IETF Logo Mail Archive

Re: [Masque] Proposed draft charter

Paul Vixie <paul@redbarn.org> Mon, 27 January 2020 23:00 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61E913A0FEF for <masque@ietfa.amsl.com>; Mon, 27 Jan 2020 15:00:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NWLE87kr8QNB for <masque@ietfa.amsl.com>; Mon, 27 Jan 2020 15:00:53 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C5EB3A0FEE for <masque@ietf.org>; Mon, 27 Jan 2020 15:00:53 -0800 (PST)
Received: from linux-9daj.localnet (dhcp-157.access.rits.tisf.net [24.104.150.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 02829B0591 for <masque@ietf.org>; Mon, 27 Jan 2020 23:00:51 +0000 (UTC)
From: Paul Vixie <paul@redbarn.org>
To: "masque@ietf.org" <masque@ietf.org>
Date: Mon, 27 Jan 2020 23:00:48 +0000
Message-ID: <5832705.CKfpiBrxtv@linux-9daj>
Organization: none
In-Reply-To: <9daceeb9b5775846be0a0551bbdfa643e962fbcf.camel@ericsson.com>
References: <845946C2-EB98-4F3A-966E-968AE349302C@ericsson.com> <1917123.yJOJJviVma@linux-9daj> <9daceeb9b5775846be0a0551bbdfa643e962fbcf.camel@ericsson.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/4zKoSVf2IDT0d77HW4KtD6vewPU>
Subject: Re: [Masque] Proposed draft charter
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jan 2020 23:00:54 -0000

On Monday, 27 January 2020 12:04:59 UTC Magnus Westerlund wrote:
> Hi Paul and Lars,
> (As individual, my AD role clearly have an conflict of interest situation
> here)

ty for your answer. mine is inline below.

> Paul's question is something that needs to be discussed. This goes beyond
> the security model I have envisioned for this work.
> 
> So the most basic security model for this work would be to have a secured
> connection (outer) between an endpoint (mostly the client) and the proxy.
> Then run a end-to-end secure QUIC connection between client and server
> (inner). That end-to-end connection can run either inside the client-proxy
> connection for certain properties or in parallel for other set of
> properties. Then use the client proxy connection for meta data exchange to
> accomplis things. This model can be extended to use outer connections
> between proxies and proxy to server, and in cases where desired to even
> have an onion model where client uses a set of proxies but each proxy only
> see the next and previous hop.

you're right that my vision exceeds your described model. there are situations 
where e2e won't be allowed due to corporate policy, local law, or local 
regulation. it may be nec'y for the outbound proxy to see the request URI in 
order to determine whether to allow-direct, allow-via, or disallow.

historically (H1), the proxy had only two choices, allow-via or disallow. this 
led to the development of the HTTPS MiTM model, which is explicitly and 
intentionally voided by TLS 1.3 + ESNI. i wish to reestablish a corporate 
policy perimeter which does not depend on MiTM, and is a negotiation between 
the initiator and the proxy.

this negotiation would rely on secure proxy discovery and establishment of 
trust. this has to be fairly well automatable, because of IoT and ICS devices.

> An evolved model would be to move the inner connection from a full blown
> QUIC connection to something which is an object security model end-to-end
> between client and server. This will require an chain of outer transport
> connections all the way between client and server. However, it would enable
> certain use cases that isn't possible in the first, like object caching. It
> also enables the proxies to do a much better job transport wise and avoid
> head of line blocking completely for inner object fragments and enable
> proxy level prioritizations, which is not really possible in the first
> model. I do note this model will require basically a new QUIC version as it
> will redefine the internals significantly.

i am simultaneously heartened that your understanding of "an evolved model" is 
similar to mine for "trusted proxy discovery and connection negotiation" 
(above), and disheartened that it would apparently require a QUIC development 
restart, which i feel is not in the cards.

> Paul I am uncertain of exactly what you attempting to accomplish. I think in
> the basic security model the client proxy connection can be used by the
> client to disclose information like SNI (assuming ESNI otherwise) to the
> proxy as that would allow policy recommendations that it appear you ask
> for. But, my assumption for this work is that the proxy will by default
> have no access to clear text content being transfered between endpoints.
> Any such access would require an explicit disclosure of the security
> context by the client to the proxy.

there are three levels of such access. SNI, URI, and content. in the use cases 
i predict (e.g., employee doing personal banking using company network) only 
the SNI and URI need to be known in order to yield a trusted "allow-direct" 
answer. for more sensitive managed private networks such as military or 
government, and for corporations under a regulatory regime that includes 
transparency for archival, the content would also have to be visible. in no 
case should this be possible without the initiators knowledge and consent, but 
in some cases the result will be "disallow" because the negotiation "failed".

> But, lets also try to answer Lars's question. Why not in QUIC WG. ...

that's not my area of expertise, so i'll remain silent as to that point.

-- 
Vixie

v2.23.0 | Report a Bug | By Email