Re: [Masque] MASQUE extensibility
Martin Duke <martin.h.duke@gmail.com> Wed, 06 January 2021 22:18 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 982503A1340 for <masque@ietfa.amsl.com>; Wed, 6 Jan 2021 14:18:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9kg1NTa4jD71 for <masque@ietfa.amsl.com>; Wed, 6 Jan 2021 14:18:42 -0800 (PST)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1ED83A133A for <masque@ietf.org>; Wed, 6 Jan 2021 14:18:42 -0800 (PST)
Received: by mail-io1-xd2e.google.com with SMTP id w18so4255857iot.0 for <masque@ietf.org>; Wed, 06 Jan 2021 14:18:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B/CfmN6jZhB5R21F7/Qlk5rOfWsjjp5nze7s1q6VGho=; b=AdT0OsRuRjM/WazKIHJHuDKGPEWgSR/3DabWdaq7U+B3CYIjjC/Ui07wVvdc1jxQan ggsyVCE5VrfKxkPg9AteqXP4RoNSPboFcKEyWx61WK5uxU4zRPsSTHcFimfqRbWZ3D9C geRhQX2Oa2azTPRbjl19Tnrjp+d0sww4+kdWrk1TGtqQkTHROjzm5XIaKXXjhRJ5EUwU UXW5V+sfcIXIbeqKv6jLE1RmFCWTu3Se1Vmo3aVIlv4t3mEq+yFvnH2gf33f6fYIBZv7 4wHUb2Hb1P/79Upyxl/Sy2p1Zo/Ml9ZwbooA87YLRdw+qhTVBD36M0v8KPcfVFGQqpBI wv3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B/CfmN6jZhB5R21F7/Qlk5rOfWsjjp5nze7s1q6VGho=; b=eHq5KGsC5ggJ8W6kEBfM44RreB3169z9pNotNUKG+WpEABGts27MBVsbEISDZpPx1W CuKChJnKKq/I3j4UvfKOkdjcdlqHsP6d6eFDmqiP68+ycjIA2lMKXh9CpfEPPH0Zubsk hQh5P9IduNCJHQI9dJC3R2C/zKnDrlBpcd8IGfmRcL6hZ7AbA+BwkTZ6j/SRhhoIAFP3 y3ZLFzROTCAkyUsKoE0qRon0iniv3sHkZs7Hm67wD9U4N9+3N2lu6S/d6MKZ2TCVILDm t1Zx/3XH+0HgJp7krblII+IRYJq8D9BumTVEUz07QmzkJEX63/8U0k/3TAVwtXBie5oU LD4Q==
X-Gm-Message-State: AOAM532hiJIRw4mfDSZQVAwOym+adIyA+TVn5wnNQZLxzfH16dQe2W/x wJuOqdhHiKeFEibnx3jU2V6DfsRf8gH69KgesK0=
X-Google-Smtp-Source: ABdhPJy1tlbUrzwRseAMpqK4jy0snWX5F2pyUKVwmp0z8P2tsTw24RXWveLQFX+tPAONvtm31kGuYYL9Q4tNfQtl7hw=
X-Received: by 2002:a6b:c94c:: with SMTP id z73mr4459015iof.95.1609971521900; Wed, 06 Jan 2021 14:18:41 -0800 (PST)
MIME-Version: 1.0
References: <c0c5a81a-4b96-4d8e-87b6-958323cda14d@www.fastmail.com> <DB1145E2-F51E-46BB-9E06-0E87416E8715@ericsson.com> <CAM4esxQOVpkwb4SFiZhg_SRhEwV9QThaBiAT_LOUVsNRkBDkWA@mail.gmail.com> <de4f5b94-3bdb-4a18-bfc3-9c864e47041a@www.fastmail.com> <CAPDSy+5hJvP=i5SEzMczsxT-OixwU54sdCJoAd6Nmrfj-OBc4A@mail.gmail.com> <8f1e39b4-afde-4cf4-8168-61d6c52c4271@www.fastmail.com> <CAPDSy+7o3K_4RnijrOmrrs=DaJeGKRz35H2OBjaGsuj-SgC6aw@mail.gmail.com> <CAHbrMsBECD7oFP+VMWcesS+OtUBsotyd=3B3kyw8VYPEfpzUiA@mail.gmail.com>
In-Reply-To: <CAHbrMsBECD7oFP+VMWcesS+OtUBsotyd=3B3kyw8VYPEfpzUiA@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Wed, 06 Jan 2021 14:18:30 -0800
Message-ID: <CAM4esxQurncJfpBSmWNueZ2imedALcQNnZ7r699U9JOGmAPWpQ@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, Christopher Wood <caw@heapingbits.net>, Mirja Kuehlewind <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org>, "masque@ietf.org" <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a953eb05b842b490"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/TN8gLKFx7ZliDPKAt0D63tav7gA>
Subject: Re: [Masque] MASQUE extensibility
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2021 22:18:47 -0000
I'm not sure I understand, Ben. I imagine binding a client port to each of those endpoints is a separate UDP-CONNECT exchange -- they are different IP flows. Or are you asking for a "UDP Listen" where the peer IP/Port is unknown? On Wed, Jan 6, 2021 at 8:15 AM Ben Schwartz <bemasc@google.com> wrote: > One important use case that I think is missing here is WebRTC (i.e. ICE). > For ICE to work efficiently, the user needs to be able to bind a single > "client port" and use it to communicate with several (~3-10) distinct > endpoints. These endpoints are typically not known until _after_ > connection setup. > > At a minimum, this would require a way to add new flow IDs, bound to > distinct destinations, after the tunnel is up. That would exactly parallel > TURN's ChannelBind request. This is possible within the current > CONNECT-UDP draft's framework. > > My main concern with using flow IDs for metadata is that it invites a > combinatorial explosion: encoding N bits of metadata requires allocating > O(2^N) flow IDs in the Datagram-Flow-Id header. With 2 bits of ECN, we're > OK, but it's not hard to see how we could get to 10+ bits over time. > However, if flow IDs can be allocated as needed via new commands in Stream > Chunks, this makes the problem much less pressing (only combinations > actually used must be allocated). > > Regarding lifetimes, cleaning up unused flow IDs can also be handled > within the current framework, by adding another new command in a Stream > Chunk. > > On Wed, Jan 6, 2021 at 9:31 AM David Schinazi <dschinazi.ietf@gmail.com> > wrote: > >> Thanks! Yes, that's exactly what I meant by "repeatable" - perhaps >> "repeated" would have been a better choice of word here. >> >> David >> >> On Wed, Jan 6, 2021 at 3:26 PM Christopher Wood <caw@heapingbits.net> >> wrote: >> >>> On Wed, Jan 6, 2021, at 1:06 AM, David Schinazi wrote: >>> > Hi Chris, >>> > >>> > Thanks for your note, I think that we should strive to reach consensus >>> > on extensibility goals, requirements, and means around our upcoming >>> > interim. However, I don't understand all of your individual questions >>> > (for example, I don't understand what the word "fixed" means in the >>> > first question). Perhaps allow me to try to phrase these questions >>> > differently, to attempt to distill fundamental concepts. >>> > >>> > What we're mainly building is a way to convey data (e.g. the payload >>> of >>> > a UDP packet) and metadata (e.g. the UDP port number); I'll further >>> > subdivide metadata into two categories: repeatable-metadata (e.g. the >>> > IP address of the target-server, ECN-ECT(0) vs CE) and >>> > non-repeatable-metadata (e.g. the timestamp of when the UDP packet was >>> > received). One way we could have built CONNECT-UDP was to send all >>> > repeatable-metadata and non-repeatable-metadata in every single >>> packet, >>> > i.e. every single DATAGRAM frame carries the target-server IP and >>> port. >>> > But, in order to improve efficiency and simplify management on the >>> > proxy, we decided to associate repeatable-metadata with a flow ID, and >>> > then only transmit the flow ID in DATAGRAM frames. This introduced the >>> > need for managing lifetimes (how long does the proxy maintain the >>> > mapping between flow ID and target-server IP+port?). We decided to tie >>> > this lifetime to the existence of the bidirectional stream that >>> carried >>> > the CONNECT-UDP request. We did this because it resembled how CONNECT >>> > worked, but also because it was efficient and relatively simple to >>> > implement. >>> >>> Am I correct in assuming that "repeatable" here means "possibly sent >>> more than once across different packets"? I assume so, given that the >>> target address is one such example. >>> >>> Either way, this is a *much better* phrasing of the fundamental problem. >>> Thanks for writing it up. :-) >>> >>> > Now, to dive into your questions, let's focus on the example of >>> > CONNECT-UDP with ECN support. ECN adds two more bits of metadata per >>> > packet, and those bits are repeatable-metadata. From my point of view, >>> > the most logical way to encode those is to reuse the mechanism we >>> built >>> > for vanilla CONNECT-UDP: we associate this repeatable-metadata with a >>> > flow ID. The latest version of the drafts (see links below) does this >>> > by having the CONNECT-UDP request/response negotiate four flow IDs. >>> But >>> > we could have built this differently. >>> > >>> > Question 1: should repeatable-metadata be sent in each DATAGRAM frame, >>> > or associated with something like a flow ID? >>> > The efficiency benefits lead me to conclude that associated is >>> > preferable. >>> > >>> > Question 2: should the lifetimes of these mapping be distinct or tied? >>> > I.e., should we be able to get in a state where we have a mapping for >>> > ECN-CE but not for ECN-ECT(0)? >>> > Separate lifetimes can lead to odd bugs, so I'd prefer to tie >>> them. >>> > This means not using four bidirectional streams per CONNECT-UDP with >>> > ECN flow. >>> > >>> > Question 3: Where do we encode this mapping? Flow ID or new QUIC or H3 >>> > frames? >>> > The flow ID is a simple concept that is simple to implement, >>> > especially if you don't control the underlying QUIC stack, so I prefer >>> > those. >>> > >>> > With this reasoning, I think that the current proposal is a good >>> > solution to our constraints. But if someone disagrees with these >>> > conclusions, please let me know - perhaps there are other concerns >>> that >>> > I'm not aware of. >>> > >>> > draft-schinazi-masque-h3-datagram-04 >>> > <https://tools.ietf.org/html/draft-schinazi-masque-h3-datagram-04> >>> > draft-ietf-masque-connect-udp-03 >>> > <https://tools.ietf.org/html/draft-ietf-masque-connect-udp-03> >>> > draft-schinazi-masque-connect-udp-ecn-01 >>> > <https://tools.ietf.org/html/draft-schinazi-masque-connect-udp-ecn-01> >>> > >>> > Cheers, >>> > David >>> > >>> > On Tue, Jan 5, 2021 at 9:05 PM Christopher Wood <caw@heapingbits.net> >>> wrote: >>> > > Happy New Year, all! >>> > > >>> > > Thanks to everyone who chimed in on this thread! To summarize >>> responses we received so far, it seems clear that we want extensibility for >>> CONNECT-UDP and the future IP proxying mechanism, and that these should >>> exist in separate documents. David’s draft specifying an ECN extension [1] >>> is one such example. It also seems clear that HTTP headers make for a >>> perfectly fine extension point for CONNECT-X requests. >>> > > >>> > > What remains unclear is how to support extensions within a proxy >>> context, i.e., a CONNECT-UDP stream. Martin nicely outlined some of the >>> variants, such as encoding things in per-datagram framing bits, negotiating >>> and encoding information in flow IDs, or using different frame types >>> entirely. We should try to converge on which of these options we need for >>> generic tunneling or proxying use cases. >>> > > >>> > > To that end, here’s a couple questions that might help us get there: >>> > > >>> > > - Should flow ID interpretation be negotiated as part of an >>> extension, or should it be fixed for CONNECT-UDP? (The latter is the >>> approach taken in [1].) >>> > > - What are the tradeoffs between per-datagram signalling state >>> versus, say, a different datagram frame type for different use cases? And >>> which of these is maximally useful for CONNECT-UDP use cases? >>> > > - What are the tradeoffs between per-datagram and flow ID signalling? >>> > > >>> > > We hope these (or related questions) can be discussed before and >>> during the interim. >>> > > >>> > > Thanks, >>> > > Chris and Eric >>> > > >>> > > [1] >>> https://tools.ietf.org/html/draft-schinazi-masque-connect-udp-ecn-00 >>> > > >>> > > On Wed, Dec 9, 2020, at 12:03 PM, Martin Duke wrote: >>> > > > Thanks for starting this discussion, Chris. >>> > > > >>> > > > With my AD hat on, I would personally interpret the charter to >>> allow >>> > > > CONNECT-UDP to provide all the functionality one might have in a >>> UDP >>> > > > socket, except those (like multicast) explicitly forbidden. This >>> > > > includes ECN, DSCP, etc, although the WG is welcome to decide that >>> some >>> > > > or all of these functions aren't important. As AD, I don't have a >>> > > > strong opinion today as to whether these end up as one draft or >>> > > > multiple drafts. Certainly, it makes sense to spell out the design >>> in a >>> > > > separate draft first and later decide whether or not to integrate >>> it >>> > > > into the base design, as quicwg did with the spin bit and ECN >>> support. >>> > > > >>> > > > If the CONNECT-UDP method is designed so as to be literally not >>> > > > extensible to support these use cases, I would consider that a >>> > > > significant flaw. I don't think that's the case. >>> > > > >>> > > > Speaking as an individual, the hardest extensibility problem would >>> seem >>> > > > to be per-datagram information. There are four different resources >>> we >>> > > > could use for this: >>> > > > - an additional QUIC frame type codepoint, with the second type >>> having >>> > > > additional per-datagram information >>> > > > - an additional H3 frame type codepoint, with the second type >>> having >>> > > > additional per-datagram information >>> > > > - flow ID codepoints, as David suggests. If we want to support >>> DSCP, >>> > > > this means we need 8 bits per flow just for this (but then, we >>> have >>> > > > 2^62 of them!) >>> > > > - Make every H3 datagram frame encode this information -- if we >>> were to >>> > > > choose this option, we will probably end up using more H3 frame >>> types >>> > > > as Webtransport, etc. will probably not want the overhead. >>> > > > >>> > > > To me, the first two are the least profligate, and the second >>> option >>> > > > (another H3 frame) is the right layer to do it. But none of these >>> > > > resources are scarce and this is mainly an aesthetic preference. >>> > > > >>> > > > Broadening from the per-datagram issue, we are likely filling up >>> some >>> > > > sort of HTTP or H3 registry with whatever extension points we >>> specify, >>> > > > so that community's opinion is valuable here. >>> > > > >>> > > > Martin >>> > > > >>> > > > On Wed, Dec 9, 2020 at 10:01 AM Mirja Kuehlewind >>> > > > <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org> wrote: >>> > > > > 1) Yes, every new protocol should be extensible. Lucas and >>> others mentioned that H3 provides already some extensibility, however, as >>> soon as you have send the CONNECT there is not much H3 "left" and therefore >>> we should make sure that we consider options for additional extension >>> mechanisms later in the life time of a CONNECT request. >>> > > > > >>> > > > > 2) People did mention in-stream (or I would say >>> in-forwarding-association - I think we need to agree on terminology here >>> to make sure we talk about the same thing) control data. So I think there >>> is information that you want to signal that is associated to a forwarding >>> stream or even a certain packet, where it probably make sense to send this >>> data within the respective forwarding stream, however, there might be other >>> cases where you want to signal something based on some event in the proxy, >>> including negotiation when or before the CONNECT is sent, or general >>> information about proxy state or capabilities which maybe be independent of >>> any active forwarding association. We also need to consider appropriate >>> ways to signal such information and I think all (new) signaling we define >>> should be extensible. >>> > > > > >>> > > > > 3) I think the extension points itself need to be described in >>> the base spec. I also still think that ECN handling should be part of the >>> base spec as this is an important functionality that is in my view not >>> optional if we ever want to see it used. However we can of course start >>> with separate documents and merge in when ready. Still, we first must agree >>> about the kind of extension points we want to use. >>> > > > > >>> > > > > Mirja >>> > > > > >>> > > > > >>> > > > > On 04.12.20, 21:19, "Masque on behalf of Christopher Wood" < >>> masque-bounces@ietf.org on behalf of caw@heapingbits.net> wrote: >>> > > > > >>> > > > > One point raised during our IETF 109 meeting was >>> extensibility. A number of different extensions have already been >>> discussed, including: IP header compression, ECN signals, and QUIC-aware >>> proxy support. It seems clear that the MASQUE use-cases require some amount >>> of extensibility in the core mechanism. What we’d like to determine is how >>> much extensibility is needed. >>> > > > > >>> > > > > Given that our charter is somewhat vague on what extensions >>> are in scope [1], there seem to be (at least) three questions we should >>> answer if we are to embark on this extension work: >>> > > > > >>> > > > > 1) Do we want CONNECT-UDP and a future mechanism for IP >>> proxying to be extensible? >>> > > > > 2) If yes, which parts of each protocol need extensibility, >>> and to what extent? >>> > > > > 3) If yes, do we want to adopt these extensions as distinct >>> documents? (An ECN signal, for example, might be included as an extension >>> in the CONNECT-UDP document, or it might be part of a separate document. >>> Conversely, extensions for QUIC-aware proxying seem likely to be a separate >>> document.) >>> > > > > >>> > > > > We'd like to hear answers to these three questions from the >>> WG. Converging here will help us better determine what is in scope going >>> forward. To that end, please share your thoughts on these questions before >>> December 18. We'll assess and see where we are at that time. >>> > > > > >>> > > > > Thanks, >>> > > > > Chris and Eric >>> > > > > >>> > > > > [1] Relevant text in the charter ( >>> https://datatracker.ietf.org/doc/charter-ietf-masque/) reads as follows: >>> > > > > >>> > > > > The primary goal of this working group is to develop >>> mechanism(s) that allow configuring and concurrently running multiple >>> proxied stream- and datagram-based flows inside an HTTPS connection. These >>> mechanism(s) are collectively called MASQUE. ***The group will specify HTTP >>> and/or HTTP/3 extensions to enable this functionality.*** >>> > > > > >>> > > > > (emphasis ours) >>> > > > > >>> > > > > -- >>> > > > > Masque mailing list >>> > > > > Masque@ietf.org >>> > > > > https://www.ietf.org/mailman/listinfo/masque >>> > > > > >>> > > > > -- >>> > > > > Masque mailing list >>> > > > > Masque@ietf.org >>> > > > > https://www.ietf.org/mailman/listinfo/masque >>> > > >>> > > -- >>> > > Masque mailing list >>> > > Masque@ietf.org >>> > > https://www.ietf.org/mailman/listinfo/masque >>> >> -- >> Masque mailing list >> Masque@ietf.org >> https://www.ietf.org/mailman/listinfo/masque >> >
- [Masque] MASQUE extensibility Christopher Wood
- Re: [Masque] MASQUE extensibility David Schinazi
- Re: [Masque] MASQUE extensibility Lucas Pardue
- Re: [Masque] MASQUE extensibility Eric Rescorla
- Re: [Masque] MASQUE extensibility Martin Thomson
- Re: [Masque] MASQUE extensibility Tommy Pauly
- Re: [Masque] MASQUE extensibility Mirja Kuehlewind
- Re: [Masque] MASQUE extensibility Martin Duke
- Re: [Masque] MASQUE extensibility Christopher Wood
- Re: [Masque] MASQUE extensibility David Schinazi
- Re: [Masque] MASQUE extensibility Christopher Wood
- Re: [Masque] MASQUE extensibility David Schinazi
- Re: [Masque] MASQUE extensibility Ben Schwartz
- Re: [Masque] MASQUE extensibility Martin Duke
- Re: [Masque] MASQUE extensibility David Schinazi
- Re: [Masque] MASQUE extensibility Martin Duke
- Re: [Masque] MASQUE extensibility Ben Schwartz
- Re: [Masque] MASQUE extensibility Mirja Kuehlewind