IETF Logo Mail Archive

Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"

David Schinazi <dschinazi.ietf@gmail.com> Mon, 07 June 2021 22:41 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12D223A14F8 for <masque@ietfa.amsl.com>; Mon, 7 Jun 2021 15:41:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bnFUshO5gz3Q for <masque@ietfa.amsl.com>; Mon, 7 Jun 2021 15:41:19 -0700 (PDT)
Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com [IPv6:2607:f8b0:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 904FC3A14F9 for <masque@ietf.org>; Mon, 7 Jun 2021 15:41:19 -0700 (PDT)
Received: by mail-pf1-x429.google.com with SMTP id k15so14206645pfp.6 for <masque@ietf.org>; Mon, 07 Jun 2021 15:41:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QlsOOhNopmS6WJPj6wNdTfcagMNUjpNZ/tD4yfjs6Ts=; b=n2jRdhjmO6aLprdYcECFMYN0vdzBoaEsBUUx3ErvBTrPlKLafZInCi7nqI3qZ2FHaZ o6Tnx+EpzozqPchHy5F+gdLC55Gv/6ZcZxaTs6srEGq+2NCesFmg8KgxPRhq4PRF9b58 HlsQzC/A/ebsUbBrDfs/2u5V2YAcFtEOpEZVRnvABiY128ondiXMzA+Vxo49JL+ufY4K lf5U17Susltu4p56T3Q+EU2R4dZFMkjey8eJfE+r5zfPkdmpS3pFNEjEf+NYj6yr7aKq QLoEBeAJPU7WCugOMxSHZPm8xgMK90Ee+etSV3XlXgX/w7AEWPdQiZMHDIIR4dgmlMyq eO+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QlsOOhNopmS6WJPj6wNdTfcagMNUjpNZ/tD4yfjs6Ts=; b=NWTMMrYyBz64iCNx20A4EUHK11o/pVM3l1sc3At1wCoEwkrbKx7poyKtS9kkloCYH3 7m9OhsYZJ5Fnxehf5kJL66g1eq3KpKlW7fuUOMmqhiaVtXy6gGMYZb2S0vKrpNyvy0GK 3xBzbF1qb2kkyjqPqbf9rPNSD3QAjFNiReFvaOCucZeyC9Jkk0Lhsr49WVtoXbJOAIpD BRovd0HMc8DfV6nmkCI2dFG8ypEQ7xKXcOtrB6BH9y39U7z3minZoP1mN+YByA9ETUHT A3I4JPcjvbrCT9XEqavifzA5rX4tMGMOC1tHwQ5uDRp+Qe80ngXumL3mGE/dO4yNHQ+Y vW5w==
X-Gm-Message-State: AOAM532Ehn7VeIUN7kFyK58akxpqeBpPZeu5fAzx2XM1crzLZJTIucCM 73WsAeEDcXZp1PWAnjhqNX9fEVwHt4uJFTfnBoQ=
X-Google-Smtp-Source: ABdhPJwrm6Q9WXfy+KK2xQfwg5rBv7js4jfJ+O3tik/EknEBLhhWbhBs8cL9nw/HtnHdc5Vy/xfnmMTFA29sGwLd08I=
X-Received: by 2002:a05:6a00:1515:b029:2f2:2ab6:1399 with SMTP id q21-20020a056a001515b02902f22ab61399mr1468448pfu.22.1623105677641; Mon, 07 Jun 2021 15:41:17 -0700 (PDT)
MIME-Version: 1.0
References: <d314198b-6c01-4b15-84d8-9896b5fdee80@www.fastmail.com> <HE1PR0702MB3772355483E2771650C6D679953F9@HE1PR0702MB3772.eurprd07.prod.outlook.com> <746F7E16-37BD-49EF-896A-649D394CCB05@ericsson.com> <CAPDSy+6PjZk0Kea6154V3=GF-8bs+0Mr+FtFfi-girGh3uAVrQ@mail.gmail.com> <3deea8212d66731de5c81abae353f3e9322f2d57.camel@ericsson.com> <CAPDSy+68DoVrRiC7uEn1-Ze_5LDn9mt7-f+ZeovTTYAUh=w2Og@mail.gmail.com> <21d8fc788051b570768e53d6d9355ed51b423c0a.camel@ericsson.com> <CAKKJt-d-FzXVdJpUTacb4m7ESyB6nzkk1BQSf8rHtReOvD=5Jw@mail.gmail.com> <CAM4esxSE=misCJX=73h-kF+RQdQLC2WBhwv3nv5QgR8HK17diw@mail.gmail.com> <CAM4esxQatk4-ENdz+2jCbpRtr8hT0nLWbVLbb64RMJwvBf2qDA@mail.gmail.com> <CAHbWFkQ6YAhqgbbsAPC-i2Rv-_LRZ4R3NKTk4of200GUt38A_g@mail.gmail.com> <91475be5-dee4-435e-a65b-1cde43ffff0e@www.fastmail.com>
In-Reply-To: <91475be5-dee4-435e-a65b-1cde43ffff0e@www.fastmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Mon, 07 Jun 2021 15:41:05 -0700
Message-ID: <CAPDSy+4w_SCR5G5LFrpefsNPpu=od1JH0JGcP86nAsEmAvJTig@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: Alex Chernyakhovsky <achernya@google.com>, Martin Duke <martin.h.duke@gmail.com>, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005949d105c434bd90"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/SUSTnDLFVP_Oe0u5XExm4Wh3Lk8>
Subject: Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2021 22:41:25 -0000

That makes sense to me. The requirements document states that the
network-to-network use-case will be optional to implement, so it won't be a
burden. As we make progress on building the actual protocol, we'll find out
whether the network-to-network use-case adds delays or not. If it does,
then we'll split it off to its own document. Alternatively, I think Magnus
has offered a great suggestion in his latest message: a separate
architecture document. This way we can keep the protocol document shorter
and tackle the policy/address-validation/trust/addressing questions in the
architecture document. Either way, it does sound like we have a good path
forward to wrap up the requirements document.

David

On Mon, Jun 7, 2021 at 1:07 PM Christopher Wood <caw@heapingbits.net> wrote:

> As Martin points out, the solution for the network-to-network use case in
> Section 2.4 can be split out into a separate document should we run into
> timeline issues down the road.
>
> To that end, we'd like to reiterate that the purpose of this WGLC is to
> determine if we can we move forward with this understanding and consensus
> on this document in its current state, plus or minus maybe some editorial
> cleanup. If not, what specific requirements in the document are
> problematic, and why?
>
> Thanks,
> Chris and Eric
>
> On Mon, Jun 7, 2021, at 12:54 PM, Alex Chernyakhovsky wrote:
> > Hi Martin,
> >
> > Thanks for weighing in, and I agree with your interpretation that there
> > is no tension between these two points.
> >
> > I agree that should we run into timeline issues with the implementation
> > drafts, it is possible to split out the section 2.4 implementation into
> > its own document. We should cross that bridge if/when we get there.
> >
> > Sincerely,
> > -Alex
> >
> > On Mon, Jun 7, 2021 at 3:39 PM Martin Duke <martin.h.duke@gmail.com>
> wrote:
> > > To clarify what I meant, I'm suggesting the the future IP proxy
> document can split out the network-network use case specification if that
> proves to be problematic.
> > >
> > > I am not saying we should have two requirements documents.
> > >
> > > On Mon, Jun 7, 2021 at 12:25 PM Martin Duke <martin.h.duke@gmail.com>
> wrote:
> > >> I'd like to step in here as AD and make sure we are not talking past
> each other here. IIUC:
> > >>
> > >> (1) Magnus and Mirja do not want to implement 2.4.
> > >> (2) The authors want to make sure the design is extensible to support
> 2.4, but are OK with some endpoints not supporting it.
> > >>
> > >> It does not appear that there is tension between these points.
> However, I understand that Magnus is concerned that 2.4 will hold up the
> core proxy-ip draft unnecessarily.
> > >>
> > >> As AD, if we come to that point, I see no requirement in the charter
> that this be one or two documents; if the option is holding everything up,
> it can go to the IESG while 2.4 has further refinement in the WG. I don't
> see that we have to make this decision now.
> > >>
> > >> Regarding the document at hand, the existing Sec 2 offers the
> possibility that all of the use cases are optional. It does not preclude
> the path that appears to have consensus.
> > >>
> > >> Is that consistent with others' understanding?
> > >>
> > >> Martin
> > >>
> > >> On Mon, Jun 7, 2021 at 5:06 AM Spencer Dawkins at IETF <
> spencerdawkins.ietf@gmail.com> wrote:
> > >>>
> > >>>
> > >>> On Mon, Jun 7, 2021, 03:15 Magnus Westerlund <magnus.westerlund=
> 40ericsson.com@dmarc.ietf.org> wrote:
> > >>>> Hi David and WG,
> > >>>>
> > >>>> Let me attempt to clarify a bit why I have made the comments I have
> made. I think they do stem from interepreting the network to network use
> cases as a very general technology and from the perspective of deploying
> this with clients which the server has limited trust in. I realize that you
> are likely comming from another perspective that you only intended to use
> this in cases where you have fairly high mutual trust in the client and the
> server. I think that is actually the major difference here and why you
> below think I am making a circular arguments. I think it all stem from lack
> of discussion of this use cases and what operational limitations we
> intended to have on the protocol.
> > >>>
> > >>> I don't know if this would have helped, but I do wish we could tell
> (explicitly, in the requirements draft) which requirements arose from
> various use cases.
> > >>>
> > >>> I'm pretty sure that most participants think they know that
> (likely), but also think that other participants have the same
> understanding (perhaps less likely). I think that's what Magnus is saying
> here, if I'm reading the thread correctly.
> > >>>
> > >>> Do The Right Thing, of course.
> > >>>
> > >>> Best,
> > >>>
> > >>> Spencer
> > >>>
> > >>>> So if the goal here is to have high mutual trust between client and
> server then I think a protocol solution may be able to be defined with such
> an applicability statement and less mandate on necessary protocol
> mechanisms to protect against malicous peers. I think that is in stark
> contrast against some of the other use cases where the trust in the client
> could be rather minimal. Like the client and server relationship is only
> this is a paying customer that gets a VPN access and the server has no idea
> what type of client or implementation that are the peer. This basic use
> cases will deploy with an addressing architecture that makes it much less
> vulnerable to malicous intent on the routing level.
> > >>>>
> > >>>> So, can we please discuss what assumption we have on the client and
> server trust?
> > >>>>
> > >>>> I also think your attempt to sweep the addressing schemes to be
> used by the servers under the rug and not disucss them have hurt the
> understanding. I at least have been guessing on possible deployment
> scenarios rather than that we have openly discussed them in the WG. Yes,
> they maybe not need to be detailed in the protocol solution or an
> arhcitecture document, however they would have made sense to have some
> addressing deployment scenarios in this requirement documents use case
> section to make clear what would have been intended. Because they do
> influence what is needed for the solution.
> > >>>>
> > >>>> Cheers
> > >>>>
> > >>>> Magnus
> > >>>> --
> > >>>> Masque mailing list
> > >>>> Masque@ietf.org
> > >>>> https://www.ietf.org/mailman/listinfo/masque
> > >>> --
> > >>> Masque mailing list
> > >>> Masque@ietf.org
> > >>> https://www.ietf.org/mailman/listinfo/masque
> > > --
> > > Masque mailing list
> > > Masque@ietf.org
> > > https://www.ietf.org/mailman/listinfo/masque
>

v2.23.0 | Report a Bug | By Email