[Masque] Initial look at draft-cms-masque-ip-proxy-reqs-00.txt
Eric Rescorla <ekr@rtfm.com> Tue, 28 July 2020 00:57 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFF163A0908 for <masque@ietfa.amsl.com>; Mon, 27 Jul 2020 17:57:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6vSENwPL77pm for <masque@ietfa.amsl.com>; Mon, 27 Jul 2020 17:57:56 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD24E3A0913 for <masque@ietf.org>; Mon, 27 Jul 2020 17:57:55 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id f5so19261914ljj.10 for <masque@ietf.org>; Mon, 27 Jul 2020 17:57:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=e45QIwwHND2z3DxIbpkNNuDTFPXxmu1DWwJ04LLy04A=; b=szKjsSwvmUNoxE9MeQZGr6SgDRcR0m2tl6T4zcns6nkAO8Zii5u3PAfSN94gKjUl6E wRX4yVqTfjvztBYIU5J4G642pEMAt3A5KteBahgNx5agyghWT0My4ZAE6PFpZk1iV4bz zGCS6bAkxXHoQU3BnhzWk5K0/l6zhwVJPtFqCWb0okDQzkWqLL8E8UH21L6NyDbcB+6S 0JOc1Goo7zttKzTJhTaJCfZff+STn2OP2i54aTnFYyAiHt3UiX3ZDOt8YVRSN0+JkBDN 8lzsKWa+MUVNIlScommjfnZjaTxoLagos+AScSMpP3gY3+DvQktQWWSfaN0A557WyZCl VWOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=e45QIwwHND2z3DxIbpkNNuDTFPXxmu1DWwJ04LLy04A=; b=fMH2Y+ebZIJadCum+8KR1S5CS5ejFst2yCCllCZYoX9+V7KMamz2ED0k5qr1+gQRdj cx8K3xfoH7fCr/iOvWqYN4AXgJ8K/SN9EP59KEtVgSzmBoBcEUjv1yNto+wFYBFXqIPE yYgn4vFFJPkEUeobs0QWhgUXGOEfl1XOl9eiXv2LcxFWv/ytGAGzR/Sjyt6yq9lHJhX9 bT5mbz7EeaEMbDdMqni9VZHelAm8kB+o8bciBh92/wH5QwChK6SaIwuL/EDoWYoTEG+3 ofc+ogwOazctlyhABzMKDTTHijaEc2jyH1yzWt0gnMQiJgh3HqCGemc0hlKsuVNHhLL4 EKfA==
X-Gm-Message-State: AOAM530tHsCVQGzamw7OlD4huYHoy/Qa6yXR16F516m3BDmAeaUnaJhB kF5VTzaWK5Mmz5zYFRw/PqxQevO/kbwdO9ALFDGPSajQ+DT8Wg==
X-Google-Smtp-Source: ABdhPJyQVFoCP7pkrFAiR6KVED3aipSNKd+gNg7paXhGjdAeo9qTbXwHJvJRRmAdoMQkchXqdw/5+JKRcOQ5g962pE4=
X-Received: by 2002:a2e:3311:: with SMTP id d17mr12232427ljc.13.1595897873411; Mon, 27 Jul 2020 17:57:53 -0700 (PDT)
MIME-Version: 1.0
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 27 Jul 2020 17:57:17 -0700
Message-ID: <CABcZeBM94sdL-Ocw+Whca+WR9haC1ircgA6GxefQQ8eed319jg@mail.gmail.com>
To: MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d7c63905ab75ed21"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/O4Mp320DACYZDsT3jh2asI8HmzY>
Subject: [Masque] Initial look at draft-cms-masque-ip-proxy-reqs-00.txt
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2020 00:57:59 -0000
I took an initial look at this document. Comments below. S 2. I'm surprised to not see the common consumer use case where someone VPNs onto the Internet. I suppose you could argue that this is "Point to Network" but the way you phrase this in 2.2 suggests otherwise. S 3.2. The protocol will establish Data Transports, which will be able to forward IP packets, in their unmodified entirety. The protocol will support both IPv6 [IPV6] and IPv4 [IPV4]. This doesn't seem correct. At minimum you should be decrementing the TTL and you might also be doing IP translation. S 3.3. The protocol will allow endpoints to negotiate the Maximum Transmission Unit (MTU) in use over a given Data Transport. This will allow avoiding IP fragmentation, especially as IPv6 does not allow IP fragmentation by nodes along the path. This is an unusual use of the term "negotiate" because as a general matter, the egress point will have a fixed external MTU and thus the MTU becomes that minus overhead. S 3.4/3.5. Both the client or server may request to be assigned an IP address range. In response to the request, the peer will respond with an IP address range of its choosing. This seems like a feature that is intended for Network to Network VPNs that doesn't make sense for a consumer-type VPN in which the assumption is that the VPN server is the default router. At any point in an IP Session (not limited to its initial negotiation), the protocol will allow both client and server to request routes to specific IP address ranges. In response to this request, the peer will have the ability to respond with a subset of routes that it is willing to accept, or deny the request. I don't understand what "request routes" means. Does it mean that I am asking the peer to be willing to route to those domains? Something else? S 3.6. When negotiating the creation of an IP Session, the protocol will allow both endpoints to exchange an identifier. For example, both endpoints will be able to identify themselves by sending a fully- qualified domain name. Is this identifier secure authenticated? S 3.8. Additionally to the authentication provided by the transport, the protocol will have the ability to authenticate both client and server during the establishment of the IP Session. In particular, it will be possible for the client to offer an OAuth Access Token [OAUTH] to the server when requesting IP proxying, potentially through an extension of the protocol. The protocol will also have the ability to support vendor-specific authentication mechanisms as extensions. This seems incomplete. First, the OAUTH access token doesn't authenticate the *server*. S 3.9. While it is desirable to transmit IP packets unreliably in most cases, the protocol will provide a mechanism to allow forwarding some packets reliably. For example, when using HTTP/3, this can be accomplished by allowing Data Transports to run over both DATAGRAM and STREAM frames. This seems like an odd feature to add in a VPN protocol. What's the rationale for this. -+
- [Masque] Initial look at draft-cms-masque-ip-prox… Eric Rescorla
- Re: [Masque] Initial look at draft-cms-masque-ip-… David Schinazi
- Re: [Masque] Initial look at draft-cms-masque-ip-… Eric Rescorla