Re: [Int-dir] [Last-Call] Intdir telechat review of draft-ietf-masque-connect-ip-10
Behcet Sarikaya <sarikaya2012@gmail.com> Mon, 17 April 2023 15:49 UTC
Return-Path: <sarikaya2012@gmail.com>
X-Original-To: int-dir@ietfa.amsl.com
Delivered-To: int-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B313AC14CF09; Mon, 17 Apr 2023 08:49:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.845
X-Spam-Level:
X-Spam-Status: No, score=-1.845 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6DDvCQCzZL9N; Mon, 17 Apr 2023 08:49:32 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24745C14EB17; Mon, 17 Apr 2023 08:49:32 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id y21so7926664ual.3; Mon, 17 Apr 2023 08:49:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681746571; x=1684338571; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=H1DQu1rAy6vkdfBBpgXT40plbzP8g8uoM/f2v95BMGI=; b=fLhVjRscGA2SJbGkpPqgUArUeTc4KTG8E9LGNN3WopIuj1BpZwIQm3K9vmnIA9Xiby ZoaTCiKYOu3DMYK6329caX1axO4P5b4NbJLFGUHB2LRvKVaqFKoTGxCwuhcPAiWuQVFE bqTlQQLRjqlj1m1i3OxAZSNk2h4osPnVqoCvj8mh2cTvMqWFPqNQ6QZHmPSeEs/txOp8 0unK6+rteWt45jah2S+0SnUz1eu+AcRvEHTT7WF1mS51YHkNcPrsMtsTTQDxLt+jlAwM FZy0p2/XlaK0o0T+XB/IpIAaGO56mjxLmNAzJyDJ/166f7ZWdjxusAbAD0Xt8+zcyROs ybHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681746571; x=1684338571; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=H1DQu1rAy6vkdfBBpgXT40plbzP8g8uoM/f2v95BMGI=; b=ltL77W/SPpM5g/KVB/6n1snnpPMFvjtseINCkqB/j9DUTLdEDzR+0WT3CTYrrnVoHs ZKAtb3sDZg3Xr8WWjR2wgHSO0qEna3qnOOOYdcnuhuvPA1udTvYY/hbGi7XOqD4dvoiq y5GgtRc9MmvbSRjSam3L8XXCYSmrF6xo47ojRggNmP16O0SmNIk8550pWLcnzEOC22JU E0a58DbQJVNJX6fCShlA63QcxMvd5sPlCPsdgvab7bzRbyb/lMRCSdZSVxF9MQIFtplO QrMrtkvwF2DWET7s4iz2CwMyYVu7kjG59cnoFuS31o2iCvWsZWFJRJ9TJsKS9eJuSVrn cRww==
X-Gm-Message-State: AAQBX9eJ+5E6gE2KWqbqVjlWcnAilBaX4CkF0YGlQJEiBDEo03vxUmPb h/m5TTdcOqp6Wz/x+CYbdoiZBGoPAqbAYfKs6tuTus5/yRM=
X-Google-Smtp-Source: AKy350aVhTqx5uv0AOr2h8XU2DcOhpCq9wZ7bfo/45NDxlE+wcReEMquTdt5XOIBfJikr0ayT+19pYmwG6nK2/r2IS8=
X-Received: by 2002:ab0:53d8:0:b0:73f:f15b:d9e3 with SMTP id l24-20020ab053d8000000b0073ff15bd9e3mr10919183uaa.0.1681746571035; Mon, 17 Apr 2023 08:49:31 -0700 (PDT)
MIME-Version: 1.0
References: <168152936276.58402.12408511926010382248@ietfa.amsl.com>
In-Reply-To: <168152936276.58402.12408511926010382248@ietfa.amsl.com>
Reply-To: sarikaya@ieee.org
From: Behcet Sarikaya <sarikaya2012@gmail.com>
Date: Mon, 17 Apr 2023 10:49:19 -0500
Message-ID: <CAC8QAccAvR-G7UYDWtj+SKaMDdP_rAjgDW27wHM+qm7h9D5yFg@mail.gmail.com>
To: Joseph Touch <touch@strayalpha.com>
Cc: int-dir@ietf.org, draft-ietf-masque-connect-ip.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f8073805f98a222c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-dir/w1ORdamcgd8ufSf-s_bjls6rKxM>
Subject: Re: [Int-dir] [Last-Call] Intdir telechat review of draft-ietf-masque-connect-ip-10
X-BeenThere: int-dir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This list is for discussion between the members of the Internet Area directorate." <int-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-dir>, <mailto:int-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-dir/>
List-Post: <mailto:int-dir@ietf.org>
List-Help: <mailto:int-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-dir>, <mailto:int-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2023 15:49:36 -0000
Hi Joe, Note. This message is directed to intarea. As a tunneling expert you are the right person to review this document, at least I believe so. On Fri, Apr 14, 2023 at 10:29 PM Joseph Touch via Datatracker < noreply@ietf.org> wrote: > Reviewer: Joseph Touch > Review result: Not Ready > > This review focuses on the behavior of the tunnel from an IP perspective. > The > HTTP aspects are not considered. > > In summary, the document presents a method for tunneling IP packets over an > HTTP connection. Its terminology and discussion is confusing, being > presented > largely from the perspective of the HTTP mechanism and not sufficiently > from > the perspective of the resulting IP tunnel that is provided. Details are > provided below. > > -- > > The terminology is confusing. Because HTTP is a client/server protocol, it > makes sense to refer to a web (or HTTP) proxy, a single entity that acts as > both server and client, relaying requests received on the server side and > initiating them on the client side. An IP proxy would relay datagrams > received > on one IP address and issue them with at least some new addressing. What > appears to be described here is way to create an IP tunnel over a web > connection, which is not a proxy. It is (and should be called) just an IP > tunnel. The web client and server are not co-located as they are in a > proxy; > the term proxy is nonsensical in this context. > > Sec 4.6 indicates that ipproto can be any number in [IANA-PN]; this is not > consistent with the document title or remainder of the document > description. > That list is of protocols that can be payloads of IP packets, not of IP > protocols - e.g., IPv6 is not 6 but 41, and when it is 41 it describes > IPv6 as > a payload of an outer IP packet, not an IPv6 packet. There does not appear > to > be a way to indicate the outermost IP packet protocol version, e.g., > https://www.iana.org/assignments/version-numbers/version-numbers.xhtml. > The > claim that implementations MUST walk the chain of extensions to find the > protocol is unboundeded as stated; it needs to be limited, e.g., it needs > to > stop at the first non-IP protocol (e.g., it should not “find” TCP in IP in > UDP > in IP, if limited to protocol=6). > > Note that this also raises a further concern, that of the utility of an IP > tunnel. The Internet is composed of links and tunnels emulate links. This > document appears to describe tunnels that can be limited to specific types > of > IP packets, but it overlooks the outermost IP packet version. It also > overlooks > support for non-IP protocols that are critical to IP operation, e.g., for > IPv4, > these include ICMP and ARP. If an “IP proxy” were limited to protocol 6 > (TCP), > it would block ICMP (which protocol 1) and ARP (which isn’t an IP packet at > all). Note that this is also inconsistent with the ROUTE_ADVERTISEMENT > capsule > as described in Sec 4.7.3, which asserts that ICMPs are exceptions to the > indicated protocol (at a minimum, this needs to be noted here as well). > > Sec 4.7, although defining new capsules, is really about tunnel > configuration. > It should be moved to a top-level section and presented as such. > > Except for Sec 4.7, which explains how IP addresses and routing can be > obtained > over the HTTP connection, the document views the necessary behavior from > only > the perspective of the tunnel ingress as an HTTP client and the tunnel > egress > as an HTTP server. It is missing the way in which these ingress/egress > components are viewed a their endpoints, e.g., to be useful as an IP > tunnel, > these need to appear as attached to (possibly virtual) network interfaces, > i.e., to appear as a link, which allows them to then be used for local > processes (via sockets), packet forwarding, etc. E.g., the mechanism in > Sec 4.7 > is only one way that endpoints may be configured; others should be > discussed – > including using DHCP or IPv6 RAs over the tunnel itself. > > Sec 7 explains many aspects of IP packet handling that are already > sufficiently > described in RFCs 1122 and 1812 (for IPv4) and 8200 (for IPv6). That > section > unnecessarily repeats that detail and is also vague as to where particular > behaviors are to be realized. I.e., parsing the IP header, hopcount > processing, > and packet forwarding. The document should just clearly state that tunnels > behave as links > (as explained in draft-ietf-intarea-tunnels) But the draft-intarea-tunnels doesn't talk about the type of tunnel described in this draft, i.e. tunnels over an HTTP connection. Maybe you can add it before it becomes an RFC. Behcet > and the rest of > processing happens *outside* the HTTP server as defined for a host or > router. > > It seems incorrect to design these tunnels as something less than a > typical IP > interface, esp. for IPv6 (autoconfig, neighbor discovery). Doing so only > serves > to invite incompatibility and/or undermine existing mechanisms that are > useful > in detecting misconfiguration (e.g., duplicate address detection). If > there is > believed to be a technical justification for this limitation, the argument > needs to be presented and its implications reviewed (e.g., an IPv6 tunnel > that > isn’t a true IPv6 interface may not be useful as an IPv6 tunnel). > > The end of section 7 on link MTUs needs to address the additional > requirement > of IPv6 EMTU_R of 1500 bytes. Source fragmentation and reassembly need to > be > addressed for both IPv4 and IPv6, and path-fragmentation for IPv4 (unless > it is > not supported, which needs to be noted). > > Sec 8 should be clear on what entity is responsible for ICMP packet > generation > and receipt. This presumably should be the HTTP endpoint device, not the > HTTP > client or server. I.e., the tunnel transits ICMP packets but tunnel > endpoints > should neither generate nor consume them, just like any other link. > > As other reviewers have noted, Sec 10 on nested congestion control is quite > thin. The current statement is equivalent to “if you KNOW congestion is > nested, > turn it off” – it should be the opposite, i.e., “turn congestion ON only > if you > KNOW congestion is NOT nested”. > > Section 11.1 refers to fragmented packets; it should refer to them as not > being > able to be “re-fragmented”; source-generated fragments are still > fragmented and > can cross the tunnel subject to the tunnel MTU. > > Section 11.1 should require that the IP tunnel be created with a given MTU > and > to indicate that to the endpoint where the client/servers reside; issuing > ICMP > PTBs is the responsibility of those endpoints when they are seeking to use > those tunnel endpoints, NOT of the tunnel endpoint itself. Tunnels are > links; > links do not issue ICMPs. > > Sec 12 should indicate how access to the HTTP proxy itself should be access > limited, i.e., to avoid presenting an arbitrary traffic injection point. It > should also address the potential use of HTTP-level encryption (e.g., TLS, > DTLS) to protect the tunnel contents and tunnel configuration exchanges. > > -- > > > -- > last-call mailing list > last-call@ietf.org > https://www.ietf.org/mailman/listinfo/last-call >
- [Int-dir] Intdir telechat review of draft-ietf-ma… Joseph Touch via Datatracker
- Re: [Int-dir] [Last-Call] Intdir telechat review … Behcet Sarikaya
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] Intdir telechat review of draft-iet… David Schinazi
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … Magnus Westerlund
- Re: [Int-dir] [Last-Call] Intdir telechat review … David Schinazi
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … David Schinazi
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … Mirja Kuehlewind
- Re: [Int-dir] [Last-Call] Intdir telechat review … Christian Huitema
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … Christian Huitema
- Re: [Int-dir] [Last-Call] Intdir telechat review … David Schinazi
- Re: [Int-dir] [Last-Call] Intdir telechat review … David Schinazi
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … David Schinazi
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … Martin Duke
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … touch@strayalpha.com
- Re: [Int-dir] [Last-Call] Intdir telechat review … Eric Vyncke (evyncke)