IETF Logo Mail Archive

Re: [Masque] Comments on draft-age-masque-connect-ip-01

Eric Rescorla <ekr@rtfm.com> Mon, 08 November 2021 16:44 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B5673A11D1 for <masque@ietfa.amsl.com>; Mon, 8 Nov 2021 08:44:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hjs4Cf1o0LU2 for <masque@ietfa.amsl.com>; Mon, 8 Nov 2021 08:44:14 -0800 (PST)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DF243A0ED6 for <masque@ietf.org>; Mon, 8 Nov 2021 08:44:14 -0800 (PST)
Received: by mail-il1-x12c.google.com with SMTP id i11so8357099ilv.13 for <masque@ietf.org>; Mon, 08 Nov 2021 08:44:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K/GGir03JfELbpVO6oOGuHmMTGgCIsAarBJSmLVYGNk=; b=qmRLLY1yxTKkSMYuEqDBvB/B9+wXjcTEVAlGvYo/xBQC6xX1DaPxrWvF6/4mgRGMAo +i7Fcu/ZbfcFGhXafzdEbo9nmIlhJKL9jcUp79QUnvzivz1sOq1NM2rhYhAeZE2UcqjI zqqLOKIpXKM8GqPcXAglvpIvS5cwRqUA76DLip9QMgu3Ly+vF6e/YSjnZTPzj9+xBCm7 VBVWdq7/no8t6yzqongQePgXTo0aUYNN5c9gQhsr+myo8gzUyyD2xMz5bMF2HkmK4U/w 4DwUbXIe6yOlRpL4bH/s5M+h3aDvdoOmb66a7b1+R2YAkt218HrvGY4heo6TN/XRx1Ft IZnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K/GGir03JfELbpVO6oOGuHmMTGgCIsAarBJSmLVYGNk=; b=g418Od3gskyudi6IglErVyG13GnrL7PEv1UDeVu3vcFFuaaY+vBm9n86t+Rw7UtYrm WHPxBW7/iwX2LYR3qTvF0P6+zWnY1uiN2Gv9eydtpaHFeTVJGby0ZVvrqZZpSbjo3BaR Nl749QW9ikrRIh2UKfB9mh+Rbg+v5c/6SxyJ8f8+I2djhPqt4thc/goOhRwfuWoAeKq/ sO110jhRXepF9Bd4Tt1NexR+4x0w2E/gZdunKqPhFYUp9vHcHBt/yu/a9pgXNfGoT2kn PFA62YS78XwyjFFuXJbcNE/LTU7mHz+4B8DjXz4npn/N0AF/lz7lQEHGzdwAa0czBame ogIg==
X-Gm-Message-State: AOAM531uwZOJax/RaZqQDIaw986viQwhsCB8GXi0ACvAsDp0bdoexTAr snIMNh8EMbR22cg8wh91EMB8oVFW1ZbedOZgydDQjQ==
X-Google-Smtp-Source: ABdhPJwOI34pJ7U3FJu+KwA91GvO1fcHTIaoHzC74R+kUoJPGD4sk2WTndOH4eQ9OOcxHniwHyLhITC8FkfrnI+tvDg=
X-Received: by 2002:a92:c051:: with SMTP id o17mr305710ilf.276.1636389850008; Mon, 08 Nov 2021 08:44:10 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMSe7JJ41EC+f1pyAFrm_+9TU2h=SY-_Xy5vX5wu8TgOQ@mail.gmail.com> <7C41DE50-EE9B-4084-8A1D-88471664E23E@apple.com>
In-Reply-To: <7C41DE50-EE9B-4084-8A1D-88471664E23E@apple.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 08 Nov 2021 08:43:33 -0800
Message-ID: <CABcZeBN1Q00hLijF9D1Wu7eGVDe_8jRR=QZ9t3gc-xtkee0=rw@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b9629605d049b398"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/40lghQ_bb5taoMc_4F_tZyun4oo>
Subject: Re: [Masque] Comments on draft-age-masque-connect-ip-01
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 16:44:19 -0000

On Mon, Nov 8, 2021 at 7:52 AM Tommy Pauly <tpauly@apple.com> wrote:

>
>
> On Nov 7, 2021, at 3:12 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> This document seems like a reasonable starting point. Good to see
> the authors converging. Some technical comments below.
>
>
> Thanks for the comments!
>
>
> Overall, I wonder if we should actually forbid the client from
> using IP addresses in packets when the target is specified.
> That would avoid goofy situations in which the client does
>
>    CONNECT 192.0.2.1
>
> And then sends to 192.0.2.2.
>
>
> I think it’s more consistent to define the behavior of what error the
> sender receives when it sends a packet for which it didn’t have an assigned
> source address or a valid destination route. Is this cause for dropping the
> packet silently, sending an error capsule, or closing the request stream
> with an error?
>
> I filed this to discuss:
> https://github.com/tfpauly/draft-age-masque-connect-ip/issues/43
>

I could live with that, though I do like to make it impossible to do bad
things.



> S 4.1.
>
>    target:  The variable "target" contains a hostname or IP address of a
>       specific host to which the client wants to proxy packets.  If the
>       "target" variable is not specified, the client is requesting to
>       communicate with any allowable host.  If the target is an IP
>       address, the request will only support a single IP version.  If
>       the target is a hostname, the server is expected to perform DNS
>       resolution to determine which route(s) to advertise to the client.
>       The server SHOULD send a ROUTE_ADVERTISEMENT capsule that includes
>       routes for all usable resolved addresses for the requested
>       hostname.
>
> This treatment of DNS names seems like it's going to create a lot of
> additional complexity: for instance, how does the client know which IP
> to put in the dst field. You don't specify that the
> ROUTE_ADVERTISEMENT MUST *only* include valid addresses. For instance,
> suppose that the DNS name resolves to
>
>   192.0.2.1
>   192.0.2.2
>   192.0.2.4 <-- No 192.0.2.3!
>   192.0.2.5
>   192.0.2.6
>   192.0.2.7
>
> and the server advertises 192.0.2.1-192.0.2.7.
>
> Given that this is an IP layer mechanism, I would simply remove the
> DNS option; clients can always do DNS over the tunnel.
>
>
>
> I can see this either way.
>
> For cases where I don’t want a full tunnel, but just want to talk to one
> host, I would need to open an IP flow for a DNS server. I could of course
> open one, and then open a proxied flow to each target address, and request
> the same local address I got on the first.
>
> This would work, but is more back-and-forth, and also doesn’t give me a
> way to just ask the proxy to use it’s own DNS cache. For cases like CONNECT
> and CONNECT-UDP, we’ve found it very useful for latency to have the DNS
> cache run on the proxy, so that we benefit from all clients going through
> the proxy sharing the same cache, and not needing a round trip back to the
> client. To that end, I’d like to at least *allow* connecting by a
> hostname in the protocol (even if some proxies wouldn’t choose to support
> that).
>

I would make several points here.

First, while it's desirable to be able to use the proxy's DNS cache, it's
increasingly insufficient to simply get the A/AAAA records, for reasons
such as SVCB. For instance, you wouldn't be able to do ECH using the DNS
version alone because you would need to look up the SVCB. So, while it does
incur a round trip, it seems like you are going to need to do a DNS
resolution for this case.

Second, even taken on its own terms, if I understand this mechanism
correctly, I think it's still broken for the reason I mentioned above. The
problem is that you are using the ROUTE_ADVERTISEMENT as an implicit DNS
resolution--to tell you what to put in the dst-addr. If that's true, then I
think you need to require that the ROUTE_ADVERTISEMENT to be strict.



>
>
> S 4.2.
> Is the server required to send ADDRESS_ASSIGN? If not, what is the
> client supposed to use as it's source address? Also, what happens
> if you only get a v6 address but need to talk to a v4 endpoint,
> or vice versa.
>
>
> https://github.com/tfpauly/draft-age-masque-connect-ip/issues/42
>
> Probably the best thing to say is that any peer that can send packets MUST
> first have received an ADDRESS_ASSIGN capsule.
>
> Regarding v4 and v6, yes, you do need the right family assigned.
>
>
>
> S 4.2.3.
> You should probably say something here about how in many cases
> you shouldn't trust a ROUTE_ADVERTISEMENT. For instance, it's
> incoherent for an ordinary consumer VPN client to start
> advertising routes.
>
>
> A full-tunnel VPN server may not have a complex routing table, but it’s
> still possible to have some “excluded” routes that won’t be allowed
> (private subnets, etc). Traditionally, most VPN protocols do always include
> the route information. The “trust” here is just about what the endpoint is
> willing to route/forward.
>
> What kind of warning were you imagining?
>

"Note: peers MUST NOT blindly trust ROUTE_ADVERTISEMENT. They MUST filter
it through local policy"

-Ekr


> Best,
> Tommy
>
>
>
>
>
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>
>
>

v2.23.0 | Report a Bug | By Email