Re: [Masque] Unifying CONNECT-IP Proposals
Eric Rescorla <ekr@rtfm.com> Sat, 28 August 2021 00:37 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90E4D3A2390 for <masque@ietfa.amsl.com>; Fri, 27 Aug 2021 17:37:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5O9qrmnQ-BDX for <masque@ietfa.amsl.com>; Fri, 27 Aug 2021 17:37:51 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A9F73A238E for <masque@ietf.org>; Fri, 27 Aug 2021 17:37:51 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id v16so8911583ilo.10 for <masque@ietf.org>; Fri, 27 Aug 2021 17:37:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gs7R/bn5XAafQCxU5nmO9qYw0HS+kqgkL3zsrmSl0pQ=; b=ZlK00OcpKVs8IJ9M+02pdKVcsH8pM52EYHIIzlLARDuSfh/qa8QTuFweqNfdikTYPf lOqehFzBRQT/l+Rhx6rbrVQEjABkffG4VlIzOXcSOt7uUJZkpe/EVYcn1KzAybmVuJWc vmIgm8/fl1b3M7rCqLyaCw4RYeNwlzScCvcCSOOJ7O4572IR1aRqvc76gkTqBc7kfgbX nBZ/HxGTy2M4/YL6ER4UxFQDzRxk9nzXEdAY6ecm1Ggw+rMuYHkpKQpps3UjG1fot0m7 LZVDeM/uWIUrirtlVMwYf6I4hE5i060oiMtBdshW6XLMJoq/2qy4rFYNL1QlF6soCmJT UDvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gs7R/bn5XAafQCxU5nmO9qYw0HS+kqgkL3zsrmSl0pQ=; b=RKsMISuue82N3zLXnICBagrCtTud/5tsVMGaUMzI0wGAcX6P3rEO7JD+eEMkdalICq qhUH3j1s+wE8kXTrHt7/kMkQHuRQb1z/AFZi//ivBgEjPA4V6+rbxE/IfB1u2aigXOJY kzooSpcZEjjq5iKBBjU9xfobupkeqAIHWI8HZsezrkpfzyTuZBs7fu3PiWEos0Gr+DMY DkdAxuArjO4d0LuLybkNij8oo298glX8UyKfbuXx6GFxJljPwjw4O9Q7o/zUI3PLPQqp RsSKADfNXRYhj2YTfKpD6lLSwoULJw5qe6aHNG+hkobkcgeggLrLaDI1lc30WQLO3uUe Hxig==
X-Gm-Message-State: AOAM533r32qOXw8kf5xYxc3dj5ji1VVl/RNrKJtnjqGflDjem4ql7R0P AQJUBVLCzsrdwry5Gp1Ki6jtdSTC2RgbWRf0zT0s5tbGmdfqTw==
X-Google-Smtp-Source: ABdhPJyo0tBULBikJJmhl+hHb/V5x948RH/0gX7LiMEhmiruLuX+U78jEamXa62R39cYErPksKQ7VE04sITtHBl4X+E=
X-Received: by 2002:a92:7312:: with SMTP id o18mr8160117ilc.56.1630111069289; Fri, 27 Aug 2021 17:37:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAPDSy+5R68Kn8uD_ig1vVbxO+Z=vEBJBy+veBCXN-GU1xmGGzw@mail.gmail.com> <CAM4esxQheGGMZ4CS+NNZvd8_h=KSG6T6hA_b59cY2hH7Ai6YAw@mail.gmail.com>
In-Reply-To: <CAM4esxQheGGMZ4CS+NNZvd8_h=KSG6T6hA_b59cY2hH7Ai6YAw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 27 Aug 2021 17:37:13 -0700
Message-ID: <CABcZeBNUdM5EG+zWc+OO3SfyioxCOqe-dXhRuDhqTFN+FeGOAA@mail.gmail.com>
To: Martin Duke <martin.h.duke@gmail.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003ad7e105ca93cfac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/IBDvJ9irUWo3NavRHeT06nLLTQY>
Subject: Re: [Masque] Unifying CONNECT-IP Proposals
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Aug 2021 00:37:57 -0000
On Fri, Aug 27, 2021 at 5:22 PM Martin Duke <martin.h.duke@gmail.com> wrote: > Hi David, > > First, thanks for making an effort (and some concessions) to move things > along! > > As an AD, I have no objection to splitting up the CONNECT-IP deliverable > into multiple drafts. I would consider all of these child drafts to be in > scope of the current charter. > > As an individual, I'm fine with the split at a high level, but this > architecture needs some deeper thinking about failure cases - servers that > don't support the extension, or intermediaries that forward CONNECT-UDP but > eat CAPSULE. > FWIW, I'm generally not really sympathetic to these cases. Clients don't magically connect to services, they are configured with them by services. If you need CAPSULE, then you shouldn't be configured with the address of a server which doesn't support it. -Ekr In particular, I can see immediately that making flow forwarding mode an > extension creates a 1 RTT penalty -- IIUC I can't send a datagram until the > server confirms it processed the flow forwarding header. > > That's not a deal breaker for me, but I'm curious what other failure cases > are lurking in the design. > > AFAICT the network-to-network design is robust to these issues, so that's > safe to split out. > > Hope that helps. > > Martin > > > On Fri, Aug 27, 2021 at 8:05 AM David Schinazi <dschinazi.ietf@gmail.com> > wrote: > >> Hi MASQUE Enthusiasts, >> >> As you know, we've had two distinct proposals for CONNECT-IP for a while. >> While >> both of them have interesting features, we need to unify on a joint >> effort if >> we want to make progress. In order to further that goal, we've made some >> edits >> to the existing documents in order to create a unified coherent path >> forward. >> >> First, we updated draft-ietf-masque-ip-proxy-reqs to reflect working group >> consensus: since the WGLC showed consensus on everything except the >> network-to-network use-case and the route negotiation requirement, both of >> those were removed from the document. draft-ietf-masque-ip-proxy-reqs-03 >> [1] >> now better reflects the working group's choice. >> >> Based on these requirements, and on the WG consensus at IETF 110 to focus >> on >> Proxying IP Packets, we also updated draft-cms-masque-connect-ip. We >> removed >> all routing-related features and now draft-cms-masque-connect-ip-02 [2] >> contains solely what is needed to satisfy the WG's requirements from >> draft-ietf-masque-ip-proxy-reqs-03. We've had some interesting >> conversations >> with Tommy Pauly on this topic and would love for him to join us as >> editor on >> draft-cms-masque-connect-ip. >> >> Additionally, the discussion at IETF 111 showed that folks were also >> interested >> in various features that didn't have WG consensus: some are interested in >> negotiating routing and some are interested in flow forwarding. We >> believe that >> both of those are interesting features worth pursuing. The best way to >> accomplish this is through extensions. Luckily CONNECT-IP is extensible. >> >> We wrote up the routing negotiation as an extension in >> draft-cms-masque-connect-ip-ext-routes [3]. This enables split-tunnel VPN >> and >> the network-to-network use-case. >> >> We also made sure that flow forwarding mode would work as an extension, >> and as >> proof-of-concept wrote it up as draft-tbd-masque-connect-ip-ext-flow [4]. >> As >> mentioned in that document, this is mostly copied from >> draft-kuehlewind-masque-connect-ip-01 [5] with some minor modifications. >> We >> would like to have the authors of draft-kuehlewind-masque-connect-ip >> author >> this extension, given that they produced the interesting ideas in it. >> >> We think this refactor would be a great path forward for the MASQUE >> working >> group: it would allow us to unify multiple proposals around a common >> extensible >> protocol. We did discuss merging these three documents into one, but >> decided >> against it because it would unnecessarily delay the publication of >> CONNECT-IP. >> We would love for the working group to adopt both extensions as they will >> influence the design of CONNECT-IP, but both need to solve some specific >> hard >> problems that don't need to delay CONNECT-IP, so they deserve their own >> drafts. >> >> As usual, comments and thoughts are most welcome! >> >> Thanks, >> David >> >> [1] >> https://datatracker.ietf.org/doc/html/draft-ietf-masque-ip-proxy-reqs-03 >> [2] https://datatracker.ietf.org/doc/html/draft-cms-masque-connect-ip-02 >> [3] >> https://datatracker.ietf.org/doc/html/draft-cms-masque-connect-ip-ext-routes-00 >> [4] >> https://datatracker.ietf.org/doc/html/draft-tbd-masque-connect-ip-ext-flow-00 >> [5] >> https://datatracker.ietf.org/doc/html/draft-kuehlewind-masque-connect-ip-01 >> -- >> Masque mailing list >> Masque@ietf.org >> https://www.ietf.org/mailman/listinfo/masque >> > -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque >
- [Masque] Unifying CONNECT-IP Proposals David Schinazi
- Re: [Masque] Unifying CONNECT-IP Proposals Tommy Pauly
- Re: [Masque] Unifying CONNECT-IP Proposals Eric Kinnear
- Re: [Masque] Unifying CONNECT-IP Proposals Martin Duke
- Re: [Masque] Unifying CONNECT-IP Proposals Eric Rescorla
- Re: [Masque] Unifying CONNECT-IP Proposals Martin Duke
- Re: [Masque] Unifying CONNECT-IP Proposals David Schinazi
- Re: [Masque] Unifying CONNECT-IP Proposals Martin Duke