IETF Logo Mail Archive

Re: [Masque] Updated proposed charter text

Alex Chernyakhovsky <achernya@google.com> Fri, 03 April 2020 13:18 UTC

Return-Path: <achernya@google.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F080F3A0363 for <masque@ietfa.amsl.com>; Fri, 3 Apr 2020 06:18:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.587
X-Spam-Level:
X-Spam-Status: No, score=-9.587 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rWBcTh7ZXiKK for <masque@ietfa.amsl.com>; Fri, 3 Apr 2020 06:18:00 -0700 (PDT)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DDD03A00C1 for <masque@ietf.org>; Fri, 3 Apr 2020 06:17:49 -0700 (PDT)
Received: by mail-ot1-x32d.google.com with SMTP id v2so7201750oto.2 for <masque@ietf.org>; Fri, 03 Apr 2020 06:17:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Tk+MwVaeFgsrFBHDcLkqgGBnwcVjT8ACS9TcL00NSXM=; b=PVRzee2SXcQ13U9Qcg4JQt7FYyry1Z4bBmHcimGqkLGRmV573jF6OAiyt+ElTJM36A oVCI1HRiY9lq7rmGaQxscE+U4A2iSNrwj4rrA0JB0Cx++f1xO/sviOjuYjIqvHXEWb9t iKbH760/fMUrVE9+zQDRk/nH1H1r+sLVkAXp55MOeGsVHG8WuvPDrf+36yqu+g5DTOLT CRB7KW64nKaUdsBajjzHhSW0HUJN3FVv2uBX2nT555WyJr7T02T+fCdKB21jOwv3sisr g+Ei7CGGpKQU15rgKPTyng7fl6uRm/U5Sw/EALZgVgbfsfVnotNRs8iZufeSfdb6nWsF 4gKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Tk+MwVaeFgsrFBHDcLkqgGBnwcVjT8ACS9TcL00NSXM=; b=uQsjhgDTw8ldwGHUiAjb2NPZNpGRWJBaYZ6BX65HJMb75oxX44syxsUnCDJmecm+so rw5O0ptlVrSHymrV5HR+dfh92DOJ58EslHh+OvCcHmIn/q647IL8AdYvx8BJK+bEOx6C yaKsCZfFX+T/lXebawZh68l3gGivU30zNOej0gXIwFQk4WCFWuZK6pDRBNphQzo1ss5g 362YTHfn2SnVU7UWXxneJurghUk8GQZbFeRDu25FDWrKjmCEzh3sZadMvYxXWKI3OjeM PTRDqm8KryLAz53wlTYeOKBtw3/JgYmooKBnpC9RcPwAau532ejIdr0Izl95tBuD7lOD b28g==
X-Gm-Message-State: AGi0PuYQYjw8voAarX6d9GpoiK3z1klyPs/oH84aOUc/LjmVIzmNARmy 8JAfuKizR/4ZCihoEOnyqG3IpZUHTH1L86KYXkdJhxHI
X-Google-Smtp-Source: APiQypIZenZFrMsVTP/gr0DoI1WdNpcEt9Xb8luc4lL78jjcBc8lLYJRtPK+1dWQlwti5Iq4121DZ4ugOMuPdnFghiw=
X-Received: by 2002:a05:6830:101a:: with SMTP id a26mr5927940otp.173.1585919867751; Fri, 03 Apr 2020 06:17:47 -0700 (PDT)
MIME-Version: 1.0
References: <89136f8b-70bd-40a0-b6d1-0e8a62a50ece@www.fastmail.com> <CAKKJt-dJqTYJPj0u7mZvaJKoiRX7oXeQCSyQV9xN_zkzHY-LXQ@mail.gmail.com> <48dcc4c3-0039-4de4-9028-c2059b34140c@www.fastmail.com> <CABcZeBPiT+gWCV0QZyoUNzyAgQ_5MHgi+uk7aaAQ-t0te3f5tw@mail.gmail.com> <CAKKJt-fWC_6Cy-tB=chKUaECC1wXsbzArxK27E1AuvnaUUS9Qw@mail.gmail.com> <CAHbWFkTfUBbgeEMwMP_Gshp2MH2QFQ4fvBc3EHTu7gtRXWJpxg@mail.gmail.com> <CABcZeBNVFKyeCo2+7yXbOB66RMSBhwjip8+hpsz+a+a6R2sUsQ@mail.gmail.com>
In-Reply-To: <CABcZeBNVFKyeCo2+7yXbOB66RMSBhwjip8+hpsz+a+a6R2sUsQ@mail.gmail.com>
From: Alex Chernyakhovsky <achernya@google.com>
Date: Fri, 03 Apr 2020 09:17:36 -0400
Message-ID: <CAHbWFkQ+J9HZfeAX0Z1_0+Nmaj9+NzU9Vf+_8T9o2ixqnwNKfA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, Christopher Wood <caw@heapingbits.net>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005c960805a262bede"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/4SCLGKXyY_VqAH66fHLEkpkgEJY>
Subject: Re: [Masque] Updated proposed charter text
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 13:18:07 -0000

On Thu, Apr 2, 2020 at 4:26 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Thu, Apr 2, 2020 at 12:40 PM Alex Chernyakhovsky <achernya@google.com>
> wrote:
>
>>
>>
>> On Thu, Apr 2, 2020 at 11:36 AM Spencer Dawkins at IETF <
>> spencerdawkins.ietf@gmail.com> wrote:
>>
>>> Replying to Chris via Ekr's reply to me :-)
>>>
>>> On Thu, Apr 2, 2020 at 9:09 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>>> I don't think the diversity of naming here is that useful as a guide to
>>>> the diversity of the use cases. For instance, 2817, which defines CONNECT
>>>> uses the term both "proxy" and "tunnel" in the same sentence.
>>>>
>>>> "A CONNECT method requests that a proxy establish a tunnel connection
>>>> on its behalf."
>>>>
>>>> And yet TURN, which provides a similar service, calls itself "Traversal
>>>> Using Relays around NAT".
>>>>
>>>> As a practical matter, the TCP and UDP use cases focus on establishing
>>>> an association with the server in which packets are forwarded to and from a
>>>> given destination and the IP use case seems to focus on forwarding IP
>>>> datagrams from the client to and from arbitrary destinations (this last
>>>> might use some fleshing out, I suppose).
>>>>
>>>
>>> This is the kind of thing I was also thinking about - not that we
>>> weren't using the right terms, but that we were vague enough that people
>>> during the BOF were guessing at what MASQUE would be most like (
>>> https://en.wikipedia.org/wiki/Blind_men_and_an_elephant). So, yes,
>>> fleshing out what we expect to happen, and not to happen, makes sense to
>>> me.
>>>
>>> Just to start where Ekr started, do people think we're forwarding to
>>> arbitrary destinations, or only to destinations that were explicitly set up?
>>>
>>> What does "arbitrary destinations" mean here? For QBONE, we have built
>> the ability to route between networks, including setting a default that can
>> be for reaching the public internet. Is that arbitrary, or is that a
>> destination that was explicitly set up because a route was configured? I'm
>> not sure I understand the implication of the distinction.
>>
>
> So, you have a tunnel between point A and point B.
>
> In TCP CONNECT (and hypothetically UDP CONNECT) you set up an association
> to a given destination. You then inject datagrams labelled with the
> association ID and it gets routed to that destination and packets in the
> return direction get labelled with the same association ID on the way to
> the client. Incoming messages not coming from any association are discarded.
>
> In a pure IP VPN, there aren't any destination associations and packets
> just get routed based on the IP header in both directions, regardless of
> what state has been created. Note that a TURN relay occupies a sort of
> intermediate state where associations are implicitly created and destroyed.
>
> -Ekr
>
> I don't think this is a meaningful distinction. If I understand correctly,
you're identifying that CONNECT is actually two actions that have to happen
in sequence: establish a tunnel to some destination, then relay bytes to
that destination. The first step allows you to connect to arbitrary
destinations, unless you have some sort of firewall or ACL system to limit
the scope.

You can do the same with a VPN, you just need to have connection tracking
implemented in the VPN terminator. The only real difference I see here is
with a traditional TCP connection, you can't avoid having the connection
state, as that's inherent to the protocol, whereas with a VPN one could
choose to not implement connection tracking and therefore not have an easy
filtering capability. (You could, of course, use stateless firewall rules,
even without changing the VPN terminator implementation and relying on the
OS native features).

Sincerely,
-Alex


>> Sincerely,
>> -Alex
>>
>> Best,
>>>
>>> Spencer
>>>
>>>
>>>> -Ekr
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Apr 2, 2020 at 7:03 AM Christopher Wood <caw@heapingbits.net>
>>>> wrote:
>>>>
>>>>> On Tue, Mar 31, 2020, at 4:34 PM, Spencer Dawkins at IETF wrote:
>>>>> > Hi, Christopher,
>>>>> >
>>>>> > Thanks for getting this update out so quickly.
>>>>> >
>>>>> > I have thoughts, but wanted to start with the first couple of
>>>>> paragraphs.
>>>>> >
>>>>> > On Tue, Mar 31, 2020 at 11:43 AM Christopher Wood <
>>>>> caw@heapingbits.net> wrote:
>>>>> > > Based on last week's meeting, it seems folks are generally
>>>>> enthusiastic about some form of MASQUE moving forward. To help scope that
>>>>> particular form, here's an update to the proposed charter.
>>>>> > >
>>>>> > >  ~~~
>>>>> > >  Many network topologies lead to situations where transport
>>>>> protocol proxying is beneficial. For example, proxying enables endpoints to
>>>>> communicate when end-to-end connectivity is not possible and can apply
>>>>> additional encryption where desirable (such as a VPN). Proxying can also
>>>>> improve client privacy, e.g., by hiding a client's IP address from a target
>>>>> server.
>>>>> > >
>>>>> > >  Proxying technologies such as SOCKS and HTTP(S) CONNECT exist,
>>>>> albeit with their own shortcomings. For example, SOCKS signalling is not
>>>>> encrypted and HTTP CONNECT is currently limited to TCP. In contrast, HTTP/3
>>>>> is a viable candidate protocol for proxying arbitrary traffic, as it
>>>>> provides secure connectivity, multiplexed streams, and migration for a
>>>>> single connection while taking advantage of a unified congestion
>>>>> controller. HTTP/3 datagrams provide for unreliable data transmission,
>>>>> which enables transporting UDP and other unreliable flows via a proxy
>>>>> without introducing potentially redundant or unnecessary recovery
>>>>> mechanisms. Further, HTTP/3 supports an established request/response
>>>>> semantic that can set up and configure flows for different services.
>>>>> >
>>>>> > If I remember correctly, somewhere between the audio conference and
>>>>> the
>>>>> > active jabber conversation, there were people who mentioned
>>>>> >  * proxies
>>>>> >  * relays
>>>>> >  * tunnels
>>>>> >  * VPNs
>>>>> >  * NATs, and
>>>>> >  * now that I look at the second paragraph, maybe even firewalls
>>>>> > Is it possible to agree on the functionalities that this community
>>>>> of
>>>>> > interest is thinking of, as part of the charter discussion?
>>>>> >
>>>>> > ISTM that if we're talking about "connect for IP", we're closer to a
>>>>> > tunnel than a proxy, and I don't think that's what most of the
>>>>> MASQUE
>>>>> > folk were thinking of.
>>>>> >
>>>>> > Perhaps this will fall out of the use cases people have been
>>>>> collecting?
>>>>>
>>>>> Yep, I expect that to be the case! While the use cases in the charter
>>>>> are not meant to be exhaustive, more specificity would probably help frame
>>>>> the rest of the content.
>>>>>
>>>>> Meta question: are you looking for a specific change in the text, and
>>>>> if so, what might that be?
>>>>>
>>>>> Best,
>>>>> Chris
>>>>>
>>>>> --
>>>>> Masque mailing list
>>>>> Masque@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/masque
>>>>>
>>>> --
>>> Masque mailing list
>>> Masque@ietf.org
>>> https://www.ietf.org/mailman/listinfo/masque
>>>
>>

v2.23.0 | Report a Bug | By Email