IETF Logo Mail Archive

Re: [Masque] Adoption call for "Requirements for a MASQUE Protocol to Proxy IP Traffic"

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 18 September 2020 08:27 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC1B73A0F4A for <masque@ietfa.amsl.com>; Fri, 18 Sep 2020 01:27:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.796
X-Spam-Level:
X-Spam-Status: No, score=-3.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vjfNu34n4vzV for <masque@ietfa.amsl.com>; Fri, 18 Sep 2020 01:27:09 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40055.outbound.protection.outlook.com [40.107.4.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5E783A0F20 for <masque@ietf.org>; Fri, 18 Sep 2020 01:27:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EQ5nAMStsLvkfllPR6kLIcz05bE/VQBwuxihwHE+0HA2mUHe1QBKQkRR2V+75s9WyEG8cY7vfeFXFBf5yg8tsSkqfGNg3A+Qp/lRpRi0pRqaTbWq59jiV35TVAhaT2iczsncStVrpAiRc43JlKtyPMS5CHJEpFe6/RqvyKjaS8ll3fd/o95eM27tid0cYENvwu9naTUKbhKn1aTiQLLuh3XI/hrGhsZeXkvzndK9yGOlqw+2ZcWURrQHSqHqIm12NYNcwW5ggA+n2CcCTpBedQX309cS6xo8Dh5lwyY5ju/2RctWqUMlB8HaNwgNcJknNpSZa+PpzPg6c75DCxJUtA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bVmKUo8vtcN9AYM5HYVi2lDzXxy9sXtOJEzbh1uZL0E=; b=FXVr33DXF5alcElPf4Z3H06T1QE4pREXGOO/Sv5R5og4L4B/ZhGzzHWYTXp7IRU3Sm705sXhcU2HL3ELwk/1ehf+yYZm3C48TwqH2lgbTV9S3vJGupiIogh5zFRmSAXm+xoZgPCA/iag99y1m3a8ONfkQE8tFUyTf152Yvn7kyoRBkOFXubZ7K2zPgdCv0Z/slDiuLckbxSLjRoi8SBq59nbMhwiHdRjz4JCajoApm++pDkpGOkhgMNEBdMzJDS3ItFL6/TENbYkAhsS+Vg6NZLd7hePqLUmCwBZkyRySovKE3oDBKb4Xee2StGg3CM6/Mg5SBj5sPjEvEtQ764zQg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bVmKUo8vtcN9AYM5HYVi2lDzXxy9sXtOJEzbh1uZL0E=; b=jxqeExwUauc+f8PJcqcN8NzWW7fNSx+9AMe9oPwZmYtbmmXSsHRod05Jym1gRSTBhxRDLLecYxUVBP9n8wPXzrf36SQ4y9J/HeKdHiN7S2L9TuUDStmZRrxinb/Nsfq2bq/e7Fclrg1HgorE1c1ZYBttohOBVC4RZe2Bx3JS++g=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR0702MB3627.eurprd07.prod.outlook.com (2603:10a6:7:84::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.9; Fri, 18 Sep 2020 08:27:05 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::c98a:9a0c:1eea:3fdc]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::c98a:9a0c:1eea:3fdc%6]) with mapi id 15.20.3391.009; Fri, 18 Sep 2020 08:27:05 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "masque@ietf.org" <masque@ietf.org>, "caw@heapingbits.net" <caw@heapingbits.net>
Thread-Topic: [Masque] Adoption call for "Requirements for a MASQUE Protocol to Proxy IP Traffic"
Thread-Index: AQHWhqVNz95g1b/pEkmNGiYHq3EDmqluHa8A
Date: Fri, 18 Sep 2020 08:27:05 +0000
Message-ID: <d360df8c2870acdc4b312ab3f5f9031610a24703.camel@ericsson.com>
References: <4f83a742-e6c3-4aef-a26b-1801ecf19cdf@www.fastmail.com>
In-Reply-To: <4f83a742-e6c3-4aef-a26b-1801ecf19cdf@www.fastmail.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.116.90]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: aa8f5fb5-3baf-46d8-4cc4-08d85baca060
x-ms-traffictypediagnostic: HE1PR0702MB3627:
x-microsoft-antispam-prvs: <HE1PR0702MB36276165C9477C5936D10F47953F0@HE1PR0702MB3627.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: A/6C57+wevnt8Z2yc9nTJuQEXB/IlDvXyljZmtCh8BgF+qe3keCXHgdVXsgQr+Vyob51V9cv08pObBDcBP0svJZWSWVDfhj62a0eHna/NC5RMtt13HVe1IFXyGAkG3NJ70WHJ4zgY1ozRIosxR5+W0llh6Bc0FJ7YU4iPmoaZAeJsIdpteMHHeaFesxM90r7qiUYx+gkk5vDY0uKzFMBdFEexyA6fMJRZTa78CnNHbUDRJtBeUv0RizEcMcYR3VTIYaxVP+oOkbRsz+O+6hhKxGSpoZmDvN77TkmZlx8wJba6Hxl49r2Z5svcZBWc/4pflyluBbpgTu6xj1O5mYwCYGlq67NAZjBiLYhyXntlnHb6b+3vrJZfXxkvn5pA2WU
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(366004)(136003)(39860400002)(396003)(6512007)(83380400001)(110136005)(66574015)(6486002)(316002)(66946007)(66446008)(86362001)(64756008)(76116006)(5660300002)(8676002)(66476007)(66556008)(478600001)(36756003)(8936002)(71200400001)(186003)(6506007)(2906002)(44832011)(2616005)(26005)(99106002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 8Xl5OanY0I/4zecCqocGnt7Nwjrd77EhJrjn1gcNsi2cvgWgFO43dwXj34WK8pe6qY4qGSVC8YILxCloXk5E9jwIjGGebN3o/FW/IKrxQzef4J1v+XcuVYoC6OXbiGAJ+tqyLtI0aBBu+DN6OXg4VKdjSt1FQp9GSdxptK5vnAxacE8sl3Qk1h1HoFDxLOw0IZARJrBvqJaF713E/Tn+n6cwVDor6imAQYw3WKI5kSm0FmWWPfcDfAYoDR1hK7FrdfnBsv2taq+xTAnXvbdKMXUlJpJRsVAUyjbhDYw+B+t7WkEoL1nzruJoWhm0fqVovsJLNJxqsXi2MpVGuwk/WbXNWDP5yfvp4stC2sGYQyDw60C/TnC2Ic+cGp/CUEtr/3MO9c5wc6bcbAG0VD+TvZIPogrLEt8TqUHr+uC+lRbyTpWVwxvM/S3ESMM/xy5xBF4pZOPlk/Lq0rY4E98eUjGqu9yFrv/bXEiRXVXTcuOAJ69TImut3+zShR7EwivBk7ChHd1bnzKvxIo4vwGejpDxyTX8PrWS9fhQCacXTOPHrW7c8B6zdR6o1+PAVcK+KhaRa+a+X4AmjX6ddNZzLDq78MUpTD825c+3PLuEYWNYgA1wNOkou0ktQQWSO/07Qbl9RKc988gD93gj+s3upw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <6A7C89386E7AC043B57F55BD250F3537@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: aa8f5fb5-3baf-46d8-4cc4-08d85baca060
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Sep 2020 08:27:05.5383 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: XTVQYtcXRTnUfmy1YyLGk9U4Xm9Wc9RDTbXx1dunq4hBZGvm18ayK1lt/8DaERpWjRiVYkcJTsfnNrHqCnItnBmrqrYYYOd35DWQ7VYwmZY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3627
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/5k_IUw6-A8jQi3i_q1MOtZt5Hl8>
Subject: Re: [Masque] Adoption call for "Requirements for a MASQUE Protocol to Proxy IP Traffic"
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2020 08:27:11 -0000

Hi,
(As individual)

I think this adoption call is a premature. I think the WG need to agree to the
general scope of what IP proxying in MASQUE means before we can adopt a document
on its requirement. Yes, the WG will need a working document, we likely do not
need to publish it as the resulting scope of the solution anyway should be
descirbed in the solution document that I expect the WG to produce eventually.

To make it clear why I think we should agree on a few aspects before adopting a
requirements document I would like to bring up a significant discussion point
for draft-cms-masque-ip-proxy-reqs. In setion 2 the document states:

2.  Use Cases

   There are multiple reasons to deploy an IP proxying protocol.  This
   section discusses some examples of use cases that MUST be supported
   by the protocol.

And the subsections include the following:

2.1.  Consumer VPN
2.2.  Point to Point Connectivity
2.3.  Point to Network Connectivity
2.4.  Network to Network Connectivity

The first three I think have very similar solution space and big overlap in
functionality requried to safely do them. However, the one I really think we
need to discuss more indept before agreeing to do it is: 

2.4 Network to Network Connectivity.

So from my point of view the solution for this can fall into two main
categoriezs. 

A) The MASQUE server is the owner of the network prefix being proxied

B) The MASQUE server proxies any network prefix given by client

The reason for dividing it up like this is to look at what is required to safely
deploy these two differnt versions. 

In A) the MASQUE server gives the MASQUE client and its local network a prefix
that is has been assigned to hand out for this purpose and where the upstream
router has a route for the whole prefix that the MASQUE server uses to hand out.
In this case source address validation for the MASQUE server is easy. By only
forwarding source address from the prefix handed out there are no risks for
source address spoofing through the MASQUE server. Also, from a routing
perspective the route to the prefixes the MASQUE server uses is a primary route
and one which network adimns have a chance of doing attestation of ownership for
the address space. 

In B) if the MASQUE client can inject any network prefix to the MASQUE server we
have just created a tool for avoiding source address validation, or we need to
have a solution where the MASQUE server can verify the source address ownership
to the client. Secondly, this allows then route injection into the routing
system that are likely to go all the way to BGP in the general case. 

I think I understand Google's use case and why they push this, and from their
perspective this is done using internal network resources and networks prefixes
that they will control and they can authorize. However, from a general MASQUE
solution this do require a security solution and discussion of this security
threat realted to source address validation, and impact on routing. Thus, the
scope of the work if B) is included is significant larger and will take longer
time. 

I would propose that B) is not taken on initially and is for future
consideration. With that I requirements 3.4, 3.5, 3.6 can be modified and
simplified. 

I also think that not having a discussion of addressing architecture and
implications on routing by network proxying, which is what Section 4.1 states
will result in a solution that will not be published. So also that needs to be
addressed. 

The below question will also show that I think this document needs to mature a
bit prior to adoption. 

 
I also have some questions on the draft:

A. In Section 3.4:

   Similarly, to support the network-
   to-network use case, the server will be able to request assignment of
   an IP address range from the client, and the client will either
   assign a range or decline the request.

Can you elaborate why the Server would need an IP address from the Client's
network? The client will need to be a gateway in the client side network to be
able to receive the traffic to forward, but I don't see why the server needs
appear as that gateway?

B. Section 3.6:

I do understand the need for some identify. The server first of all to allow the
client to determine it is communicating with the right MASQUE server. However
for the identification of the client, is that likely at all to be a domain
name?Isn't that a user name, or some other form of authorization to use the
resource. 

C. Section 3.8 in this context I think there are more than the endpoint that
needs authoriztion if network to network proxying would happen. Also, extension
to OAUTH, doesn't that require work in another WG. It looks like more
explanation of what the needs are that prompt the need for extending the
authorization protocol. 

D. Section 3.10

I don't see an issue with a tunnel protocol being used without flow control. If
one overwhelm either of the MASQUE client or server that is equal to congestion
in the network. However, in the meeting I got the impression there was
consideration to disable congestion control also. Is this or not a requ

E. Section 3.11

I think a general VPN use would from a traffic pattern would be distinguishable
from encrypted HTTP Web traffic. Is only wire format the goal here?

F. Section 3.14

Do I interpret this section correctly that it requires a IP session to be split
from a client to two servers? If that is the case that will imply additional
functionality for path selection on a sub IP session flow level to avoid
reordering within such subflows. 

Does this also need some additional concerns if someone deploys the servers
under different networks, resulting in multi-homing scenarios where outgoing and
returning traffic for sub-flows ends up in different paths? In general you will
get some traffic steering concerns to deal with. 

To me this requirement appears to potentially imply quite a bit of more
functionality to work. 


Cheers

Magnus Westerlund 


----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Mobile +46 73 0949079
Torshamnsgatan 23           |
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email