Re: [Masque] QUIC proxying and stateless reset
David Schinazi <dschinazi.ietf@gmail.com> Wed, 30 November 2022 15:17 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C2A3C1522CD for <masque@ietfa.amsl.com>; Wed, 30 Nov 2022 07:17:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HnonvRSQdNNE for <masque@ietfa.amsl.com>; Wed, 30 Nov 2022 07:17:53 -0800 (PST)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 363C0C14CF05 for <masque@ietf.org>; Wed, 30 Nov 2022 07:17:53 -0800 (PST)
Received: by mail-ej1-x62c.google.com with SMTP id n20so42199894ejh.0 for <masque@ietf.org>; Wed, 30 Nov 2022 07:17:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YVwcUEeMxhPtqT8qm7s0oL73rM61QI1o/cDk4mQLlfY=; b=kzQVs+Zs9Rut4rmwkL9JArcmtsXPhUn7xv108Bwxn2SEi+ztPgZ/zTGVLL7pZ8u1cm VIk/yW9O8Cr+Py4xyWZgBhVPMsweY5dE4XjtMQhPYn4ffez2TYB7AUPSK/cuMN4GlscP w2rShdgOkQv0hflUCJ7g9+ARhPgMfNt6ZjFB4gTNLLMeu3wcZ1ubxyLOEtcIKeNHGIyi 7xMQJ2Ut0HFLJgkgAF2G91fe9dE87EoISvR2feVJPO3iMZgzn0JZy9IywJmNPgQ7a2Y0 5xW3ZLD6T3QaEnI8hjEFB8bxY0cwsUG1LurhXwhq137BFour+ZJ8EfcM4FdTXo6ldbuT dKoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YVwcUEeMxhPtqT8qm7s0oL73rM61QI1o/cDk4mQLlfY=; b=hTKDqQqdZpuXddt1US1+E5bL2hUOxNcLo3OBb0SSoYp+/FslZsHamTVeo3A3UQ43dE 6njD/ElMEjkMxP9uC1qygOAS5PGpHkoeZ35JWSmAi9HLS1joQYCSZGrhz8jKKfGZF2xU RmhJm9qAocPWaYkVJ4a+o3H3uxS7oVrUzgMB+LC6JHaJ/d/1GMk1xXhi7Eb+rWg3So/6 MwBaQ7ugg1HFVLR+YgAmkxzC3uFEmslkSHX7n5WOYJV0ZctmiDWP1z3CIXYR8h+NklG4 gEDrjDzGfM5l7dU8VBIv2q4vXfXZuhF1Aio+2Hu4vTnbaK7YJLVpM8iMFeTF2ihIx7ct wNkw==
X-Gm-Message-State: ANoB5plDGFI0RYpnOjIoz2Jwh4cqRYFmjVHxnOGBXPquqRIWH2fc410b yzRTSz7hZfa9+S5VX3jJDI7vLR8MxMx+TnW+qEBMoNQszuk=
X-Google-Smtp-Source: AA0mqf5gh6lVRaoA00vD0QIIj8r7lzwBJN5VgC0+bSOiV0+VmWgPWgde8DQgPe3isDWYzWaSDEYW5KNhyM3SWMiDCMw=
X-Received: by 2002:a17:907:918d:b0:78d:2eea:28c7 with SMTP id bp13-20020a170907918d00b0078d2eea28c7mr53225302ejb.266.1669821470556; Wed, 30 Nov 2022 07:17:50 -0800 (PST)
MIME-Version: 1.0
References: <9b01d7e4-3ad4-4baf-9e94-6f80c9f33451@betaapp.fastmail.com>
In-Reply-To: <9b01d7e4-3ad4-4baf-9e94-6f80c9f33451@betaapp.fastmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Wed, 30 Nov 2022 07:17:39 -0800
Message-ID: <CAPDSy+6VLSPRZnq2Yyy_b=RGYnnRDh+6v05bbOtwBBBQLy=pEA@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: masque@ietf.org
Content-Type: multipart/alternative; boundary="000000000000974ac705eeb19bc8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/Ip_Q_Kh64DrR3MezoiaAuct4W7A>
Subject: Re: [Masque] QUIC proxying and stateless reset
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2022 15:17:55 -0000
Hi Martin, This is interesting, but I'm not sure I follow how it applies outside of draft-pauly-masque-quic-proxy. In the non-extended CONNECT-UDP case, the proxy operates very similarly to a NAT and has a single tool at its disposal for communication closure to the server: ICMP. (This is analogous to CONNECT and TCP RST.) In order for the proxy to close the connection at the QUIC level (via SRT or otherwise), it needs to know that CONNECT-UDP is carrying QUIC and not another protocol. And the only way we currently have to tell the proxy that QUIC is being used over CONNECt-UDP is draft-pauly-masque-quic-proxy. Am I missing something? Additionally, I don't expect proxies will want to check every single packet for every single SRT they're aware of. But having the proxy generate its own SRTs alongside its own CIDs and sending them to the client makes sense to me. David On Wed, Nov 16, 2022 at 4:39 PM Martin Thomson <mt@lowentropy.net> wrote: > I was going to post about this in the context of > draft-pauly-masque-quic-proxy, but then I realized that maybe this is a > bigger topic that relates to all use of QUIC via a proxy. > > # Intro > > Stateless reset exists to handle the case where one party to a connection > dies (or routing no longer works, or...). The failed endpoint needs a way > of telling their peer to stop sending them stuff. It's called stateless > because they might not retain per-connection state. Of course, it's a bit > of a misnomer as they need to retain enough state to generate the reset, so > they aren't completely stateless. > > In a three-party system, there are three entities that are in this > position. This creates a new design problem. Though not particularly > challenging, it is worth exploring a little. > > # Requirements > > We want the client, proxy, and server each to be able to send a message > that will cause the other actors in the system to stop. > > * The client needs to tell the server to stop. > * Similarly, the server needs to tell the client to stop. > * Finally, the proxy needs to tell both client AND server to stop. > > When endpoints tell each other to stop, the proxy doesn't really need to > be involved. It doesn't originate packets, but this last requirement > affects all of them. > > Obviously, clients and servers could keep the proxy out of the loop, > operating end-to-end. That works, but is not resilient to loss of state at > the proxy. > > # Clients > > Clients that die are probably the least interesting. > > A dead client will be evident to the proxy by virtue of having lost its > connection to the proxy (i.e., it's control channel). This means that a > client doesn't strictly need to tell the proxy about the stateless reset > token (SRT) that it uses. However, a dead control channel might take a > long time to become evident if it isn't used that much. > > A client does need to tell both the proxy and the server that they aren't > coming back. For this, the proxy might benefit from knowing what SRT the > client might generate. When the client registers a CID, it can tell the > proxy the corresponding stateless reset token. The proxy can remember this. > > The proxy needs to be able to inform the server about a dead client either > way. The proxy might just forward the SRT from the client, but we'll see > later that this isn't practical. > > # Servers > > These are not the same as clients, except that it mostly is. The server > stateless reset won't be routable unless the proxy knows about it. So the > client needs to tell the proxy about the SRT that corresponds to the server > CID. The proxy could, again, just forward any SRT it receives to the > client, using its state. > > # Proxies > > Now that the proxy knows the SRT from both endpoints, it can kill the > connection in both directions. Mission accomplished, right? No. The > proxy can lose state too. > > We could solve this by adding an extra SRT to every CID, exclusively for > signaling that the proxy is dead, but that means changing QUIC. This is > best solved with another mapping. > > The proxy needs to take packets it receives, using CIDs that it chose, and > produce a SRT from those. This means that instead of forwarding the client > SRT, the proxy should generate a SRT alongside any CID that it tells the > client to pass to the server (an SRT that the server might use). > Similarly, instead of forwarding the server SRT, the proxy should generate > a SRT alongside the CID that it tells the client to use. > > Now we have this (arrows indicate flow of packets): > > Client [CID, SRT]_c <----- Proxy [CID, SRT]_pc <----- Server > > The client creates []_c for receiving packets, sends those to the proxy, > receives []_pc, then sends the server []_pc in a NEW_CONNECTION_ID frame. > > To the earlier point, the client could omit the SRT from []_c and rely on > the death of the control channel to inform the proxy. For the purposes of > symmetric operation and timely detection of failures, I would prefer to > keep that signal. > > Client -----> [CID, SRT]_ps Proxy -----> [CID, SRT]_s Server > > The client receives []_s from the server in NEW_CONNECTION_ID, sends that > to the proxy and receives []_ps for use in sending packets. > > # Multiple Paths > > Obviously, if the path via the proxy is just one path between client and > server, this gives the proxy the ability to kill the entire connection > across all paths. That's not ideal, so endpoints might choose to regard a > reset on one path as not sufficient cause to terminate the entire > connection. > > # With Tunnels > > If the proxy dies, a tunnel will die, meaning that the client is > informed. The server is not. This means that it might still be beneficial > to have the client advertise CIDs - or at least SRTS - chosen by the > proxy. That would allow a crashed proxy to tell servers to stop. > > A tunnel also means that the client->proxy signal really isn't needed as > the outer connection will have its own SRT. However, the proxy might > benefit from a way to indicate to the server that a client is dead. That > also suggests that there is some value in having clients use a CID chosen > by - or at least known to - the proxy. > > The server->proxy signal isn't really needed here. The death of a server > can be indicated through the tunnel. The proxy might benefit from > knowledge of the server's SRT, but I don't see a driving need. This means > that when tunnelling, clients can safely drop the flow where the proxy > learns the server CID/SRT. Obviously, there is no need for the proxy to > generate a new CID/SRT for the client to use in that direction. > > -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque >
- [Masque] QUIC proxying and stateless reset Martin Thomson
- Re: [Masque] QUIC proxying and stateless reset David Schinazi
- Re: [Masque] QUIC proxying and stateless reset Martin Thomson