Re: [Masque] DNS in connect-ip
David Schinazi <dschinazi.ietf@gmail.com> Tue, 19 March 2024 04:49 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CBA7C14F694 for <masque@ietfa.amsl.com>; Mon, 18 Mar 2024 21:49:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 86xGWG9VSCIp for <masque@ietfa.amsl.com>; Mon, 18 Mar 2024 21:49:23 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A28F2C14F686 for <masque@ietf.org>; Mon, 18 Mar 2024 21:49:23 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id a640c23a62f3a-a45f257b81fso661454766b.0 for <masque@ietf.org>; Mon, 18 Mar 2024 21:49:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710823762; x=1711428562; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ArI0ka4hTJnoPlEg+vmVPc+TiQ7trrGApOXI6c62Hfg=; b=CtessIj8IUsEAxKepLP5J0xmiHOnAQwzbGSYPhIwg1j78vVfG8p/qyLnFbDOgPBsKh z4e5//0OA2aAvXJ5gC9fuzIfS4pB0Yji4Ysc7OazToPxpSt+q8J0bdRlcDRRolh6eHo5 03RpKvpIDzjf3uUQ6CLFvdy8MZdZQPvsdEtllRcso5FR1LFxd0lXhe+ise1vCwioBdTK 6jjw2LmJbkThcDKawBaM40IQmt4ubWch0+rycXC6nvDLbH2qfgtEJD9VRPg1d0HTJNz4 +ZSxAm4It3D46lxSADZyflUlOG+P0xGViPGmAzokOK6OoSkIAhq+OsLBJx3DvgRsHkA9 ifEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710823762; x=1711428562; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ArI0ka4hTJnoPlEg+vmVPc+TiQ7trrGApOXI6c62Hfg=; b=M1DXaw4LKfqDcArcp6dv39ukFpBE1/kT39iPquO0/Zl2GJBbaX/8HNpn1L8tyk5Ja+ 5e/cDTQiRx6WBC3067rue4Q2YWxYWO8c+ZEKZ+9SmomQ2V1mWBYBpyleRQZSihhztZFz ytFZeGnwxhmsWKR11/VEAK6H+STifgNJbN/4HzbVtOKami1zvQ4q5jz+UXNBll/pUJgK ETR9khas1zPjIWYXRBlgdAeMDoQl5B1mT8kwLkYDsayWaiCw6DKrafkeGnVMu3mhoIQX MqC/jr7iMkLhJoCmCXUe/rdQ3LmJVCJRupepEjS3qlwYZry4uQwG3YuqOrs1ox852QZG iR4A==
X-Gm-Message-State: AOJu0YxkwqNGYGiKDA2JEAt6GUSiVeGJOoXaZkdehvW63mXSIHWcXWCc mxwIzrUP62/QdcTNdCf9x9cKrOCDi1mt3KN1i25SYYlCW2Tu6yH2iwWVFvtBeLazOPF8DPMBG3i 6qWMeMCP2IQHn9fI1aqgjoJQMPLo=
X-Google-Smtp-Source: AGHT+IFQf+W+APhVkIdA6tHNCkXg9n/Guc69QAX5leqxp5SvZusNnobRJwiahVgRgorhduVqkss8UvX+SYSjx160jhY=
X-Received: by 2002:a17:906:c415:b0:a46:7dcc:78f0 with SMTP id u21-20020a170906c41500b00a467dcc78f0mr713176ejz.10.1710823761788; Mon, 18 Mar 2024 21:49:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAPDSy+7iCh9P5vzRSTgBeBPMGJaCzeQQFguh4to9=ZJqZhgULQ@mail.gmail.com> <SA1PR15MB4370BB203F7907568CF27C27B32C2@SA1PR15MB4370.namprd15.prod.outlook.com>
In-Reply-To: <SA1PR15MB4370BB203F7907568CF27C27B32C2@SA1PR15MB4370.namprd15.prod.outlook.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Mon, 18 Mar 2024 21:49:10 -0700
Message-ID: <CAPDSy+4RTu6xo+o=25x1fFf34GZycnd6USKCMDu_-K5Eu1stVw@mail.gmail.com>
To: Ben Schwartz <bemasc@meta.com>
Cc: MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009844270613fc32cf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/4_O2J3oUU7Wi-11fBe9T2-Mqap0>
Subject: Re: [Masque] DNS in connect-ip
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 04:49:24 -0000
Hi Ben, While your proposal sounds interesting, it doesn't match how we are implementing MASQUE in practice. That's because for most implementations, the application and OS are different entities. In particular, we're deploying CONNECT and CONNECT-UDP in Chrome, but are interested in CONNECT-IP for ChromeOS. (And I do realize that those two products have similar names and are built by the same corporate entity, but that's still how they work.) Because of the realities of the platform, we do need a "90s style" DNS configuration mechanism for the OS. That said, I'm not saying I dislike your design - I think it's something we should also explore. But we can do that in parallel with what I'm proposing for DNS in connect-ip. One doesn't preclude the other. Thanks, David On Mon, Mar 18, 2024 at 9:30 PM Ben Schwartz <bemasc@meta.com> wrote: > I think this would be a good and logical design if we believe that > connect-udp, DoH, DNR (RFC 9463), PvD, etc. should not be combined with > connect-ip. In that case, connect-ip needs some kind of basic 1990s-style > in-band DNS bootstrap mechanism, like DHCP or IPv6 RA, resulting in things > like INTERNAL_IP4_DNS in IKEv2. > > I would prefer a design where these standards are combined into an > integrated package, with DNS specified alongside connect-ip, connect-udp, > etc. That would allow a variety of behaviors that are difficult or > impossible in this draft: > > * Clients could do a DNS query, get an HTTPS record, and then choose > between connect-ip and connect-udp based on the indicated ALPNs. > * DNS could use a secure transport (without the delay of a DDR upgrade and > reliance on IP certificates). > * DNS queries could avoid various inefficiencies of conveyance over > connect-ip. > * Clients could use connect-ip's "target" and "ipproto" fields to connect > to a destination selected via DNS. > * Clients could avoid establishing a connect-ip tunnel that turns out not > to be needed for any current destination. > * connect-ip and connect-udp could share a DNS configuration (which > logically applies to both). > * Clients could be protected from domain hijacking by > draft-ietf-add-split-horizon-authority. > > Overall, I think connect-ip, connect-udp, and DNS are all building blocks > for a complete access service, and we should combine them via an > overarching configuration, rather than trying to extend each of them as if > it were the main "entry point". Vending a "connect-ip" template directly > to a client should be viewed as an extremely low-level configuration flow, > similar to manually entering an IP gateway. > > Not coincidentally, this is basically the argument for > https://datatracker.ietf.org/doc/draft-schwartz-masque-access-descriptions/ > > --Ben > > ------------------------------ > *From:* Masque <masque-bounces@ietf.org> on behalf of David Schinazi < > dschinazi.ietf@gmail.com> > *Sent:* Monday, March 18, 2024 9:29 PM > *To:* MASQUE <masque@ietf.org> > *Subject:* [Masque] DNS in connect-ip > > Hi fellow enthusiasts, Some colleagues recently reached out to me asking > about implementing connect-ip into their platform as a VPN client, next to > their IKEv2/IPsec implementation. However, they rapidly found that > connect-ip didn't have > ZjQcmQRYFpfptBannerStart > This Message Is From an External Sender > > ZjQcmQRYFpfptBannerEnd > Hi fellow enthusiasts, > > Some colleagues recently reached out to me asking about implementing > connect-ip into their platform as a VPN client, next to their IKEv2/IPsec > implementation. However, they rapidly found that connect-ip didn't have a > way to communicate DNS servers in-band, and that's a pretty important > feature that almost every VPN protocol supports. Back when we standardized > connect-ip, we had decided to not put it in RFC 9484 and that we'd do it > later as an extension. Now that there's implementer interest, I think it > would make sense for us to work on this. So I wrote up a quick draft about > this: > https://datatracker.ietf.org/doc/draft-schinazi-masque-connect-ip-dns/ > > The chairs have gracefully accepted that I present this in the as-time > presents section of the agenda today. I wouldn't expect anyone to have read > the draft by then, and I'll cover the overall idea in the presentation to > gauge interest, but I thought I'd still post it in case someone's bored > between now and the session later today. > > Cheers, > David >
- [Masque] DNS in connect-ip David Schinazi
- Re: [Masque] DNS in connect-ip Ben Schwartz
- Re: [Masque] DNS in connect-ip David Schinazi
- Re: [Masque] DNS in connect-ip Ben Schwartz
- Re: [Masque] DNS in connect-ip David Schinazi