HyBi Working Group                                         L. Stout, Ed.
Internet-Draft                                                      &yet
Intended status: Standards Track                              J. Moffitt
Expires: February 20, 2014                                    E. Cestari
                                                        cstar industries
                                                         August 19, 2013


                   An XMPP Sub-protocol for WebSocket
                  draft-moffitt-xmpp-over-websocket-04

Abstract

   This document defines a binding for the XMPP protocol over a
   WebSocket transport layer.  A WebSocket binding for XMPP provides
   higher performance than the current HTTP binding for XMPP.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 20, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Stout, et al.          Expires February 20, 2014                [Page 1]


Internet-Draft            XMPP over WebSocket                August 2013


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  XMPP Sub-Protocol . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Handshake . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.2.  Messages  . . . . . . . . . . . . . . . . . . . . . . . .   4
     3.3.  XMPP Stream Setup . . . . . . . . . . . . . . . . . . . .   4
     3.4.  Stream Errors . . . . . . . . . . . . . . . . . . . . . .   4
     3.5.  Closing the Connection  . . . . . . . . . . . . . . . . .   5
     3.6.  Stanzas . . . . . . . . . . . . . . . . . . . . . . . . .   6
     3.7.  Stream Restarts . . . . . . . . . . . . . . . . . . . . .   6
     3.8.  Pings and Keepalives  . . . . . . . . . . . . . . . . . .   6
     3.9.  Use of TLS  . . . . . . . . . . . . . . . . . . . . . . .   6
     3.10. Stream Management . . . . . . . . . . . . . . . . . . . .   7
   4.  Discovering Connection Method . . . . . . . . . . . . . . . .   7
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   7.  Informative References  . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9


1.  Introduction

   Applications using XMPP (see [RFC6120] and [RFC6121]) on the Web
   currently make use of BOSH (see [XEP-0124] and [XEP-0206]), an XMPP
   binding to HTTP.  BOSH is based on the HTTP long polling technique,
   and it suffers from high transport overhead compared to XMPP's native
   binding to TCP.  In addition, there are a number of other known
   issues with long polling [RFC6202], which have an impact on BOSH-
   based systems.

   It would be much better in most circumstances to avoid tunneling XMPP
   over HTTP long polled connections and instead use the XMPP protocol
   directly.  However, the APIs and sandbox that browsers have provided
   do not allow this.  The WebSocket protocol [RFC6455] now exists to
   solve these kinds of problems.  The WebSocket protocol is a bi-
   directional protocol that provides a simple message-based framing
   layer over raw sockets and allows for more robust and efficient
   communication in web applications.

   The WebSocket protocol enables two-way communication between a client
   and a server, effectively emulating TCP at the application layer and
   therefore overcoming many of the problems with existing long-polling
   techniques for bidirectional HTTP.  This document defines a WebSocket
   sub-protocol for the Extensible Messaging and Presence Protocol
   (XMPP).




Stout, et al.          Expires February 20, 2014                [Page 2]


Internet-Draft            XMPP over WebSocket                August 2013


2.  Terminology

   The basic unit of framing in the WebSocket protocol is called a
   message.  In XMPP, the basic unit is the stanza, which is a subset of
   the first-level children of each document in an XMPP stream (see
   Section 9 of [RFC6120]).  XMPP also has a concept of messages, which
   are stanzas whose top-level element name is message.  In this
   document, the word "message" will mean a WebSocket message, not an
   XMPP message stanza (see Section 3.2).

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  XMPP Sub-Protocol

3.1.  Handshake

   The XMPP sub-protocol is used to transport XMPP over a WebSocket
   connection.  The client and server agree to this protocol during the
   WebSocket handshake (see Section 1.3 of [RFC6455]).

   During the WebSocket handshake, the client MUST include the |Sec-
   WebSocket-Protocol| header in its handshake, and the value |xmpp|
   MUST be included in the list of protocols.  The reply from the server
   MUST also contain |xmpp| in its own |Sec-WebSocket-Protocol| header
   in order for an XMPP sub-protocol connection to be established.

   Once the handshake is complete, WebSocket messages sent or received
   will conform to the protocol defined in the rest of this document.

   C:  GET /xmpp-websocket HTTP/1.1
       Host: example.com
       Upgrade: websocket
       Connection: Upgrade
       Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
       Origin: http://example.com
       ...
       Sec-WebSocket-Protocol: xmpp
       Sec-WebSocket-Version: 13


   S:  HTTP/1.1 101 Switching Protocols
       Upgrade: websocket
       Connection: Upgrade
       ...
       Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
       Sec-WebSocket-Protocol: xmpp



Stout, et al.          Expires February 20, 2014                [Page 3]


Internet-Draft            XMPP over WebSocket                August 2013


   [WebSocket connection established]

   C:  <stream:stream xmlns:stream="http://etherx.jabber.org/streams"
                      xmlns="jabber:client"
                      to="example.com"
                      version="1.0">


3.2.  Messages

   Data frame messages in the XMPP sub-protocol MUST be of the text type
   and contain UTF-8 encoded data.  The close control frame's contents
   are specified in Section 3.5.  Control frames other than close are
   not restricted.

   Unless noted in text, the word "message" will mean a WebSocket
   message composed of text data frames.

3.3.  XMPP Stream Setup

   The first message sent after the handshake is complete MUST be an
   XMPP opening stream tag as defined in XMPP [RFC6120] or an XML text
   declaration (see Section 4.3.1 of [W3C.REC-xml-20081126]) followed by
   an XMPP opening stream tag.  The stream tag MUST NOT be closed (i.e.
   the closing </stream:stream> tag should not appear in the message) as
   it is the start of the client's outgoing XML.  The '<' character of
   the tag or text declaration MUST be the first character of the text
   payload.

   The server MUST respond with a message containing an error (see
   Section 3.4), its own opening stream tag, or an XML text declaration
   followed by an opening stream tag.

   Except in the case of certain stream errors (see Section 3.4), the
   opening stream tag, <stream:stream>, MUST appear in a message by
   itself.

3.4.  Stream Errors

   Stream level errors in XMPP are terminal.  Should such an error
   occur, the server MUST send the stream error as a complete element in
   a message to the client.

   If the error occurs during the opening of a stream, the stream error
   message MUST start with an opening stream tag (see Section 4.7.1 of
   [RFC6120]) and end with a closing stream tag.





Stout, et al.          Expires February 20, 2014                [Page 4]


Internet-Draft            XMPP over WebSocket                August 2013


   After the stream error and closing stream tag have been sent, the
   server MUST close the connection as in Section 3.5.

3.5.  Closing the Connection

   Either the server or the client may close the connection at any time.
   Before closing the connection, the closing party SHOULD close the
   XMPP stream, if it has been established, by sending a message with
   the closing </stream:stream> tag.  The XMPP stream is considered
   closed when a corresponding </stream:stream> tag is received from the
   other party.

   If a client closes the WebSocket connection without closing the XMPP
   stream after having enabled stream management (see Section 3.10), the
   server SHOULD keep the XMPP session alive for a period of time based
   on server policy, as specified in [XEP-0198].

   To initiate closing the WebSocket connection, the closing party MUST
   send a normal WebSocket close message with an empty body.  The
   connection is considered closed when a matching close message is
   received (see Section 1.4 of [RFC6455]).

   Except in the case of certain stream errors (see Section 3.4), the
   closing stream tag, </stream:stream>, MUST appear in a message by
   itself.

   An example of ending an XMPP over WebSocket session by first closing
   the XMPP stream layer and then the WebSocket connection layer:

   Client           (XMPP WSS)            Server
   |  |                                     |  |
   |  | </stream:stream>                    |  |
   |  |------------------------------------>|  |
   |  |                    </stream:stream> |  |
   |  |<------------------------------------|  |
   |  |                                     |  |
   |  |        (XMPP Stream Closed)         |  |
   |  +-------------------------------------+  |
   |                                           |
   | WS CLOSE FRAME                            |
   |------------------------------------------>|
   |                            WS CLOSE FRAME |
   |<------------------------------------------|
   |                                           |
   |            (Connection Closed)            |
   +-------------------------------------------+





Stout, et al.          Expires February 20, 2014                [Page 5]


Internet-Draft            XMPP over WebSocket                August 2013


3.6.  Stanzas

   Each XMPP stanza MUST be sent in its own message.  A stanza MUST NOT
   be split over multiple messages.  All first level children of the
   <stream:stream> element MUST be treated the same as stanzas (e.g.
   <stream:features> and <stream:error>).

3.7.  Stream Restarts

   After successful SASL authentication, an XMPP stream needs to be
   restarted.  In these cases, as soon as the message is sent (or
   received) containing the success indication, both the server and
   client streams are implicitly closed, and new streams need to be
   opened.  The client MUST open a new stream as in Section 3.3 and MUST
   NOT send a closing stream tag.

   S:  <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl" />

   [Streams implicitly closed]

   C:  <stream:stream xmlns:stream="http://etherx.jabber.org/streams"
                      xmlns="jabber:client"
                      to="example.com"
                      version="1.0">


3.8.  Pings and Keepalives

   XMPP servers send whitespace pings as keepalives between stanzas, and
   XMPP clients can do the same as these extra whitespace characters are
   not significant in the protocol.  Servers and clients SHOULD use
   WebSocket ping control frames instead for this purpose.

   In some cases, the WebSocket connection might be served by an
   intermediary connection manager and not the XMPP server.  In these
   situations, the use of WebSocket ping messages are insufficient to
   test that the XMPP stream is still alive.  Both the XMPP Ping
   extension [XEP-0199] and the XMPP Stream Management extension
   [XEP-0198] provide mechanisms to ping the XMPP server, and either
   extension (or both) MAY be used to determine the state of the
   connection.

3.9.  Use of TLS








Stout, et al.          Expires February 20, 2014                [Page 6]


Internet-Draft            XMPP over WebSocket                August 2013


   TLS cannot be used at the XMPP sub-protocol layer because the sub-
   protocol does not allow for raw binary data to be sent.  Instead,
   enabling TLS SHOULD be done at the WebSocket layer using secure
   WebSocket connections via the |wss| URI scheme.  (See Section 10.6 of
   [RFC6455]).

   Because TLS is to be provided outside of the XMPP sub-protocol layer,
   a server MUST NOT advertise TLS as a stream feature (see Section 4.6
   of [RFC6120]), and a client MUST ignore any advertised TLS stream
   feature, when using the XMPP sub-protocol.

3.10.  Stream Management

   In order to alleviate the problems of temporary disconnections, the
   XMPP Stream Management extension [XEP-0198] MAY be used to confirm
   when stanzas have been received by the server.

   In particular, the use of session resumption in [XEP-0198] MAY be
   used to allow for recreating the same stream session state after a
   temporary network unavailability or after navigating to a new URL in
   a browser.

4.  Discovering Connection Method

   The XMPP extension Discovering Alternate XMPP Connection Methods
   [XEP-0156] provides a mechanism to discover the additional
   information needed to connect to an XMPP server outside of the
   procedure defined in in Section 3 of [RFC6120].

   For the XMPP over Websocket connection type, the connection method
   name "_xmpp-client-websocket" is used to specify a URI for the
   server's WebSocket connection endpoint.

   An example entry advertising that the URI "wss://example.com/xmpp" is
   an XMPP over WebSocket endpoint, using a DNS TXT record as specified
   in [XEP-0156]:

   _xmppconnect IN TXT "_xmpp-client-websocket=wss://example.com/xmpp"


   Implementation Note: A server is able to expose both BOSH [XEP-0206]
   and WebSocket endpoints over the registered port 5280, using the URI
   path and connection upgrade headers to determine which transport to
   serve.

5.  Security Considerations





Stout, et al.          Expires February 20, 2014                [Page 7]


Internet-Draft            XMPP over WebSocket                August 2013


   Since application level TLS cannot be used (see Section 3.9),
   applications which need to protect the privacy of the XMPP traffic
   need to do so at the WebSocket or other appropriate layer.

   The Security Considerations for both WebSocket (See Section 10 of
   [RFC6455] and XMPP (See Section 13 of [RFC6120]) apply to the
   WebSocket XMPP sub-protocol.

6.  IANA Considerations

   This specification requests IANA to register the WebSocket XMPP sub-
   protocol under the "WebSocket Subprotocol Name" Registry with the
   following data:

   Subprotocol Identifier:  xmpp

   Subprotocol Common Name:  WebSocket Transport for the Extensible
      Messaging and Presence Protocol (XMPP)

   Subprotocol Definition:  RFC XXXX

   [[NOTE TO RFC EDITOR: Please change XXXX to the number assigned to
   this document upon publication.]]

7.  Informative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6120]  Saint-Andre, P., "Extensible Messaging and Presence
              Protocol (XMPP): Core", RFC 6120, March 2011.

   [RFC6121]  Saint-Andre, P., "Extensible Messaging and Presence
              Protocol (XMPP): Instant Messaging and Presence", RFC
              6121, March 2011.

   [RFC6202]  Loreto, S., Saint-Andre, P., Salsano, S., and G. Wilkins,
              "Known Issues and Best Practices for the Use of Long
              Polling and Streaming in Bidirectional HTTP", RFC 6202,
              April 2011.

   [RFC6455]  Fette, I. and A. Melnikov, "The WebSocket Protocol", RFC
              6455, December 2011.

   [W3C.REC-xml-20081126]
              Sperberg-McQueen, C., Yergeau, F., Paoli, J., Bray, T.,
              and E. Maler, "Extensible Markup Language (XML) 1.0 (Fifth
              Edition)", World Wide Web Consortium Recommendation REC-



Stout, et al.          Expires February 20, 2014                [Page 8]


Internet-Draft            XMPP over WebSocket                August 2013


              xml-20081126, November 2008,
              <http://www.w3.org/TR/2008/REC-xml-20081126>.

   [XEP-0124]
              Paterson, I., Smith, D., Saint-Andre, P., and J. Moffitt,
              "Bidirectional-streams Over Synchronous HTTP (BOSH)", XSF
              XEP 0124, July 2010.

   [XEP-0156]
              Hildebrand, J. and P. Saint-Andre, "Discovering
              Alternative XMPP Connection Methods", XSF XEP 0156, June
              2007.

   [XEP-0198]
              Karneges, J., Saint-Andre, P., Hildebrand, J., Forno, F.,
              Cridland, D., and M. Wild, "Stream Management", XSF XEP
              0198, June 2011.

   [XEP-0199]
              Saint-Andre, P., "XMPP Ping", XSF XEP 0199, June 2009.

   [XEP-0206]
              Paterson, I. and P. Saint-Andre, "XMPP Over BOSH", XSF XEP
              0206, July 2010.

Authors' Addresses

   Lance Stout (editor)
   &yet

   Email: lance@andyet.net


   Jack Moffitt

   Email: jack@metajack.im


   Eric Cestari
   cstar industries

   Email: eric@cestari.info








Stout, et al.          Expires February 20, 2014                [Page 9]