Skip to content

Latest commit

 

History

History
86 lines (70 loc) · 4.8 KB

File metadata and controls

86 lines (70 loc) · 4.8 KB

Protocol Coverage

Purpose

Document what the current method is expected to handle, what passes through directly, what may behave inconsistently, and what is not supported. Use this matrix to turn vague "site broken" reports into protocol-specific diagnostics.

Protocol matrix

Protocol / technology Current expected state Main edge cases Test requirement
TCP/443 HTTPS Core supported path for targeted browser flows Certificate trust, ALPN, SNI/ECH, provider drift Browser test plus route-tag check
HTTP/1.1 over TLS Supported through h11 local tunnel WebSocket upgrades, keepalive, redirects Test normal page + WebSocket endpoint
HTTP/2 over TLS Supported through h2/h1 local tunnel gRPC, stream resets, multiplexing Test HTTP/2 page + gRPC-like h2 endpoint
HTTP/3 / QUIC / UDP/443 Profile-defined UDP/443 policy Strict/debug block QUIC; balanced/compatibility direct-route with warning Test UDP/443 behavior explicitly
DNS UDP/TCP/53 Routed through DNS handling Resolver timeout, hijack, private domains Resolver tests
DoH Depends on configured resolver route Resolver reachability, TLS behavior DNS check script
DoT Not explicitly modeled unless user adds it Port 853 behavior Document unsupported unless tested
DoQ Not explicitly modeled UDP/QUIC-based DNS Document unsupported unless tested
WebSocket May work when HTTP/1.1 path works Upgrade headers and proxy behavior Run WebSocket smoke probe
gRPC May work when HTTP/2 path works h2 stream handling Run h2/gRPC ALPN smoke probe
WebRTC/STUN/TURN App/browser-dependent, UDP-heavy UDP route, IP leak risk, app pinning Mark as degraded/experimental
IPv6 Catch-all may direct-route IPv6 IPv6-only/NAT64 differences IPv6 route test
NAT64/DNS64 Not guaranteed IPv4-only assumptions IPv6-only lab test
Captive portal HTTP Environment-specific DNS/HTTP hijack Captive portal procedure
Private LAN Should remain direct Printers, router UI, local domains LAN direct-route test
Enterprise TLS inspection Competing MITM CA conflicts Document conflict behavior
Antivirus HTTPS scanning Competing local TLS interception Broken trust chain Detection note

Simple classification labels

Use these labels in issues and compatibility files:

supported       Expected to work in current config.
degraded        May require browser/app settings or behave inconsistently.
pass_through    Not handled by method; direct behavior expected.
unsupported     Known not to work reliably.
unknown         Not tested yet.

Protocol test checklist

  • TCP/443 HTTPS targeted domain loads.
  • HTTP/1.1-only endpoint loads.
  • HTTP/2 endpoint loads.
  • WebSocket endpoint connects or failure is documented.
  • gRPC/h2 endpoint connects or failure is documented.
  • UDP/443 behavior is known.
  • DNS UDP/TCP works.
  • DoH resolver path works.
  • IPv6 behavior is known.
  • Private LAN destination remains reachable.
  • Captive portal behavior is documented.
  • Android browser behavior is documented separately from Android app behavior.

Issue triage mapping

User symptom Likely protocol issue What to ask for
Page loads but video fails QUIC, media domain, provider route, or DNS Browser, domain category, route tag, DNS result
Login page loops cookies, third-party domains, ad-block false positive, pinned endpoint route tag, ad-block rule, browser console category only
Works in Chrome but not Firefox browser trust store or HTTP/2 behavior CA install scope and browser version
Works on desktop but not Android app Android user CA / pinning / app trust app name, browser vs app, Android version
Works on Wi-Fi but not mobile DNS64/NAT64, IPv6, provider region network type, IPv6 status, resolver status
Fails after disabling tool FakeDNS stale cache run FakeDNS recovery steps

Smoke Probe

Use scripts/protocol_smoke.py for local, redacted protocol evidence:

python scripts/protocol_smoke.py --scenario udp443-policy
python scripts/protocol_smoke.py --scenario websocket-handshake --host example.com --path /
python scripts/protocol_smoke.py --scenario http2-alpn --host example.com
python scripts/protocol_smoke.py --scenario grpc-alpn --host example.com
python scripts/protocol_smoke.py --scenario ipv6-connect --host ipv6.google.com --port 443

Related documents

Document Topic
transport-profiles.md Transport handling summary
operating-profiles.md UDP/443 policy by profile
android-trust-model.md App vs browser protocol scope
routing-correctness.md Route tags for protocol paths