Re: [Masque] Adoption call for "Requirements for a MASQUE Protocol to Proxy IP Traffic"
Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 18 September 2020 08:27 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC1B73A0F4A for <masque@ietfa.amsl.com>; Fri, 18 Sep 2020 01:27:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.796
X-Spam-Level:
X-Spam-Status: No, score=-3.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vjfNu34n4vzV for <masque@ietfa.amsl.com>; Fri, 18 Sep 2020 01:27:09 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40055.outbound.protection.outlook.com [40.107.4.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5E783A0F20 for <masque@ietf.org>; Fri, 18 Sep 2020 01:27:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EQ5nAMStsLvkfllPR6kLIcz05bE/VQBwuxihwHE+0HA2mUHe1QBKQkRR2V+75s9WyEG8cY7vfeFXFBf5yg8tsSkqfGNg3A+Qp/lRpRi0pRqaTbWq59jiV35TVAhaT2iczsncStVrpAiRc43JlKtyPMS5CHJEpFe6/RqvyKjaS8ll3fd/o95eM27tid0cYENvwu9naTUKbhKn1aTiQLLuh3XI/hrGhsZeXkvzndK9yGOlqw+2ZcWURrQHSqHqIm12NYNcwW5ggA+n2CcCTpBedQX309cS6xo8Dh5lwyY5ju/2RctWqUMlB8HaNwgNcJknNpSZa+PpzPg6c75DCxJUtA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bVmKUo8vtcN9AYM5HYVi2lDzXxy9sXtOJEzbh1uZL0E=; b=FXVr33DXF5alcElPf4Z3H06T1QE4pREXGOO/Sv5R5og4L4B/ZhGzzHWYTXp7IRU3Sm705sXhcU2HL3ELwk/1ehf+yYZm3C48TwqH2lgbTV9S3vJGupiIogh5zFRmSAXm+xoZgPCA/iag99y1m3a8ONfkQE8tFUyTf152Yvn7kyoRBkOFXubZ7K2zPgdCv0Z/slDiuLckbxSLjRoi8SBq59nbMhwiHdRjz4JCajoApm++pDkpGOkhgMNEBdMzJDS3ItFL6/TENbYkAhsS+Vg6NZLd7hePqLUmCwBZkyRySovKE3oDBKb4Xee2StGg3CM6/Mg5SBj5sPjEvEtQ764zQg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bVmKUo8vtcN9AYM5HYVi2lDzXxy9sXtOJEzbh1uZL0E=; b=jxqeExwUauc+f8PJcqcN8NzWW7fNSx+9AMe9oPwZmYtbmmXSsHRod05Jym1gRSTBhxRDLLecYxUVBP9n8wPXzrf36SQ4y9J/HeKdHiN7S2L9TuUDStmZRrxinb/Nsfq2bq/e7Fclrg1HgorE1c1ZYBttohOBVC4RZe2Bx3JS++g=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR0702MB3627.eurprd07.prod.outlook.com (2603:10a6:7:84::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.9; Fri, 18 Sep 2020 08:27:05 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::c98a:9a0c:1eea:3fdc]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::c98a:9a0c:1eea:3fdc%6]) with mapi id 15.20.3391.009; Fri, 18 Sep 2020 08:27:05 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "masque@ietf.org" <masque@ietf.org>, "caw@heapingbits.net" <caw@heapingbits.net>
Thread-Topic: [Masque] Adoption call for "Requirements for a MASQUE Protocol to Proxy IP Traffic"
Thread-Index: AQHWhqVNz95g1b/pEkmNGiYHq3EDmqluHa8A
Date: Fri, 18 Sep 2020 08:27:05 +0000
Message-ID: <d360df8c2870acdc4b312ab3f5f9031610a24703.camel@ericsson.com>
References: <4f83a742-e6c3-4aef-a26b-1801ecf19cdf@www.fastmail.com>
In-Reply-To: <4f83a742-e6c3-4aef-a26b-1801ecf19cdf@www.fastmail.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.116.90]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: aa8f5fb5-3baf-46d8-4cc4-08d85baca060
x-ms-traffictypediagnostic: HE1PR0702MB3627:
x-microsoft-antispam-prvs: <HE1PR0702MB36276165C9477C5936D10F47953F0@HE1PR0702MB3627.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: A/6C57+wevnt8Z2yc9nTJuQEXB/IlDvXyljZmtCh8BgF+qe3keCXHgdVXsgQr+Vyob51V9cv08pObBDcBP0svJZWSWVDfhj62a0eHna/NC5RMtt13HVe1IFXyGAkG3NJ70WHJ4zgY1ozRIosxR5+W0llh6Bc0FJ7YU4iPmoaZAeJsIdpteMHHeaFesxM90r7qiUYx+gkk5vDY0uKzFMBdFEexyA6fMJRZTa78CnNHbUDRJtBeUv0RizEcMcYR3VTIYaxVP+oOkbRsz+O+6hhKxGSpoZmDvN77TkmZlx8wJba6Hxl49r2Z5svcZBWc/4pflyluBbpgTu6xj1O5mYwCYGlq67NAZjBiLYhyXntlnHb6b+3vrJZfXxkvn5pA2WU
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(366004)(136003)(39860400002)(396003)(6512007)(83380400001)(110136005)(66574015)(6486002)(316002)(66946007)(66446008)(86362001)(64756008)(76116006)(5660300002)(8676002)(66476007)(66556008)(478600001)(36756003)(8936002)(71200400001)(186003)(6506007)(2906002)(44832011)(2616005)(26005)(99106002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 8Xl5OanY0I/4zecCqocGnt7Nwjrd77EhJrjn1gcNsi2cvgWgFO43dwXj34WK8pe6qY4qGSVC8YILxCloXk5E9jwIjGGebN3o/FW/IKrxQzef4J1v+XcuVYoC6OXbiGAJ+tqyLtI0aBBu+DN6OXg4VKdjSt1FQp9GSdxptK5vnAxacE8sl3Qk1h1HoFDxLOw0IZARJrBvqJaF713E/Tn+n6cwVDor6imAQYw3WKI5kSm0FmWWPfcDfAYoDR1hK7FrdfnBsv2taq+xTAnXvbdKMXUlJpJRsVAUyjbhDYw+B+t7WkEoL1nzruJoWhm0fqVovsJLNJxqsXi2MpVGuwk/WbXNWDP5yfvp4stC2sGYQyDw60C/TnC2Ic+cGp/CUEtr/3MO9c5wc6bcbAG0VD+TvZIPogrLEt8TqUHr+uC+lRbyTpWVwxvM/S3ESMM/xy5xBF4pZOPlk/Lq0rY4E98eUjGqu9yFrv/bXEiRXVXTcuOAJ69TImut3+zShR7EwivBk7ChHd1bnzKvxIo4vwGejpDxyTX8PrWS9fhQCacXTOPHrW7c8B6zdR6o1+PAVcK+KhaRa+a+X4AmjX6ddNZzLDq78MUpTD825c+3PLuEYWNYgA1wNOkou0ktQQWSO/07Qbl9RKc988gD93gj+s3upw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <6A7C89386E7AC043B57F55BD250F3537@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: aa8f5fb5-3baf-46d8-4cc4-08d85baca060
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Sep 2020 08:27:05.5383 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: XTVQYtcXRTnUfmy1YyLGk9U4Xm9Wc9RDTbXx1dunq4hBZGvm18ayK1lt/8DaERpWjRiVYkcJTsfnNrHqCnItnBmrqrYYYOd35DWQ7VYwmZY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3627
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/5k_IUw6-A8jQi3i_q1MOtZt5Hl8>
Subject: Re: [Masque] Adoption call for "Requirements for a MASQUE Protocol to Proxy IP Traffic"
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2020 08:27:11 -0000
Hi, (As individual) I think this adoption call is a premature. I think the WG need to agree to the general scope of what IP proxying in MASQUE means before we can adopt a document on its requirement. Yes, the WG will need a working document, we likely do not need to publish it as the resulting scope of the solution anyway should be descirbed in the solution document that I expect the WG to produce eventually. To make it clear why I think we should agree on a few aspects before adopting a requirements document I would like to bring up a significant discussion point for draft-cms-masque-ip-proxy-reqs. In setion 2 the document states: 2. Use Cases There are multiple reasons to deploy an IP proxying protocol. This section discusses some examples of use cases that MUST be supported by the protocol. And the subsections include the following: 2.1. Consumer VPN 2.2. Point to Point Connectivity 2.3. Point to Network Connectivity 2.4. Network to Network Connectivity The first three I think have very similar solution space and big overlap in functionality requried to safely do them. However, the one I really think we need to discuss more indept before agreeing to do it is: 2.4 Network to Network Connectivity. So from my point of view the solution for this can fall into two main categoriezs. A) The MASQUE server is the owner of the network prefix being proxied B) The MASQUE server proxies any network prefix given by client The reason for dividing it up like this is to look at what is required to safely deploy these two differnt versions. In A) the MASQUE server gives the MASQUE client and its local network a prefix that is has been assigned to hand out for this purpose and where the upstream router has a route for the whole prefix that the MASQUE server uses to hand out. In this case source address validation for the MASQUE server is easy. By only forwarding source address from the prefix handed out there are no risks for source address spoofing through the MASQUE server. Also, from a routing perspective the route to the prefixes the MASQUE server uses is a primary route and one which network adimns have a chance of doing attestation of ownership for the address space. In B) if the MASQUE client can inject any network prefix to the MASQUE server we have just created a tool for avoiding source address validation, or we need to have a solution where the MASQUE server can verify the source address ownership to the client. Secondly, this allows then route injection into the routing system that are likely to go all the way to BGP in the general case. I think I understand Google's use case and why they push this, and from their perspective this is done using internal network resources and networks prefixes that they will control and they can authorize. However, from a general MASQUE solution this do require a security solution and discussion of this security threat realted to source address validation, and impact on routing. Thus, the scope of the work if B) is included is significant larger and will take longer time. I would propose that B) is not taken on initially and is for future consideration. With that I requirements 3.4, 3.5, 3.6 can be modified and simplified. I also think that not having a discussion of addressing architecture and implications on routing by network proxying, which is what Section 4.1 states will result in a solution that will not be published. So also that needs to be addressed. The below question will also show that I think this document needs to mature a bit prior to adoption. I also have some questions on the draft: A. In Section 3.4: Similarly, to support the network- to-network use case, the server will be able to request assignment of an IP address range from the client, and the client will either assign a range or decline the request. Can you elaborate why the Server would need an IP address from the Client's network? The client will need to be a gateway in the client side network to be able to receive the traffic to forward, but I don't see why the server needs appear as that gateway? B. Section 3.6: I do understand the need for some identify. The server first of all to allow the client to determine it is communicating with the right MASQUE server. However for the identification of the client, is that likely at all to be a domain name?Isn't that a user name, or some other form of authorization to use the resource. C. Section 3.8 in this context I think there are more than the endpoint that needs authoriztion if network to network proxying would happen. Also, extension to OAUTH, doesn't that require work in another WG. It looks like more explanation of what the needs are that prompt the need for extending the authorization protocol. D. Section 3.10 I don't see an issue with a tunnel protocol being used without flow control. If one overwhelm either of the MASQUE client or server that is equal to congestion in the network. However, in the meeting I got the impression there was consideration to disable congestion control also. Is this or not a requ E. Section 3.11 I think a general VPN use would from a traffic pattern would be distinguishable from encrypted HTTP Web traffic. Is only wire format the goal here? F. Section 3.14 Do I interpret this section correctly that it requires a IP session to be split from a client to two servers? If that is the case that will imply additional functionality for path selection on a sub IP session flow level to avoid reordering within such subflows. Does this also need some additional concerns if someone deploys the servers under different networks, resulting in multi-homing scenarios where outgoing and returning traffic for sub-flows ends up in different paths? In general you will get some traffic steering concerns to deal with. To me this requirement appears to potentially imply quite a bit of more functionality to work. Cheers Magnus Westerlund ---------------------------------------------------------------------- Networks, Ericsson Research ---------------------------------------------------------------------- Ericsson AB | Mobile +46 73 0949079 Torshamnsgatan 23 | SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [Masque] Adoption call for "Requirements for a MA… Christopher Wood
- Re: [Masque] Adoption call for "Requirements for … Ben Schwartz
- Re: [Masque] Adoption call for "Requirements for … David Schinazi
- Re: [Masque] Adoption call for "Requirements for … Eric Rescorla
- Re: [Masque] Adoption call for "Requirements for … Mirja Kuehlewind
- Re: [Masque] Adoption call for "Requirements for … Christopher Wood
- Re: [Masque] Adoption call for "Requirements for … Spencer Dawkins at IETF
- Re: [Masque] Adoption call for "Requirements for … Magnus Westerlund
- Re: [Masque] Adoption call for "Requirements for … Spencer Dawkins at IETF
- Re: [Masque] Adoption call for "Requirements for … David Schinazi
- Re: [Masque] Adoption call for "Requirements for … Magnus Westerlund
- Re: [Masque] Adoption call for "Requirements for … David Schinazi
- Re: [Masque] Adoption call for "Requirements for … Christopher Wood
- Re: [Masque] Adoption call for "Requirements for … Magnus Westerlund
- Re: [Masque] Adoption call for "Requirements for … Eric Kinnear
- Re: [Masque] Adoption call for "Requirements for … Lucas Pardue
- Re: [Masque] Adoption call for "Requirements for … Magnus Westerlund
- Re: [Masque] Adoption call for "Requirements for … David Schinazi
- Re: [Masque] Adoption call for "Requirements for … Magnus Westerlund
- Re: [Masque] Adoption call for "Requirements for … Ben Schwartz
- Re: [Masque] Adoption call for "Requirements for … Magnus Westerlund
- Re: [Masque] Adoption call for "Requirements for … Alex Chernyakhovsky
- Re: [Masque] Adoption call for "Requirements for … Tommy Pauly
- Re: [Masque] Adoption call for "Requirements for … Christopher Wood
- Re: [Masque] Adoption call for "Requirements for … David Schinazi