions from the server pool. According to this approach, every session is stored somewhere outside the server pool. The load balancer distributes the request based on the load of each backend server and according to a specific algorithm. When a server receives a request, it first retrieves the session information by the session ID and, if any, processes the request. Sessions are normally stored in a cluster of NO-SQL databases so that performance and efficiency requirements are fulfilled. In this approach, only the ongoing requests are lost when a backend server is stopped and restarted. Moreover, maintaining the sessions on a persistent data storage results in supporting a virtually unlimited number of concurrent sessions.¶