document transparent proxy interaction (Closes #2)

79d65724 · dkg · 61574f48 · 79d65724
Commit 79d65724 authored 8 years ago by dkg
--- a/draft-dkg-dprive-demux-dns-http.md
+++ b/draft-dkg-dprive-demux-dns-http.md
@@ -109,8 +109,11 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "OPTIONAL" in this document are to be interpreted as described in
 {{RFC2119}}.

+Scoping
+=======
+
 Distinguish only at the start of a stream
-=========================================
+-----------------------------------------

 A server which attempts to distinguish DNS queries from HTTP requests
 individually might consider using these guidelines in the middle of a
@@ -131,6 +134,16 @@ If being able to interleave DNS queries with HTTP requests on a single
 stream is desired, a strategy like
 {{I-D.ietf-dnsop-dns-wireformat-http}} is recommended instead.

+Avoid multiplexing in the clear
+-------------------------------
+
+The widespread deployment of transparent HTTP proxies makes it likely
+that any attempt to do this kind of multiplexing/demultiplexing on a
+cleartext channel that normally carries HTTP (e.g. TCP port 80) will
+fail or trigger other "interesting" behaviors.  This approach should
+be done only in channels sufficiently obscured that a transparent
+proxy would not try to interpret the resultant stream.
+
 Why not ALPN?
 -------------