IETF Logo Mail Archive

Re: [Int-dir] [Last-Call] Intdir telechat review of draft-ietf-masque-connect-ip-10

Behcet Sarikaya <sarikaya2012@gmail.com> Mon, 17 April 2023 15:49 UTC

Return-Path: <sarikaya2012@gmail.com>
X-Original-To: int-dir@ietfa.amsl.com
Delivered-To: int-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B313AC14CF09; Mon, 17 Apr 2023 08:49:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.845
X-Spam-Level:
X-Spam-Status: No, score=-1.845 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6DDvCQCzZL9N; Mon, 17 Apr 2023 08:49:32 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24745C14EB17; Mon, 17 Apr 2023 08:49:32 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id y21so7926664ual.3; Mon, 17 Apr 2023 08:49:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681746571; x=1684338571; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=H1DQu1rAy6vkdfBBpgXT40plbzP8g8uoM/f2v95BMGI=; b=fLhVjRscGA2SJbGkpPqgUArUeTc4KTG8E9LGNN3WopIuj1BpZwIQm3K9vmnIA9Xiby ZoaTCiKYOu3DMYK6329caX1axO4P5b4NbJLFGUHB2LRvKVaqFKoTGxCwuhcPAiWuQVFE bqTlQQLRjqlj1m1i3OxAZSNk2h4osPnVqoCvj8mh2cTvMqWFPqNQ6QZHmPSeEs/txOp8 0unK6+rteWt45jah2S+0SnUz1eu+AcRvEHTT7WF1mS51YHkNcPrsMtsTTQDxLt+jlAwM FZy0p2/XlaK0o0T+XB/IpIAaGO56mjxLmNAzJyDJ/166f7ZWdjxusAbAD0Xt8+zcyROs ybHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681746571; x=1684338571; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=H1DQu1rAy6vkdfBBpgXT40plbzP8g8uoM/f2v95BMGI=; b=ltL77W/SPpM5g/KVB/6n1snnpPMFvjtseINCkqB/j9DUTLdEDzR+0WT3CTYrrnVoHs ZKAtb3sDZg3Xr8WWjR2wgHSO0qEna3qnOOOYdcnuhuvPA1udTvYY/hbGi7XOqD4dvoiq y5GgtRc9MmvbSRjSam3L8XXCYSmrF6xo47ojRggNmP16O0SmNIk8550pWLcnzEOC22JU E0a58DbQJVNJX6fCShlA63QcxMvd5sPlCPsdgvab7bzRbyb/lMRCSdZSVxF9MQIFtplO QrMrtkvwF2DWET7s4iz2CwMyYVu7kjG59cnoFuS31o2iCvWsZWFJRJ9TJsKS9eJuSVrn cRww==
X-Gm-Message-State: AAQBX9eJ+5E6gE2KWqbqVjlWcnAilBaX4CkF0YGlQJEiBDEo03vxUmPb h/m5TTdcOqp6Wz/x+CYbdoiZBGoPAqbAYfKs6tuTus5/yRM=
X-Google-Smtp-Source: AKy350aVhTqx5uv0AOr2h8XU2DcOhpCq9wZ7bfo/45NDxlE+wcReEMquTdt5XOIBfJikr0ayT+19pYmwG6nK2/r2IS8=
X-Received: by 2002:ab0:53d8:0:b0:73f:f15b:d9e3 with SMTP id l24-20020ab053d8000000b0073ff15bd9e3mr10919183uaa.0.1681746571035; Mon, 17 Apr 2023 08:49:31 -0700 (PDT)
MIME-Version: 1.0
References: <168152936276.58402.12408511926010382248@ietfa.amsl.com>
In-Reply-To: <168152936276.58402.12408511926010382248@ietfa.amsl.com>
Reply-To: sarikaya@ieee.org
From: Behcet Sarikaya <sarikaya2012@gmail.com>
Date: Mon, 17 Apr 2023 10:49:19 -0500
Message-ID: <CAC8QAccAvR-G7UYDWtj+SKaMDdP_rAjgDW27wHM+qm7h9D5yFg@mail.gmail.com>
To: Joseph Touch <touch@strayalpha.com>
Cc: int-dir@ietf.org, draft-ietf-masque-connect-ip.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f8073805f98a222c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-dir/w1ORdamcgd8ufSf-s_bjls6rKxM>
Subject: Re: [Int-dir] [Last-Call] Intdir telechat review of draft-ietf-masque-connect-ip-10
X-BeenThere: int-dir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This list is for discussion between the members of the Internet Area directorate." <int-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-dir>, <mailto:int-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-dir/>
List-Post: <mailto:int-dir@ietf.org>
List-Help: <mailto:int-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-dir>, <mailto:int-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2023 15:49:36 -0000

Hi Joe,
Note. This message is directed to intarea.
As a tunneling expert you are the right person to review this document, at
least I believe so.

On Fri, Apr 14, 2023 at 10:29 PM Joseph Touch via Datatracker <
noreply@ietf.org> wrote:

> Reviewer: Joseph Touch
> Review result: Not Ready
>
> This review focuses on the behavior of the tunnel from an IP perspective.
> The
> HTTP aspects are not considered.
>
> In summary, the document presents a method for tunneling IP packets over an
> HTTP connection. Its terminology and discussion is confusing, being
> presented
> largely from the perspective of the HTTP mechanism and not sufficiently
> from
> the perspective of the resulting IP tunnel that is provided. Details are
> provided below.
>
> --
>
> The terminology is confusing. Because HTTP is a client/server protocol, it
> makes sense to refer to a web (or HTTP) proxy, a single entity that acts as
> both server and client, relaying requests received on the server side and
> initiating them on the client side. An IP proxy would relay datagrams
> received
> on one IP address and issue them with at least some new addressing. What
> appears to be described here is way to create an IP tunnel over a web
> connection, which is not a proxy. It is (and should be called) just an IP
> tunnel. The web client and server are not co-located as they are in a
> proxy;
> the term proxy is nonsensical in this context.
>
> Sec 4.6 indicates that ipproto can be any number in [IANA-PN]; this is not
> consistent with the document title or remainder of the document
> description.
> That list is of protocols that can be payloads of IP packets, not of IP
> protocols - e.g., IPv6 is not 6 but 41, and when it is 41 it describes
> IPv6 as
> a payload of an outer IP packet, not an IPv6 packet. There does not appear
> to
> be a way to indicate the outermost IP packet protocol version, e.g.,
> https://www.iana.org/assignments/version-numbers/version-numbers.xhtml.
> The
> claim that implementations MUST walk the chain of extensions to find the
> protocol is unboundeded as stated; it needs to be limited, e.g., it needs
> to
> stop at the first non-IP protocol (e.g., it should not “find” TCP in IP in
> UDP
> in IP, if limited to protocol=6).
>
> Note that this also raises a further concern, that of the utility of an IP
> tunnel. The Internet is composed of links and tunnels emulate links. This
> document appears to describe tunnels that can be limited to specific types
> of
> IP packets, but it overlooks the outermost IP packet version. It also
> overlooks
> support for non-IP protocols that are critical to IP operation, e.g., for
> IPv4,
> these include ICMP and ARP. If an “IP proxy” were limited to protocol 6
> (TCP),
> it would block ICMP (which protocol 1) and ARP (which isn’t an IP packet at
> all). Note that this is also inconsistent with the ROUTE_ADVERTISEMENT
> capsule
> as described in Sec 4.7.3, which asserts that ICMPs are exceptions to the
> indicated protocol (at a minimum, this needs to be noted here as well).
>
> Sec 4.7, although defining new capsules, is really about tunnel
> configuration.
> It should be moved to a top-level section and presented as such.
>
> Except for Sec 4.7, which explains how IP addresses and routing can be
> obtained
> over the HTTP connection, the document views the necessary behavior from
> only
> the perspective of the tunnel ingress as an HTTP client and the tunnel
> egress
> as an HTTP server. It is missing the way in which these ingress/egress
> components are viewed a their endpoints, e.g., to be useful as an IP
> tunnel,
> these need to appear as attached to (possibly virtual) network interfaces,
> i.e., to appear as a link, which allows them to then be used for local
> processes (via sockets), packet forwarding, etc. E.g., the mechanism in
> Sec 4.7
> is only one way that endpoints may be configured; others should be
> discussed –
> including using DHCP or IPv6 RAs over the tunnel itself.
>
> Sec 7 explains many aspects of IP packet handling that are already
> sufficiently
> described in RFCs 1122 and 1812 (for IPv4) and 8200 (for IPv6).  That
> section
> unnecessarily repeats that detail and is also vague as to where particular
> behaviors are to be realized. I.e., parsing the IP header, hopcount
> processing,
> and packet forwarding. The document should just clearly state that tunnels
> behave as links




> (as explained in draft-ietf-intarea-tunnels)


But the draft-intarea-tunnels doesn't talk about the type of tunnel
described in this draft, i.e. tunnels over an HTTP connection.
Maybe you can add it before it becomes an RFC.

Behcet


> and the rest of
> processing happens *outside* the HTTP server as defined for a host or
> router.
>
> It seems incorrect to design these tunnels as something less than a
> typical IP
> interface, esp. for IPv6 (autoconfig, neighbor discovery). Doing so only
> serves
> to invite incompatibility and/or undermine existing mechanisms that are
> useful
> in detecting misconfiguration (e.g., duplicate address detection). If
> there is
> believed to be a technical justification for this limitation, the argument
> needs to be presented and its implications reviewed (e.g., an IPv6 tunnel
> that
> isn’t a true IPv6 interface may not be useful as an IPv6 tunnel).
>
> The end of section 7 on link MTUs needs to address the additional
> requirement
> of IPv6 EMTU_R of 1500 bytes. Source fragmentation and reassembly need to
> be
> addressed for both IPv4 and IPv6, and path-fragmentation for IPv4 (unless
> it is
> not supported, which needs to be noted).
>
> Sec 8 should be clear on what entity is responsible for ICMP packet
> generation
> and receipt. This presumably should be the HTTP endpoint device, not the
> HTTP
> client or server. I.e., the tunnel transits ICMP packets but tunnel
> endpoints
> should neither generate nor consume them, just like any other link.
>
> As other reviewers have noted, Sec 10 on nested congestion control is quite
> thin. The current statement is equivalent to “if you KNOW congestion is
> nested,
> turn it off” – it should be the opposite, i.e., “turn congestion ON only
> if you
> KNOW congestion is NOT nested”.
>
> Section 11.1 refers to fragmented packets; it should refer to them as not
> being
> able to be “re-fragmented”; source-generated fragments are still
> fragmented and
> can cross the tunnel subject to the tunnel MTU.
>
> Section 11.1 should require that the IP tunnel be created with a given MTU
> and
> to indicate that to the endpoint where the client/servers reside; issuing
> ICMP
> PTBs is the responsibility of those endpoints when they are seeking to use
> those tunnel endpoints, NOT of the tunnel endpoint itself. Tunnels are
> links;
> links do not issue ICMPs.
>
> Sec 12 should indicate how access to the HTTP proxy itself should be access
> limited, i.e., to avoid presenting an arbitrary traffic injection point. It
> should also address the potential use of HTTP-level encryption (e.g., TLS,
> DTLS) to protect the tunnel contents and tunnel configuration exchanges.
>
> --
>
>
> --
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call
>

v2.23.0 | Report a Bug | By Email