Network Working Group J. Butler
Internet-Draft
Intended status: Informational W. Lee
Expires: May 1, 2017
B. McQuade
K. Mixter
October 28, 2016
A Proposal for Shared Dictionary Compression over HTTP
draft-lee-sdch-spec-00
Abstract
This paper proposes an HTTP/1.1-compatible extension that supports
inter-response data compression by means of a reference dictionary
shared between user agent and server.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 1, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Butler, et al. Expires May 1, 2017 [Page 1]
Internet-Draft sdch-spec October 2016
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
1. Introduction
In order to reduce payload size, HTTP/1.1 supports response
compression via the Accept-Encoding and Content-Encoding headers.
The most commonly used HTTP response compression encoding is gzip,
which compresses data that is repeated within a given response.
However, HTTP/1.1 does not provide a mechanism for compressing data
that is repeated between responses. A different class of encoding
technique, known as delta encoding, has proven effective at
compressing inter-response data.
Previous efforts to extend HTTP/1.1 to support delta compression have
focused on encoding an HTTP response as a delta of a previous version
of that response. One such approach is discussed in RFC 3229 "Delta
encoding in HTTP" [RFC3229]. While RFC 3229 is effective at reducing
payload size for many types of resources, it may not be suitable for
certain classes of responses.
Specifically, under RFC 3229, deltas can only be applied to responses
originating from the same URL, and the means of identifying the
instance to delta "from" is by a Last-Modified timestamp or entity-
tag. This makes RFC 3229 unsuitable for compressing dynamically
generated responses to a given URL with varying query parameters
(e.g. a search results page), since these types of responses are
difficult to identify uniquely using entity tags or last modified
timestamps. Content hashes can be used, but false positives are
possible. Also, storing all previous responses on the server may not
be practical.
2. Proposal: Shared Dictionary Compression over HTTP
Existing techniques compress each response in isolation, and so
cannot take advantage of cross-payload redundancy. For example,
retrieving a set of HTML pages with the same header, footer, inlined
JavaScript and CSS requires the retransmission of the same data
multiple times. This paper proposes a compression technique that
leverages this cross-payload redundancy.
In this proposal, a dictionary is a file downloaded by the user agent
from the server that contains strings which are likely to appear in
subsequent HTTP responses. In the case described above, if the
header, footer, JavaScript and CSS are stored in a dictionary
possessed by both user agent and server, the server can substitute
these elements with references to the dictionary, and the user agent
can reconstruct the original page from these references. By
Butler, et al. Expires May 1, 2017 [Page 2]
Internet-Draft sdch-spec October 2016
substituting dictionary references for repeated elements in HTTP
responses, the payload size can be reduced.
If either the user agent or the server does not support the
extension, then ordinary HTTP responses are served.
If both the user agent and the server support the extension but the
user agent does not have an applicable dictionary (as described in
detail below), the server responds with an ordinary HTTP response
that includes a header advertising the location of a relevant
dictionary. This dictionary can be retrieved out-of-band by the user
agent.
If both the user agent and the server support the extension and the
user agent has an applicable dictionary, then each HTTP response
includes references to strings in the dictionary, rather than
repeating those strings in the response. The references require
fewer bytes to encode than the strings themselves, reducing the
payload size.
The HTTP header-based protocol for negotiating the presence of
dictionaries on user agent and server is referred to in this proposal
as the SDCH protocol. The compression scheme based on a particular
dictionary shared between user agent and server is referred to as the
SDCH encoding, and is built upon the VCDIFF compression data format
[RFC3284].
3. Syntax
The grammar descriptions in the sections that follow depend on the
following syntax: DIGIT (decimal digit), BASE64URLDIGIT (alphanumeric
digit or "-" or "_"), PAYLOADBYTE (a byte), token (informally, a
sequence of non-special, non-white space characters), rest-of-line
(informally, a sequence of characters not including carriage return
or line-feed). In the grammar below, HTTP_url, abs_path, and query
are defined in RFC 7230 [RFC7230].
header = attr ":" value "\n"
attr = token
value = rest-of-line
dictionary-client-id = 1*BASE64URLDIGIT
dictionary-server-id = 1*BASE64URLDIGIT
payload = 1*PAYLOADBYTE
vcdiff-payload = 1*PAYLOADBYTE
partial-url = HTTP_url | abs_path [ "?" query ]
The attribute names (attr) are case-insensitive. White space is
permitted between tokens.
Butler, et al. Expires May 1, 2017 [Page 3]
Internet-Draft sdch-spec October 2016
4. Dictionary Description
4.1. General
In the proposed protocol, a dictionary can only be used with a
limited set of URLs and for a limited duration of time, referred to
as its scope and lifetime, respectively. A dictionary is composed of
the data used by the compression algorithm, known as the payload, as
well as metadata describing its scope and lifetime. The scope is
specified by a domain attribute and path attribute that are patterned
after the same named attributes from the HTTP State Management
Specification [RFC2965].
4.2. Syntax of Dictionary Metadata
The syntax of dictionary metadata is as follows:
dictionary-metadata = 1*dictionary-header "\n"
dictionary-header = "domain" ":" value "\n"
| "path" ":" value "\n"
| "path-equals" ":" value "\n"
| "format-version" ":" value "\n"
| "max-age" ":" value "\n"
| "port" ":" <"> portlist <"> "\n"
portlist = 1#portnum
portnum = 1*DIGIT
A complete dictionary definition then has this format: n dictionary-
definition = dictionary-metadata payload
Informally, the metadata for a dictionary is a series of headers,
similar in form to HTTP headers, terminated by an empty line. The
dictionary payload begins immediately after this blank line.
The valid dictionary header identifiers are described below:
o Domain: domain.
Required. Indicates the domain to which the dictionary applies. The
domain specification must explicitly start with a dot. For example,
a dictionary with the domain specification ".google.com" may be used
to compress a response served from the host name www.google.com, but
not used to compress a response served from the host name
www.gmail.com. Only printable ASCII characters are permitted in the
domain value. International Domain Names must be specified using
IDNA.
o Path: path.
Butler, et al. Expires May 1, 2017 [Page 4]
Internet-Draft sdch-spec October 2016
Optional. Indicates the set of URL paths for which this dictionary
is valid. If unspecified, the dictionary applies to all paths within
the given domain.
o Path-equals: path.
Optional. Indicates the exact URL path for which this dictionary is
valid. If both "path" and "path-equals" are specified, the
dictionary applies only to those URLs which satisfy both criteria.
o Format-version: version.
Optional. Indicates the version of the dictionary payload. If
unspecified, the format version defaults to "1.0". Currently, the
only acceptable value is "1.0".
o Max-age: delta-seconds.
Optional. Indicates the amount of time that a dictionary can be
advertised to the server by the user agent, relative to the time it
was downloaded. If unspecified, the default is 30 days from the time
the dictionary was downloaded by the user agent. * Port: port list.
Optional. Indicates the comma-separated list of ports to which this
dictionary applies. If unspecified, the dictionary applies to all
ports.
Like HTTP headers, dictionary header identifiers are case-
insensitive. Unknown headers will be ignored by the user agent,
allowing other headers to be added in the future.
4.3. Dictionary Scope
The specific rules of when a dictionary can be applied to a URL, i.e.
that define its scope, are modeled after the rules for cookie
scoping. The term "domain-match" is defined in RFC 2965. We define
path-matching as follows For two strings that represent paths, P1 and
P2, P1 path-matches P2 if either:
1. P2 is equal to P1
2. P2 is a prefix of P1 and either the final character in P2 is "/"
or the character following P2 in P1 is "/".
For example, "/tec/waldo" path-matches "/tec", "/tec/", and "/tec/
waldo", but does not path-match "/tec/wal".
Butler, et al. Expires May 1, 2017 [Page 5]
Internet-Draft sdch-spec October 2016
Given these definitions of domain-match and path-match, a request URL
falls within a dictionary's scope exactly when all of the following
are true:
1. The request URL's host name domain-matches the Domain attribute
of the dictionary.
2. If the dictionary has a Port attribute, the request port is one
of the ports listed in the Port attribute.
3. The request URL path-matches the path attribute of the
dictionary.
4. The request URL's scheme matches the scheme of the dictionary.
If a URL falls within a dictionary's scope, the dictionary is said to
"apply" to the URL.
4.4. Dictionary Identifier
In communications between user agent and server, a dictionary is
identified by the first 96 bits of the SHA-256 digest [RFC6234] of a
dictionary's metadata and payload (see dictionary-definition above)
exactly as it is received by the user agent from the server. Both
user agent and server compute this identifier independently, based on
the metadata and the payload of the dictionary. This digest should
be unique within a dictionary's scope (domain and path) in order to
prevent dictionary identifier collisions.
The digest serves not only as an identifier but also as a safeguard
against attempts to maliciously intercept or otherwise modify
dictionary contents, since a compromised dictionary will hash to a
different identifier and the server will not recognize it. The user
agent identifier for a dictionary is defined as the URL-safe base64
encoding (as described in RFC 3548, section 4 [RFC3548] of the first
48 bits (bits 0..47) of the dictionary's SHA-256 digest. The server
identifier for a dictionary is the URL-safe base64 encoding of the
second 48 bits (bits 48..95). When identifying a dictionary to the
server, the user agent uses the user agent identifier, and similarly,
when identifying a dictionary to the user agent, the server uses the
server identifier. Note that both user agent and server have the
entire dictionary and can thus compute both identifiers for the
dictionary.
As a consequence of this scheme, dictionaries do not need to be
explicitly named by site maintainers, as the protocol avoids
identifying them in any way other than the above digest-generated
identifiers.
Butler, et al. Expires May 1, 2017 [Page 6]
Internet-Draft sdch-spec October 2016
4.5. Differences between Dictionaries and Cookies
Dictionaries are similar to cookies in that they allow sharing of
state over HTTP. Thus, we have modeled dictionaries after cookies,
as described in RFC 2965. However, because dictionaries are
typically larger than cookies, embedding a dictionary in the response
would increase latency of the response. Thus a dictionary is always
sent as a separate HTTP response (unlike a cookie which is included
in a Set-Cookie header of any HTTP response). The Get-Dictionary
HTTP response header is used to tell the user agent that it should
fetch a dictionary separately for use in future requests.
Likewise, rather than including the dictionary contents in the HTTP
request headers (like a cookie in the Cookie header), dictionary
identifiers (described above) are used to advertise available
dictionaries in HTTP requests from the user agent to the server.
5. User Agent / Server Interaction Description
5.1. User Agent Role in HTTP Request Generation
The user agent:
1. Advertises support for the proposed protocol by adding the "sdch"
token to the Accept-Encoding header of HTTP requests.
2. Advertises any dictionaries it possesses that apply to the URL
being requested (per the scoping rules above) in the Avail-
Dictionary request header.
The Avail-Dictionary header syntax is as follows: avail-dictionary-
header = "Avail-Dictionary" ":" 1#dictionary-client where dictionary-
client-id is the user agent identifier part for the dictionary based
on the SHA-256 digest as described above. The value of this header
is informally a comma separated list of user agent dictionary
identifiers.
The user agent must advertise every dictionary it has cached that
applies to the requested URL. It is only the presence of the
dictionary identifier in this header that indicates to the server
that the user agent possesses and therefore does not need to download
the dictionary. Since the user agent must advertise every dictionary
it has, it is the site maintainer's responsibility to avoid making
too many dictionaries available at a given time. Advertising many
dictionaries in this header can counteract the benefits of
compression.
Butler, et al. Expires May 1, 2017 [Page 7]
Internet-Draft sdch-spec October 2016
Note that for each individual request the user agent has discretion
over whether or not to add "sdch" Accept-Encoding token and the
Avail-Dictionary header. Since some responses, such as image data,
are unlikely to benefit from dictionary compression, the user agent
can reduce the size of its requests by not sending this token and
header. The user agent may decide whether or not to add these
headers based on file extensions in URLs or the context of the
request. For instance, the user agent may choose to not advertise
SDCH for URLs referenced in IMG elements.
5.2. Server Role in HTTP Response Generation
When a server that supports the extension receives a request that
indicates that the user agent supports the protocol (e.g. the "sdch"
token is present in the Accept-Encoding request header), two
independent decisions must be made. The server must decide: 1. if it
wants to send an encoded response. 2. if it wants to inform the user
agent about additional dictionaries it can download and use in the
future.
The server may return an encoded response only if all of the
following are true: 1. The Accept-Encoding request header contains
the "sdch" token. 2. The server can send a response compressed with
a dictionary whose dictionary-client-id is in the Avail-Dictionary
request header.
A server may return a response that is not encoded even if it
recognizes a dictionary advertised by the user agent. If the server
decides to not use SDCH encoding when a Avail-Dictionary header is
present, it must include a specific HTTP header X-SDCH-Encoding with
value "0" in the response. The syntax of the X-SDCH-Encoding header
is:
sdch-not-used-header = "X-SDCH-Encoding" ":" "0"
The server indicates that an HTTP response is encoded by inserting
the token "sdch" into the Content-Encoding header of the HTTP
response.
A compatible server may instruct a compatible user agent to download
one or more new dictionaries by including the Get-Dictionary header
in the HTTP response. The server may advertise a Get-Dictionary
header even if the response is not encoded. The syntax of the Get-
Dictionary header is: get-dictionary-header = "Get-Dictionary" ":"
1#partial-url where partial-url is either a complete URL, or just the
absolute URL path (in which case the scheme, host, and port of the
originating server would be used when requesting the dictionary). If
a complete URL is provided, it must have the same scheme, host, and
Butler, et al. Expires May 1, 2017 [Page 8]
Internet-Draft sdch-spec October 2016
port as the originating server. The Content-Type header of
dictionary responses must be application/x-sdch-dictionary. The
value in the get dictionary header is a comma-separated list of
partial-url elements.
The server must not advertise a dictionary with a dictionary-client-
id that the user agent has listed in the Avail-Dictionary header.
The server may use SDCH compression with a dictionary that the user
agent has advertised and also include a Get-Dictionary header for a
different dictionary that the user agent has not advertised.
The server must prevent SDCH-encoded responses from being cached by
intermediate proxies. See the section below on proxy caching for
additional details.
The server should limit the number of active dictionaries at any one
time, by using well-scoped dictionaries. A server that has many
active dictionaries with overlapping scope will cause user agents to
generate a very long Avail-Dictionary header, the overhead of which
can counteract the benefits of SDCH compression.
The server may decide to precompute and cache SDCH-encoded responses
if a given SDCH-encoded response will be served multiple times (e.g.
for static content).
The server may apply multiple Content-Encodings to the response,
(e.g. sdch and gzip) in which case subsequent encoding tokens are
appended to the Content-Encoding header, per the HTTP/1.1 RFC section
14.11.
5.3. User Agent Role in HTTP Response Handling
An SDCH-compatible user agent must inspect the Content-Encoding HTTP
response header to determine if the response is SDCH-encoded. If the
Content-Encoding includes the "sdch" token, the user agent must
perform SDCH decompression on the response.
If the HTTP response includes a Get-Dictionary header, the user agent
must verify that the partial-url specified refers to the same server
that generated the response. If so, the user agent may download the
dictionary at the given URL.
There are two different URLs to consider when downloading and storing
a dictionary. The referer URL is the URL of the request that
resulted in the server responding with a Get-Dictionary header.
The dictionary URL is defined as follows:
Butler, et al. Expires May 1, 2017 [Page 9]
Internet-Draft sdch-spec October 2016
1. If the partial-url is a complete URL, the dictionary URL is the
partial-url.
2. If the partial-url is just a path URL, the dictionary URL is
generated from the scheme and host name of the referrer URL and
the path in the partial-url.
The user agent may retrieve a dictionary if the origin of the
dictionary matches the origin of the referrer. HTTP redirects may
only be followed if the origin matches as well.
Upon retrieving the dictionary, the user agent must validate the
dictionary. Here again, the validation rules are modeled after the
rules for when a user agent can accept an HTTP cookie. A dictionary
is invalid and must not be stored if any of the following are true:
1. The dictionary has no Domain attribute.
2. The effective host name that derives from the referrer URL host
name does not domain-match the Domain attribute.
3. The Domain attribute is a top level domain.
4. The referrer URL host is a host domain name (not IP address) and
has the form HD, where D is the value of the Domain attribute,
and H is a string that contains one or more dots.
5. If the dictionary has a Port attribute and the referrer URL's
port was not in the list.
If the dictionary is valid and user agent decides to store the
dictionary, the scheme of the dictionary URL should also be stored
along with dictionary.
5.4. SDCH-Encoded Response Body
An SDCH-encoded response starts with the dictionary-server-id used to
compress the response. The syntax of the SDCH-encoded response is:
dictionary-compression-response = dictionary-server-id "\0" vcdiff-
payload
6. Examples
For the purpose of these examples, assume the following dictionaries
exist on the server and can be downloaded from the following URLs:
"Search results" dictionary
Butler, et al. Expires May 1, 2017 [Page 10]
Internet-Draft sdch-spec October 2016
o domain: .google.com
o path: /search
o user agent ID: TWFuIGlz
o server ID: JOWk0d2N
o download location: /dictionaries/search_dict
"Help pages" dictionary
o domain: .google.com
o path: /
o user agent ID: GVhc3V48
o server ID: O9d2_m3-
o download location: /dictionaries/help_dict
Note that the dictionary identifier consists of two parts: user agent
ID and the server ID. Most of the detail of the request and response
headers has been omitted.
6.1. Example 1: Initial Interaction, User Agent has No Dictionaries
1. user agent's request
GET /search?q=sprouts HTTP/1.1
Host: www.google.com
Accept-Encoding: sdch, gzip
1. server's response
HTTP/1.1 200 OK
Content-type: text/html
Content-Encoding: gzip
Get-Dictionary: /dictionaries/search_dict, /dictionaries/help_dict
Cache-Control: private
Note that the response returned by the server does NOT use SDCH
encoding, since the user agent does not have a dictionary. The
server simply provides the locations of the dictionaries for future
use. The user agent may choose to retrieve one or both dictionaries
separately.
Butler, et al. Expires May 1, 2017 [Page 11]
Internet-Draft sdch-spec October 2016
6.2. Example 2: User Agent Requests the Dictionary
1. user agent's request
GET /dictionaries/search_dict HTTP/1.1
Host: www.google.com
Accept-Encoding: sdch, gzip
1. server's response
HTTP/1.1 200 OK
Content-type: application/x-sdch-dictionary
Content-Encoding: gzip
Domain: .google.com
Path: /search
Format-version: 1.0
...dictionary contents...
Upon receiving this response, the user agent computes the digest of
the dictionary and determines the user agent ID is TWFuIGlz and the
server ID is JOWk0d2N.
6.3. Example 3: User Requests Page AND User Agent Has Already
Downloaded
the Dictionary
1. user agent's request
GET /search&q=brussel+sprouts HTTP/1.1
Host: www.google.com
Accept-Encoding: sdch, gzip
Avail-Dictionary: TWFuIGlz
1. server's response
HTTP/1.1 200 OK
Content-type: text/html
Content-Encoding: sdch, gzip
Get-Dictionary: /dictionaries/help_dict
Cache-Control: private
JOWk0d2N<NUL>...VCDIFFed response...
(note that the response shown to the left the result of gzip
decompression)
Butler, et al. Expires May 1, 2017 [Page 12]
Internet-Draft sdch-spec October 2016
The server has properly identified the dictionary using its server ID
and the user agent can confirm that the second 48 bits of the SHA-256
digest of the dictionary match its computation. It can then
decompress the VCDIFF response using this dictionary. Even though
the "search results" dictionary was used to decompress the response,
the server has chosen to indicate another dictionary could be
requested by the user agent from http://www.google.com/dictionaries/
help_dict. This dictionary must be different than the "search
results" dictionary as the server must never request the user agent
download a dictionary it knows the user agent already has. Let's
assume the user agent decides to download this dictionary.
6.4. Example 4: User Requests with Multiple Dictionaries
1. user agent's request
GET /search&q=brussels HTTP/1.1
Host: www.google.com
Accept-Encoding: sdch, gzip
Avail-Dictionary: GVhc3V48,TWFuIGlz
1. server's response
HTTP/1.1 200 OK
Content-type: text/html
Content-Encoding: sdch, gzip
Cache-Control: private
JOWk0d2N<NUL>...VCDIFFed response... (note that the response shown
to the left the result of gzip decompression)
The user agent advertises that it has already downloaded two
dictionaries that apply. The server may compress the response with
either dictionary. As the server has no other dictionaries that
apply to the request, it does not advertise any dictionaries in its
response.
7. Implementation Considerations
7.1. Implementation Limits
There are practical limitations to the number and size of the
dictionaries a user agent can store. It is suggested that general
use, non-mobile user agents should have the following minimum
capabilities:
o At least 300 dictionaries stored
Butler, et al. Expires May 1, 2017 [Page 13]
Internet-Draft sdch-spec October 2016
o At least 100KB of payload per dictionary
o At least 10MB of total dictionary contents
o At least 20 dictionaries stored per domain
7.2. Dictionary Downloading
The user agent always has the choice of whether or not to download a
dictionary. It is recommended that the user agent be implemented
with sufficient state to avoid downloading too many dictionaries from
the same server. A malfunctioning server may also request the user
agent continually download the same dictionary. One simple method to
avoid both of these possibilities is for the user agent to rate-limit
downloading dictionaries from the same domain.
When the user agent receives a response with a Get-Dictionary header
with dictionary download URLs that it may fetch, it should perform
the dictionary downloads in the background. This is possible as the
dictionary to be downloaded is guaranteed to not be needed to
decompress the response with the Get-Dictionary header. The user
agent should be careful to abort background dictionary downloads that
do not complete in a reasonable amount of time.
7.3. Data Integrity
If the dictionaries are tied to individual users or specific user
actions, HTTP may leak this information to passive attacker by
allowing the Get-Dictionary info to be seen. When using HTTPS, the
same risk is prevented in the design document since Get-Dictionary
URLs are required to be same-origin as the response.
However, Downloading dictionaries over HTTPS or advertising
dictionaries over HTTPS might introduce new security risks.
TODO: add some examples. For example, SDCH-over-HTTPS subject to
compression oracle attacks similar to CRIME/BREACH with the
difference that the compression context is not supplied by the
attacker. If an attacker had the contents of a dictionary, there is
a theoretical possibility where a server sends a static response
XOR'ed with user-provided data. The Attacker can provide data which
reduced the size of the response when XOR'ed with the static
response, the attacker may then be able to determine the contents of
the static response.
The protocol needs to ensure that the content as decompressed by the
user agent with a given dictionary is identical to the server's
Butler, et al. Expires May 1, 2017 [Page 14]
Internet-Draft sdch-spec October 2016
originally intended content. The three areas that can cause a data
integrity problem are discussed below.
7.3.1. Data tampered by Proxy
We have found incorrectly implemented proxies which tamper with an
SDCH response and make the response unable to be decompressed to the
server's originally intended content. The tampering may not be
detected in the SDCH encoding itself if the proxy makes SDCH content
look like non-SDCH content, for instance, by stripping the 'sdch'
token from the content-encoding header of the response or by adding
additional encodings (like gzip) on top of the SDCH and gzipped
response without making the Content-Encoding header match. In order
to detect when this occurs, the HTTP header X-SDCH-Encoding must be
added to the response by the server to inform the client that the
response was originally not SDCH encoded by the server. Should the
user agent advertise SDCH capability in the request but receive a
non-SDCH encoded response without the X-SDCH-Encoding header, it
suggests that the response was tampered by a proxy. The user agent
may then take action to avoid using SDCH in the future.
7.3.2. Dictionary mismatch
When a dictionary information is exchanged between user agent and
server, it is necessary to ensure that the dictionary identifiers are
completely unambiguous, or the decompressed result may differ from
the original content. To address this issue, SDCH uses the first 96
bits of the SHA-256 digest of a dictionary's metadata and payload to
create the dictionary identifiers used by the user agent and server
to avoid ambiguity. (Please refer to the section "Dictionaries
description" above for details.)
7.3.3. Data corruption / malicious attacks
While this issue is not specific to SDCH, it can be exacerbated due
to the nature of the stateful compression. For example, if the
dictionary is corrupted or maliciously modified in a persistent on-
disk cache, all subsequent responses decoded by using this dictionary
will be corrupt. For this reason, the user agent and server should
revalidate the dictionaries' integrity when they are loaded from non-
volatile storage.
Other issues like data corruption during transmission in the encoded
payload could have much bigger adverse effect than that in the plain
text. TCP provides a checksum, but it cannot detect some errors like
swapped bytes. To address this issue, SDCH includes an Adler32
checksum [RFC1950] in the encoded data shards. (Please refer to
appendix "VCDIFF Encoding Format and SDCH" for details.)
Butler, et al. Expires May 1, 2017 [Page 15]
Internet-Draft sdch-spec October 2016
8. Response Caching
8.1. User Agent Cache
The user agent should honor HTTP caching directives (Cache-Control,
Expires,...) for caching responses, whether or not the responses are
SDCH-encoded. When caching the SDCH-encoded responses, the SDCH-
encoded responses should be decoded before being written to the
cache. If this is not possible, the user agent may cache SDCH-
encoded responses, unless the HTTP response headers indicate that the
response is not cacheable. In this case, an SDCH-encoded cache entry
should be invalidated when (1) the dictionary used to encode that
response is deleted from the dictionary store, (2) the SDCH
decompression user agent is uninstalled (if it is implemented as a
browser add-on), or (3) the SDCH capable user agent is disabled.
Intermediate Caches
The server should use HTTP cache headers that prevent non-SDCH-aware
intermediate cache servers from storing the encoded contents. The
cache directive "Cache-Control: private" can be used for this
purpose.
If the compressed response can be cached by proxy caches, the server
must include the HTTP header "Vary: Accept-Encoding, Avail-
Dictionary" to alert proxies about sending the cached content only to
the user agents who can decode it. Note that some proxies may not
respect the Vary header, in which case non-SDCH-capable user agents
would end up downloading SDCH-encoded responses. Thus, we recommend
that SDCH-encoded responses not be cacheable by intermediate proxies
unless there is a very compelling reason. Further, "Vary: Accept-
Encoding, Avail-Dictionary" will not match requests unless these
headers match exactly.
A proxy cache may provide one of three levels of support for caching
SDCH-encoded objects.
1. No support - Never cache any response if the header Vary is
present.
2. Basic support - The proxy cache only serves cached SDCH-encoded
content if all cache serving conditions are satisfied and the
values of the HTTP headers specified in the Vary header of the
cached content exactly match the corresponding headers in the
HTTP request.
3. Full support - The proxy should understand the SDCH protocol,
should know what dictionary is used to encode/decode the
Butler, et al. Expires May 1, 2017 [Page 16]
Internet-Draft sdch-spec October 2016
response, and should be able to download advertised dictionaries.
The cache needs to have both SDCH user agent and server logic in
it. The server should store the SDCH decoded responses in its
cache.
Dictionary Caching User Agent Cache
As dictionary payloads may be large compared to the size of
individual HTTP responses, in order to maximize latency improvements
and minimize the bandwidth overhead of downloading dictionaries, it
is recommended that the user agent persistently store dictionaries in
a dictionary cache (e.g. on disk). It is suggested that the user
agent implement a maximum limit on number of dictionaries stored per
domain in order to avoid allowing one domain to force dictionaries
for other domains out of the user agent's dictionary cache. To
implement a fixed maximum size cache it is recommended that the cache
manager first evict the dictionaries that were least recently used
for decoding.
Ideally dictionaries will be stored in the same cache as HTTP
responses and may be inspected and cleared by the user using existing
user interfaces. However, new support may be created to fulfill the
need for the user agent to be able to quickly determine which
dictionaries should be advertised for a given request.
The user agent should be careful to validate that a dictionary
matches its original identifier before being used for decompression
to prevent malicious attacks on the dictionary cache. The user agent
may implicitly handle this by always recomputing the hash before
advertising the dictionary. However, to improve efficiency, the user
agent may cache the original digest of the dictionary, advertise the
dictionary with that digest, and then only for the dictionary
selected by the server to encode the response, verify that the cached
dictionary digest still matches the digest computed from the cached
dictionary.
The user agent must not evict dictionaries from its dictionary store
that have been advertised in the Avail-Dictionary header of a HTTP
request for which a response has not yet been returned.
If a user agent downloads a dictionary which has the same identifier
as another previously downloaded dictionary which are applicable to
the same hosts, the user agent must be careful to either ignore the
new dictionary or evict the old dictionary. If the two dictionaries
with the same identifier have exactly the same contents the choice is
not important, however this indicates a server error as a server must
never instruct the user agent to download a dictionary that was
advertised by the user agent. The user agent may want to avoid
Butler, et al. Expires May 1, 2017 [Page 17]
Internet-Draft sdch-spec October 2016
downloading dictionaries from this server in the future as they may
not be new and downloading unnecessary dictionaries can increase
latency.
Intermediate Caches
The dictionary should be treated as a regular HTTP response by
intermediate proxies. Thus, the normal HTTP caching consideration
for intermediate proxies should apply to the dictionary as well.
9. Future Directions
=====================
As currently proposed, SDCH is not applicable to another case where
differential compression would be beneficial: large files that change
infrequently and in small ways, such as JavaScript and CSS files
referenced by other HTML documents.
TODO: Re-evaluate dictionary scoping rules, current approach that
patterned after the same named attributes from the HTTP State
Management Specification [RFC2965] may not be the best choice.
10. Current Status and Updates
For current information about the status of this proposal:
https://groups.google.com/group/SDCH
11. IANA Considerations
This document makes no requests of IANA.
12. Security Considerations
Some security considerations are discussed in the data integrity
section above, but the author anticipates further work to describe
these.
13. Acknowledgements
The authors would like to acknowledge the support of Google, Inc. for
the development of this work. Technical editor: Harriett Hardman.
Feedback and comments: Greg Badros, Chandra Chereddi, Darren Fisher,
Ted Hardie, Ashu Jain, Ian Hickson, Othman Laraki, Jim Roskind, Ryan
Sleevi, Lincoln Smith, Randy Smith, and Linus Upson.
Butler, et al. Expires May 1, 2017 [Page 18]
Internet-Draft sdch-spec October 2016
14. Appendix: VCDIFF Encoding Format and SDCH
Although the SDCH protocol is proposed so that it could be adapted
for use with any differential-encoding format, it currently uses the
VCDIFF encoding format. This format was chosen because its
definition is publicly available as the RFC 3284 draft standard. The
VCDIFF format is independent of the method used for finding the
longest possible matches between the dictionary (source) data and the
payload (target) data.
An encoder and decoder for the VCDIFF format, intended for use with
SDCH, has been released as open-source under the Apache license.
This package is called "open-vcdiff". It uses the Bentley/McIlroy
technique for finding matches between the dictionary and target data.
It conforms to the VCDIFF draft standard, with the following
exceptions:
Interleaved format
The VCDIFF draft standard format divides each encoded delta window
into three sections (data, instructions, and addresses), with the aim
of improving compressibility of the encoded file using a secondary
compressor such as gzip. The drawback to this approach is that none
of the target data can be reconstructed unless the entire delta
window is available. The delta window is received in packets over
the network and it is desirable to be able to process its contents as
they arrive. In order to facilitate decoding a stream of packets
from the network, we have modified the VCDIFF format so that it
interleaves the data, instructions, and addresses instead of placing
them in three separate sections. Each instruction is followed by its
size and then by an address or literal data.
Adler32 checksum
The format can be modified to include an Adler32 checksum [RFC1950]
of the target window data. If the checksum format is used, then bit
2 (0x04, defined as VCD_CHECKSUM) of the Win_Indicator byte will be
set, and the checksum will appear just after the "Length of addresses
for COPYs" field and before the "Data section for ADDs and RUNs"
section in the encoding.
Version header byte (Header4)
If either of the two enhancements described above is used, then the
resulting format will not conform to the VCDIFF draft standard as
described in RFC 3284. In order to indicate this deviation from the
standard, the fourth byte in the encoding (Header4, reserved for the
VCDIFF version code) will be set to 0x53 (a capital "S" character in
Butler, et al. Expires May 1, 2017 [Page 19]
Internet-Draft sdch-spec October 2016
ASCII.) If neither enhancement is used, the fourth byte may be 0x00
(a null character), the default value described in the standard.
VCD_TARGET flag and target COPY instructions not allowed for SDCH
The SDCH protocol is intended to produce a delta between static
dictionary data and target data. Secondary compression with gzip
will be used to eliminate redundancy within the target data. For
this reason, when using VCDIFF for SDCH, the Win_Indicator flag
should always include the VCD_SOURCE flag, never the VCD_TARGET flag.
COPY instructions should only reference addresses within the source
data, never within the previously decoded target.
The Xdelta package (http://xdelta.org) produces a format based on
VCDIFF, though not 100% compatible with the RFC draft standard. That
package has been released under the GNU General Public License.
15. References
15.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<http://www.rfc-editor.org/info/rfc7230>.
15.2. Informative References
[RFC3284] Korn, D., MacDonald, J., Mogul, J., and K. Vo, "The VCDIFF
Generic Differencing and Compression Data Format",
RFC 3284, DOI 10.17487/RFC3284, June 2002,
<http://www.rfc-editor.org/info/rfc3284>.
[RFC3229] Mogul, J., Krishnamurthy, B., Douglis, F., Feldmann, A.,
Goland, Y., van Hoff, A., and D. Hellerstein, "Delta
encoding in HTTP", RFC 3229, DOI 10.17487/RFC3229, January
2002, <http://www.rfc-editor.org/info/rfc3229>.
[RFC3929] Hardie, T., "Alternative Decision Making Processes for
Consensus-Blocked Decisions in the IETF", RFC 3929,
DOI 10.17487/RFC3929, October 2004,
<http://www.rfc-editor.org/info/rfc3929>.
Butler, et al. Expires May 1, 2017 [Page 20]
Internet-Draft sdch-spec October 2016
[RFC3548] Josefsson, S., Ed., "The Base16, Base32, and Base64 Data
Encodings", RFC 3548, DOI 10.17487/RFC3548, July 2003,
<http://www.rfc-editor.org/info/rfc3548>.
[RFC2965] Kristol, D. and L. Montulli, "HTTP State Management
Mechanism", RFC 2965, DOI 10.17487/RFC2965, October 2000,
<http://www.rfc-editor.org/info/rfc2965>.
[RFC1950] Deutsch, P. and J-L. Gailly, "ZLIB Compressed Data Format
Specification version 3.3", RFC 1950,
DOI 10.17487/RFC1950, May 1996,
<http://www.rfc-editor.org/info/rfc1950>.
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<http://www.rfc-editor.org/info/rfc6234>.
Authors' Addresses
Jon Butler
Email: jkbutler@google.com
Wei-Hsin Lee
Email: weihsinl@google.com
Bryan McQuade
Email: mcquade@google.com
Kenneth Mixter
Email: kmixter@google.com
Butler, et al. Expires May 1, 2017 [Page 21]