Re: [Masque] Tsvart last call review of draft-ietf-masque-connect-ip-08
David Schinazi <dschinazi.ietf@gmail.com> Thu, 30 March 2023 04:47 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D39CDC14CEFF; Wed, 29 Mar 2023 21:47:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.852
X-Spam-Level:
X-Spam-Status: No, score=-5.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCIzogP5cu5f; Wed, 29 Mar 2023 21:47:38 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31EC0C14F726; Wed, 29 Mar 2023 21:47:38 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id h8so71680434ede.8; Wed, 29 Mar 2023 21:47:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680151656; x=1682743656; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wApU/DWMlDGNTWKFD88K+I47qXV44rbbMk+gvHknRz0=; b=diLUigO4q2/K0GcsgOYntk1yyDpn3lYHBdK3xZcFRbIavOalieYkXWyekvCZmpsbnC c7q7QK0jfqVwhCMc+mN3pXNvr6oXW1HUFLaRQhDpkf20Rcrx++rKqQnTD1v5/nJItbAn nM0Mhu/lnh/mncJXg14jADuWcLipfAatviOA3ov5ic/ahjS1ht/dcPIQb+RWn/+NDRwc j8whLmweC+HitaqvVVR6tGIOVJXD5szRYFvYT8uQRsk/tKqKMmnOlq9OEcX/UM8jJNcu iqLljBiv3G/1khoUZ6Hs3mga0ycOtoRpWxkonkd+X84oOdfBi/QbbnauDAPytqI9DINe Powg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680151656; x=1682743656; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wApU/DWMlDGNTWKFD88K+I47qXV44rbbMk+gvHknRz0=; b=ZqgoIxzCowrGeg8RsPGIVKhdbNOLdjT7yVF+KwXkB9PkUbTGBPPrD2td8xmCt8tU1w A/s76UP6a8wt1mJcmE2MSlSmTwSHjg5vWyZDCo99D+U5wDba/VfthASW9Nb/EpjWy38a 93Rh4yi46MiDtIgu6c5Guk7h/OYjwMPx9A5Y3o1Q01XPWuRK94iACfayPK8IWB57tkTt mwNSyBYxriU8gKL5j/xJo0MsuH84PT/ZAbIy1wJcPOGYZoQ/vuQQfE2yHi8F6eqASyhB p7j7xUjyaRfWAhrYNiG99jJXc29D/KMpWiVkMKESjUs8mTLrHbCBd80Yhvfea8QanlsC 5qdA==
X-Gm-Message-State: AAQBX9ewMM5cYF9H95Jb5tPx954SA5QqA/HpyU1cOpKqsKp171UkmDhM JmM8fxZYvqmcUV9ofhxB8WYkNgLbgDlUkbsh3ZNtZ4VowG2l9g==
X-Google-Smtp-Source: AKy350bMz8twpVeycT60V7fleQ1rRYoHgCWxR4ylbLXV8pBrdHUQG8OJuln9T/RgyAweYNS+VKKa/jGSvTcrxZeudkc=
X-Received: by 2002:a17:906:16da:b0:8b2:d30:e728 with SMTP id t26-20020a17090616da00b008b20d30e728mr10987603ejd.1.1680151655473; Wed, 29 Mar 2023 21:47:35 -0700 (PDT)
MIME-Version: 1.0
References: <168004824424.62790.4460255897375599810@ietfa.amsl.com> <DU0PR07MB8970244B99139BEDE384AB3295899@DU0PR07MB8970.eurprd07.prod.outlook.com>
In-Reply-To: <DU0PR07MB8970244B99139BEDE384AB3295899@DU0PR07MB8970.eurprd07.prod.outlook.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Thu, 30 Mar 2023 13:47:24 +0900
Message-ID: <CAPDSy+4M7p3k+Mrp5HhkbFiY5i5ixCzsrYD3G30MPE7E1ditmQ@mail.gmail.com>
To: Bob Briscoe <ietf@bobbriscoe.net>
Cc: "tsv-art@ietf.org" <tsv-art@ietf.org>, "draft-ietf-masque-connect-ip.all@ietf.org" <draft-ietf-masque-connect-ip.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "masque@ietf.org" <masque@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000097e54605f816ca95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/7bU2pETclyTIkpiounexroNz0i4>
Subject: Re: [Masque] Tsvart last call review of draft-ietf-masque-connect-ip-08
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2023 04:47:42 -0000
Hi Bob, Alex and I sat down to go through your thorough review in detail. I'm sending our responses below marked with "EDITORS:". Important note: in this email, EDITORS refers only to Alex and myself, not all document editors/authors. Apologies if the email formatting comes out strange. Thanks, David On Wed, Mar 29, 2023 at 2:48 PM Magnus Westerlund < magnus.westerlund@ericsson.com> wrote: > Hi Bob, > > > > Thanks for the review. We authors will have to go though your comments in > details. It is unfortunate that you did not review HTTP Datagram > specification (RFC 9297) prior as that is allowing sending of datagrams > over HTTP/3. In my initial read through of the comments I think most still > applies as they are not directly related to if the tunneled IP are in > datagrams (unreliable in delivery order) or in streams (reliable in order > delivery). I do know some of the issues you bring up have been discussed > but was not documented. We will have to consider if the choice to not > document them should be changed or not. > > > > Cheers > > > > Magnus > > > > *From: *Bob Briscoe via Datatracker <noreply@ietf.org> > *Date: *Wednesday, 29 March 2023 at 09:04 > *To: *tsv-art@ietf.org <tsv-art@ietf.org> > *Cc: *draft-ietf-masque-connect-ip.all@ietf.org < > draft-ietf-masque-connect-ip.all@ietf.org>, last-call@ietf.org < > last-call@ietf.org>, masque@ietf.org <masque@ietf.org> > *Subject: *Tsvart last call review of draft-ietf-masque-connect-ip-08 > > Reviewer: Bob Briscoe > Review result: Not Ready > > This document has been reviewed as part of the transport area review team's > ongoing effort to review key IETF documents. These comments were written > primarily for the transport area directors, but are copied to the > document's > authors and WG to allow them to address any issues raised and also to the > IETF > discussion list for information. > > When done at the time of IETF Last Call, the authors should consider this > review as part of the last-call comments they receive. Please always CC > tsv-art@ietf.org if you reply to or forward this review. > > ----------------------------------------------------------------------- > ==Overall comments== > > How can I say this politely? The HTTP aspects of this document are great > work > and near-complete. However, the tunnelling aspects, in particular the > layering > interactions need a lot of work - possibly even a partial redesign in > places. > Also, the security aspects seem to have been viewed through rose-coloured > spectacles; sthg like "Most people who like privacy are nice". > > Well-written, but not an easy read in a single pass (not clear what the > point > is for quite a few pages and lots of forward x-references). Early overview > of > the scheme would help. Need to bear in mind that cross-layer work has to be > addressed at a wider community who don't necessarily all subscribe to the > same > mind-share. > > ----------------------------------------------------------------------- > ==Document Structure== > > I believe §§3-4 are about the tunnel config, and §§5-7 are the per-packet > aspects of the tunnel. Might be worth explaining that in a doc roadmap. > > EDITORS: That's a reasonable editorial ask, we'll look into it as editors > and see what we can do. > > §6 "Payload Format" > This section needs to be split and/or re-titled, 'cos in the middle (from > "Client MAY optimistically start sending...") it switches to operation, not > format. At "Note that endpoints will decrement..." it switches to TTL > handling. Then at "IPv6 requires that.." it switches to MTU discovery, > which is another aspect of operation. > Just because TTL and packet size are fields of an IP packet, doesn't mean > these aspects fall under the heading of "Payload Format" - these paras are > about handling these fields, not defining their format. > > EDITORS - We agree, filed an issue to track adding a new Performance > Considerations section: > https://github.com/ietf-wg-masque/draft-ietf-masque-connect-ip/issues/144 > > ----------------------------------------------------------------------- > ==Gaps== > > ===A) No discussion of packet ordering === > > Although one of the variants of HTTP (http/3) is over UDP, which is > unordered, QUIC still delivers an ordered stream to the app (which, in this > case, is the inner of the tunnel). So, presumably as packets arrive at the > proxy, if there has been misordering or a loss, QUIC will buffer until the > next packet in order can be delivered, i.e. head-of-line blocking. Hence, > it's not really advisable to forward connectionless packets through a > connection-oriented tunnel. The privacy benefit might make the poor latency > performance worth it. But this trade off at least needs to be stated, > perhaps in an applicability section. > > I don't think an http3 stream is any less granular than an http2 stream or > an http1.1 connection in this proxy arrangement. But if it is, each need to > be discussed separately. > If there is a vision to use an unordered variant of QUIC, then there could > be problems with Context IDs being processed out of order, which could > produce all sorts of unexpected side-effects, given Context IDs are > potentially stateful (caveat: you will see that I don't really understand > what Context IDs might be used for). > > EDITORS: As discussed, this section is incorrect. > > ===B) Conflicting Congestion Controllers (CCs) === > > Needs a section sthg like §12.1 of RFC8229, except: > > That text mostly just listed the problems, but the implication of > publishing such a section in a spec is essentially, "We've told you the > problems, but now go ahead anyway." This is not just a TCP in TCP problem. > It's any nesting of two or more CC-controlled protocols (e.g. TCP within > QUIC, QUIC within QUIC, etc) > > As above, if this is a trade off between privacy and performance, that > needs stating. > > EDITORS: This makes sense, we'll add some text. Tracking in this issue: > https://github.com/ietf-wg-masque/draft-ietf-masque-connect-ip/issues/145 > > ===C) Overlapping connection life-cycles === > > If a proxy crashes, powers down, etc. can it be brought back up with all > the connection state restored that it held before it failed? Otherwise, all > the connections within the tunnel inner depend on the survival of their > outer connection. There is no reason to believe that all the inner > connections are dispensable. > > Would a soft-state design be more resilient than the hard-state design > described? > > EDITORS: This is true of all tunnels, for example IKEv2/IPsec. Luckily > here we can use ADDRESS_REQUEST to recreate the same state and avoid > connections breaking > > [The above points (A-C) are examples of the problems I mentioned when > using a connection-oriented protocol to tunnel a connectionless protocol.] > > ===D) Applicable Next Headers (aka IP Protocols) === > No discussion of whether some IPv6 'Next Headers' (or IPv4 Protocols) are > not applicable / unsafe / poor performing. > > The last time that I proposed a generic UDP tunnel to the Intarea as an > alternative to GUE, the criticism was that it was "too generic". I was told > that the choice of tunnel protocols is about whether they are sufficiently > limiting; the aim is not totally generic. > > EDITORS: This document is about creating an IP tunnel over HTTP so we have > a tight scope based on the underlying protocol instead of on the high layer > protocols. > > === E) Applicable Address Ranges === > > Are anycast addresses in scope? IP multicast? > Link-local multicast is mentioned. What about ARP? Service Discovery? > > EDITORS: We've documented the address types that require implementation > involvement. Anycast and (non-link-local) unicast are equal to unicast as > far as a single link is concerned. ARP operates at L2 so it doesn't apply > to an L3 tunnel. Similarly, service discovery protocols don't need any > special guidance. > > ===F) Propagation of IP headers and header fields between inner and outer. > === > > Some IPv6 extension headers are copied from inner to outer on > encapsulation; others aren't [RFC2473; §5.1]. The outer IPv6 flow label is > often zeroed. The contents of the DSCP, and ECN fields can be propagated > from inner to outer and the ECN outer is propagated back to the forwarded > header [RFC2983], [RFC6040]. > > Because there's a whole stack of headers between the inner and outer IP > headers (e.g. IP, UDP, QUIC, HTTP, IP), the draft needs to make it clear > that these copying and propagation rules still apply between the two IP > headers. > > EDITORS: This is a tunnel operating at L7, not an L3/L4 encapsulation > format. Copying these fields doesn't make sense because it is possible to > have multiple IP packets inside a single IP packet. > > ===G) No explanation of pros & cons relative to other packet tunnelling === > Yes, we can tunnel anything over anything, but why this one? AFAIK, it's > to hide traffic in the HTTP crowd for privacy. But what are the merits > relative to hiding in other crowds? And the drawbacks (e.g. HoL blocking as > mentioned above). In particular, the pros & cons vs UDP in HTTP. > > EDITORS: There are many motivations for tunneling IP over HTTP, one of > them being that it allows traveling through HTTP load balancers. This is > discussed in our charter and doesn't need to be added to the document. > > ===H) Role reversal? === > > It's not made clear whether there's anything intrinsically 'clientish' > about a client. Or 'proxyish' about a proxy. Especially in a bump in the > wire topology (like the site-site VPN example), does it matter which is > which? Is it just determined by the administrator setting a proxy up in > listen mode? Is there anything that one or the other cannot do by virtue of > its role, other than initiate a connection to the other one? Shouldn't the > draft speak about this if it requires correct manual set up? Particularly > for tunnels consisting of chains (or trees?) of intermediaries. > > EDITORS: The terms "client" and "proxy" are HTTP terminology. The client > sends the request, the proxy responds. Once the tunnel is up, the draft > talks about endpoints and peers because then it's symmetric. > > ----------------------------------------------------------------------- > ==Section by Section== > > 1. Introduction (and Abstract) > > "...updates RFC9298" > It's not at all clear to me what aspect of RFC9298 this RFC updates. It > seems unlikely, given IP Proxying is an alternative to UDP Proxying, not an > update. But if it does, the draft needs to say what it updates. And, if > RFC9298 were updated by this draft, it would surely be a normative > reference, not informative. > > EDITORS: Fair enough, we'll add text. Tracked in this issue: > https://github.com/ietf-wg-masque/draft-ietf-masque-connect-ip/issues/146 > > 3. Configuration of Clients > > Reasoning for each each URI template rule? > I can't really judge whether this set of rules leaves the URI template > flexible enough, without knowing the reason for each constraint. Is this > explained in "Proxying UDP in HTTP"? If so, a ref would be useful. "IP > proxy deployments SHOULD offer service at this location if they need to > interoperate with such clients." Surely "MUST" to interoperate? > > EDITORS: That's right, the MUST was to simplify interoperating. We made > these decisions for CONNECT-UDP as a WG and then decided to keep the same > ones for CONNECT-IP. > > 4. Tunnelling IP over HTTP > > "When sending its IP proxying request, the client SHALL perform URI > template expansion..." Surely just "... the client performs..." (just a > necessary process step, not an interop requirement) > > EDITORS: We disagree, making this normative is clearer. This matches our > editorial style in 9298. > > "IP proxying requests [responses] do not carry any message content." Is it > an error if they do? > > EDITORS: The stream is taken over by the capsule protocol. Data on the > stream is not message content as the data stream has been taken over. See > 9297 for details. > > 4.1. IP Proxy Handling > > "...the IP proxy MUST perform DNS resolution..." Surely "... the IP proxy > performs..." (just a necessary process step, not an interop requirement) > > EDITORS: We disagree, making this normative is clearer. This matches our > editorial style in 9298. > > "IP proxies MAY choose to tear down the tunnel due to a period of > inactivity" Better? "IP proxies MAY choose to tear down the tunnel, e.g. > due to a period of inactivity" Rationale: there are other possible reasons, > e.g responding to an attack. > > EDITORS: It's already clear that the proxy can tear down the tunnel, this > bit is about lifetime > > "Any response other than a successful response indicates that the request > has > failed; thus, the client MUST abort the request." This is repeated at each > instance in the subsequent sections. Either not needed here as well, or not > needed in each section as well. > > EDITORS: This isn't repeated, they're separate requirements. > > 4.6. Limiting Request Scope > > "When the IP proxy knows that a request is scoped to a target prefix or > protocol, it can leverage this information to optimize its resource > allocation..." This highlights that the protocol relies on a perverse > incentive for the client to scope its request so that the server can > optimize its resources. That smells like potentially the opposite of > resource optimization, i.e. a vulnerability; clients can scope their > requests to force a server to frag its resources. Perhaps consider > redesigning the protocol so that the server initiates the scoping (or at > least it can somehow negotiate the outcome)? > > EDITORS: The server is always able to abort the tunnel if it doesn't want > to spend resources. The protocol as currently designed is what we need in > practice, your proposed redesign is not. > > "target: ...the IP proxy is expected to perform DNS resolution ..." Might > this potentially amplify a resource exhaustion vulnerability, esp. if the > client continually gives the proxy DNSSEC work? > "IP proxies MAY perform access control using the scoping information > provided by the client: if the client is not authorized to access any of > the destinations included in the scope, then the IP proxy can immediately > fail the request." I think the clause after ':' ought to be tagged as an > example. I think it's intended to be a degenerate/extreme example. > Whatever, its relation with the earlier words is unclear. It's possible > this would be better in §4.1, which is where it would fit into the process > steps. However, at that point in the draft, scope limiting hasn't been > explained. I'm in two minds. > > EDITORS: I agree with you that this change doesn't really improve things, > so we'll keep them as-is. > > 4.7. Capsules > > Are all control messages to the tunnel on one stream, or can each capsule > arrive in a separate stream, or is it up to the operator? IOW, do capsules > have to be acted on in the order they are sent, or does it depend? > > EDITORS: Please read RFC 9297 § 3. Capsules are sent on the one (only) > stream, and are sent in order. Capsule protocol does not require they be > processed in order, but in almost all cases should be. > > §4.7.1 The last para starting "Note that the IP forwarding tunnels > described in this document..." seems more like an architectural point that > ought to be stated earlier. It's related to ADDRESS_ASSIGN, but is it > really appropriate to bury it here? > > EDITORS: Agreed, tracked in this issue: > https://github.com/ietf-wg-masque/draft-ietf-masque-connect-ip/issues/144 > > §4.7.2 > IP version: > Address assignment syntax presumes that two request prefixes will return > two addresses. I think this means that an endpoint cannot request just one > address, when it doesn't mind whether it's within a certain IPv4 address > range or a certain IPv6 address range. In the happy eyeballs example, this > returns two addresses. Similarly, I don't think the syntax can express no > preference for a prefix length. Only a specific prefix length is possible. > Correct? Should these limitations of the syntax be pointed out? > > EDITORS: If a client wants exactly one address, but doesn't care which > address family, it should send an ADDRESS_REQUEST for v4 as 0.0.0.0/32, > and if it does not get one assigned, then send a request for v6 as ::/128 > (or other mask). (This algorithm can be run in the reverse order as well) > If it wants _at least_ one address of either address family, it should > send a single ADDRESS_REQUEST asking for both, and simply not use the > assigned address of the address family it is uninterested in. > > §4.7.3 > "...the most recently received ROUTE_ADVERTISEMENT capsule..." I assume > this means most recently received after reordering has been corrected. See > my first point under Capsules about control message ordering. > > EDITORS: Please read 9297. These capsules are on the reliable stream and > are delivered in order. > > §5 Context Identifiers > > The point below is in a similar vein to the earlier point about whether > generic support of IP Protocols (Next Headers) is a boon or a bane... > > This section seems like it's early research. It's vague, with no examples > and no clear purpose (to me). So one cannot reason about what security > vulnerabilities it might open up (let alone what flexibility it potentially > affords). There is no citation of [HTTP-DGRAM] in this section, nor > explanation of the purpose of a Context ID. > > EDITORS: The first paragraph explains the rationale. This feature was > discussed at length in the WG and we decided to add context IDs to both > CONNECT-UDP and CONNECT-IP. > > "The Context ID value of 0 is reserved for IP payloads, " This clearly > means that non-IP payloads cannot use 0, but does it also mean that IP > payloads cannot use non-zero values? It's not clear, but none of the > examples (that all use IP) show a non-zero Context ID. A later para (2nd > para under Fig 13 in §6) seems to more unambiguously define a 1:1 mapping > between IP and Context ID=0. If so, I don't understand the point of a > Context ID in these tunnelling cases. What am I missing? > > EDITORS: Context IDs are registered and can be for any purpose. Context ID > 0 is pre-registered for full IP payloads. Future extensions can perform > registration to create new context IDs with different payload types > > "it is possible for datagrams to be received with Context IDs that have > not yet been registered. For instance, this can be due to reordering of the > packet containing the datagram and the packet containing the registration > message during transmission." So..., what happens then? > > EDITORS: Datagrams referring to context ids that are not yet registered > can either be buffered or dropped by the receiver, at their discretion. We > don't provide specific guidance because this behavior will be specified by > extensions that use the context ID and that guidance might vary between > extensions. > > 6. HTTP Datagram Payload Format > > "Context ID: > A variable-length integer that contains the value of the Context ID. > If an HTTP/3 datagram which carries an unknown Context ID is received, the > receiver SHALL either drop that datagram silently or buffer it temporarily > (on the order of a round trip) while awaiting the registration of the > corresponding Context ID." > > A number of problems here: > * undefined what happens if an http/2 or http/1.1 datagram carries an > unknown Context ID? > * For TCP, the app layer doesn't know the RTT. > > EDITORS: This won't happen in HTTP/2 or HTTP/1.1, because everything is > delivered in order by TCP. > > * Isn't this a resource exhaustion vulnerability? the sender contrives > packets with Context IDs that cause the receiver to buffer everything, > exhausting the memory available for other senders. > > EDITORS: We're still bound by TCP flow control. Additionally, the receiver > is allowed to drop so it'll do that. > > "Endpoints MAY implement additional filtering policies on the IP packets > they forward." Eh? This is the first mention of filtering policies. > > EDITORS: Agreed, this is the first mention. Implementers of IP tunnels are > familiar with the concept. > > > 7. Error Signalling > > For a bump in the wire topology, can an ICMP error be sent back, from one > IP side to the other, through the HTTP tunnel and out the other side? That > will probably work. However, presumably an ICMP error raised by the network > within the extent of the HTTP tunnel will be directed back to the ingress > tunnel endpoint but no further. > > EDITORS: CONNECT-IP conveys ICMP inside the tunnel only and is not > responsible for any ICMP messages on the outer connection. Existing > handling rules apply and are out of scope of this document. > > 8.4. Proxied Connection Racing > > It might be worth pointing out in a note at the end of this example that, > as well as the proxy deciding to set up parallel tunnels, the approach > would also allow the client to initiate parallel tunnels. > > EDITORS: We don't see value in adding this note to this example. The > proposed note is a completely different example. The proxy cannot set up > parallel tunnels; only the client issuing CONNECT-IP can set up a tunnel. > The right-hand side are not tunnels in this example. > > 10. Security Considerations > > I find it quite lame/naïve that this section essentially says, "This Proxy > design gives arbitrary clients great power, both to toast proxies and to > make them appear to be the senders of arbitrary messages to arbitrary > destinations" BUT, "That's not a problem, because a proxy SHOULD restrict > its use to authorized users." > > This massive "get out of jail free" card begs the question, "What > management > processes are necessary for this proxy to monitor users to determine > whether to remove their authorization?" It's akin to saying, "We're going > to issue automatic assault rifles to everyone over the age of 6, but it's > not a problem, because it's illegal to shoot someone without a permit." > > EDITORS: Your comment is both ableist and violent. Please rephrase this to > be professional and actionable and then we'll discuss more. > > ----------------------------------------------------------------------- > ==Nits== > > EDITORS: We've looked through these nits and made minor changes to the > document for the ones we agree with. > > "HTTP provides the CONNECT method (see Section 9.3.6 of [HTTP]) for > creating a > TCP [TCP] tunnel..." > Citation of IETF core protocols like [TCP] is unnecessary. And > definitely > not normative - this sentence is informatively comparing this draft > with a > TCP-based alternative. > > §3 > s/an URI/a URI/ > (unless we're meant to pronounce URI like Cockney "In an 'urry luv?" :) > > §4 > Para 1: "To allow negotiation..." > Para 3: "To initiate an IP tunnel..." > I think these two paras repeat each other. But para 3 is better: a) > initiate is > a better word than negotiate (AFAICT there is no negotiation), and b) it > explains that it's a /single/ HTTP stream. > > "IPv6 scoped addressing zone identifiers..." ref? [RFC6874]? > > §4.7.3 > Using 'IP Protocol' rather than 'Next Header' as the keyword within an IP > Address Range is rather politically incorrect for IPv6 zealots, isn't it? > :) > > Is 'equal than' (2 occurrences) correct in US English? It's certainly not > in > British. I can't find any reference to it. > > §6 > s/since receiving addresses and routes is/ > /since receipt of addresses and routes is/ > > "When an endpoint receives an HTTP Datagram containing an IP packet, it..." > a tunnel endpoint? > > MTU sometimes ought to be PMTU. > > "HTTP Datagrams with payloads of at least 1280 bytes" > Fig 13 potentially labels two things as HTTP Datagram Payload. Which is > meant > here? I assume the inner one, but it needs to be clear. > > "...the endpoints can pad the QUIC INITIAL packets of the underlying QUIC > connection that IP proxying is running over. (Assuming QUIC version 1 is in > use,..." The parenthesis needs to be tagged as an example. > > §8.1 > In the format defined in §1.3 of [QUIC] and used in the examples, a value > after > '=' is normally numeric. the following format threw me: > Payload = Encapsulated IP Packet > I thought that must imply a field announcing that the type of the payload > is > the string "Encapsulated IP Packet". Any chance this could be bracketed off > somehow, e.g. > Payload = <Encapsulated IP Packet> > Is there any precedent in RFC9000 for an unquoted/unbracketed description > of a > binary blob on the RHS of '='? > > §8.4 > "The IP proxy assigns the client both an IPv4 address (192.0.2.3) and > an > IPv6 address (2001:db8:1234::a) to the client." > Delete first occurrence of 'the client'. > > §10 > s/IP proxies SHOULD restrict its use to authenticated users./ > /IP proxies SHOULD restrict their use to authorized users./ > Reason: as well as the incorrect singular, following the literal rule as > originally written would give access to authentic criminals. > > §11.1 > There's a few places in the IANA section where editor's marks might be > useful > to identify text that will need to be updated once approved. > > Cheers > > Bob > >
- [Masque] Tsvart last call review of draft-ietf-ma… Bob Briscoe via Datatracker
- Re: [Masque] Tsvart last call review of draft-iet… David Schinazi
- Re: [Masque] [Last-Call] Tsvart last call review … Ted Hardie
- Re: [Masque] [Tsv-art] Tsvart last call review of… Bob Briscoe
- Re: [Masque] Tsvart last call review of draft-iet… Magnus Westerlund
- Re: [Masque] Tsvart last call review of draft-iet… David Schinazi
- Re: [Masque] Tsvart last call review of draft-iet… Bob Briscoe
- Re: [Masque] [Tsv-art] Tsvart last call review of… Bob Briscoe
- Re: [Masque] [Tsv-art] Tsvart last call review of… Bob Briscoe
- Re: [Masque] [Tsv-art] Tsvart last call review of… David Schinazi
- Re: [Masque] Tsvart last call review of draft-iet… David Schinazi