IETF Logo Mail Archive

Re: [Masque] DNS in connect-ip

David Schinazi <dschinazi.ietf@gmail.com> Sun, 24 March 2024 07:30 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DBFAC14F70F for <masque@ietfa.amsl.com>; Sun, 24 Mar 2024 00:30:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BTs8WiTMeCIq for <masque@ietfa.amsl.com>; Sun, 24 Mar 2024 00:30:28 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C98FC14F70E for <masque@ietf.org>; Sun, 24 Mar 2024 00:30:28 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-a4749eecff7so77169666b.2 for <masque@ietf.org>; Sun, 24 Mar 2024 00:30:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711265426; x=1711870226; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fHgrQ6sA8SdbQQZy4X8ER8B9UJl5Rv/uRWkEZQQ65xQ=; b=kEiCEFmiUP6NWvE/4j3wp+IX4vPVZXrnENRS938hmYuFonQNKf3WLLTF6axgQ7vH7R HD7idoDP+Fgd8h+0Yui+sr/vzj3DeAAYs+cOBK7kM+tpZOEld/76bB7d7su05VVlW0a8 cwHynC/ZR5J8QRniZU0HPaw6ex0vnYGRxcx9Wbil6FcSzXFT3kmAQn5svj+gKLXYYYuJ lGUEcY/tHVOxjn2uy1GLLA7NnMFZsNenI4cHzUf11DbFJQV3/nrb8jeQd5XOM9IJCK5C gvODxaxrvDHtrm1Lp+1vKExqm7OAG5ejQ7j3F87aKG98MQ9TuckuOVCx9q+/S3ADVJSK FxlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711265426; x=1711870226; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fHgrQ6sA8SdbQQZy4X8ER8B9UJl5Rv/uRWkEZQQ65xQ=; b=dv3QkLFO1GZ6xeDOdZ0qHj9J/6iiLspAw5N/7dVVDH5I1yH3fuFCramK8uVqL7F5VM TRL8aaqv+v/ixXpz8Hu2PFCukw47Ayejc8Q6GzEr1MM0Q54LpGHdyZgrsQ5VA9HYzAax XirZi9i15PGgjnPGTvGXpQ1U+V0bFVoHa+6YqRHc5pJZFH08+JCKtF8UkO6um/pY4yD9 5ZW3W15OMVWcjdU8mtGYW5vviWcts1XQ5GaEu+bHi6RDev3eohAVyv0AdpZucKlTGteZ Rvz9p3pU64ewc65jhNs+OU+pvtSZuBR9ZXTBMjvV8+R+6hcbxeUbkkEgKI5L+oH6H1hs VMEQ==
X-Gm-Message-State: AOJu0YxDlbR5/GqucXlCSiXzLZ23NR8/6ZgmqGtfp5dfNvJkCT9/fesZ rXinKhj0Q484hZr0FGLutEK9pJCvpL3n7s6iVP36Rl4M7ExeGYdAPVVzyzHOkLm74y0ae6HASiW 231x/vh8YPN/u1u+6XI0Qi1HHmv4=
X-Google-Smtp-Source: AGHT+IHsl5lQpjE0LOcat9t6Bo4i5hUCm7wmij4rEN0jslabF0UBprUQ0SVOAIRymBlRYvU7wYQVtrqJy4eIytcen8I=
X-Received: by 2002:a17:907:7245:b0:a47:4f72:fece with SMTP id ds5-20020a170907724500b00a474f72fecemr1148761ejc.14.1711265426477; Sun, 24 Mar 2024 00:30:26 -0700 (PDT)
MIME-Version: 1.0
References: <CAPDSy+7iCh9P5vzRSTgBeBPMGJaCzeQQFguh4to9=ZJqZhgULQ@mail.gmail.com> <SA1PR15MB4370BB203F7907568CF27C27B32C2@SA1PR15MB4370.namprd15.prod.outlook.com> <CAPDSy+4RTu6xo+o=25x1fFf34GZycnd6USKCMDu_-K5Eu1stVw@mail.gmail.com> <SA1PR15MB4370E0505044F972994D654DB32C2@SA1PR15MB4370.namprd15.prod.outlook.com>
In-Reply-To: <SA1PR15MB4370E0505044F972994D654DB32C2@SA1PR15MB4370.namprd15.prod.outlook.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Sun, 24 Mar 2024 17:30:14 +1000
Message-ID: <CAPDSy+4=SgyC6chGw83xm4VyfGpApSo1nvq9RWdgjtHMRZm9FQ@mail.gmail.com>
To: Ben Schwartz <bemasc@meta.com>
Cc: MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dc9b0f06146307d6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/JE3HY1LjDJAoBHLmBePvpHUmPGg>
Subject: Re: [Masque] DNS in connect-ip
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Mar 2024 07:30:32 -0000

Having the ability to use DoH makes sense long-term. And I like the idea of
having a configuration format that can handle a proxy with all of these
features (see Tommy's proposal [1]). But in the meantime, we currently have
systems with something akin to /etc/resolv.conf, so for those it makes
sense to allow connect-ip to be a drop-in replacement for IPsec or OpenVPN.
Once we have that we can then provide further improvements like switching
DNSo53-over-connect-ip to DoH, but production systems need incremental
development steps from what they have today to where we want them to be
later.

David

[1] https://datatracker.ietf.org/doc/draft-pauly-intarea-proxy-config-pvd/

On Tue, Mar 19, 2024 at 3:16 PM Ben Schwartz <bemasc@meta.com> wrote:

> Thanks for the context.  I think ChromeOS is an interesting example.  From
> the user's perspective, the distinction between Chrome and ChromeOS on the
> same device is generally uninteresting, and they likely wish to designate a
> single "VPN" for both.  This could be done by configuring the system with a
> connect-ip proxy, connect-udp proxy, and DoH server.  Chromium would use
> connect-udp and DoH directly, bypassing connect-ip entirely.  The rest of
> the OS would use connect-ip, and non-browser DNS queries would be tunneled
> into DoH via a local transparent forwarder.  (This is similar to how Chrome
> currently bypasses Android's transparent DoH forwarder, preferring direct
> DoH to the same DNS server.)
>
> If configuration provides only a connect-ip proxy, that will result in
> unnecessary transfer overhead, MTU loss, and redundant congestion control.
> The engineering necessary to avoid that seems straightforward, and if the
> standards are missing a piece for that then we should add it.
> ------------------------------
> *From:* David Schinazi <dschinazi.ietf@gmail.com>
> *Sent:* Tuesday, March 19, 2024 12:49 AM
> *To:* Ben Schwartz <bemasc@meta.com>
> *Cc:* MASQUE <masque@ietf.org>
> *Subject:* Re: [Masque] DNS in connect-ip
>
> Hi Ben, While your proposal sounds interesting, it doesn't match how we
> are implementing MASQUE in practice. That's because for most
> implementations, the application and OS are different entities. In
> particular, we're deploying
> ZjQcmQRYFpfptBannerStart
> This Message Is From an External Sender
>
> ZjQcmQRYFpfptBannerEnd
> Hi Ben,
>
> While your proposal sounds interesting, it doesn't match how we are
> implementing MASQUE in practice. That's because for most implementations,
> the application and OS are different entities. In particular, we're
> deploying CONNECT and CONNECT-UDP in Chrome, but are interested in
> CONNECT-IP for ChromeOS. (And I do realize that those two products have
> similar names and are built by the same corporate entity, but that's still
> how they work.) Because of the realities of the platform, we do need a "90s
> style" DNS configuration mechanism for the OS.
>
> That said, I'm not saying I dislike your design - I think it's something
> we should also explore. But we can do that in parallel with what I'm
> proposing for DNS in connect-ip. One doesn't preclude the other.
>
> Thanks,
> David
>
> On Mon, Mar 18, 2024 at 9:30 PM Ben Schwartz <bemasc@meta.com> wrote:
>
> I think this would be a good and logical design if we believe that
> connect-udp, DoH, DNR (RFC 9463), PvD, etc. should not be combined with
> connect-ip.  In that case, connect-ip needs some kind of basic 1990s-style
> in-band DNS bootstrap mechanism, like DHCP or IPv6 RA, resulting in things
> like INTERNAL_IP4_DNS in IKEv2.
>
> I would prefer a design where these standards are combined into an
> integrated package, with DNS specified alongside connect-ip, connect-udp,
> etc.  That would allow a variety of behaviors that are difficult or
> impossible in this draft:
>
> * Clients could do a DNS query, get an HTTPS record, and then choose
> between connect-ip and connect-udp based on the indicated ALPNs.
> * DNS could use a secure transport (without the delay of a DDR upgrade and
> reliance on IP certificates).
> * DNS queries could avoid various inefficiencies of conveyance over
> connect-ip.
> * Clients could use connect-ip's "target" and "ipproto" fields to connect
> to a destination selected via DNS.
> * Clients could avoid establishing a connect-ip tunnel that turns out not
> to be needed for any current destination.
> * connect-ip and connect-udp could share a DNS configuration (which
> logically applies to both).
> * Clients could be protected from domain hijacking by
> draft-ietf-add-split-horizon-authority.
>
> Overall, I think connect-ip, connect-udp, and DNS are all building blocks
> for a complete access service, and we should combine them via an
> overarching configuration, rather than trying to extend each of them as if
> it were the main "entry point".  Vending a "connect-ip" template directly
> to a client should be viewed as an extremely low-level configuration flow,
> similar to manually entering an IP gateway.
>
> Not coincidentally, this is basically the argument for
> https://datatracker.ietf.org/doc/draft-schwartz-masque-access-descriptions/
>
> --Ben
>
> ------------------------------
> *From:* Masque <masque-bounces@ietf.org> on behalf of David Schinazi <
> dschinazi.ietf@gmail.com>
> *Sent:* Monday, March 18, 2024 9:29 PM
> *To:* MASQUE <masque@ietf.org>
> *Subject:* [Masque] DNS in connect-ip
>
> Hi fellow enthusiasts, Some colleagues recently reached out to me asking
> about implementing connect-ip into their platform as a VPN client, next to
> their IKEv2/IPsec implementation. However, they rapidly found that
> connect-ip didn't have
> ZjQcmQRYFpfptBannerStart
> This Message Is From an External Sender
>
> ZjQcmQRYFpfptBannerEnd
> Hi fellow enthusiasts,
>
> Some colleagues recently reached out to me asking about implementing
> connect-ip into their platform as a VPN client, next to their IKEv2/IPsec
> implementation. However, they rapidly found that connect-ip didn't have a
> way to communicate DNS servers in-band, and that's a pretty important
> feature that almost every VPN protocol supports. Back when we standardized
> connect-ip, we had decided to not put it in RFC 9484 and that we'd do it
> later as an extension. Now that there's implementer interest, I think it
> would make sense for us to work on this. So I wrote up a quick draft about
> this:
> https://datatracker.ietf.org/doc/draft-schinazi-masque-connect-ip-dns/
>
> The chairs have gracefully accepted that I present this in the as-time
> presents section of the agenda today. I wouldn't expect anyone to have read
> the draft by then, and I'll cover the overall idea in the presentation to
> gauge interest, but I thought I'd still post it in case someone's bored
> between now and the session later today.
>
> Cheers,
> David
>
>

v2.23.0 | Report a Bug | By Email