Re: [Masque] DNS in connect-ip
Ben Schwartz <bemasc@meta.com> Tue, 19 March 2024 04:30 UTC
Return-Path: <prvs=8808b73314=bemasc@meta.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A155C14F6B2 for <masque@ietfa.amsl.com>; Mon, 18 Mar 2024 21:30:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.092
X-Spam-Level:
X-Spam-Status: No, score=-2.092 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meta.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zrR3HMJYmPSN for <masque@ietfa.amsl.com>; Mon, 18 Mar 2024 21:30:04 -0700 (PDT)
Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97D67C14F6A3 for <masque@ietf.org>; Mon, 18 Mar 2024 21:30:04 -0700 (PDT)
Received: from pps.filterd (m0109331.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 42IJjJek014495; Mon, 18 Mar 2024 21:30:03 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meta.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=s2048-2021-q4; bh=LzGTBFMaQQCGSr3p5c9FB2Z16m7IY8IKYg0aPK8s1I0=; b=fxGvgcwlC1MXKP5urOamPOHSg8XhyO6CUaJj5JZ7iwN3H6DESBVV0brLtp77nSs3Q8vl 6ksyVn0PAC9CUWa8ap9IFg/r76ria2/hL3PazMDSA15WTBsRBvsDE1vmeP6oKVOU2MyV b9h5Y6ucubKCigNdJ/3syBNDSpfLY8Wu8W/EE29MQpUGfw199UGdYA3W9+aRuM3UfVEs FcK9p+iQKS8PT/fc7sL6PlhY0ZRJ2UPzn2HUuqfPiKBn5KsONLT6gO6/gxd49eVAW6bL 5xdr4ot9uhp3CMnRFKU50O4avoOoxoSJBsUpi/d6fhayT1qBDMqTid74QRFWXaA1wBKO /A==
Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2168.outbound.protection.outlook.com [104.47.56.168]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3wxn06w2nt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Mar 2024 21:30:02 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Au5NqfqBq0cgLBRJQBh8SulOn/KLYB+uX/dkmsqns3EwZQm/CjhzxhRO8OSMUTL6YJgr+w1qd8RiGrDTHK7IVhanlrz+RN2LKRX9oQle2gThlmzK+y1ZXA7Wkv3J5vGYjQRusJauOuPqAkJqXQm0uVUkSvQNgSukWQb4dtOYQaQTwcM77KTWmTMggUGRwMQcvnfa7DYeUZOhioWauJXGxjgGUWs0GMUGN1fV41DeSnL/H1ogHEc2rVj+gk+GeLFQAOjqFfptSK8sYNcJQ53/HXAOjXgM4Oa+1RtXXheUGmTYi59vCGv7ovMMUfk97g0T+0JQ+h0TEeNDPASJZJr47w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=d5JJFsnJW7wsfYlyb9Qr2wc5Zy4F+uBYIjiF/PlN0rU=; b=MgzYBAjF00CMNpjV+Q1pVN3qZVZyEPsyULs9W9SnpAylnAjExM6Pj9cCRoIkRZ65zTQjyR1WDSnKbR8ZeaDnmVoF7cHTG1AdxLr2FNprlXTei1ZOcZD8YaMh6O8pKs0kYwIsAeGL85dIIpReVQuhDKBS/r4PH5TC3qqo6P0zuDKv2QxQw5egyw2qQRY4M0uKtWtOcBLQL7DLRdIMRiAyBVa2nPuHRWuxOud6GCdi6dwrjaV0BX1Pfb1jNrpXzeQYvo1tsmhbJdVTzFMUhRmdC5UFLE3h6mT0FguqvIttVKrA3hbHVLHh0YMVMf7f2BsIhfhQF6Ww9U9uozg4kA4w+g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meta.com; dmarc=pass action=none header.from=meta.com; dkim=pass header.d=meta.com; arc=none
Received: from SA1PR15MB4370.namprd15.prod.outlook.com (2603:10b6:806:191::8) by DM4PR15MB5477.namprd15.prod.outlook.com (2603:10b6:8:b6::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7386.28; Tue, 19 Mar 2024 04:30:00 +0000
Received: from SA1PR15MB4370.namprd15.prod.outlook.com ([fe80::50:3dc9:3ace:9a3a]) by SA1PR15MB4370.namprd15.prod.outlook.com ([fe80::50:3dc9:3ace:9a3a%5]) with mapi id 15.20.7386.025; Tue, 19 Mar 2024 04:30:00 +0000
From: Ben Schwartz <bemasc@meta.com>
To: David Schinazi <dschinazi.ietf@gmail.com>, MASQUE <masque@ietf.org>
Thread-Topic: [Masque] DNS in connect-ip
Thread-Index: AQHaeZz/5IqFW8ptd0yFqh08i5mMy7E+ZGZK
Date: Tue, 19 Mar 2024 04:29:59 +0000
Message-ID: <SA1PR15MB4370BB203F7907568CF27C27B32C2@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <CAPDSy+7iCh9P5vzRSTgBeBPMGJaCzeQQFguh4to9=ZJqZhgULQ@mail.gmail.com>
In-Reply-To: <CAPDSy+7iCh9P5vzRSTgBeBPMGJaCzeQQFguh4to9=ZJqZhgULQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR15MB4370:EE_|DM4PR15MB5477:EE_
x-fb-source: Internal
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: NwdOsUGtE4pNY4aHyribPOFpS8WIiBgLwHxTgRVdpoypy1yx3vGJV733DuysOgJFhH8zckY7nQ8HAn4G3XVXoHMTXKaerRoAq6DNRfCKWIaayDpgw6h1FaTz9rB5uCTVzUbBHLMeHGOcDiERPFU/WlZr990BbUpEWixneqTYNTgTdHwt0YOwWlZV+h2x8cpa/gTJ4xGZQ8grveUmSw3999Z/j5W80uVTJRvULbWhiIx8CptGaq7N7uIFHgCoe1Cs2ofpmg0S0uIMKAlN/MeKJD3sIeNG7cmFLCrchAtbjSgDAiv0axLJbNJv4YxKGit+RxpivrqePIa302h3Srn7+987I7gf5fOFiv1V7fR2LpVCdzuOQFnMnI0HOlUK1TkcHhtGFDkl/0GU8WTLcRN9SqvLzaQy22v53Oq0//8FXsFmVepOtQtD2/4meoDV7aDiU638UqV0JmS8t5Tkjn+38azb5IdYOB3NANGMAPweyvrF5RZuLw60HPpMQ+e3xyjC+m9U/wK53v55w8ghBRiAu4kMhKEj945+OOlqDZ+5Febtx5VjbvCo2PpJchBkZf+GKmQzomWxA364xM2vT+bkLdaSEQHBXY//5xZZuuslUtJJCaOKD37mJ/JdAHZ9GGtN
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA1PR15MB4370.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(1800799015)(376005)(366007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: nBpDDaBYyw/Ef4fNbQkv4ix00njTYvSm1l2XntYMV/weSH3oLqblSXcAC0gt4DiHKdqW8APnb1cddysDtj+uMAiLe1PqOsMgrDLZ8e/3MWguUQVKHjfoaB0c+svgmSJJ1cGYFEqx2A1DCccUlbNpOSICKolAE5ONNxi4n7PErhxXeHFz+8PlEkZPLbRujoqNccCOg6gGueuuCYnngtR4dvoVbKdqye9jMASZ429XX2PJACyOls6to7S0JlbkAJmKiZi/m1RSeeMkzjwFeAbFyUP6bzSTrl94MV4IQwfLpe0titRDiPGNiuCQLyfPbbErnvLPKtHhq64fhxDmzLv3TW59GJzAwOny5L6+UfgzIr4C7XatXrzwGpZeJh0XHQDqIBSGHMlZFjO+GcovnEs4uR/GwkpPTDshcAY29+YZYSU1VhSrCIvxFegTUD7HTbTUbQuF2qnCrYbis70hnCLdCrdoeY+uQbNIe/KtMTWTNYuEFuz5R2kHEyEYSmeeK64lDtkfN9oQTJNAzjXOJGjfEksBRyUvK99be2/UY2AKrADDNMPrHDB+mL3mCuKIEHv51DIk2KcYgF9yAao5IneETKzR1RR55i68Nsxm0LlMLlFiSh2WmQDPpW/591VSGv/uVFoiI4KLEc/Qy71fAIK0zwR3om2T1LnprWg8FUcM/gsnqNs/C2op2LbJ0dQPm47hwOf+FxNGLNVtMdCOwMmLLzTt0rqXwsbm1uIEqfM5MACXI0zXvossqQEpRxjjraz20moNDzL4JRF/xhKzYfk7SkknbKxZ9w6tFf3D0l3feqOe7p27v61+rBKQVv388rfK4LRszHpMiT1ZKLq87AMim1RvH4MR8YorAGfHYFjHKN1mu3kfHMw1e2M7SJkcyryLhKRmEtv4v7z5+viK0aBOjodqRS1i5TXa9jI2cpg0aDxlR5+Os+7tlaP0rvXPyEdY8vyVAbL8F7czQ71XtaWuv+LwSeYLSQ+Sc167PN8H++KZMdCA7OIM9XCvSuIFP6B+94CT118ukpttri/ZK05pGtdkStgfNsWaa5UPrsVfRoUR5KmolyTLLzIGTM5DBCwyE3acUqXHLfITij16Da4svTHTDzkNX288OWK7ktMBG8ItsyhOamiup8E12Ad3JVZIT46nlNi5CVCAJ9gWeCd1yntcOfbysMOvDZbMwGIFWdP/Uw06G9+3id7/61TTDhCSPTgZeI7jN+RCEjaYTMCFlUGhbceOAX8ql7iDDiWLfmj8NGgvyjicG4fvppfqz9pl4vbjMaggH8TEnMtGOqw/dpBzFirET9LDg8orqjsxvo9dL6oXeXZwrnx/mbM4UOTQl/KhZHhwKEtKg6jwHCOkQp+QbfyG+OszQOOKXAmOAULAaIwRyNhWr2WEFWFg4hy4bL7TScNxj6QEgdTYIRjvl0snSEkhm1nSoH0Gx1OAKDxSUYmedwS6qF8G9ua4VvxFFqIrJaTASMKoc0gRQtRt+oY0HSGj5N7U+C+x3kx1/V619TFzAV7oSJ6WTiDCvezYRL6wsDKU8MmuNStyScd3ilAAoFezlNdd5ms1HBhcoKY9+J6KXtbmAac6z/of6dsuhzy5cNLxkCeaheYr+Jr7A58GytAiAkgypRCP5B8zKRg=
Content-Type: multipart/alternative; boundary="_000_SA1PR15MB4370BB203F7907568CF27C27B32C2SA1PR15MB4370namp_"
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR15MB4370.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ef6f7d5d-a051-4a32-236d-08dc47cd3d27
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Mar 2024 04:29:59.9321 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kotpie4rIQxFtdZivrtj1Diar+Uc8b/UmpIyedF90BLW626zGGVf0Uc3SKlGzMNs
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR15MB5477
X-Proofpoint-GUID: URd_Zh18iAoxcNtIFqcdqwEee_jXdbrc
X-Proofpoint-ORIG-GUID: URd_Zh18iAoxcNtIFqcdqwEee_jXdbrc
X-Proofpoint-UnRewURL: 2 URL's were un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-18_12,2024-03-18_03,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/7icACk7toghl9s_3J6LkNHmjjoc>
Subject: Re: [Masque] DNS in connect-ip
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 04:30:08 -0000
I think this would be a good and logical design if we believe that connect-udp, DoH, DNR (RFC 9463), PvD, etc. should not be combined with connect-ip. In that case, connect-ip needs some kind of basic 1990s-style in-band DNS bootstrap mechanism, like DHCP or IPv6 RA, resulting in things like INTERNAL_IP4_DNS in IKEv2. I would prefer a design where these standards are combined into an integrated package, with DNS specified alongside connect-ip, connect-udp, etc. That would allow a variety of behaviors that are difficult or impossible in this draft: * Clients could do a DNS query, get an HTTPS record, and then choose between connect-ip and connect-udp based on the indicated ALPNs. * DNS could use a secure transport (without the delay of a DDR upgrade and reliance on IP certificates). * DNS queries could avoid various inefficiencies of conveyance over connect-ip. * Clients could use connect-ip's "target" and "ipproto" fields to connect to a destination selected via DNS. * Clients could avoid establishing a connect-ip tunnel that turns out not to be needed for any current destination. * connect-ip and connect-udp could share a DNS configuration (which logically applies to both). * Clients could be protected from domain hijacking by draft-ietf-add-split-horizon-authority. Overall, I think connect-ip, connect-udp, and DNS are all building blocks for a complete access service, and we should combine them via an overarching configuration, rather than trying to extend each of them as if it were the main "entry point". Vending a "connect-ip" template directly to a client should be viewed as an extremely low-level configuration flow, similar to manually entering an IP gateway. Not coincidentally, this is basically the argument for https://datatracker.ietf.org/doc/draft-schwartz-masque-access-descriptions/ --Ben ________________________________ From: Masque <masque-bounces@ietf.org> on behalf of David Schinazi <dschinazi.ietf@gmail.com> Sent: Monday, March 18, 2024 9:29 PM To: MASQUE <masque@ietf.org> Subject: [Masque] DNS in connect-ip Hi fellow enthusiasts, Some colleagues recently reached out to me asking about implementing connect-ip into their platform as a VPN client, next to their IKEv2/IPsec implementation. However, they rapidly found that connect-ip didn't have ZjQcmQRYFpfptBannerStart This Message Is From an External Sender ZjQcmQRYFpfptBannerEnd Hi fellow enthusiasts, Some colleagues recently reached out to me asking about implementing connect-ip into their platform as a VPN client, next to their IKEv2/IPsec implementation. However, they rapidly found that connect-ip didn't have a way to communicate DNS servers in-band, and that's a pretty important feature that almost every VPN protocol supports. Back when we standardized connect-ip, we had decided to not put it in RFC 9484 and that we'd do it later as an extension. Now that there's implementer interest, I think it would make sense for us to work on this. So I wrote up a quick draft about this: https://datatracker.ietf.org/doc/draft-schinazi-masque-connect-ip-dns/<https://datatracker.ietf.org/doc/draft-schinazi-masque-connect-ip-dns/> The chairs have gracefully accepted that I present this in the as-time presents section of the agenda today. I wouldn't expect anyone to have read the draft by then, and I'll cover the overall idea in the presentation to gauge interest, but I thought I'd still post it in case someone's bored between now and the session later today. Cheers, David
- [Masque] DNS in connect-ip David Schinazi
- Re: [Masque] DNS in connect-ip Ben Schwartz
- Re: [Masque] DNS in connect-ip David Schinazi
- Re: [Masque] DNS in connect-ip Ben Schwartz
- Re: [Masque] DNS in connect-ip David Schinazi