Re: [Masque] New Version Notification for draft-schwartz-masque-access-descriptions-00.txt

Tommy Pauly <tpauly@apple.com> Thu, 14 April 2022 16:07 UTC

From: Tommy Pauly <tpauly@apple.com>
Date: Thu, 14 Apr 2022 09:07:48 -0700
Cc: MASQUE <masque@ietf.org>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/GEabNxPdlkvvMsbf4HQHsXKvzDs>
Subject: Re: [Masque] New Version Notification for draft-schwartz-masque-access-descriptions-00.txt

Hi Ben,

Speaking from the experience we’ve had in actually configuring clients to use MASQUE, I agree that the right thing to do is to use a single URL to identify the proxy service that can support CONNECT/CONNECT-UDP/CONNECT-IP. It’s useful to be able to have other attributes configurable too, of course, such as keying material for authentication/pinning.

I don’t think that it makes sense to overload DoH into this directly. A proxy server doesn’t necessarily have any relation to a DoH server — you may access your DoH (or ODoH/OHTTP) servers through a proxy. Having a MASQUE proxy URL also be able to handle being an OHTTP/ODoH proxy is more useful, in my opinion, and is what we are currently doing.

To that end, it may be useful to have some markings to say what set of HTTP proxying protocols a proxy URL supports (CONNECT / CONNECT-UDP / CONNECT-IP / POST for oblivious). That may also be something you could just ask the proxy via some query.

To the other questions:
- Trying to express split tunnels sounds like the wrong thing — even a VPN config doesn’t generally tell you up front if it is full or split.
- Certainly we should avoid the complexity of PAC files!
- A proxy becomes a PvD in that it has a self-consistent way of accessing other hosts; the question is if we have a way to access its broader metadata, which may be the way to query the properties I mentioned above.

Best,
Tommy
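The configuration shape discussed above (one proxy URL, a marking of which HTTP proxying protocols it supports, and pinning material) can be made concrete with a small client-side loader. This is an added example and is not code from the thread, from the draft, or from any deployment; the JSON keys `proxy`, `protocols` and `spki_pins`, the protocol name set, and the sample values are assumptions made here for illustration, not the draft's format.

```python
"""Client-side loader for a hypothetical single-URL proxy description.

Added example: the schema (keys "proxy", "protocols", "spki_pins") and the
protocol name set are assumptions for illustration, not the draft's format.
"""
import base64
import hashlib
import json
from urllib.parse import urlparse

# Proxying protocols named in the thread; "oblivious" stands for the
# POST-based OHTTP/ODoH relay role.  The set itself is an assumption.
KNOWN_PROTOCOLS = ("connect", "connect-udp", "connect-ip", "oblivious")


def parse_access_description(text):
    """Parse a JSON description and validate it into a plain dict.

    Required: "proxy", an https:// URL naming the proxy service.
    Optional: "protocols", names the proxy claims to support (unknown
    names are dropped so new services can be added later); "spki_pins",
    base64 SHA-256 digests of acceptable leaf SubjectPublicKeyInfo DER.
    """
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("description must be a JSON object")
    url = obj.get("proxy")
    if not isinstance(url, str):
        raise ValueError("missing proxy URL")
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        # A proxy reached over cleartext would let any on-path party
        # rewrite the tunnel endpoints, so only https:// is accepted.
        raise ValueError("proxy URL must be https:// with a host")
    protocols = obj.get("protocols", ["connect"])
    if not isinstance(protocols, list) or not all(isinstance(p, str) for p in protocols):
        raise ValueError("protocols must be a list of strings")
    known = [p.lower() for p in protocols if p.lower() in KNOWN_PROTOCOLS]
    raw_pins = obj.get("spki_pins", [])
    if not isinstance(raw_pins, list):
        raise ValueError("spki_pins must be a list")
    pins = []
    for pin in raw_pins:
        digest = base64.b64decode(pin, validate=True)
        if len(digest) != hashlib.sha256().digest_size:
            raise ValueError("spki pin is not a SHA-256 digest")
        pins.append(digest)
    return {"proxy": url, "host": parts.hostname, "protocols": known, "spki_pins": pins}


def select_protocol(desc, client_supports, preference=("connect-ip", "connect-udp", "connect")):
    """Return the first protocol in the client's preference order that both
    the client and the described proxy support, or None if there is none."""
    for proto in preference:
        if proto in client_supports and proto in desc["protocols"]:
            return proto
    return None


def spki_pin_matches(desc, leaf_spki_der):
    """True when the proxy's leaf SPKI hashes to one of the pinned digests.
    An empty pin list means pinning was not configured, so it matches."""
    if not desc["spki_pins"]:
        return True
    return hashlib.sha256(leaf_spki_der).digest() in desc["spki_pins"]


# Constructed sample input, not a real key or deployment.
SAMPLE_SPKI = b"constructed-spki-bytes-not-a-real-key"
SAMPLE_DESCRIPTION = json.dumps({
    "proxy": "https://proxy.example.net/masque",
    "protocols": ["connect", "connect-udp", "oblivious", "future-service"],
    "spki_pins": [base64.b64encode(hashlib.sha256(SAMPLE_SPKI).digest()).decode()],
})


if __name__ == "__main__":
    desc = parse_access_description(SAMPLE_DESCRIPTION)
    print(desc["host"], desc["protocols"], select_protocol(desc, {"connect", "connect-udp"}))
```

Unknown protocol names are tolerated rather than rejected so a description can advertise services a given client does not yet know about, which is the extensibility point raised in the thread; the https-only check and the pin comparison are the two places a client actually decides whether to trust the proxy it was handed.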

> On Apr 14, 2022, at 8:19 AM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> 
> In the interest of stimulating discussion, the key question for this draft is: how does one configure a client to use MASQUE?  I would like the answer to be "copy a single URL into a field on the settings page".  The question then becomes: what does this URL need to convey?  I think it needs to convey both CONNECT-UDP and CONNECT-IP (in case the client only supports one or the other), DoH (to ensure that DNS queries get the same treatment as other network traffic), and possibly other proxy-like services as they are invented.
> 
> There are many interesting open questions here:
> - Should we have less flexibility (e.g. keeping all services on a single origin)?
> - Do we need more flexibility, to express things like split tunnels?
> - Can we avoid, or at least separate out, the Turing-complete expressiveness of PAC files?
> - Should this somehow integrate with the Provisioning Domain (PvD) concepts?
> 
> Please review,
> Ben Schwartz
> 
> On Thu, Apr 7, 2022 at 5:20 PM Ben Schwartz <bemasc@google.com> wrote:
> Hi MASQUE,
> 
> I've written a very short draft that describes how to find a MASQUE server if (1) you're starting with an HTTP CONNECT proxy or (2) you want to use multiple services in combination (e.g. CONNECT-UDP + CONNECT-IP + DoH + ...).
> 
> This design can also serve as a building block for a solution to the key consistency problem in Oblivious HTTP, which I've written up separately: https://datatracker.ietf.org/doc/draft-schwartz-ohai-consistency-doublecheck/.
> 
> --Ben Schwartz
> 
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Thu, Apr 7, 2022 at 4:20 PM
> Subject: New Version Notification for draft-schwartz-masque-access-descriptions-00.txt
> To: Benjamin M. Schwartz <bemasc@google.com>
> 
> 
> 
> A new version of I-D, draft-schwartz-masque-access-descriptions-00.txt
> has been successfully submitted by Benjamin Schwartz and posted to the
> IETF repository.
> 
> Name:           draft-schwartz-masque-access-descriptions
> Revision:       00
> Title:          HTTP Access Service Description Objects
> Document date:  2022-04-07
> Group:          Individual Submission
> Pages:          6
> URL:            https://www.ietf.org/archive/id/draft-schwartz-masque-access-descriptions-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-schwartz-masque-access-descriptions/
> Html:           https://www.ietf.org/archive/id/draft-schwartz-masque-access-descriptions-00.html
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-schwartz-masque-access-descriptions
> 
> 
> Abstract:
>    HTTP proxies can operate several different kinds of access services.
>    This specification provides a format for identifying a collection of
>    such services.
> 
> About This Document
> 
>    This note is to be removed before publishing as an RFC.
> 
>    Status information for this document may be found at
>    https://datatracker.ietf.org/doc/draft-schwartz-masque-access-descriptions/.
> 
>    Source for this draft and an issue tracker can be found at
>    https://github.com/bemasc/access-services.
> 
> 
> 
> 
> The IETF Secretariat
> 
> 