IETF Logo Mail Archive

Re: [Masque] Comments on draft-age-masque-connect-ip-01

David Schinazi <dschinazi.ietf@gmail.com> Mon, 08 November 2021 18:08 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A74623A0CB0 for <masque@ietfa.amsl.com>; Mon, 8 Nov 2021 10:08:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUIHe58p2gfe for <masque@ietfa.amsl.com>; Mon, 8 Nov 2021 10:08:38 -0800 (PST)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F90C3A0CAF for <masque@ietf.org>; Mon, 8 Nov 2021 10:08:38 -0800 (PST)
Received: by mail-pl1-x62a.google.com with SMTP id b11so3130419pld.12 for <masque@ietf.org>; Mon, 08 Nov 2021 10:08:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dvIm+X1JYFdEGpRw7lPLyV5Hb2SNidvlKgP/6gqYGuA=; b=f2wnDl9qYtUti6H7X6TynzSFiI3GAhcnS5gh/SI1OymQS55vKlwQy2eGeq56srMp7F nU+KH1zUQ3cR3CZcr4jCQzk2AiM97zqGoQmpfCEi/v+KmDzWmP0MTpPAE3xbDg5akf8e T+A84qJ7CnxOmvtkjMilFAD8E6o1OC1x3rtxqUm9/1/YhZmQ0lZ5JXemR42NpbHe/e+k 8Ttqu5fnqGzzn5P0TosRX7S3SI0y6OcbzXljJDK9HQE91/7ZXy7kCDR/cwqa16UH+hyB c+sLsi8Eh/chiAkCKQ8WQpxVadXuwwBQN6RwGBu4yKIhw6ZxK1kIdH+tvIh9cIbsph2v Go1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dvIm+X1JYFdEGpRw7lPLyV5Hb2SNidvlKgP/6gqYGuA=; b=d2qFt3GbnrMRlMR5sD0fvsjgusUy22Q88SEdHD35pa+6cD/s22Pw1gVRm9JHwNp2nk XZ+FMuzA2dr4oBc7jjWIxpYPKckNYbqR0+CuA5vDSlJz8yDki7Ced90ygIPfaMOhZDTM a+7dU21+o7T5o6NQ53AjgYiMPlmW8+2rI7ROF2u3lJePA53cul/EROK0/QmLGdUs9dIL bu/b3C8iuqbomXvJhE0125uAhd3km2MAMkd/AsLQsS2w5z2Da1uyF9m0LvyEx8ST8k9R z0ygjw3B4LAUEXrthReVaWrZAFd8OoCh5eO18xdWsbMQnKgRgfENxomrmum9olV1eh/I WKmA==
X-Gm-Message-State: AOAM532k99dViBXTcEfJHrNkyNScRbiwwQoa9967uEQRH9cW+cWjm/S1 3CAl33nJHQ0YWd2mtUqnOFCMv4Eo0dd3gWTqdJW3F+/KZjA=
X-Google-Smtp-Source: ABdhPJyNypkXmWr4pYjuVwzJ9g2PB/e5liY4lyzlARHLirmxZ5fHbZfWSZ4loUOveodbG4Wh2ZWMgqxmGmD78+Zi+Ic=
X-Received: by 2002:a17:90b:1bca:: with SMTP id oa10mr288875pjb.20.1636394915721; Mon, 08 Nov 2021 10:08:35 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMSe7JJ41EC+f1pyAFrm_+9TU2h=SY-_Xy5vX5wu8TgOQ@mail.gmail.com> <7C41DE50-EE9B-4084-8A1D-88471664E23E@apple.com> <CABcZeBN1Q00hLijF9D1Wu7eGVDe_8jRR=QZ9t3gc-xtkee0=rw@mail.gmail.com> <F6EC2485-95BD-4D8A-BF8E-12E9B1F74253@apple.com>
In-Reply-To: <F6EC2485-95BD-4D8A-BF8E-12E9B1F74253@apple.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Mon, 08 Nov 2021 10:08:24 -0800
Message-ID: <CAPDSy+7wtrnM73phoM1oniW9jwPoqW00Q0ybuUKNdOhmEV96Kg@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: Eric Rescorla <ekr@rtfm.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a9f56505d04ae12d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/RybYwcht4808v-scnoWq-CweTqM>
Subject: Re: [Masque] Comments on draft-age-masque-connect-ip-01
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 18:08:44 -0000

If I may jump in, Tommy I think you misunderstood EKR's point. EKR is
saying that in the common consumer VPN scenario it doesn't make sense for
the CLIENT to send routes to the SERVER. I think we can resolve EKR's
concern by taking this text from draft-cms-masque-connect-ip and copying it
to draft-age-masque-connect-ip:

   In theory, endpoints could use ROUTE_ADVERTISEMENT capsules to divert
   traffic from naive endpoints.  To avoid this, receivers of
   ROUTE_ADVERTISEMENT capsules MUST check their local policy before
   acting on such capsules, see Section 5.

https://datatracker.ietf.org/doc/html/draft-cms-masque-connect-ip-01#section-8

On Mon, Nov 8, 2021 at 10:04 AM Tommy Pauly <tpauly=
40apple.com@dmarc.ietf.org> wrote:

>
>
> On Nov 8, 2021, at 8:43 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Mon, Nov 8, 2021 at 7:52 AM Tommy Pauly <tpauly@apple.com> wrote:
>
>>
>>
>> On Nov 7, 2021, at 3:12 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>> This document seems like a reasonable starting point. Good to see
>> the authors converging. Some technical comments below.
>>
>>
>> Thanks for the comments!
>>
>>
>> Overall, I wonder if we should actually forbid the client from
>> using IP addresses in packets when the target is specified.
>> That would avoid goofy situations in which the client does
>>
>>    CONNECT 192.0.2.1
>>
>> And then sends to 192.0.2.2.
>>
>>
>> I think it’s more consistent to define the behavior of what error the
>> sender receives when it sends a packet for which it didn’t have an assigned
>> source address or a valid destination route. Is this cause for dropping the
>> packet silently, sending an error capsule, or closing the request stream
>> with an error?
>>
>> I filed this to discuss:
>> https://github.com/tfpauly/draft-age-masque-connect-ip/issues/43
>>
>
> I could live with that, though I do like to make it impossible to do bad
> things.
>
>
> Okay, let’s discuss on the issue.
>
>
>
>
>> S 4.1.
>>
>>    target:  The variable "target" contains a hostname or IP address of a
>>       specific host to which the client wants to proxy packets.  If the
>>       "target" variable is not specified, the client is requesting to
>>       communicate with any allowable host.  If the target is an IP
>>       address, the request will only support a single IP version.  If
>>       the target is a hostname, the server is expected to perform DNS
>>       resolution to determine which route(s) to advertise to the client.
>>       The server SHOULD send a ROUTE_ADVERTISEMENT capsule that includes
>>       routes for all usable resolved addresses for the requested
>>       hostname.
>>
>> This treatment of DNS names seems like it's going to create a lot of
>> additional complexity: for instance, how does the client know which IP
>> to put in the dst field. You don't specify that the
>> ROUTE_ADVERTISEMENT MUST *only* include valid addresses. For instance,
>> suppose that the DNS name resolves to
>>
>>   192.0.2.1
>>   192.0.2.2
>>   192.0.2.4 <-- No 192.0.2.3!
>>   192.0.2.5
>>   192.0.2.6
>>   192.0.2.7
>>
>> and the server advertises 192.0.2.1-192.0.2.7.
>>
>> Given that this is an IP layer mechanism, I would simply remove the
>> DNS option; clients can always do DNS over the tunnel.
>>
>>
>>
>> I can see this either way.
>>
>> For cases where I don’t want a full tunnel, but just want to talk to one
>> host, I would need to open an IP flow for a DNS server. I could of course
>> open one, and then open a proxied flow to each target address, and request
>> the same local address I got on the first.
>>
>> This would work, but is more back-and-forth, and also doesn’t give me a
>> way to just ask the proxy to use it’s own DNS cache. For cases like CONNECT
>> and CONNECT-UDP, we’ve found it very useful for latency to have the DNS
>> cache run on the proxy, so that we benefit from all clients going through
>> the proxy sharing the same cache, and not needing a round trip back to the
>> client. To that end, I’d like to at least *allow* connecting by a
>> hostname in the protocol (even if some proxies wouldn’t choose to support
>> that).
>>
>
> I would make several points here.
>
> First, while it's desirable to be able to use the proxy's DNS cache, it's
> increasingly insufficient to simply get the A/AAAA records, for reasons
> such as SVCB. For instance, you wouldn't be able to do ECH using the DNS
> version alone because you would need to look up the SVCB. So, while it does
> incur a round trip, it seems like you are going to need to do a DNS
> resolution for this case.
>
>
> Yes, ECH does require doing a DNS lookup, but (a) ECH may not be
> applicable to the type of connection I’m doing with CONNECT-IP and (b) the
> records for A / AAAA / HTTPS / SVCB may have different TTLs and thus have
> different caching benefits.
>
>
> Second, even taken on its own terms, if I understand this mechanism
> correctly, I think it's still broken for the reason I mentioned above. The
> problem is that you are using the ROUTE_ADVERTISEMENT as an implicit DNS
> resolution--to tell you what to put in the dst-addr. If that's true, then I
> think you need to require that the ROUTE_ADVERTISEMENT to be strict.
>
>
> Yes, I agree that the route advertisement needs to be strict if this is
> allowed.
>
>
>
>
>>
>>
>> S 4.2.
>> Is the server required to send ADDRESS_ASSIGN? If not, what is the
>> client supposed to use as it's source address? Also, what happens
>> if you only get a v6 address but need to talk to a v4 endpoint,
>> or vice versa.
>>
>>
>> https://github.com/tfpauly/draft-age-masque-connect-ip/issues/42
>>
>> Probably the best thing to say is that any peer that can send packets
>> MUST first have received an ADDRESS_ASSIGN capsule.
>>
>> Regarding v4 and v6, yes, you do need the right family assigned.
>>
>>
>>
>> S 4.2.3.
>> You should probably say something here about how in many cases
>> you shouldn't trust a ROUTE_ADVERTISEMENT. For instance, it's
>> incoherent for an ordinary consumer VPN client to start
>> advertising routes.
>>
>>
>> A full-tunnel VPN server may not have a complex routing table, but it’s
>> still possible to have some “excluded” routes that won’t be allowed
>> (private subnets, etc). Traditionally, most VPN protocols do always include
>> the route information. The “trust” here is just about what the endpoint is
>> willing to route/forward.
>>
>> What kind of warning were you imagining?
>>
>
> "Note: peers MUST NOT blindly trust ROUTE_ADVERTISEMENT. They MUST filter
> it through local policy"
>
>
> Hm, OK. What would “local policy” be here? I guess in the case of personal
> VPN, my client may expect a full tunnel, but if the server tells me I can’t
> route to a specific subnet (maybe it doesn’t allow 10.0.0/24, reasonably),
> my only recourse would be to fail the connection, not to try to send to
> addresses that are disallowed.
>
> Tommy
>
>
> -Ekr
>
>
>> Best,
>> Tommy
>>
>>
>>
>>
>>
>> --
>> Masque mailing list
>> Masque@ietf.org
>> https://www.ietf.org/mailman/listinfo/masque
>>
>>
>> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>
>
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>

v2.23.0 | Report a Bug | By Email