Re: [Masque] Benjamin Kaduk's No Objection on charter-ietf-masque-00-00: (with COMMENT)
Martin Duke <martin.h.duke@gmail.com> Wed, 20 May 2020 22:49 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 799893A08A6; Wed, 20 May 2020 15:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tfX7CymgsWi4; Wed, 20 May 2020 15:49:25 -0700 (PDT)
Received: from mail-io1-xd44.google.com (mail-io1-xd44.google.com [IPv6:2607:f8b0:4864:20::d44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ECA03A089B; Wed, 20 May 2020 15:49:25 -0700 (PDT)
Received: by mail-io1-xd44.google.com with SMTP id f4so5176561iov.11; Wed, 20 May 2020 15:49:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VLM40i5K6Q1kons1XFRlr57Yhn4+lgbNjYrTb2u3RB8=; b=aQQ87rHxYkMEZ71rycXFGkpn3jh55M8PqFycpHA5AS04mkFWwYr/cCcAWiSG1wsdDs XQAGQca8aWDi6qghClYkrxfrR5vkB678jdDkfkGBYX23dnv8r/lovRsmB4a0Z/kWzOsD sAHU2iUvDjBMmA7IvLHuW6FpcNbKcbN/t9Vi1ClCjwPE4qgI3qdBbxMqUfu9805EUqNy k15y1U9F+Z75gZw9F0orFYUhpLW3ujAc0K3vIiTSL/9vbI8/pGN8AFPDiedr25bRZXJV mDCgOXkOngVHLDLGktGriGj4FRoaTRkljWEzDoMQzeIPumHCr4C4PYPeMHG3zBWXmDPR 0kzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VLM40i5K6Q1kons1XFRlr57Yhn4+lgbNjYrTb2u3RB8=; b=ejBYUkTptPmHsog1CHwB3PWN114e3WnwbUuaXhOV5FvqB8doeu9aY+ZD3PqhX7qiML mlFFVGbV8tHRZgJFOBKYlUYgVAywgUYVRhClWHnMijn8AS21TgnBEi5rz5OXxW40tH1J iFSvZ+Dj31XMnSFtHzGI57BhnZePS/qmQUWFn2XZQq/8Gf3RKYHDoMGeNS8cWnX7Flbm WHkeG6i+2pRRnQ+J3nA2toZlq4KDhYQf/GpveWk+k2e1IyQ2kz2RYDQeBKoyHBkQLNrd qk/4hmPJgTE+z5YNTAdFhUsB/zQ6DZZ5hSfQ2c8V+NqtMR+rbrtn/KCbWh4z6iNFnRTA cvgw==
X-Gm-Message-State: AOAM530wEY0js6/KHRMODUmnr90KjvoD4PHRoep0mZQDxifK016A/U2b ZWfXS3ZojBcbTAss/fmaGkCgUaODaQbgWyncwLAYs0awm4c=
X-Google-Smtp-Source: ABdhPJyQ/h0001/IwAD7wI0Rz0bGdMxz9WNDIkjNS4+3gV61lfOckLDGaodaVcl0ago2ByGmmo6pNaDJEMrB0HwqcYE=
X-Received: by 2002:a6b:d10b:: with SMTP id l11mr5339601iob.51.1590014964465; Wed, 20 May 2020 15:49:24 -0700 (PDT)
MIME-Version: 1.0
References: <158999499543.12397.7137358356514385454@ietfa.amsl.com> <CAM4esxT0Cr46QLa_8fKqk8XE19gvY8t=5sJg1w6W06HGmAj+CQ@mail.gmail.com>
In-Reply-To: <CAM4esxT0Cr46QLa_8fKqk8XE19gvY8t=5sJg1w6W06HGmAj+CQ@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Wed, 20 May 2020 15:49:13 -0700
Message-ID: <CAM4esxSjAWbd6Jbn7YjMdPW2zx1=a+XaxwHRUZRAgVR1vbYusg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, masque-chairs@ietf.org, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000025063f05a61c351b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/IEMgO8k7l9WIsEuFPnDHIxifFuM>
Subject: Re: [Masque] Benjamin Kaduk's No Objection on charter-ietf-masque-00-00: (with COMMENT)
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2020 22:49:28 -0000
After wordsmithing with the chairs, a revised edits: The last service discovery clause now reads: "However, the group may consider features, such as proxy server identifiers, that aid future discovery mechanisms." On Wed, May 20, 2020 at 3:11 PM Martin Duke <martin.h.duke@gmail.com> wrote: > Thanks Ben, replies inline. > > Please see this PR to see the changes in context: > https://github.com/chris-wood/ietf-masque/pull/7 > > > On Wed, May 20, 2020 at 10:16 AM Benjamin Kaduk via Datatracker < > noreply@ietf.org> wrote: > >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> Just "HTTP" does not imply any particular level of security mechanism, >> though >> "HTTP/3" would. I think we need to say something about what security >> properties we expect MASQUE to provide, even if it's just "equivalent to >> HTTP/3 >> or better". (This would be a BLOCK at external-review time but may not >> need to >> hold up asking for external review.) >> > > [MD] Shall I simply change HTTP to HTTPS? There is not an intent to run > this over plaintext HTTP. > > >> >> Proxying technologies such as SOCKS and HTTP(S) CONNECT exist, albeit >> with >> their own shortcomings. For example, SOCKS signalling is not encrypted >> and HTTP >> CONNECT is currently limited to TCP. In contrast, HTTP/3 is a viable >> candidate >> protocol for proxying arbitrary traffic, as it provides secure >> connectivity, >> multiplexed streams, and migration for a single connection while taking >> advantage of a unified congestion controller. An HTTP/3 datagram >> construct >> >> Am I parsing this properly that the last thing in the list of what HTTP/3 >> provides is just "migration", and that the "for a single connection [...]" >> stuff applies to all of it? I'm not sure if another comma would help make >> that separation more clear. >> > > [MD] Clarified to make it clear "for a single connection" applies to all > of it. > > >> >> The primary goal of this working group is to develop mechanisms that >> allow >> >> nit: maybe "mechanism(s)"? >> > > [MD] done > > and/or HTTP/3 extensions to enable this functionality. The group will >> focus on >> a limited set of client-initiated services: (1) UDP CONNECT and (2) IP >> proxying. Server-initiated services are out of scope. The working group >> will >> first deliver a protocol solution for UDP CONNECT and a requirements >> document >> for IP proxying. Once both are complete, the working group will focus >> on a >> protocol solution for IP proxying. >> >> I assume there's a reason to do UDP separately instead of just letting UDP >> run on top of proxied IP. (Expediency?) >> > > [MD] Yes, IP proxying raises a number of issues about addresses, etc. that > make it much more challenging. UDP proxying covers most use cases, likely > neatly corresponds to HTTP CONNECT, and has less packet overhead. > > >> >> The working group will consider fallback to versions of HTTP that >> operate over >> TCP as a mitigation to UDP or HTTP/3 blocking. Moreover, the working >> group will >> consider implications of tunneling protocols with congestion control >> and loss >> recovery over MASQUE, and may issue recommendations accordingly. New >> congestion >> >> This sounds like "nested congestion controllers". Is that more of a >> research >> question or an engineering one? >> > > [MD] A true nested congestion controller would indeed be research into a > new algorithm, which is forbidden in the charter. Instead, the WG will make > some sensible recommendations to tune existing congestion controls, e.g. > "turn off the outer congestion control" or "raise the reordering threshold > on the inner loss recovery". > > >> Multicast UDP and multicast IP support are out of scope. However, the >> group may >> specify extension points that would enable future work on multicast. >> Specifying >> proxy server discovery mechanisms is also out of scope, but the group >> may >> specify techniques for identifying proxy servers to aid future discovery >> mechanisms. >> >> How do "techniques" differ from "mechanisms"? >> > > [MD] One is a service discovery protocol, the other is some sort of server > identifier and capability report that a future service might use. IIUC DoH > had a similar split. > > I changed it to "... but the group may specify identifiers and capability > reports for proxy servers to aid future discovery mechanisms." > > >> >> Impacts on address migration, NAT rebinding, and future multipath >> mechanisms of >> QUIC are not anticipated. However, the working group should document >> these >> impacts if they arise. >> >> Presumably we also want to pay attention to any other developments in QUIC >> that would be impacted by MASQUE, and document those, too. >> > > [MD] added > >> >> >> >> -- >> Masque mailing list >> Masque@ietf.org >> https://www.ietf.org/mailman/listinfo/masque >> >
- [Masque] Benjamin Kaduk's No Objection on charter… Benjamin Kaduk via Datatracker
- Re: [Masque] Benjamin Kaduk's No Objection on cha… Martin Duke
- Re: [Masque] Benjamin Kaduk's No Objection on cha… Martin Duke
- Re: [Masque] Benjamin Kaduk's No Objection on cha… Benjamin Kaduk