IETF Logo Mail Archive

Re: [Masque] Filtering function of the Masque server for traffic incoming to the client

Alex Chernyakhovsky <achernya@google.com> Mon, 27 July 2020 17:31 UTC

Return-Path: <achernya@google.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A010C3A1B42 for <masque@ietfa.amsl.com>; Mon, 27 Jul 2020 10:31:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FGgcD9Ml9bVf for <masque@ietfa.amsl.com>; Mon, 27 Jul 2020 10:31:17 -0700 (PDT)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD0273A1D9F for <masque@ietf.org>; Mon, 27 Jul 2020 10:30:23 -0700 (PDT)
Received: by mail-oi1-x235.google.com with SMTP id k6so14991733oij.11 for <masque@ietf.org>; Mon, 27 Jul 2020 10:30:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Bi/haqR8PJinIHvKcnMYyDoST9LgF8l+Sr4ZsfGp6Kw=; b=agUKFJy3reFqgfgsv1BOLiPaAbSGV/p1Zo+yygRaJ6suYamgfRti1d1HwSDanMQLFY bmna430gyZ3YRs0+z3Qee43UIPnBEjs47lPqevJ2uArR4ojA0aND8KgfGnEsj+VFcQri xLm/dwf8sFAgQ3nlbZjyKJUc7O7ppQbqjwIC28HCzKp4wVaL+eEb586CeKqbyayQu2BJ ptK2Zu9lYGDWRI2mhhXWJN/AvGrj0D0I3YzACQ5m/heOel7R/W2lwzrLaybGIcNK7Jfu ot6hNq7FZhE28u3EhQDYMeMxq059Wx1c3eRMKcVIVKygxbV8hT0EruFjMVvAbUy8aOqB vbNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Bi/haqR8PJinIHvKcnMYyDoST9LgF8l+Sr4ZsfGp6Kw=; b=sb8DvViV92W1Q2uL+JCiAu2E+5Vw69uX/TSnueg4JI8NAYVZJmhDDRh0RAlzUDAuBR h7BebwQAaiC1/I5QIj7fatFpaFkunlJEF5FT6eWeVwJFzFfBDgWr3XzD4Ta2nPLCft5I Onq0mFErRIcPjrupjPh/6oitpbSbet1n87/aqVIeqUmO+YZk1nMUdu/8CSuKoyT5CpWo JW28Sw9gE+xUp5xO1GBVMrt2ZHPWGWOfgzoyyoY8gBdjIhT+2DMZYzzk8AJpKJeNEyrc 49fAExycUX40MPVQFd2dUuu5wqe3C4+7yT2dwhdyG593fYNkbsv8ixs3nFmgZBsMVlKI x2lA==
X-Gm-Message-State: AOAM532FIZnpbv9UFYsDt2AmmdGxejQhUj4sklSj4EY/xoNDKJPVbAAm Nkty5Nqk5rwC7mwvFEQU8XPDQ3HcGmtEl2k4D83gtg==
X-Google-Smtp-Source: ABdhPJwZJyJscbBuELs9pwplAXk+/GHpVUdFxf+FrnQ+vI5E4LjZ1PUTCAEHzfg+nNags5h4xeKb8vEFhTFVoFsh3To=
X-Received: by 2002:aca:bcd6:: with SMTP id m205mr286220oif.149.1595871022644; Mon, 27 Jul 2020 10:30:22 -0700 (PDT)
MIME-Version: 1.0
References: <6cc97d7064070453574c7549c2e8af3892fe023c.camel@ericsson.com> <CAPDSy+7wR_rkY2BESYFr4wU57EokkXjR7LXi_ouOp=LZOR2EyA@mail.gmail.com>
In-Reply-To: <CAPDSy+7wR_rkY2BESYFr4wU57EokkXjR7LXi_ouOp=LZOR2EyA@mail.gmail.com>
From: Alex Chernyakhovsky <achernya@google.com>
Date: Mon, 27 Jul 2020 13:30:11 -0400
Message-ID: <CAHbWFkQkc5Uo8stu60SmoGuEP_MNSf0kESdGdP7KmtTVSJD=tw@mail.gmail.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, "masque@ietf.org" <masque@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000069fc4405ab6fad89"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/Q9jmwuvqCDYFru6Q-aAPmZuhz7Q>
Subject: Re: [Masque] Filtering function of the Masque server for traffic incoming to the client
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2020 17:31:21 -0000

Hi,

I'd like to add some more thoughts to the IP-specific tunnel aspects that
David outlined. In our experience with QBONE, the important thing is to
make sure that the packets from both endpoints are routable. That means
that if a packet appears, either on the server or client, for a destination
that is not exposed through the tunnel, then the packet should be dropped
(or accepted by some other route other than the tunnel itself).

Suppose that you have a case with server-assigned IP addresses to all
clients. The server can easily ensure that all packets destined towards the
client are the only ones it routes into the tunnel. For defense in depth,
the client implementation should drop any packet that is to a destination
that is not exposed through the tunnel, as we should defend against a
buggy/malicious server implementation.

This gets a bit more complicated with advertised routes, since there's not
a single IP address (or range) to check, but nonetheless the same ideas
hold: both sides of the tunnel should drop packets that are not to valid
destinations, either from the tunnel or from the outside interface.

For the ICMP example, the client should have routes installed for the IP
address that's sourcing the IP packets. The server should also know these
routes, and be able to prevent the ICMP packet from traversing the tunnel
if it's not to an allowed source or destination range.

If we did allow packets with IPs not advertised across the tunnel to
traverse the tunnel, then the response packets would go through a different
path, and likely be blackholed.

To David's point about "[ensuring] that two clients do not offer
overlapping subnets": I actually think we should allow this case, for
load-balancing across multiple client instances, particularly for the
network-to-network (site-to-site) use case. But then the complexity becomes
ensuring that the overlaps are from authenticated clients permitted to do
so.

Sincerely,
-Alex

On Mon, Jul 27, 2020 at 9:51 AM David Schinazi <dschinazi.ietf@gmail.com>
wrote:

> Hi Magnus,
>
> Some thoughts inline below.
>
> On Mon, Jul 27, 2020 at 5:32 AM Magnus Westerlund <magnus.westerlund=
> 40ericsson.com@dmarc.ietf.org> wrote:
>
>> Hi,
>>
>> A question I have to the WG is how its view are on filtering function of
>> the
>> MASQUE server for incoming traffic from remote addresses. This comes from
>> the
>> perspective of what is in TURN for this. TURN requires the client to
>> explcitly
>> indicate the remote address (IP + Port) to receive traffic.
>>
>
> From the discussions we had during the chartering of MASQUE, I really
> think that
> we should keep TURN out of scope for MASQUE. I adds significant complexity
> that is not warranted for all use-cases, and can be added on top of MASQUE
> later.
>
> So the question is what behavior we do expect from MASQUE for both UDP and
>> for
>> IP. For UDP I think only accepting traffic from the reverse 5-tuple that
>> the
>> client requested to communicate to.
>>
>
> Yes, I would keep CONNECT-UDP as simple as possible, and that means that
> one CONNECT-UDP request maps to a given 5-tuple on the proxy-server leg,
> and all other packets are dropped.
>
> For IP I think the decision is tougher. But, I think the primary question
>> is if
>> one should be able to run a server as a client of the MASQUE server. If
>> it does
>> then any traffic to the leased IP address needs to be accepted. Thus
>> questions
>> about being open for any traffic and potential for attack traffic etc.
>>
>
> Similarly to UDP, I don't think we need to solve all aspects of this
> question within
> MASQUE itself. MASQUE needs to negotiate the specifics of the IP tunnel it
> creates - such as IP addresses in use by both endpoints, and authorized
> routes
> in both directions.
>
> A special case if one doesn't allow any remote source through to the
>> client, is
>> that some traffic that doesn't match IP 3-tuple still need forwarding.
>> The best
>> example I have is that a MASQUE server will need to look at the ICMP
>> traffic
>> comming in to the IP address and match the included header to existing
>> context
>> and forward it to the relevant client if it matches.
>>
>
> Can you elaborate on your example please? Which IP addresses are used on
> the
> ICMP packet, and on the packet that triggered the ICMP?
>
> I think all we need for this in MASQUE is for the endpoints to negotiate
> which
> subnets they are offering as routable via MASQUE. All the server then
> needs to
> do is ensure that two clients do not offer overlapping subnets. Or are you
> envisioning some complexity that I'm not seeing?
>
> Cheers,
> David
>
> So what are peoples opinion here?
>>
>>
>> Cheers
>>
>> Magnus Westerlund
>>
>>
>> ----------------------------------------------------------------------
>> Networks, Ericsson Research
>> ----------------------------------------------------------------------
>> Ericsson AB                 | Phone  +46 10 7148287
>> <+46%2010%20714%2082%2087>
>> Torshamnsgatan 23           | Mobile +46 73 0949079
>> <+46%2073%20094%2090%2079>
>> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
>> ----------------------------------------------------------------------
>>
>>
>> --
>> Masque mailing list
>> Masque@ietf.org
>> https://www.ietf.org/mailman/listinfo/masque
>>
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>

v2.23.0 | Report a Bug | By Email