IETF Logo Mail Archive

[Masque] QUIC non-encapsulation and CIDs

Martin Thomson <mt@lowentropy.net> Wed, 09 November 2022 19:48 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA00FC1524AC for <masque@ietfa.amsl.com>; Wed, 9 Nov 2022 11:48:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=mfjOa1Tu; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=noKVGYKD
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RVToG7dKrWxH for <masque@ietfa.amsl.com>; Wed, 9 Nov 2022 11:48:43 -0800 (PST)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A867C14F730 for <masque@ietf.org>; Wed, 9 Nov 2022 11:48:42 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id 7149B320097E for <masque@ietf.org>; Wed, 9 Nov 2022 14:48:40 -0500 (EST)
Received: from imap41 ([10.202.2.91]) by compute3.internal (MEProxy); Wed, 09 Nov 2022 14:48:40 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-type:date:date:from:from:in-reply-to:message-id :mime-version:reply-to:sender:subject:subject:to:to; s=fm2; t= 1668023320; x=1668109720; bh=zCpHyptQwXubNbhwOKVAEg+9jsI2wyG/Etb +b7sPkBE=; b=mfjOa1TugFFNi5Qa2yu/2vfm0fluSmL+JxiD+TnMyPZUUPPvYgb WmX5ko5EiwAh8NpbC1B9lZ64Opud7gRXaRGTZQcahlPJBFOg0Qrtch8401C82Aax lAbpDHDhuL+devvr9qAlaQ9j6R43LTIO1mtTIpFENBq/OdqRtgzgHApS4nX07qtz A4cmgvBwl1IpGqievIrJ6PbIO57CNLY5MXB4vaazMoOjgTZ6xzhj+WsdPzLO4rFl OYBIPHKEbMy3q/owyTXWJZHfzfC1iX1bjfFMZYhqFTkF+37k/hc7GD0Wvkuggjq0 NZecUa28hiw8TnhIPJ6IqM3C7qb2iUw7kuw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:message-id:mime-version :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1668023320; x= 1668109720; bh=zCpHyptQwXubNbhwOKVAEg+9jsI2wyG/Etb+b7sPkBE=; b=n oKVGYKD5hTYUuapzaHkubdflA38ojbk/7dVMuzeBZ/0mKCXqz+zUvcei4F1kpK4L vmxLWXTu5uw8LA+wDnojKWo50rQb9MmUEmBv1Jpct475hFTqJpDAF7V1a6EQoP6q tIBXmJu/OwJWN6JnWCQlTifq1NqwVAIKbTCjkz4lL8SIocYDg8+E5qtfVDbeo1yf covSmcfSXNo0bhjPAvrjdjRcy+LiunviJ84meC6XqRMM+AtpCZWbSA98RZKdwDtc RmG+S2T2PbcUEyibADp4649Y5fpPMJ5kDReLOyeBDNK5j6GzVSjPjQEia0VphHtf jrl1iN6lLzbHqWbTgGotA==
X-ME-Sender: <xms:FwRsY-bpZgU4yY5LYMpeLyZqCOF-rt27na069SeNcAYg07poXAQzyA> <xme:FwRsYxZX9B63pMvJCVHHXcbosuog17yvaFpJJ1kgy_epbi7jJchLoHkEbyzCa5CnT GqvtE1zkxthT0zKEyY>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvgedrfedvgddufedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfffhffvufgtsehttdertd erredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigv nhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeevgfdutdfgjeefudeuheekhe ekudeugeehfeegveekkeegleevveffueduffehheenucevlhhushhtvghrufhiiigvpedt necurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:FwRsY48w7wdpacguzeMVW5AD_sQQ92meQv8QOdRXUD_gunT4dQEAOg> <xmx:FwRsYwqTL1EX5EYSgrZPW537-2VbHz6Eihj7FoDzvV6I5aH6DuoM6Q> <xmx:FwRsY5pb2MTfqEoi9sZz1A_uUq4g6xTpE_PcFuJndqOSVyiXZXeiGQ> <xmx:GARsY21rGNJ176gAxE0L-bhxuGZWogwYDjK9oQGnyfu9-i92wTB2TA>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id CF0AA234007E; Wed, 9 Nov 2022 14:48:39 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-1115-g8b801eadce-fm-20221102.001-g8b801ead
Mime-Version: 1.0
Message-Id: <976e7806-0e83-4090-95c5-7905f89fe02f@app.fastmail.com>
Date: Wed, 09 Nov 2022 19:48:18 +0000
From: Martin Thomson <mt@lowentropy.net>
To: masque@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/HDSj3TzfvyZ6MG20A3xxQWrvXdQ>
Subject: [Masque] QUIC non-encapsulation and CIDs
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2022 19:48:47 -0000

I've been looking more closely at draft-pauly-masque-quic-proxy.  I think that we can fix the protocol so that the use of this mechanism isn't a strict privacy reduction for the general case.  But I want to start with the connection ID design, which I find very confusing in its current form.

I wasn't able to tell exactly how the connection ID mappings work in the draft.  The structure of the document is a little confusing.  I really hoped that it would discuss how things work rather than just document state and capsule formats.

The idea something like this:

1. Client -> Server direction

The client tells the proxy about each connection ID used by the server.  The proxy tells the client which connection ID to use for that connection ID when sending packets to the proxy.

For this the client needs to tell the proxy:
a) the connection ID the server has provided
b) (maybe) the stateless reset token that the server will recognize if we want the proxy to be able to terminate the flow

I want to put a pin in the stateless reset design here, because there are a lot of requirements we might need to discuss regarding that.  More in a follow-up, I think.  Stateless resets that aren't visible to the proxy are not great, but we might want to avoid having the proxy be able to terminate the flow at the client.  There is a simple design for this too - maybe - but I need to think about that some more.

The proxy can then tell the client
a) the (virtual) connection ID that the proxy will map to the provided server connection ID

Here, the client is responsible for forwarding connection IDs from the server to the proxy so that it can be assigned a virtual connection ID.

Note that I think that virtual connection ID is not a great name, this is a mapped connection ID or a replacement connection ID.  Maybe an overlaid connection ID.


2. Server -> Client direction

The client will need to provide the server with connection IDs that the proxy will accept, so...

The client tells the proxy:
a) the connection ID it wants to use

The proxy responds with:
a) the connection ID that it wants the client to pass to the server

Basically, the client is responsible for putting connection IDs from the proxy into the connection on this side.


All of these are request-response exchanges, because the mapping will need to be clear.  Also, that same identifier can be used to remove connection IDs once the client or server retire them.  For that, I think that using the QUIC sequence number is fine as it might allow a bulk removal at the proxy if Retire Prior To is used.

Things I didn't solve: connection ID limits (the proxy will want some, how does the client convey this?), removal messages (easy), and connection ID length constraints and the effect of different lengths on MTU (this should be minor, but it will need to be mapped out).

With this design, the proxy could move all forwarding logic to a load balancer and never touch packets again.  The load balancer only needs to support QUIC-LB for that to work (with encrypted connection IDs, of course).  Of course, this will need to be revisited in my follow-up as the workload increases somewhat.

Cheers,
Martin

v2.23.0 | Report a Bug | By Email