IETF Logo Mail Archive

Re: [Masque] Éric Vyncke's Discuss on draft-ietf-masque-connect-ip-09: (with DISCUSS and COMMENT)

David Schinazi <dschinazi.ietf@gmail.com> Wed, 12 April 2023 00:12 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EDDEC152A36; Tue, 11 Apr 2023 17:12:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TEJsFVzpzXSW; Tue, 11 Apr 2023 17:12:06 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39964C152A30; Tue, 11 Apr 2023 17:12:06 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-504ecfdf6b6so266928a12.3; Tue, 11 Apr 2023 17:12:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681258324; x=1683850324; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EjipbSf+EHALIJIsDsvgLQhgobfUTMNxdDmc5mokBBc=; b=Gc5INdKXptYtzMSXTz6P8d0CVSv+vXDMmdkUDlJtAggBCEunALvFF6dmvWYLkyO/UH jPVSxt93k78KzeZ/D+JKhCCk8bq0PJ8e+S3Z4XU4aNoER1PVQKQACVl2f46mRuuvcAsG csgcfjh0u2X0AwNqdImpWaL3A5ZVOrFy0UaY4L9mXl+cywm4HtITUIw/edFr0WdFuRD3 EBf7bb+1IejTaNBtcNmtT3sNyiK4fivGVupLsQrd8UchcdoT5nfQ8x7sTIPqPDH3qPfG hVWLps/H6ZTt3g41UmKmqrpshIV+ZrHUkC8mG0Ba675J10JQaAhph13yM8UYXA+YM+Ip kAOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681258324; x=1683850324; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EjipbSf+EHALIJIsDsvgLQhgobfUTMNxdDmc5mokBBc=; b=HCa9ASsmtgjObrcpE16qkETY1B+ZEvxILwaYe48tSOdPLOGm5l7ZKjyqXQpJSWaSKK b9CCt0ob/ly8OaQqJYCfFkBCEWJqmelnlK9Xvzv3flxcYpabnDQ3j370izmUCg+ILa06 4RoGsIGwV6XRHwlsLTVO3PMsaK8ToPz8r0bSgr1Sk2JNTHYcOCLDWfSrLByHBHhZGXVt riw9e5LJsR+eMkg8raaAuQOgmJD+qU4aX1wlRPRl3jwTyb5JX/24o3T0kVUFnel3+Ufi 3sopWj5aqVF/sNUl86Xq3b5Jd9Us2jUjqTGirH5xtBNfw8zag6EuyPHFHUpIf2dy6hUO LR3w==
X-Gm-Message-State: AAQBX9fygReo5Y86FEQ3o2X6g9PKifp0qWbsGbF3RuvvLsquSdHjXT2k H/2LV8Txtdp9jXGtt2pOeUKTQqeL6jL64JzU+6Gh+JsX16w=
X-Google-Smtp-Source: AKy350b0IKuyw1mZT+Hx1mDeCTb1QpEnJnPByVbGRuEIhipZHAeyQ9j0r80k1ed8Asw53w7w3NxdXyPso/8a1KJCjL0=
X-Received: by 2002:a50:8ad7:0:b0:505:4fb:4430 with SMTP id k23-20020a508ad7000000b0050504fb4430mr7582edk.6.1681258324240; Tue, 11 Apr 2023 17:12:04 -0700 (PDT)
MIME-Version: 1.0
References: <168121253516.32736.10754673770332939967@ietfa.amsl.com>
In-Reply-To: <168121253516.32736.10754673770332939967@ietfa.amsl.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Tue, 11 Apr 2023 17:11:53 -0700
Message-ID: <CAPDSy+5joAN3X15PNYv5p9X5vde4mz6rXSf3dFXG1b0D4ZVpSg@mail.gmail.com>
To: Éric Vyncke <evyncke@cisco.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-masque-connect-ip@ietf.org, masque-chairs@ietf.org, masque@ietf.org, caw@heapingbits.net
Content-Type: multipart/alternative; boundary="000000000000312b0e05f9187578"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/1FgjItyqNEgkdRxD_Dgp2O-vtvc>
Subject: Re: [Masque] Éric Vyncke's Discuss on draft-ietf-masque-connect-ip-09: (with DISCUSS and COMMENT)
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Apr 2023 00:12:07 -0000

Hi Éric, and thank you for your review.
In this email, I'll address your DISCUSS points. We'll dive into your
COMMENTs once we've cleared your DISCUSS.
Please see responses inline.
David

On Tue, Apr 11, 2023 at 4:28 AM Éric Vyncke via Datatracker <
noreply@ietf.org> wrote:

> Éric Vyncke has entered the following ballot position for
> draft-ietf-masque-connect-ip-09: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-masque-connect-ip/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Thank you for the work put into this document. I *really* find the idea
> and the
> protocol interesting and useful. The text is also easy to read and to
> understand (albeit underspecified in some cases -- hence my DISCUSS).
>
> Please find below some blocking DISCUSS points (easy to address by adding
> some
> text), some non-blocking COMMENT points (but replies would be appreciated
> even
> if only for my own education), and some nits.
>
> Special thanks to Chris Wood for the shepherd's detailed write-up
> including the
> WG consensus *but* it lacks the justification of the intended status.
>
> Other thanks to Tim Winters, the Internet directorate reviewer (at my
> request):
>
> https://datatracker.ietf.org/doc/review-ietf-masque-connect-ip-09-intdir-telechat-winters-2023-04-07/
> (and I have read the email exchange, thanks to all)
>
> I hope that this review helps to improve the document,
>
> Regards,
>
> -éric
>
> # DISCUSS (blocking)
>
> As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a
> DISCUSS ballot is a request to have a discussion on the following topics:
>
> ## Section 8
>
> Several parts of this section are unspecified, see below.
>
> `Note that ICMP messages can originate from a source address different from
> that of the IP proxying peer.` is of course obvious, but I think that this
> case
> (ICMP originating from the global Internet to the proxy client) deserves a
> section on its own. Notably whether this source must be within the target ?
>

This is discussed in the following paragraph of our Security Considerations:
https://www.ietf.org/archive/id/draft-ietf-masque-connect-ip-09.html#section-12-4
Does that answer your question?

The source address to be used by the proxy when originating an ICMP should
> also
> be specified, even if just a reference to RFC 6724 for IPv6.
>

We already reference RFC 4443 which discusses this in section 2.2. I'm not
sure
adding a reference to RFC 6724 is required. Either way, may I propose we
move
this editorial topic out of your DISCUSS block and into a COMMENT please?

## Section 9.2
>
> In the example where the IP proxy has an IP address in the same prefix as
> the
> legacy client (there is no on-link / off-link state for IPv4 as opposed to
> IPv6), the encapsulation behavior of section 7 requires the TTL to be
> decremented before entering the tunnel, which is really wrong as it this
> case
> it is not formally a routing to a different prefix and some protocols may
> expect TTL=255, which won't be the case.
>
> Request to add some text about this "issue".
>

Can you elaborate on what protocols do this? As far as I know, all modern
OSes
set a default TTL of 64 so you'd never see a TTL or Hop Limit of 255. We use
something very similar to this example in production and haven't had any TTL
problems.

----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>
> # COMMENTS (non blocking)
>
> ## Waiting for Last Call PR ?
>
> May I suggest, next time, to wait until a revised I-D is submitted based
> on the
> IETF Last Call before balloting ? E.g., the PR based on the sec-dir review
> is
> not yet merged AFAIK.
>
> ## Section 3
>
> `The URI Template MUST NOT contain any non-ASCII unicode characters and
> MUST
> only contain ASCII characters in the range 0x21-0x7E inclusive` the fist
> part
> of the sentence appears as useless as the second part is more restrictive.
>
> ## Section 4.1
>
> In `establishes an IP tunnel` should the other side of the tunnel
> specified ?
>
> ## Section 4.6
>
> Should the text also be clear that the proxy should only proxy packets
> *from*
> the target to the client ?
>
> ## Section 4.7.1
>
> Should the text specify what are the unused bits of the prefix when the
> prefix
> length is not the address length ? I.e., is 2001:db8:cafe:babe:f00d::/32 a
> valid prefix ?
>
> ## Section 4.7.3
>
> In the previous sections, IP protocol could also be an IPv6 extension
> header.
> I.e., using "0" as a wildcard value prevents using it to signal Hop-by-hop
> extension header. Should 59 be used ? (even if no next header is only for
> IPv6)
>
> BTW, I was about to ballot DISCUSS on this issue.
>
> The reader (including myself and John Scudder per his ballot) would
> probably
> welcome more explanations to understand why the usual CIDR/prefix notation
> for
> routes is not used. I.e., some routers only use CIDR/prefix FIB entries
> and one
> start-end range could translate in a lot of CIDR/prefix routes in the
> router
> FIB.
>
> ## Section 7
>
> Thanks for the text about link-local addresses and link-local multicast.
> But,
> then it raises the question about which IP address to use when replying to
> a
> link-local multicast ? I.e., can a global address be used in the absence
> of LLA
> ?
>
> ## Section 8
>
> Please also add "hop-limit exceeded" in the non-exhaustive list of errors.
>
> Should ICMP echo requests be mentioned ? (they are *not* error signaling
> but
> are quite useful).
>
> ## Section 9.1
>
> In `Such VPN setups can be either full-tunnel or split-tunnel` please
> define
> (or add a reference) to full/split tunnel or simply do not mention those
> terms
> now as they are defined later.
>
> `using a source address in its assigned prefix` while the client has been
> assigned a single /32 (i.e., the sentence is correct but could be
> confusing)
>
> The legends of figures 15 and 16 use different templates ("capsule" in one
> case) is it on purpose ?
>
> Should the split-tunnel example have two routes to exclude 192.2.0.42 ?
>
> ## Section 12
>
> RFC 5095 is probably not the best RFC about extension header security,
> there
> have been many others notably in V6OPS by Fernando Gont et al.
>
> Should there be an informative reference to RFC 6169 (Security Concerns
> with IP
> Tunneling) ?
>
> # NITS (non blocking / cosmetic)
>
> ## Section 4.1
>
> s/via A and/or AAAA records/via A and/or AAAA resource records/ ?
>
>
>
>

v2.23.0 | Report a Bug | By Email