Re: [Masque] FW: New Version Notification for draft-kuehlewind-quic-proxy-discovery-00.txt

Ben Schwartz <bemasc@google.com> Mon, 03 February 2020 16:28 UTC

Return-Path: <bemasc@google.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FB83120B09 for <masque@ietfa.amsl.com>; Mon, 3 Feb 2020 08:28:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v1D5Q3JrTxfm for <masque@ietfa.amsl.com>; Mon, 3 Feb 2020 08:28:00 -0800 (PST)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DA46120A9D for <masque@ietf.org>; Mon, 3 Feb 2020 08:27:59 -0800 (PST)
Received: by mail-wr1-x430.google.com with SMTP id z9so6811683wrs.10 for <masque@ietf.org>; Mon, 03 Feb 2020 08:27:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=r4i/EgL/Of0KsbE/O8wYnSg1ZSK3/joP0LoOOyBNYqY=; b=IXOQ+eGw7MIyir2Fn6sGnAlRHkCcvUCyN++dhcgqaPahFTtldOZ2Mt9eZbdzsT4yQn x2Fry7ApdkZB2HyYrmurSJi1sIDFLRfAI8QMfc7weq5nY8FXCtxg2q7uomXIOfNW2EFy OGqzp2OfduSECsuzLveWRsd3m0tP1mTQ7i59hQ2I0447S6br9QU3DIjUXg1oLmOmvj64 154P6/R1CLwdGL6cSBXYiKKMBtTxBYvn2UfOu7hijdYpAxXziO1tblQximJJB9d72Of2 u7WY3sondk8qUJTMXctQ4NaLv8utfJbmQVlJPE37GW35uFVoOKBOrKWn/0F5f5OfesyZ EjKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=r4i/EgL/Of0KsbE/O8wYnSg1ZSK3/joP0LoOOyBNYqY=; b=q0yesaGySEo8G9j/vztMW6S6XbQSK/eCWmThlJ7/iXvedop4sRaOO8F07soeX6ZMZ+ 0wMwJxnwg/LElJinEv81QnwENE6K9v0a/nIONg4JyuLExnYlkRPpG7QQZeHJSAPke9qO 39vfyUWayFTlgo0JWpUG4pCQhkHdESRN+jeK946nvr779mn8hrQcd3kmM5LgEGMf6wqA fAuceCwD+y1wHFKgbCcuAOAl+nUuvLT12m4tl2zxqnA6pcw3FXsk0+4SVEKfXh5EaXDu P6polL8+FzJdE8ilFgQeHhIGj/QPDQdFG1VM5cKnkavMuMkcGm1Kke08AShfwV9EIAGe WCrw==
X-Gm-Message-State: APjAAAW2yaqfVkVJvCf1D/AQWmy4AnA4XT1mfsgVLx/xI9wkdFPCqSAq 3MR+GpuoO2g8iKf2+vqtxm2SIMnoKI0Yl5r5Dd+aCQ==
X-Google-Smtp-Source: APXvYqw6zSZhRGKFoloJEh9eThWWu2Y7DZxbMw5Ha010ig3VWSNbxwF2BX/LipaMllkkfcYEa1LgGGaHCX38iUJXe+M=
X-Received: by 2002:adf:ffc7:: with SMTP id x7mr16163682wrs.159.1580747277706; Mon, 03 Feb 2020 08:27:57 -0800 (PST)
MIME-Version: 1.0
References: <157288641719.16495.4218503379126128243.idtracker@ietfa.amsl.com> <CA5EB3C0-F510-4883-B50B-51A3E46B47CA@ericsson.com> <CALGR9obp-YARLEXDVWvTqZ_h=Ocbn6m2On+uovK-SL-6TaOSXg@mail.gmail.com> <3F20108D-DEED-4AEF-89D3-55F11058110B@ericsson.com> <CALGR9oYHce0mnkj5Kz13EoR-zN3-xSr0igkJF2Z_dJ2vgfVNSQ@mail.gmail.com> <SN6PR11MB3087D25371090E7E40FA32B2CE7F0@SN6PR11MB3087.namprd11.prod.outlook.com> <CAOdDvNruDZuBYp2ABfWCKMF4o6rY5Qk6x6ofH1qCJgLfKpsCUg@mail.gmail.com> <65CD80F2-11BF-4D48-A011-17F6E431D209@ericsson.com> <CABcZeBMd+1X674qJcxLpD2CGPSduO8G1rM1s-r_ccXXy7pn++A@mail.gmail.com> <9AA1F2AB-AF93-4A28-B258-3A691A4DCDEC@ericsson.com> <CABcZeBPv7r53rwru6PaaUBHSNz685WmHM8n=+E+bJHV9AMRLuw@mail.gmail.com>
In-Reply-To: <CABcZeBPv7r53rwru6PaaUBHSNz685WmHM8n=+E+bJHV9AMRLuw@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 3 Feb 2020 11:27:46 -0500
Message-ID: <CAHbrMsCwt_XBTJNAV7eLYZ4KrUQaJt4ovyDSb5UZw8EhNEjMJA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>, Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>, "Su, Chi-Jiun" <Chi-Jiun.Su@hughes.com>, "masque@ietf.org" <masque@ietf.org>, Patrick McManus <mcmanus@ducksong.com>, Lucas Pardue <lucaspardue.24.7@gmail.com>, "quic@ietf.org" <quic@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000018e12059dae6845"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/JfmSx9Tvk378MxEWXZyfJifsjY8>
Subject: Re: [Masque] FW: New Version Notification for draft-kuehlewind-quic-proxy-discovery-00.txt
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2020 16:28:03 -0000

I think topology-as-authorization is typically appropriate when the
authorization doesn't reveal additional information to the network.
Otherwise, it is likely not appropriate.  Some of the protocol proposals
that have been discussed on this list (e.g. IP over QUIC) likely meet this
requirement, and some (e.g. connection ID negotiation) might not.

I would suggest clarifying that our program of work is:
1. Define a tunnel protocol with good, clear privacy properties, providing
no more information to the proxy than the local network would otherwise
have.
2. Analyze and optimize its performance.
3. If performance is better with the tunnel than without in some
sufficiently common scenario, define a discovery mechanism (like this
draft) for PEP use.

On Mon, Feb 3, 2020 at 10:11 AM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Mon, Feb 3, 2020 at 6:46 AM Mirja Kuehlewind <
> mirja.kuehlewind@ericsson.com> wrote:
>
>> Hi Ekr,
>>
>>
>>
>> TLS MITM is not the right analogy here. As I said in my email below we
>> only look at services for the proxy could to provide that do not intercept
>> the end-to-end connection.
>>
>
> Hence the phrase "loose analogy". Those service still require
> authorization and the only authorization you are providing is network
> topology.
>
> -Ekr
>
>
>
> Instead the client would either request a certain network service from the
>> proxy (in any case at least simple forwarding) or, what we have in mind for
>> performance optimization, the proxy would provide additional information to
>> the client that then can be used in the endpoints to optimize traffic.
>>
>>
>>
>> Further you can still configure a trust anchor in your client and use
>> local recovery to dynamically find the IP address. And not all mechanisms
>> described in the draft are actually for local recovery.
>>
>>
>>
>> And at the end it depends on the service the proxy provides if a local
>> proxy makes sense or not. E.g. if you only look at forwarding and address
>> translation in order to conceal the client IP address from the server, not
>> that much trust is needed and a local proxy can make a lot of sense as your
>> access provider knows you IP address anyway.
>>
>
>>
>> Mirja
>>
>>
>>
>>
>>
>>
>>
>> *From: *Eric Rescorla <ekr@rtfm.com>
>> *Date: *Monday, 3. February 2020 at 13:57
>> *To: *Mirja Kuehlewind <mirja.kuehlewind@ericsson.com
>> <mirja.kuehlewind@ericsson..com>>
>> *Cc: *Patrick McManus <mcmanus@ducksong.com>om>, Lucas Pardue <
>> lucaspardue.24.7@gmail.com>gt;, "quic@ietf.org" <quic@ietf.org>rg>, "Su,
>> Chi-Jiun" <Chi-Jiun.Su@hughes.com <Chi-Jiun..Su@hughes.com>>m>>,
>> Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>om>, "masque@ietf.org"
>> <masque@ietf.org>
>> *Subject: *Re: [Masque] FW: New Version Notification for
>> draft-kuehlewind-quic-proxy-discovery-00.txt
>>
>>
>>
>>
>>
>>
>>
>> On Wed, Jan 22, 2020 at 5:54 AM Mirja Kuehlewind <mirja.kuehlewind=
>> 40ericsson.com@dmarc.ietf.org <40ericsson..com@dmarc.ietf.org>> wrote:
>>
>> Hi Partick, hi Lucus, hi all,
>>
>>
>>
>> I’m currently updating the discovery draft and therefore looking at this
>> email thread.
>>
>>
>>
>> So looking at WPAD, it also uses DHCP and/or DNS to get a config file. In
>> the draft we mentioned also the use of Provisioning Domains (PvDs) to get
>> information about local configuration. This seems to be the more
>> appropriate and soon to be standardized alternative, so I don’t think
>> mentioning WPAD will add much. Lucas?
>>
>>
>>
>> Mentioning WPAD could maybe lead to a discussion about who this
>> information can be access by an application/browser (if needed because it
>> could also be the OS that handles the proxying transparently for the app),
>> however, this seems a bit out of scope for this document and probably is
>> mostly covered by taps for PvDs.
>>
>>
>>
>> Patrick, you said below that “series of CONNECT tunnels to the proxy are
>> giving up the end to end security of transport features that QUIC“. In
>> the setup we have in mind for use with MASQUE, we never touch the encrypted
>> QUIC end-to-end connection and just forward those packets. Other than for
>> HTTP/TCP proxies, the idea is to always have an outer QUIC connection
>> between the client and the proxy and an inner QUIC connection between the
>> client and the server. So I think if you only look for a forwarding service
>> (+ address translation/anonymization), it’s actually okay to rely on
>> potentially unauthenticated local discovery as you basically only have to
>> trust the proxy as much as you trust any router on the path.
>>
>>
>>
>> Well,  one of the most common reasons why you would want some sort of
>> tunnel proxy is to conceal your behavior from the local network, which is
>> clearly inconsistent with having the local network supply the proxy
>> information.
>>
>>
>>
>> More generally, I find the whole premise of this draft somewhat
>> confusing. If we look at TLS MITM proxies as a loose analogy, there are two
>> kinds of configuration one might want:
>>
>>
>>
>> 1. To tell the client to trust the proxy
>>
>> 2. To tell the client to connect to the proxy
>>
>>
>>
>> However, as a practical matter, TLS MITM proxies don't do (2) and just
>> rely on network mechanisms to make that work. They only configure trust
>> anchors to let the client trust the proxy. Similarly here, the challenge
>> with QUIC is that you want the client to engage in some behavior that has
>> trust implications, but for this you need some discovery mechanism that is
>> secure, which the ones you propose are not.
>>
>>
>>
>> -Ekr
>>
>>
>>
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>