Re: [Masque] Comments on draft-age-masque-connect-ip-01
Tommy Pauly <tpauly@apple.com> Mon, 08 November 2021 15:52 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A3F93A109E for <masque@ietfa.amsl.com>; Mon, 8 Nov 2021 07:52:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SceHjWWjg5Or for <masque@ietfa.amsl.com>; Mon, 8 Nov 2021 07:52:06 -0800 (PST)
Received: from ma1-aaemail-dr-lapp01.apple.com (ma1-aaemail-dr-lapp01.apple.com [17.171.2.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E3E13A109F for <masque@ietf.org>; Mon, 8 Nov 2021 07:52:06 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp01.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp01.apple.com (8.16.0.42/8.16.0.42) with SMTP id 1A8Fi592044933; Mon, 8 Nov 2021 07:52:04 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=5WVD8d4M3FaEcQ6A0ia/5rBSwt4ZqAbyImuslIIW9Rk=; b=OQhBV6xRFCzBYyccKU9F32t3WCfE1i+i4sDv/r6fulMWbVQVW8cHcyWEcFRkMAVpH01b AO5UGwtz669zoxhuPFVgZj59nDWDTJhLa4fIO9JgXc1Uzu0ROg0kEtqyqu5tCF3e44i7 vPJEHpHM9/l1ZTUT6NA8ALPnIphC241bdMviKRovRbqy+BMl9cvxowX6AuJpUXO7QyO3 fQHnYfd7b+iIDT2bxK1DUSak4kg1IcJURvij3vpYCIi0a8XKh5YRGTyZ+UAOn+C6rb0i FpqOumS4qzWhmy5/6k/EYRDKfqxKNt947CIf7kQStbU7rG2IPDe1TwnS+XZdL13D3+EZ 5A==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by ma1-aaemail-dr-lapp01.apple.com with ESMTP id 3c5rc2s49a-5 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 08 Nov 2021 07:52:04 -0800
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) with ESMTPS id <0R2900DS9G2QPO80@rn-mailsvcp-mta-lapp03.rno.apple.com>; Mon, 08 Nov 2021 07:52:02 -0800 (PST)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) id <0R2900K00FXVZU00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Mon, 08 Nov 2021 07:52:02 -0800 (PST)
X-V-A:
X-V-T-CD: 7a77f9138d60728e010dfb6f2118f5e7
X-V-E-CD: a61b26eed4e61b2c405a2b1c0712ee7f
X-V-R-CD: 623019d6aa5019d09887d7e1d6a7d948
X-V-CD: 0
X-V-ID: 9a21e31b-0809-4c61-bade-596d05b5d54d
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-11-08_05:2021-11-08, 2021-11-08 signatures=0
Received: from smtpclient.apple (unknown [17.234.36.4]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) with ESMTPSA id <0R2900O3KG2M5U00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Mon, 08 Nov 2021 07:52:02 -0800 (PST)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <7C41DE50-EE9B-4084-8A1D-88471664E23E@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_8C1767ED-9F38-405A-ABE2-27315E88E4D5"
MIME-version: 1.0 (Mac OS X Mail 15.0 \(3691.0.3\))
Date: Mon, 08 Nov 2021 07:51:58 -0800
In-reply-to: <CABcZeBMSe7JJ41EC+f1pyAFrm_+9TU2h=SY-_Xy5vX5wu8TgOQ@mail.gmail.com>
Cc: MASQUE <masque@ietf.org>
To: Eric Rescorla <ekr@rtfm.com>
References: <CABcZeBMSe7JJ41EC+f1pyAFrm_+9TU2h=SY-_Xy5vX5wu8TgOQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3691.0.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-11-08_05:2021-11-08, 2021-11-08 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/T1W-it0GbDd1SUjU8EV_UEU9bQQ>
Subject: Re: [Masque] Comments on draft-age-masque-connect-ip-01
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 15:52:11 -0000
> On Nov 7, 2021, at 3:12 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > This document seems like a reasonable starting point. Good to see > the authors converging. Some technical comments below. Thanks for the comments! > > Overall, I wonder if we should actually forbid the client from > using IP addresses in packets when the target is specified. > That would avoid goofy situations in which the client does > > CONNECT 192.0.2.1 > > And then sends to 192.0.2.2. I think it’s more consistent to define the behavior of what error the sender receives when it sends a packet for which it didn’t have an assigned source address or a valid destination route. Is this cause for dropping the packet silently, sending an error capsule, or closing the request stream with an error? I filed this to discuss: https://github.com/tfpauly/draft-age-masque-connect-ip/issues/43 <https://github.com/tfpauly/draft-age-masque-connect-ip/issues/43> > > > S 4.1. > > target: The variable "target" contains a hostname or IP address of a > specific host to which the client wants to proxy packets. If the > "target" variable is not specified, the client is requesting to > communicate with any allowable host. If the target is an IP > address, the request will only support a single IP version. If > the target is a hostname, the server is expected to perform DNS > resolution to determine which route(s) to advertise to the client. > The server SHOULD send a ROUTE_ADVERTISEMENT capsule that includes > routes for all usable resolved addresses for the requested > hostname. > > This treatment of DNS names seems like it's going to create a lot of > additional complexity: for instance, how does the client know which IP > to put in the dst field. You don't specify that the > ROUTE_ADVERTISEMENT MUST *only* include valid addresses. For instance, > suppose that the DNS name resolves to > > 192.0.2.1 > 192.0.2.2 > 192.0.2.4 <-- No 192.0.2.3! > 192.0.2.5 > 192.0.2.6 > 192.0.2.7 > > and the server advertises 192.0.2.1-192.0.2.7. > > Given that this is an IP layer mechanism, I would simply remove the > DNS option; clients can always do DNS over the tunnel. I can see this either way. For cases where I don’t want a full tunnel, but just want to talk to one host, I would need to open an IP flow for a DNS server. I could of course open one, and then open a proxied flow to each target address, and request the same local address I got on the first. This would work, but is more back-and-forth, and also doesn’t give me a way to just ask the proxy to use it’s own DNS cache. For cases like CONNECT and CONNECT-UDP, we’ve found it very useful for latency to have the DNS cache run on the proxy, so that we benefit from all clients going through the proxy sharing the same cache, and not needing a round trip back to the client. To that end, I’d like to at least allow connecting by a hostname in the protocol (even if some proxies wouldn’t choose to support that). > > > > S 4.2. > Is the server required to send ADDRESS_ASSIGN? If not, what is the > client supposed to use as it's source address? Also, what happens > if you only get a v6 address but need to talk to a v4 endpoint, > or vice versa. https://github.com/tfpauly/draft-age-masque-connect-ip/issues/42 <https://github.com/tfpauly/draft-age-masque-connect-ip/issues/42> Probably the best thing to say is that any peer that can send packets MUST first have received an ADDRESS_ASSIGN capsule. Regarding v4 and v6, yes, you do need the right family assigned. > > > S 4.2.3. > You should probably say something here about how in many cases > you shouldn't trust a ROUTE_ADVERTISEMENT. For instance, it's > incoherent for an ordinary consumer VPN client to start > advertising routes. A full-tunnel VPN server may not have a complex routing table, but it’s still possible to have some “excluded” routes that won’t be allowed (private subnets, etc). Traditionally, most VPN protocols do always include the route information. The “trust” here is just about what the endpoint is willing to route/forward. What kind of warning were you imagining? Best, Tommy > > > > > -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque
- [Masque] Comments on draft-age-masque-connect-ip-… Eric Rescorla
- Re: [Masque] Comments on draft-age-masque-connect… Tommy Pauly
- Re: [Masque] Comments on draft-age-masque-connect… Eric Rescorla
- Re: [Masque] Comments on draft-age-masque-connect… Tommy Pauly
- Re: [Masque] Comments on draft-age-masque-connect… David Schinazi
- Re: [Masque] Comments on draft-age-masque-connect… Ben Schwartz
- Re: [Masque] Comments on draft-age-masque-connect… Eric Rescorla
- Re: [Masque] Comments on draft-age-masque-connect… Eric Rescorla