IETF Logo Mail Archive

Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Tue, 08 June 2021 01:30 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 659433A1AD2 for <masque@ietfa.amsl.com>; Mon, 7 Jun 2021 18:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stCiYeyCuCq3 for <masque@ietfa.amsl.com>; Mon, 7 Jun 2021 18:30:17 -0700 (PDT)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F1DE3A1ACF for <masque@ietf.org>; Mon, 7 Jun 2021 18:30:17 -0700 (PDT)
Received: by mail-yb1-xb30.google.com with SMTP id m9so21305199ybo.5 for <masque@ietf.org>; Mon, 07 Jun 2021 18:30:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=39fiKYssiJEdp8Tq+2xM+5yErLkbqhMhLKWaWIgUAP8=; b=bQPagTmSBhyjhUyNDjljJto9W/PqrZ9kFII8IR0OT/HrypCmUYUmQfVH3zzs1rVcAS HYXOizxd2f7mIe3cV1cSKLJ5InN+CyMy0IPDTAHczAhnwaf3fKDzMp7iTKpvg6AmgAPQ FHt4/O76BcOdrajKmqVYCvIU+kE6mFOTt1G6JOaWXAjns5mLQnnK+3NhUP293PaKdSwR OOuqhLk/iQGaO9DftV24soIecfuSnDTRENw4ob8dD+HtGE7ZzMGn/HOtJ7zyHqy7Vtny e1E8Y7GJs1rO/b0So1bS4BKPDPrQnf38xHf9c/Ema2vZVi72xWlwL8FcOmbdQdejRDrS 0e2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=39fiKYssiJEdp8Tq+2xM+5yErLkbqhMhLKWaWIgUAP8=; b=jPf+314mG7j9wo7fHnozw8TvLeyI+CZ+2eVR465YGd+3zUhHgWT7F5fSnSCX+2lDVE Wf9/21evCKk5Vb2WYvxlRF8T4sB5h4tDMb3i7shwk0EVaNR2er5q/+a+SO+EVMBTdEhS qig/0C7gqGYRCkKp1zFYgDMlsnDZcUcmQcRW2BoQU/i2oIeA7Z1cPq03LvxInNinSP9t yleeAD0wRx7XgcG09oYKxtmb50jwjtkX7VCD8vsBglqj2Cht8M4FQ9MVpa5dITeex6lY 9o5AF1No08Li0bBwkPuQJOFQOzr74si8xxtddd7SefsblhBGIFqrP4SwoOPnjGr35m6b ByoQ==
X-Gm-Message-State: AOAM5319pDBRJPlMam3JRO59liIq8DwEq203goOVGM2tjab3gXoDGrS3 6vwJz17WQFpXPf/UkxfkqIdxWGSvxK/nxVFlyXo=
X-Google-Smtp-Source: ABdhPJzV8z5LZYLXf/QRkwHEyVPVvxCERKPvmnix1k36DVuFQyTwwNNTZl0YQ8LJo3uZ46DHw5uUMERlatsqD9rh4NA=
X-Received: by 2002:a25:2a04:: with SMTP id q4mr29389442ybq.154.1623115816039; Mon, 07 Jun 2021 18:30:16 -0700 (PDT)
MIME-Version: 1.0
References: <d314198b-6c01-4b15-84d8-9896b5fdee80@www.fastmail.com> <HE1PR0702MB3772355483E2771650C6D679953F9@HE1PR0702MB3772.eurprd07.prod.outlook.com> <746F7E16-37BD-49EF-896A-649D394CCB05@ericsson.com> <CAPDSy+6PjZk0Kea6154V3=GF-8bs+0Mr+FtFfi-girGh3uAVrQ@mail.gmail.com> <3deea8212d66731de5c81abae353f3e9322f2d57.camel@ericsson.com> <CAPDSy+68DoVrRiC7uEn1-Ze_5LDn9mt7-f+ZeovTTYAUh=w2Og@mail.gmail.com> <21d8fc788051b570768e53d6d9355ed51b423c0a.camel@ericsson.com> <CAKKJt-d-FzXVdJpUTacb4m7ESyB6nzkk1BQSf8rHtReOvD=5Jw@mail.gmail.com> <CAM4esxSE=misCJX=73h-kF+RQdQLC2WBhwv3nv5QgR8HK17diw@mail.gmail.com> <CAM4esxQatk4-ENdz+2jCbpRtr8hT0nLWbVLbb64RMJwvBf2qDA@mail.gmail.com> <CAHbWFkQ6YAhqgbbsAPC-i2Rv-_LRZ4R3NKTk4of200GUt38A_g@mail.gmail.com> <91475be5-dee4-435e-a65b-1cde43ffff0e@www.fastmail.com> <CAPDSy+4w_SCR5G5LFrpefsNPpu=od1JH0JGcP86nAsEmAvJTig@mail.gmail.com>
In-Reply-To: <CAPDSy+4w_SCR5G5LFrpefsNPpu=od1JH0JGcP86nAsEmAvJTig@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Mon, 07 Jun 2021 20:29:50 -0500
Message-ID: <CAKKJt-cfDe0+J-KuV_dWpqOgbwMhnpSL6Td5x_ZLTgBKY8cKZQ@mail.gmail.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: Christopher Wood <caw@heapingbits.net>, Alex Chernyakhovsky <achernya@google.com>, Martin Duke <martin.h.duke@gmail.com>, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a4f88705c4371946"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/Mxiy16byVeb92p8dkxAmf1iD8xY>
Subject: Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2021 01:30:23 -0000

To the upthread posters - that sounds good to me.

Thanks, Martin, for helping clarify the expectations.

Best,

Spencer

On Mon, Jun 7, 2021 at 5:41 PM David Schinazi <dschinazi.ietf@gmail.com>
wrote:

> That makes sense to me. The requirements document states that the
> network-to-network use-case will be optional to implement, so it won't be a
> burden. As we make progress on building the actual protocol, we'll find out
> whether the network-to-network use-case adds delays or not. If it does,
> then we'll split it off to its own document. Alternatively, I think Magnus
> has offered a great suggestion in his latest message: a separate
> architecture document. This way we can keep the protocol document shorter
> and tackle the policy/address-validation/trust/addressing questions in the
> architecture document. Either way, it does sound like we have a good path
> forward to wrap up the requirements document.
>
> David
>
> On Mon, Jun 7, 2021 at 1:07 PM Christopher Wood <caw@heapingbits.net>
> wrote:
>
>> As Martin points out, the solution for the network-to-network use case in
>> Section 2.4 can be split out into a separate document should we run into
>> timeline issues down the road.
>>
>> To that end, we'd like to reiterate that the purpose of this WGLC is to
>> determine if we can we move forward with this understanding and consensus
>> on this document in its current state, plus or minus maybe some editorial
>> cleanup. If not, what specific requirements in the document are
>> problematic, and why?
>>
>> Thanks,
>> Chris and Eric
>>
>> On Mon, Jun 7, 2021, at 12:54 PM, Alex Chernyakhovsky wrote:
>> > Hi Martin,
>> >
>> > Thanks for weighing in, and I agree with your interpretation that there
>> > is no tension between these two points.
>> >
>> > I agree that should we run into timeline issues with the implementation
>> > drafts, it is possible to split out the section 2.4 implementation into
>> > its own document. We should cross that bridge if/when we get there.
>> >
>> > Sincerely,
>> > -Alex
>> >
>> > On Mon, Jun 7, 2021 at 3:39 PM Martin Duke <martin.h.duke@gmail.com>
>> wrote:
>> > > To clarify what I meant, I'm suggesting the the future IP proxy
>> document can split out the network-network use case specification if that
>> proves to be problematic.
>> > >
>> > > I am not saying we should have two requirements documents.
>> > >
>> > > On Mon, Jun 7, 2021 at 12:25 PM Martin Duke <martin.h.duke@gmail.com>
>> wrote:
>> > >> I'd like to step in here as AD and make sure we are not talking past
>> each other here. IIUC:
>> > >>
>> > >> (1) Magnus and Mirja do not want to implement 2.4.
>> > >> (2) The authors want to make sure the design is extensible to
>> support 2.4, but are OK with some endpoints not supporting it.
>> > >>
>> > >> It does not appear that there is tension between these points.
>> However, I understand that Magnus is concerned that 2.4 will hold up the
>> core proxy-ip draft unnecessarily.
>> > >>
>> > >> As AD, if we come to that point, I see no requirement in the charter
>> that this be one or two documents; if the option is holding everything up,
>> it can go to the IESG while 2.4 has further refinement in the WG. I don't
>> see that we have to make this decision now.
>> > >>
>> > >> Regarding the document at hand, the existing Sec 2 offers the
>> possibility that all of the use cases are optional. It does not preclude
>> the path that appears to have consensus.
>> > >>
>> > >> Is that consistent with others' understanding?
>> > >>
>> > >> Martin
>> > >>
>> > >> On Mon, Jun 7, 2021 at 5:06 AM Spencer Dawkins at IETF <
>> spencerdawkins.ietf@gmail.com> wrote:
>> > >>>
>> > >>>
>> > >>> On Mon, Jun 7, 2021, 03:15 Magnus Westerlund <magnus.westerlund=
>> 40ericsson.com@dmarc.ietf.org> wrote:
>> > >>>> Hi David and WG,
>> > >>>>
>> > >>>> Let me attempt to clarify a bit why I have made the comments I
>> have made. I think they do stem from interepreting the network to network
>> use cases as a very general technology and from the perspective of
>> deploying this with clients which the server has limited trust in. I
>> realize that you are likely comming from another perspective that you only
>> intended to use this in cases where you have fairly high mutual trust in
>> the client and the server. I think that is actually the major difference
>> here and why you below think I am making a circular arguments. I think it
>> all stem from lack of discussion of this use cases and what operational
>> limitations we intended to have on the protocol.
>> > >>>
>> > >>> I don't know if this would have helped, but I do wish we could tell
>> (explicitly, in the requirements draft) which requirements arose from
>> various use cases.
>> > >>>
>> > >>> I'm pretty sure that most participants think they know that
>> (likely), but also think that other participants have the same
>> understanding (perhaps less likely). I think that's what Magnus is saying
>> here, if I'm reading the thread correctly.
>> > >>>
>> > >>> Do The Right Thing, of course.
>> > >>>
>> > >>> Best,
>> > >>>
>> > >>> Spencer
>> > >>>
>> > >>>> So if the goal here is to have high mutual trust between client
>> and server then I think a protocol solution may be able to be defined with
>> such an applicability statement and less mandate on necessary protocol
>> mechanisms to protect against malicous peers. I think that is in stark
>> contrast against some of the other use cases where the trust in the client
>> could be rather minimal. Like the client and server relationship is only
>> this is a paying customer that gets a VPN access and the server has no idea
>> what type of client or implementation that are the peer. This basic use
>> cases will deploy with an addressing architecture that makes it much less
>> vulnerable to malicous intent on the routing level.
>> > >>>>
>> > >>>> So, can we please discuss what assumption we have on the client
>> and server trust?
>> > >>>>
>> > >>>> I also think your attempt to sweep the addressing schemes to be
>> used by the servers under the rug and not disucss them have hurt the
>> understanding. I at least have been guessing on possible deployment
>> scenarios rather than that we have openly discussed them in the WG. Yes,
>> they maybe not need to be detailed in the protocol solution or an
>> arhcitecture document, however they would have made sense to have some
>> addressing deployment scenarios in this requirement documents use case
>> section to make clear what would have been intended. Because they do
>> influence what is needed for the solution.
>> > >>>>
>> > >>>> Cheers
>> > >>>>
>> > >>>> Magnus
>> > >>>> --
>> > >>>> Masque mailing list
>> > >>>> Masque@ietf.org
>> > >>>> https://www.ietf.org/mailman/listinfo/masque
>> > >>> --
>> > >>> Masque mailing list
>> > >>> Masque@ietf.org
>> > >>> https://www.ietf.org/mailman/listinfo/masque
>> > > --
>> > > Masque mailing list
>> > > Masque@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/masque
>>
>

v2.23.0 | Report a Bug | By Email