8. Examples
IP proxying in HTTP enables many different use cases that can benefit from IP packet proxying and tunnelling. These examples are provided to help illustrate some of the ways in which IP proxying in HTTP can be used.
8.1. Remote Access VPN
The following example shows a point-to-network VPN setup, where a client receives a set of local addresses and can send to any remote host through the IP proxy. Such VPN setups can be either full-tunnel or split-tunnel.
+--------+ IP A                IP B +--------+          +---> IP D
|        +--------------------------+   IP   | IP C     |
| Client | IP Subnet C <--> ?       | Proxy  +----------+---> IP E
|        +--------------------------+        |          |
+--------+                          +--------+          +---> IP ...
Figure 14: VPN Tunnel Setup
In this case, the client does not specify any scope in its request. Its ADDRESS_REQUEST carries the all-zero address 0.0.0.0, which asks the proxy for any IPv4 address. The IP proxy answers with an ADDRESS_ASSIGN carrying the same Request ID, giving the client an IPv4 address (192.0.2.11), and a full-tunnel route covering all IPv4 addresses (0.0.0.0/0, expressed as the range 0.0.0.0 to 255.255.255.255 with IP Protocol 0, meaning any protocol). The client can then send to any IPv4 host, using its assigned address as the source address of the packets it encapsulates.
[[ From Client ]]               [[ From IP Proxy ]]

SETTINGS
H3_DATAGRAM = 1

                                SETTINGS
                                ENABLE_CONNECT_PROTOCOL = 1
                                H3_DATAGRAM = 1

STREAM(44): HEADERS
:method = CONNECT
:protocol = connect-ip
:scheme = https
:path = /vpn
:authority = proxy.example.com
capsule-protocol = ?1

                                STREAM(44): HEADERS
                                :status = 200
                                capsule-protocol = ?1

STREAM(44): DATA
Capsule Type = ADDRESS_REQUEST
(Request ID = 1
 IP Version = 4
 IP Address = 0.0.0.0
 IP Prefix Length = 32)

                                STREAM(44): DATA
                                Capsule Type = ADDRESS_ASSIGN
                                (Request ID = 1
                                 IP Version = 4
                                 IP Address = 192.0.2.11
                                 IP Prefix Length = 32)

                                STREAM(44): DATA
                                Capsule Type = ROUTE_ADVERTISEMENT
                                (IP Version = 4
                                 Start IP Address = 0.0.0.0
                                 End IP Address = 255.255.255.255
                                 IP Protocol = 0) // Any

DATAGRAM
Quarter Stream ID = 11
Context ID = 0
Payload = Encapsulated IP Packet

                                DATAGRAM
                                Quarter Stream ID = 11
                                Context ID = 0
                                Payload = Encapsulated IP Packet
Figure 15: VPN Full-Tunnel Example
A setup for a split-tunnel VPN (the case where the client can only reach a specific set of private subnets) is quite similar. Here the advertised route is restricted to 192.0.2.0/24 rather than 0.0.0.0/0, and the proxy carves the client's own assigned address (192.0.2.42) out of the advertised range, so the advertisement is sent as two ranges, 192.0.2.0 to 192.0.2.41 and 192.0.2.43 to 192.0.2.255. Because the client sent no ADDRESS_REQUEST, the Request ID in the ADDRESS_ASSIGN capsule is 0.
[[ From Client ]]               [[ From IP Proxy ]]

                                STREAM(44): DATA
                                Capsule Type = ADDRESS_ASSIGN
                                (Request ID = 0
                                 IP Version = 4
                                 IP Address = 192.0.2.42
                                 IP Prefix Length = 32)

                                STREAM(44): DATA
                                Capsule Type = ROUTE_ADVERTISEMENT
                                (IP Version = 4
                                 Start IP Address = 192.0.2.0
                                 End IP Address = 192.0.2.41
                                 IP Protocol = 0) // Any
                                (IP Version = 4
                                 Start IP Address = 192.0.2.43
                                 End IP Address = 192.0.2.255
                                 IP Protocol = 0) // Any
Figure 16: VPN Split-Tunnel Example
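Figures 15 and 16 show the capsules in decoded form. The following Python module, added here as an illustration and not taken from RFC 9484 or from any implementation, encodes and decodes them using the wire layout given in RFC 9484, Section 4.7 (Capsule Type 0x01 for ADDRESS_ASSIGN, 0x02 for ADDRESS_REQUEST, 0x03 for ROUTE_ADVERTISEMENT; Request ID as a QUIC variable-length integer; IP Version, IP Prefix Length and IP Protocol as single bytes; addresses as 4 or 16 bytes) inside the Type/Length/Value capsule framing of RFC 9297. It also computes the split-tunnel advertisement of Figure 16 by cutting the client's own address out of 192.0.2.0/24. The function and class names are this example's own. The parser rejects truncated fields, unknown IP versions, prefix lengths longer than the address, and ranges whose Start exceeds End, all of which a receiver should treat as malformed input rather than act on.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
ADDRESS_ASSIGN, ADDRESS_REQUEST, ROUTE_ADVERTISEMENT = 0x01, 0x02, 0x03  # RFC 9484 capsule types
ADDR_LEN = {4: 4, 6: 16}   # IP Version byte -> address size in bytes

def encode_varint(v: int) -> bytes:
    """QUIC variable-length integer (RFC 9000, section 16)."""
    for bits, fmt, tag in ((6, ">B", 0), (14, ">H", 0x4000),
                           (30, ">I", 0x80000000), (62, ">Q", 0xC000000000000000)):
        if 0 <= v < 1 << bits:
            return struct.pack(fmt, v | tag)
    raise ValueError("varint out of range")

def _field(buf: bytes, off: int, n: int) -> Tuple[bytes, int]:
    """Take n bytes at off; n == 0 is the sentinel ADDR_LEN.get() returns for a bad IP Version."""
    if n == 0 or off + n > len(buf):
        raise ValueError("unknown IP version or truncated capsule value")
    return buf[off:off + n], off + n

def decode_varint(buf: bytes, off: int) -> Tuple[int, int]:
    first, _ = _field(buf, off, 1)
    raw, off = _field(buf, off, 1 << (first[0] >> 6))   # top two bits give the length
    return int.from_bytes(raw, "big") & ((1 << (8 * len(raw) - 2)) - 1), off

@dataclass(frozen=True)
class AssignedAddress:      # one entry of ADDRESS_ASSIGN (ADDRESS_REQUEST uses the same layout)
    request_id: int         # 0 when the assignment answers no ADDRESS_REQUEST
    address: IPAddress
    prefix_len: int

@dataclass(frozen=True)
class AddressRange:         # one IP Address Range of ROUTE_ADVERTISEMENT
    start: IPAddress
    end: IPAddress
    ip_proto: int           # 0 means any protocol

def assigned(request_id: int, address: str, prefix_len: int) -> AssignedAddress:
    return AssignedAddress(request_id, ipaddress.ip_address(address), prefix_len)

def address_range(start: str, end: str, ip_proto: int = 0) -> AddressRange:
    return AddressRange(ipaddress.ip_address(start), ipaddress.ip_address(end), ip_proto)

def _capsule(ctype: int, value: bytes) -> bytes:   # RFC 9297 framing: Type, Length, Value
    return encode_varint(ctype) + encode_varint(len(value)) + value

def encode_address_assign(entries: List[AssignedAddress], ctype: int = ADDRESS_ASSIGN) -> bytes:
    value = b"".join(encode_varint(e.request_id) + bytes([e.address.version])
                     + e.address.packed + bytes([e.prefix_len]) for e in entries)
    return _capsule(ctype, value)

def encode_route_advertisement(ranges: List[AddressRange]) -> bytes:
    value = b"".join(bytes([r.start.version]) + r.start.packed + r.end.packed
                     + bytes([r.ip_proto]) for r in ranges)
    return _capsule(ROUTE_ADVERTISEMENT, value)

def decode_capsule(buf: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Split one capsule out of a stream into (type, value, next_offset)."""
    ctype, off = decode_varint(buf, off)
    length, off = decode_varint(buf, off)
    value, off = _field(buf, off, length) if length else (b"", off)
    return ctype, value, off

def parse_address_assign(value: bytes) -> List[AssignedAddress]:
    out, off = [], 0
    while off < len(value):
        request_id, off = decode_varint(value, off)
        (version,), off = _field(value, off, 1)
        raw, off = _field(value, off, ADDR_LEN.get(version, 0))
        (prefix_len,), off = _field(value, off, 1)
        addr = ipaddress.ip_address(raw)
        if prefix_len > addr.max_prefixlen:
            raise ValueError("prefix length exceeds address size")
        out.append(AssignedAddress(request_id, addr, prefix_len))
    return out

def parse_route_advertisement(value: bytes) -> List[AddressRange]:
    out, off = [], 0
    while off < len(value):
        (version,), off = _field(value, off, 1)
        raw_start, off = _field(value, off, ADDR_LEN.get(version, 0))
        raw_end, off = _field(value, off, ADDR_LEN.get(version, 0))
        (ip_proto,), off = _field(value, off, 1)
        start, end = ipaddress.ip_address(raw_start), ipaddress.ip_address(raw_end)
        if start > end:     # RFC 9484: Start IP Address must not exceed End IP Address
            raise ValueError("range start exceeds end")
        out.append(AddressRange(start, end, ip_proto))
    return out

def routes_excluding(network: str, excluded: str, ip_proto: int = 0) -> List[AddressRange]:
    # Figure 16: advertise 192.0.2.0/24 minus the client's own 192.0.2.42 as two ranges.
    net, addr = ipaddress.ip_network(network), ipaddress.ip_address(excluded)
    if addr not in net:
        return [AddressRange(net[0], net[-1], ip_proto)]
    ranges = []
    if addr > net[0]:
        ranges.append(AddressRange(net[0], addr - 1, ip_proto))
    if addr < net[-1]:
        ranges.append(AddressRange(addr + 1, net[-1], ip_proto))
    return ranges
```

Encoding the Figure 15 ADDRESS_ASSIGN (Request ID 1, 192.0.2.11/32) yields the nine bytes 01 07 01 04 c0 00 02 0b 20: type, length, Request ID, IP Version, the address, and the prefix length. Because the capsule value is a plain repetition of entries, `decode_capsule` is kept separate from the entry parsers so that a stream of several capsules on the same request stream can be split before each value is interpreted.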
8.2. Site-to-Site VPN
The following example shows how to connect a branch office network to a corporate network such that all machines on those networks can communicate. In this example, the IP proxying client is attached to the branch office network 192.0.2.0/24, and the IP proxy is attached to the corporate network 203.0.113.0/24. There are legacy clients on the branch office network that only allow maintenance requests from machines on their subnet, so the IP proxy is provisioned with an IP address from that subnet.
192.0.2.1 <--+    +--------+               +-------+    +---> 203.0.113.9
             |    |        +---------------+  IP   |    |
192.0.2.2 <--+----+ Client | IP Proxying   | Proxy +----+---> 203.0.113.8
             |    |        +---------------+       |    |
192.0.2.3 <--+    +--------+               +-------+    +---> 203.0.113.7
Figure 17: Site-to-Site VPN Example
In this case, the client does not specify any scope in its request. The IP proxy assigns the client an IPv4 address (203.0.113.100) and a split-tunnel route to the corporate network (203.0.113.0/24). The client assigns the IP proxy an IPv4 address (192.0.2.200) and a split-tunnel route to the branch office network (192.0.2.0/24). This allows hosts on both networks to communicate with each other and allows the IP proxy to perform maintenance on legacy hosts in the branch office. Note that IP proxying endpoints will decrement the IP Hop Count (or TTL) when encapsulating forwarded packets, so protocols that require that field be set to 255 will not function.
[[ From Client ]]               [[ From IP Proxy ]]

SETTINGS
H3_DATAGRAM = 1

                                SETTINGS
                                ENABLE_CONNECT_PROTOCOL = 1
                                H3_DATAGRAM = 1

STREAM(44): HEADERS
:method = CONNECT
:protocol = connect-ip
:scheme = https
:path = /corp
:authority = proxy.example.com
capsule-protocol = ?1

                                STREAM(44): HEADERS
                                :status = 200
                                capsule-protocol = ?1

STREAM(44): DATA
Capsule Type = ADDRESS_ASSIGN
(Request ID = 0
 IP Version = 4
 IP Address = 192.0.2.200
 IP Prefix Length = 32)

STREAM(44): DATA
Capsule Type = ROUTE_ADVERTISEMENT
(IP Version = 4
 Start IP Address = 192.0.2.0
 End IP Address = 192.0.2.255
 IP Protocol = 0) // Any

                                STREAM(44): DATA
                                Capsule Type = ADDRESS_ASSIGN
                                (Request ID = 0
                                 IP Version = 4
                                 IP Address = 203.0.113.100
                                 IP Prefix Length = 32)

                                STREAM(44): DATA
                                Capsule Type = ROUTE_ADVERTISEMENT
                                (IP Version = 4
                                 Start IP Address = 203.0.113.0
                                 End IP Address = 203.0.113.255
                                 IP Protocol = 0) // Any

DATAGRAM
Quarter Stream ID = 11
Context ID = 0
Payload = Encapsulated IP Packet

                                DATAGRAM
                                Quarter Stream ID = 11
                                Context ID = 0
                                Payload = Encapsulated IP Packet
Figure 18: Site-to-Site VPN Capsule Example
8.3. IP Flow Forwarding
The following example shows an IP flow forwarding setup, where a client requests to establish a forwarding tunnel to target.example.com using the Stream Control Transmission Protocol (SCTP) (IP protocol 132) and receives a single local address and remote address it can use for transmitting packets. A similar approach could be used for any other IP protocol that isn't easily proxied with existing HTTP methods, such as ICMP, Encapsulating Security Payload (ESP), etc.
+--------+ IP A           IP B +--------+
|        +---------------------+   IP   | IP C
| Client | IP C <--> D         | Proxy  +---------> IP D
|        +---------------------+        |
+--------+                     +--------+
Figure 19: Proxied Flow Setup
In this case, the client specifies both a target hostname and an Internet Protocol Number in the scope of its request, indicating that it only needs to communicate with a single host. The IP proxy is able to perform DNS resolution on behalf of the client and allocate a specific outbound socket for the client instead of allocating an entire IP address to the client. In this regard, the request is similar to a regular CONNECT proxy request.
The IP proxy assigns a single IPv6 address to the client (2001:db8:1234::a) and a route to a single IPv6 host (2001:db8:3456::b) scoped to SCTP (IP Protocol 132). The client can send and receive SCTP/IP packets to and from that host, and only that host.
[[ From Client ]]               [[ From IP Proxy ]]

SETTINGS
H3_DATAGRAM = 1

                                SETTINGS
                                ENABLE_CONNECT_PROTOCOL = 1
                                H3_DATAGRAM = 1

STREAM(44): HEADERS
:method = CONNECT
:protocol = connect-ip
:scheme = https
:path = /proxy?target=target.example.com&ipproto=132
:authority = proxy.example.com
capsule-protocol = ?1

                                STREAM(44): HEADERS
                                :status = 200
                                capsule-protocol = ?1

                                STREAM(44): DATA
                                Capsule Type = ADDRESS_ASSIGN
                                (Request ID = 0
                                 IP Version = 6
                                 IP Address = 2001:db8:1234::a
                                 IP Prefix Length = 128)

                                STREAM(44): DATA
                                Capsule Type = ROUTE_ADVERTISEMENT
                                (IP Version = 6
                                 Start IP Address = 2001:db8:3456::b
                                 End IP Address = 2001:db8:3456::b
                                 IP Protocol = 132)

DATAGRAM
Quarter Stream ID = 11
Context ID = 0
Payload = Encapsulated SCTP/IP Packet

                                DATAGRAM
                                Quarter Stream ID = 11
                                Context ID = 0
                                Payload = Encapsulated SCTP/IP Packet
Figure 20: Proxied SCTP Flow Example
8.4. Proxied Connection Racing
The following example shows a setup where a client proxies UDP packets through an IP proxy in order to control connection establishment racing itself, as defined in Happy Eyeballs [HEv2]. This example is a variant of the proxied flow but highlights how IP-level proxying can enable new capabilities, even for TCP and UDP.
+--------+ IP A           IP B +--------+ IP C
|        +---------------------+        |<------------> IP E
| Client | IP C <--> E         |   IP   |
|        |    D <--> F         | Proxy  |
|        +---------------------+        |<------------> IP F
+--------+                     +--------+ IP D
Figure 21: Proxied Connection Racing Setup
As with proxied flows, the client specifies both a target hostname and an Internet Protocol Number in the scope of its request. When the IP proxy performs DNS resolution on behalf of the client, it can send the various remote address options to the client as separate routes. It can also ensure that the client has both IPv4 and IPv6 addresses assigned.
The IP proxy assigns both an IPv4 address (192.0.2.3) and an IPv6 address (2001:db8::1234:1234) to the client, as well as an IPv4 route (198.51.100.2) and an IPv6 route (2001:db8:3456::b), which represent the resolved addresses of the target hostname, scoped to UDP (IP Protocol 17). The client can send and receive UDP/IP packets to either of the advertised target addresses, so it can race the two address families through the IP proxy exactly as Happy Eyeballs would race them directly.
[[ From Client ]]               [[ From IP Proxy ]]

SETTINGS
H3_DATAGRAM = 1

                                SETTINGS
                                ENABLE_CONNECT_PROTOCOL = 1
                                H3_DATAGRAM = 1

STREAM(44): HEADERS
:method = CONNECT
:protocol = connect-ip
:scheme = https
:path = /proxy?target=target.example.com&ipproto=17
:authority = proxy.example.com
capsule-protocol = ?1

                                STREAM(44): HEADERS
                                :status = 200
                                capsule-protocol = ?1

                                STREAM(44): DATA
                                Capsule Type = ADDRESS_ASSIGN
                                (Request ID = 0
                                 IP Version = 4
                                 IP Address = 192.0.2.3
                                 IP Prefix Length = 32),
                                (Request ID = 0
                                 IP Version = 6
                                 IP Address = 2001:db8::1234:1234
                                 IP Prefix Length = 128)

                                STREAM(44): DATA
                                Capsule Type = ROUTE_ADVERTISEMENT
                                (IP Version = 4
                                 Start IP Address = 198.51.100.2
                                 End IP Address = 198.51.100.2
                                 IP Protocol = 17),
                                (IP Version = 6
                                 Start IP Address = 2001:db8:3456::b
                                 End IP Address = 2001:db8:3456::b
                                 IP Protocol = 17)

                ...

DATAGRAM
Quarter Stream ID = 11
Context ID = 0
Payload = Encapsulated IPv6 Packet

DATAGRAM
Quarter Stream ID = 11
Context ID = 0
Payload = Encapsulated IPv4 Packet
Figure 22: Proxied Connection Racing Example
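Sections 8.2 through 8.4 all rely on the same per-packet enforcement at an IP proxying endpoint: the source address of an encapsulated packet must be one the endpoint assigned to its peer, the destination and IP Protocol must fall inside a route the endpoint advertised to that peer (only SCTP to 2001:db8:3456::b in Figure 20, only UDP to the two resolved addresses in Figure 22), and the Hop Count or TTL is decremented, which is why the 255-dependent protocols mentioned in Section 8.2 stop working. The following Python example, written for this page and not taken from RFC 9484 or any implementation, applies those checks to raw IPv4 and IPv6 packets and recomputes the IPv4 header checksum after the decrement. The packet builders and the packets fed to them are constructed test data; the route state mirrors Figures 20 and 22 as seen from the IP proxy; the decision to drop, rather than forward, a packet that matches no advertised route is this example's policy choice, and IPv6 extension headers are not walked.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

@dataclass(frozen=True)
class Route:                     # one IP Address Range from a ROUTE_ADVERTISEMENT
    start: IPAddress
    end: IPAddress
    ip_proto: int                # 0 = any protocol

    def covers(self, dst: IPAddress, proto: int) -> bool:
        return (dst.version == self.start.version and self.start <= dst <= self.end
                and self.ip_proto in (0, proto))

@dataclass
class TunnelState:
    """Per-peer policy: addresses assigned to the peer and routes advertised to it."""
    assigned: List[IPAddress]
    routes: List[Route]

def build_state(assigned: List[str], routes: List[Tuple[str, str, int]]) -> TunnelState:
    return TunnelState([ipaddress.ip_address(a) for a in assigned],
                       [Route(ipaddress.ip_address(s), ipaddress.ip_address(e), p) for s, e, p in routes])

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum, computed with the checksum field treated as zero."""
    words = struct.unpack(f">{len(hdr) // 2}H", hdr[:10] + b"\x00\x00" + hdr[12:])
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def forward(state: TunnelState, pkt: bytes) -> Tuple[str, Optional[bytes]]:
    """Return ("forward", rewritten_packet) or ("drop: <reason>", None)."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
            return "drop: bad IPv4 header", None
        if ipv4_checksum(pkt[:ihl]) != struct.unpack(">H", pkt[10:12])[0]:
            return "drop: bad IPv4 checksum", None
        ttl, proto = pkt[8], pkt[9]
        src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    elif version == 6:
        # Next Header is taken as the transport protocol; extension headers are not walked here.
        if len(pkt) < 40 or struct.unpack(">H", pkt[4:6])[0] + 40 != len(pkt):
            return "drop: bad IPv6 header", None
        proto, ttl = pkt[6], pkt[7]
        src, dst = ipaddress.ip_address(pkt[8:24]), ipaddress.ip_address(pkt[24:40])
    else:
        return "drop: unknown IP version", None
    if src not in state.assigned:            # RFC 9484 section 4.8: unassigned source -> drop
        return "drop: source not assigned", None
    if not any(r.covers(dst, proto) for r in state.routes):   # outside every advertised route
        return "drop: no route for destination/protocol", None
    if ttl <= 1:                             # would reach zero after the decrement
        return "drop: hop limit exceeded", None
    out = bytearray(pkt)
    if version == 4:
        out[8] = ttl - 1
        out[10:12] = struct.pack(">H", ipv4_checksum(bytes(out[:ihl])))
    else:
        out[7] = ttl - 1
    return "forward", bytes(out)

def make_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes = b"") -> bytes:
    """Constructed test packet (not from RFC 9484): minimal 20-byte IPv4 header."""
    hdr = bytearray(struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                                ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed))
    hdr[10:12] = struct.pack(">H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def make_ipv6(src: str, dst: str, next_header: int, hop_limit: int, payload: bytes = b"") -> bytes:
    """Constructed test packet (not from RFC 9484): fixed 40-byte IPv6 header."""
    return struct.pack(">IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

if __name__ == "__main__":
    # State the IP proxy holds for the client after Figures 20 and 22.
    state = build_state(["192.0.2.3", "2001:db8::1234:1234", "2001:db8:1234::a"],
                        [("198.51.100.2", "198.51.100.2", 17),
                         ("2001:db8:3456::b", "2001:db8:3456::b", 17),
                         ("2001:db8:3456::b", "2001:db8:3456::b", 132)])
    print(forward(state, make_ipv4("192.0.2.3", "198.51.100.2", 17, 64))[0])
    print(forward(state, make_ipv4("192.0.2.3", "198.51.100.2", 6, 64))[0])
    print(forward(state, make_ipv6("2001:db8:1234::a", "2001:db8:3456::b", 132, 255))[0])
```

The state is built from the endpoint's own view of the exchange: what it sent in ADDRESS_ASSIGN becomes the set of acceptable source addresses, and what it sent in ROUTE_ADVERTISEMENT becomes the set of acceptable destinations, so a TCP packet to 198.51.100.2 is dropped under the UDP-only route of Figure 22 even though the address itself is reachable. A packet arriving with Hop Limit 255 leaves with 254, which is the behaviour Section 8.2 warns about.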