Re: [Masque] New Version Notification for draft-schwartz-masque-access-descriptions-00.txt
Ben Schwartz <bemasc@google.com> Thu, 14 April 2022 20:00 UTC
Return-Path: <bemasc@google.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1204E3A11CF for <masque@ietfa.amsl.com>; Thu, 14 Apr 2022 13:00:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.609
X-Spam-Level:
X-Spam-Status: No, score=-17.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w01IKj72vVyk for <masque@ietfa.amsl.com>; Thu, 14 Apr 2022 13:00:34 -0700 (PDT)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A04263A1252 for <masque@ietf.org>; Thu, 14 Apr 2022 13:00:33 -0700 (PDT)
Received: by mail-wr1-x432.google.com with SMTP id p18so7516193wru.5 for <masque@ietf.org>; Thu, 14 Apr 2022 13:00:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q+4JrP44bSPRrCdcSHMV3TwAERZeIuA8UOmuTOWHe2M=; b=WwKVOnzugeURWhb9S00Vu9qNZMXChiDgMaXS7dmXX/N3bbJgMWFPfVpthOW8B2TKRI L+TkuNz8PL/UtaMeY42KusJ+XbArDBnEgXf5GDqns/7/4Ezn78ByMdsR05B/t7qZoJv2 MQ9lfrXvnvpodpQB1+NVASKreFukXnniShJuKgOYwOz4+WpCx1hL9bDBsJT+kdVG8Wqx u/iV+qQQKaEQbNWw1BMUng5E/XAmye2jdyW7ywtJheiL9/b0A2+ULNVu94Ca89x80D1b 5RRBRXpTap+6GIEZuHt3Y9D82lLfMLwfpbt12FEHgW3ojDsIJlRIpzPeQFqr3sZ4h/l4 /Dmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q+4JrP44bSPRrCdcSHMV3TwAERZeIuA8UOmuTOWHe2M=; b=PphvAxTnfa3cca7byA2I/CiHTr0YSBHszdTigsqSMJgLSS8ePrBf9MqFOO+ufkDJj0 dLw/IwGUhzsoBLrXg7+sDjLYwW4aFV2axuVkvPH85TcryGUcRChtGB4SVDGpNvtA0VA5 1NLnPjdGovBS1wpaBP7NUTnfxPuAIF3ql4fmnRtH2MgtwfaOq3gp3aPBCy7nWJwSzNYL HKcA5iipy+xRKNIJU6ZUHV1KKEk+2ofK5dFMqozxDvmFltu36st0cXrgzUCTHOnxaHpW rIYBDWTF5g7mLp90DhdFvG4F7fkCphnmXAOdmrrY3dEY6o2oNGqZtcvHjQVcFsoiGmQA f2HA==
X-Gm-Message-State: AOAM531B2W4CdC1cZNYFqqQ5IqUXweSS22un+Dfd3KqcE4cPqhd7dL5m ISwUIdDhE8DkzCpGm+GanatTfqWVpiL91fLJ9r7TRVpdbs8=
X-Google-Smtp-Source: ABdhPJzG87xuReCTh/LhSvm6gK+YfVI2teBr0s+IENpB/dUwyE4eTAs9nRTioUT4I3t9PPKkXkvtLXh0X/Aiw+1iWfg=
X-Received: by 2002:a05:6000:1549:b0:207:aadd:87ae with SMTP id 9-20020a056000154900b00207aadd87aemr3394624wry.282.1649966431378; Thu, 14 Apr 2022 13:00:31 -0700 (PDT)
MIME-Version: 1.0
References: <164936282532.19763.13879305625655347746@ietfa.amsl.com> <CAHbrMsANk1qqwHR6iusO+q48QODPF3RoVp13UbZo=_0PyvjVPg@mail.gmail.com> <CAHbrMsAApaR6msGqfbxDfcRkFsmUh=KYRRwjeZhAZpvbAiDQ1Q@mail.gmail.com> <5D8D3A35-B0FB-49C4-AE7D-7BB0E322A319@apple.com>
In-Reply-To: <5D8D3A35-B0FB-49C4-AE7D-7BB0E322A319@apple.com>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 14 Apr 2022 16:00:19 -0400
Message-ID: <CAHbrMsBxQ2pgxdC5i=A7se=Bix9HDae0d4Du-cQVJ6bj9DLsWA@mail.gmail.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: MASQUE <masque@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000000eb99905dca2bfd1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/HcuUlpanGYcZC7xd6DmUh9VWoYA>
Subject: Re: [Masque] New Version Notification for draft-schwartz-masque-access-descriptions-00.txt
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2022 20:00:40 -0000
Thanks for sharing your experience, Tommy. On Thu, Apr 14, 2022 at 12:08 PM Tommy Pauly <tpauly= 40apple.com@dmarc.ietf.org> wrote: > Hi Ben, > > Speaking from the experience we’ve had in actually configuring clients to > use MASQUE, I agree that the right thing to do is to use a single URL to > identify the proxy service that can support CONNECT/CONNECT-UDP/CONNECT-IP. > It’s useful to be able to have other attributes configurable too, of > course, such as keying material for authentication/pinning. > > I don’t think that it makes sense to overload DoH into this directly. A > proxy server doesn’t necessarily have any relation to a DoH server — you > may access your DoH servers (or ODoH/OHTTP) servers through a proxy. > I agree that DoH and MASQUE don't "necessarily" have any relation, but I do think this will be a common and useful arrangement. If you want to use HTTPS records along with MASQUE, you need a DNS server. It makes sense for the MASQUE operator to offer clients a corresponding DNS server, to ensure that they have one. Otherwise, clients would have to choose a third-party DNS resolver. Some clients will be able to identify a suitable third-party resolver automatically, but many will not. > Having a MASQUE proxy URL also be able to handle being an OHTTP/ODoH proxy > is more useful, in my opinion, and is what we are currently doing. > > To that end, it may be useful to have some markings to say what set of > HTTP proxying protocols a proxy URL supports (CONNECT / CONNECT-UDP / > CONNECT-IP / POST for oblivious). > Agreed, and that's what this draft offers. (Except that it doesn't cover CONNECT, because (1) that is already implicit in the relevant configurations and (2) I would like a URI-template-driven "CONNECT-TCP" for parallelism with MASQUE.) > That may also be something you could just ask the proxy via some query. > I would argue that this is also a good description of the draft. To the other questions: > - Trying to express split tunnels sounds like the wrong thing — even a VPN > config doesn’t generally tell you up front if it is full or split. > - Certainly we should avoid the complexity of PAC files! > - A proxy becomes a PvD in that it has a self-consistent way of accessing > other hosts; the question is if we have a way to access it’s broader > metadata, which may that way to query properties I mentioned above. > > Best, > Tommy > > On Apr 14, 2022, at 8:19 AM, Ben Schwartz < > bemasc=40google.com@dmarc.ietf.org> wrote: > > In the interest of stimulating discussion, the key question for this draft > is: how does one configure a client to use MASQUE? I would like the answer > to be "copy a single URL into a field on the settings page". The question > then becomes: what does this URL need to convey? I think it needs to > convey both CONNECT-UDP and CONNECT-IP (in case the client only supports > one or the other), DoH (to ensure that DNS queries get the same treatment > as other network traffic), and possibly other proxy-like services as they > are invented. > > There are many interesting open questions here: > - Should we have less flexibility (e.g. keeping all services on a single > origin)? > - Do we need more flexibility, to express things like split tunnels? > - Can we avoid, or at least separate out, the turing-complete > expressiveness of PAC files? > - Should this somehow integrate with the Provisioning Domain (PvD) > concepts? > > Please review, > Ben Schwartz > > On Thu, Apr 7, 2022 at 5:20 PM Ben Schwartz <bemasc@google.com> wrote: > >> Hi MASQUE, >> >> I've written a very short draft that describes how to find a MASQUE >> server if (1) you're starting with an HTTP CONNECT proxy or (2) you want to >> use multiple services in combination (e.g. CONNECT-UDP + CONNECT-IP + DoH + >> ...). >> >> This design can also serve as a building block for a solution to the key >> consistency problem in Oblivious HTTP, which I've written up separately: >> https://datatracker.ietf.org/doc/draft-schwartz-ohai-consistency-doublecheck/ >> . >> >> --Ben Schwartz >> >> ---------- Forwarded message --------- >> From: <internet-drafts@ietf.org> >> Date: Thu, Apr 7, 2022 at 4:20 PM >> Subject: New Version Notification for >> draft-schwartz-masque-access-descriptions-00.txt >> To: Benjamin M. Schwartz <bemasc@google.com> >> >> >> >> A new version of I-D, draft-schwartz-masque-access-descriptions-00.txt >> has been successfully submitted by Benjamin Schwartz and posted to the >> IETF repository. >> >> Name: draft-schwartz-masque-access-descriptions >> Revision: 00 >> Title: HTTP Access Service Description Objects >> Document date: 2022-04-07 >> Group: Individual Submission >> Pages: 6 >> URL: >> https://www.ietf.org/archive/id/draft-schwartz-masque-access-descriptions-00.txt >> Status: >> https://datatracker.ietf.org/doc/draft-schwartz-masque-access-descriptions/ >> Html: >> https://www.ietf.org/archive/id/draft-schwartz-masque-access-descriptions-00.html >> Htmlized: >> https://datatracker.ietf.org/doc/html/draft-schwartz-masque-access-descriptions >> >> >> Abstract: >> HTTP proxies can operate several different kinds of access services. >> This specification provides a format for identifying a collection of >> such services. >> >> About This Document >> >> This note is to be removed before publishing as an RFC. >> >> Status information for this document may be found at >> https://datatracker.ietf.org/doc/draft-schwartz-masque-access- >> descriptions/. >> >> Source for this draft and an issue tracker can be found at >> https://github.com/bemasc/access-services. >> >> >> >> >> The IETF Secretariat >> >> >> -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque > > >
- [Masque] Fwd: New Version Notification for draft-… Ben Schwartz
- Re: [Masque] New Version Notification for draft-s… Ben Schwartz
- Re: [Masque] New Version Notification for draft-s… Tommy Pauly
- Re: [Masque] New Version Notification for draft-s… Ben Schwartz