Re: [Masque] DNS in connect-ip
David Schinazi <dschinazi.ietf@gmail.com> Sun, 24 March 2024 07:30 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DBFAC14F70F for <masque@ietfa.amsl.com>; Sun, 24 Mar 2024 00:30:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BTs8WiTMeCIq for <masque@ietfa.amsl.com>; Sun, 24 Mar 2024 00:30:28 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C98FC14F70E for <masque@ietf.org>; Sun, 24 Mar 2024 00:30:28 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-a4749eecff7so77169666b.2 for <masque@ietf.org>; Sun, 24 Mar 2024 00:30:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711265426; x=1711870226; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fHgrQ6sA8SdbQQZy4X8ER8B9UJl5Rv/uRWkEZQQ65xQ=; b=kEiCEFmiUP6NWvE/4j3wp+IX4vPVZXrnENRS938hmYuFonQNKf3WLLTF6axgQ7vH7R HD7idoDP+Fgd8h+0Yui+sr/vzj3DeAAYs+cOBK7kM+tpZOEld/76bB7d7su05VVlW0a8 cwHynC/ZR5J8QRniZU0HPaw6ex0vnYGRxcx9Wbil6FcSzXFT3kmAQn5svj+gKLXYYYuJ lGUEcY/tHVOxjn2uy1GLLA7NnMFZsNenI4cHzUf11DbFJQV3/nrb8jeQd5XOM9IJCK5C gvODxaxrvDHtrm1Lp+1vKExqm7OAG5ejQ7j3F87aKG98MQ9TuckuOVCx9q+/S3ADVJSK FxlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711265426; x=1711870226; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fHgrQ6sA8SdbQQZy4X8ER8B9UJl5Rv/uRWkEZQQ65xQ=; b=dv3QkLFO1GZ6xeDOdZ0qHj9J/6iiLspAw5N/7dVVDH5I1yH3fuFCramK8uVqL7F5VM TRL8aaqv+v/ixXpz8Hu2PFCukw47Ayejc8Q6GzEr1MM0Q54LpGHdyZgrsQ5VA9HYzAax XirZi9i15PGgjnPGTvGXpQ1U+V0bFVoHa+6YqRHc5pJZFH08+JCKtF8UkO6um/pY4yD9 5ZW3W15OMVWcjdU8mtGYW5vviWcts1XQ5GaEu+bHi6RDev3eohAVyv0AdpZucKlTGteZ Rvz9p3pU64ewc65jhNs+OU+pvtSZuBR9ZXTBMjvV8+R+6hcbxeUbkkEgKI5L+oH6H1hs VMEQ==
X-Gm-Message-State: AOJu0YxDlbR5/GqucXlCSiXzLZ23NR8/6ZgmqGtfp5dfNvJkCT9/fesZ rXinKhj0Q484hZr0FGLutEK9pJCvpL3n7s6iVP36Rl4M7ExeGYdAPVVzyzHOkLm74y0ae6HASiW 231x/vh8YPN/u1u+6XI0Qi1HHmv4=
X-Google-Smtp-Source: AGHT+IHsl5lQpjE0LOcat9t6Bo4i5hUCm7wmij4rEN0jslabF0UBprUQ0SVOAIRymBlRYvU7wYQVtrqJy4eIytcen8I=
X-Received: by 2002:a17:907:7245:b0:a47:4f72:fece with SMTP id ds5-20020a170907724500b00a474f72fecemr1148761ejc.14.1711265426477; Sun, 24 Mar 2024 00:30:26 -0700 (PDT)
MIME-Version: 1.0
References: <CAPDSy+7iCh9P5vzRSTgBeBPMGJaCzeQQFguh4to9=ZJqZhgULQ@mail.gmail.com> <SA1PR15MB4370BB203F7907568CF27C27B32C2@SA1PR15MB4370.namprd15.prod.outlook.com> <CAPDSy+4RTu6xo+o=25x1fFf34GZycnd6USKCMDu_-K5Eu1stVw@mail.gmail.com> <SA1PR15MB4370E0505044F972994D654DB32C2@SA1PR15MB4370.namprd15.prod.outlook.com>
In-Reply-To: <SA1PR15MB4370E0505044F972994D654DB32C2@SA1PR15MB4370.namprd15.prod.outlook.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Sun, 24 Mar 2024 17:30:14 +1000
Message-ID: <CAPDSy+4=SgyC6chGw83xm4VyfGpApSo1nvq9RWdgjtHMRZm9FQ@mail.gmail.com>
To: Ben Schwartz <bemasc@meta.com>
Cc: MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dc9b0f06146307d6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/JE3HY1LjDJAoBHLmBePvpHUmPGg>
Subject: Re: [Masque] DNS in connect-ip
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Mar 2024 07:30:32 -0000
Having the ability to use DoH makes sense long-term. And I like the idea of having a configuration format that can handle a proxy with all of these features (see Tommy's proposal [1]). But in the meantime, we currently have systems with something akin to /etc/resolv.conf, so for those it makes sense to allow connect-ip to be a drop-in replacement for IPsec or OpenVPN. Once we have that we can then provide further improvements like switching DNSo53-over-connect-ip to DoH, but production systems need incremental development steps from what they have today to where we want them to be later. David [1] https://datatracker.ietf.org/doc/draft-pauly-intarea-proxy-config-pvd/ On Tue, Mar 19, 2024 at 3:16 PM Ben Schwartz <bemasc@meta.com> wrote: > Thanks for the context. I think ChromeOS is an interesting example. From > the user's perspective, the distinction between Chrome and ChromeOS on the > same device is generally uninteresting, and they likely wish to designate a > single "VPN" for both. This could be done by configuring the system with a > connect-ip proxy, connect-udp proxy, and DoH server. Chromium would use > connect-udp and DoH directly, bypassing connect-ip entirely. The rest of > the OS would use connect-ip, and non-browser DNS queries would be tunneled > into DoH via a local transparent forwarder. (This is similar to how Chrome > currently bypasses Android's transparent DoH forwarder, preferring direct > DoH to the same DNS server.) > > If configuration provides only a connect-ip proxy, that will result in > unnecessary transfer overhead, MTU loss, and redundant congestion control. > The engineering necessary to avoid that seems straightforward, and if the > standards are missing a piece for that then we should add it. > ------------------------------ > *From:* David Schinazi <dschinazi.ietf@gmail.com> > *Sent:* Tuesday, March 19, 2024 12:49 AM > *To:* Ben Schwartz <bemasc@meta.com> > *Cc:* MASQUE <masque@ietf.org> > *Subject:* Re: [Masque] DNS in connect-ip > > Hi Ben, While your proposal sounds interesting, it doesn't match how we > are implementing MASQUE in practice. That's because for most > implementations, the application and OS are different entities. In > particular, we're deploying > ZjQcmQRYFpfptBannerStart > This Message Is From an External Sender > > ZjQcmQRYFpfptBannerEnd > Hi Ben, > > While your proposal sounds interesting, it doesn't match how we are > implementing MASQUE in practice. That's because for most implementations, > the application and OS are different entities. In particular, we're > deploying CONNECT and CONNECT-UDP in Chrome, but are interested in > CONNECT-IP for ChromeOS. (And I do realize that those two products have > similar names and are built by the same corporate entity, but that's still > how they work.) Because of the realities of the platform, we do need a "90s > style" DNS configuration mechanism for the OS. > > That said, I'm not saying I dislike your design - I think it's something > we should also explore. But we can do that in parallel with what I'm > proposing for DNS in connect-ip. One doesn't preclude the other. > > Thanks, > David > > On Mon, Mar 18, 2024 at 9:30 PM Ben Schwartz <bemasc@meta.com> wrote: > > I think this would be a good and logical design if we believe that > connect-udp, DoH, DNR (RFC 9463), PvD, etc. should not be combined with > connect-ip. In that case, connect-ip needs some kind of basic 1990s-style > in-band DNS bootstrap mechanism, like DHCP or IPv6 RA, resulting in things > like INTERNAL_IP4_DNS in IKEv2. > > I would prefer a design where these standards are combined into an > integrated package, with DNS specified alongside connect-ip, connect-udp, > etc. That would allow a variety of behaviors that are difficult or > impossible in this draft: > > * Clients could do a DNS query, get an HTTPS record, and then choose > between connect-ip and connect-udp based on the indicated ALPNs. > * DNS could use a secure transport (without the delay of a DDR upgrade and > reliance on IP certificates). > * DNS queries could avoid various inefficiencies of conveyance over > connect-ip. > * Clients could use connect-ip's "target" and "ipproto" fields to connect > to a destination selected via DNS. > * Clients could avoid establishing a connect-ip tunnel that turns out not > to be needed for any current destination. > * connect-ip and connect-udp could share a DNS configuration (which > logically applies to both). > * Clients could be protected from domain hijacking by > draft-ietf-add-split-horizon-authority. > > Overall, I think connect-ip, connect-udp, and DNS are all building blocks > for a complete access service, and we should combine them via an > overarching configuration, rather than trying to extend each of them as if > it were the main "entry point". Vending a "connect-ip" template directly > to a client should be viewed as an extremely low-level configuration flow, > similar to manually entering an IP gateway. > > Not coincidentally, this is basically the argument for > https://datatracker.ietf.org/doc/draft-schwartz-masque-access-descriptions/ > > --Ben > > ------------------------------ > *From:* Masque <masque-bounces@ietf.org> on behalf of David Schinazi < > dschinazi.ietf@gmail.com> > *Sent:* Monday, March 18, 2024 9:29 PM > *To:* MASQUE <masque@ietf.org> > *Subject:* [Masque] DNS in connect-ip > > Hi fellow enthusiasts, Some colleagues recently reached out to me asking > about implementing connect-ip into their platform as a VPN client, next to > their IKEv2/IPsec implementation. However, they rapidly found that > connect-ip didn't have > ZjQcmQRYFpfptBannerStart > This Message Is From an External Sender > > ZjQcmQRYFpfptBannerEnd > Hi fellow enthusiasts, > > Some colleagues recently reached out to me asking about implementing > connect-ip into their platform as a VPN client, next to their IKEv2/IPsec > implementation. However, they rapidly found that connect-ip didn't have a > way to communicate DNS servers in-band, and that's a pretty important > feature that almost every VPN protocol supports. Back when we standardized > connect-ip, we had decided to not put it in RFC 9484 and that we'd do it > later as an extension. Now that there's implementer interest, I think it > would make sense for us to work on this. So I wrote up a quick draft about > this: > https://datatracker.ietf.org/doc/draft-schinazi-masque-connect-ip-dns/ > > The chairs have gracefully accepted that I present this in the as-time > presents section of the agenda today. I wouldn't expect anyone to have read > the draft by then, and I'll cover the overall idea in the presentation to > gauge interest, but I thought I'd still post it in case someone's bored > between now and the session later today. > > Cheers, > David > >
- [Masque] DNS in connect-ip David Schinazi
- Re: [Masque] DNS in connect-ip Ben Schwartz
- Re: [Masque] DNS in connect-ip David Schinazi
- Re: [Masque] DNS in connect-ip Ben Schwartz
- Re: [Masque] DNS in connect-ip David Schinazi