Re: [Masque] Proposed draft charter
Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Mon, 03 February 2020 15:05 UTC
Return-Path: <mirja.kuehlewind@ericsson.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01FBB1200C4 for <masque@ietfa.amsl.com>; Mon, 3 Feb 2020 07:05:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Govrx3KkjW_W for <masque@ietfa.amsl.com>; Mon, 3 Feb 2020 07:05:24 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60083.outbound.protection.outlook.com [40.107.6.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5479D120098 for <masque@ietf.org>; Mon, 3 Feb 2020 07:05:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=n79MGxsdKNBvQ3F1Wej70JwjxPh+bfJox09d2gUMy81650IMAspVI0UZulRw0ade1YKWzeCEZr0b6GtZM22myey37DcoKSfYZq008Z9ppOXr4opZOoFQnyt63BIv154kH9OlJajVC6gQk4TH3+yhGhMGt3Dj9gRCP8PvX7J4f7F1XHbiSGzgPxUG++E0YMq9JXXaR7PxHiKxb+1tN14vJ0NjGj1CeO4bvjoVgOpGKTD0s+QQKJNmZ8F4ctH1XGZ7Eesw0BM1v9V0+S0S/1hZhYvVCT4amub/VU6esd8vGBMKyVmDuGpBoldDHvThn+qdp4Tvt0pljx4yCUGBAnbHkA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kTB5AyLr3yOrKU4X0mjYr64RzC98jPlbgvqUxkxcdjY=; b=X7Ug+mqgbXPd+f3hQx7L71EOzpEY7jUzZLdD6R7OdtwGHRn0IQOtWMk3Hu5Z0i9ZTuZBcliyyCZcURqDa2WHAhPtmX5g6+/PPRANatzE3DjOpt0uvMCaK8Ay5rB9YFsY8JuA+8G12Kr1eqiahGBMXJ2plNC9jKYWkV3oAGSDDi7sM8ZIwl8iZS5p3sfRLr5tskED3/RgFDhMhXcJyYSLsAr5WsdLuymBv6ndm7neIAwk1R6Oo04uPKBYI/dIyZwRUi/oLN0Eg5lLe6t/7DNaho+se9KScSNl13x84Q0UXZSScSs9c15CTCDIpzPkVixjqodJMkUiEGNC5Uolr9TkXw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kTB5AyLr3yOrKU4X0mjYr64RzC98jPlbgvqUxkxcdjY=; b=AK+U1XBu9dtUqV12E+eBlOQaTvzV/0czTKvI3de4sJycSOxhTa2W2WNr7CAZEqw+vrYwfNGGLh5dBK5je/cSID8gmeIa1YcKqY7U0lopsFADmC4uPWwDmeFl8+MNvHcRyKFKIEdqWYP0mlWaQmnNBgoDkwt1naj1bQoJBQPadnI=
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com (52.135.149.158) by AM0PR07MB4802.eurprd07.prod.outlook.com (20.178.19.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2707.18; Mon, 3 Feb 2020 15:05:22 +0000
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4879:46ae:16e:f5b7]) by AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4879:46ae:16e:f5b7%7]) with mapi id 15.20.2707.018; Mon, 3 Feb 2020 15:05:22 +0000
From: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>, Mirja Kuehlewind <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org>
CC: "masque@ietf.org" <masque@ietf.org>
Thread-Topic: [Masque] Proposed draft charter
Thread-Index: AQHV0w4aBWkpAZDWB0m+dMAczIB7OKgJUBEAgABhS4A=
Date: Mon, 03 Feb 2020 15:05:22 +0000
Message-ID: <E68FB662-F6E5-49EE-AD92-AFCCCEA0CCE9@ericsson.com>
References: <845946C2-EB98-4F3A-966E-968AE349302C@ericsson.com> <CABcZeBOJtyaa+J9PqoEZ7n8QahFy4n8nbBaCwUd0W+1BoMNnZQ@mail.gmail.com>
In-Reply-To: <CABcZeBOJtyaa+J9PqoEZ7n8QahFy4n8nbBaCwUd0W+1BoMNnZQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mirja.kuehlewind@ericsson.com;
x-originating-ip: [2a00:79e1:abc:301:5816:11c5:461d:3738]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c5123a32-e823-4173-5d23-08d7a8ba7db4
x-ms-traffictypediagnostic: AM0PR07MB4802:
x-microsoft-antispam-prvs: <AM0PR07MB4802EE810396D209DDF02B27F4000@AM0PR07MB4802.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0302D4F392
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(136003)(376002)(346002)(366004)(396003)(189003)(199004)(316002)(110136005)(6512007)(44832011)(4326008)(478600001)(36756003)(81156014)(81166006)(8936002)(8676002)(6486002)(2616005)(2906002)(186003)(66946007)(91956017)(66556008)(66476007)(66446008)(64756008)(76116006)(5660300002)(6506007)(33656002)(71200400001)(53546011)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB4802; H:AM0PR07MB4691.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wzX38ldaZe3f2P02slfevGtgZtEcIS4zXzKXS9KSby6XsgJLjbKE7WqzTGz9xGi+7Rt256kveKBJSwuq0Yw9+dJyFBeimAmZLycajrQKNq4PUNFx4yIMbn96vw+si9y+VnZtD5dydjZkF0tJEwXr7eqwxSz6LdXf9mhGj77vPeWhO+VLYtIiqeAFbZBQkiERGgH9g4OqHgwpPaoOU3NWnyNwmZ+1hWZ2SxBaKqeDkQAW98JvHX+MCda3A+cngWjJpV5OixChafF+Qll90iEwZJV8wCOn6Svm7NfYlEX3/65W4nQHRE15goIXf7Reh/nOxV60FVol5BHFWDt4gR2Nk9rSnnIOT+8pMOSuP/XY2CP03Frxuj2r1yqsey1FUQGzTixzoWhCumLQk/tvp6/7vWD3wvE8CqiZLZUwIxus4OYO67jo1PkIG0e3kTwOeTNV0gwC+WFCNmPBgbIUEoCDGeX2fKP55QBD6hLysjY5XjoY2VoYKUfR93ui+wmyRTh2Pb3hhqDVFFYX9YjGIYY05Q==
x-ms-exchange-antispam-messagedata: ca6j1r9SX8Z4VAKiwHMd1OJcsR8+50zIXn3cRB8qHDEeU8hCTKQBsPYwSUhaeEWrMa4GVUWrJ0mUjwAy0Vufii7tmoBjpVxLo4hDnq2zV2VoT7AbK140WsMiq7tUIqs+Q6bXzfabKNxy9Dm46faFPsR6uEB8burOLzNh3QTW4ISq/6KZOz6v6CIZ/90OiG43TpzwyV78UakqiDhgnuyU1g==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_E68FB662F6E549EEAD92AFCCCEA0CCE9ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c5123a32-e823-4173-5d23-08d7a8ba7db4
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Feb 2020 15:05:22.1650 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kjRJFNnV+d6vVugdLdEmyeugfQ6B+Ta0DmUZUl8XFTNIizlqkyZ3GmD+vsTseD0RHgDdnjTzTyQNjI67epSWKHjqoyKR5g5oafaAkwIdyec=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4802
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/US3tb_c9ql1gQK0yNoD2lTQGf_g>
Subject: Re: [Masque] Proposed draft charter
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2020 15:05:28 -0000
Hi Ekr, the reason why we extended the use cases is because we think the requirement are not that different, however, the whole point is to move away from transparent proxies that interfere with the end-to-end connection to a setup where the client actively decides to use a proxy to a request a service. So the QUIC tunnel is actually just used for forwarding traffic (and not modifying the traffic) but then the tunnel connection can also be used to exchange information between the endpoint and the proxy You wrote: „In the tunnel-type case, the point of the proxy is to a great extent to protect client-server connection from interference by the local network (as well as to conceal the client/server IP addresses). However, in the PEP style case, the purpose appears to be to reestablish the control that these network-level devices had prior to the advent of QUIC's end-to-end encryption.“ What you call “PEP-style” is explicitly not supported by any solution we are looking for in MASQUE. However, PEP stands for “Performance Enhancing Proxy”. So what we have in mind is still aiming at enhancing performance but in a way where the proxy provides information to the endpoints and the control sits at the endpoint to do anything with this information. So all thatb is needed is forwarding and a signal channel. Mirja From: Masque <masque-bounces@ietf.org> on behalf of Eric Rescorla <ekr@rtfm.com> Date: Monday, 3. February 2020 at 11:18 To: Mirja Kuehlewind <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org> Cc: "masque@ietf.org" <masque@ietf.org> Subject: Re: [Masque] Proposed draft charter Hi folks, I have reviewed this charter and I fear that it is going in the wrong direction. When MASQUE was first proposed, it was conceptually simple: effectively an HTTP CONNECT tunnel but (1) Implemented over QUIC/H3 rather than H1/H2 (2) Allowing for non-TCP protocols to be carried over the tunnel. IOW, it was an application-level VPN.. This is something that clearly has a number of valuable uses cases. To name two real-world applications where this would be valuable: 1.. Tor has repeatedly discussed converting from their TCP-based protocol to something DTLS or QUIC-like. 2. Firefox Private Network (https://fpn.firefox.com/<https://protect2.fireeye.com/v1/url?k=f414024d-a89dd870-f41442d6-0cc47ad93c0c-0fde56b3d9745760&q=1&e=4e88e632-cdec-4643-be39-12b7bdc3e6aa&u=https%3A%2F%2Ffpn.firefox.com%2F>) has an H2-based secure proxy mode, and running it over QUIC would have some obvious advantages. However, when I read this charter, that simple application is sort of buried under a bunch of other stuff that seems more appropriate for some other use cases, such as performance-enhancing proxies. proxy caches, etc. While I appreciate that something like tunnel (as in FPN/Tor) and PEPs are both technically proxies, they're fundamentally dissimilar even though they occupy the same position in the data stream (though not the same position in the network, given that PEPs are typically on-path between endpoints whereas tunnel-type systems typically are not). It's not necessarily bad to charter work that handles multiple use cases, but in this case, I think that it would be a severe distraction because the requirements are totally different. In the tunnel-type case, the point of the proxy is to a great extent to protect client-server connection from interference by the local network (as well as to conceal the client/server IP addresses). However, in the PEP style case, the purpose appears to be to reestablish the control that these network-level devices had prior to the advent of QUIC's end-to-end encryption. This is readily apparent from the text in this proposed charter that says: As use-cases for deploying MASQUE have different security or performance requirements, the working group may define multiple MASQUE services for proxying to suit these disparate use-cases. This actually seems like an understatement. IMO, we should simply strike all these use cases and focus on a simple tunnel protocol, which seems comparatively straightforward. Such a protocol should be designed to be extensible. In parallel, those who are interested in designing protocols to re-establish access by network intermediaries can work on those separately, and, if there is sufficient implementor interest we can then discuss whether those use cases should be served by Masque extensions or by some other protocol. -Ekr
- [Masque] Proposed draft charter Mirja Kuehlewind
- Re: [Masque] Proposed draft charter Lars Eggert
- Re: [Masque] Proposed draft charter Paul Vixie
- Re: [Masque] Proposed draft charter Magnus Westerlund
- Re: [Masque] Proposed draft charter Lucas Pardue
- Re: [Masque] Proposed draft charter Derek Fawcus
- Re: [Masque] Proposed draft charter Mirja Kuehlewind
- Re: [Masque] Proposed draft charter Lars Eggert
- Re: [Masque] Proposed draft charter Mirja Kuehlewind
- Re: [Masque] Proposed draft charter Marcus Ihlar
- Re: [Masque] Proposed draft charter Magnus Westerlund
- Re: [Masque] Proposed draft charter Lars Eggert
- Re: [Masque] Proposed draft charter Marcus Ihlar
- Re: [Masque] Proposed draft charter Mirja Kuehlewind
- Re: [Masque] Proposed draft charter Paul Vixie
- Re: [Masque] Proposed draft charter Eric Rescorla
- Re: [Masque] Proposed draft charter Mirja Kuehlewind
- Re: [Masque] Proposed draft charter Eric Rescorla
- Re: [Masque] Proposed draft charter Eric Kinnear
- Re: [Masque] Proposed draft charter Eric Rescorla
- Re: [Masque] Proposed draft charter David Schinazi
- Re: [Masque] Proposed draft charter Mirja Kuehlewind
- Re: [Masque] Proposed draft charter Eric Kinnear
- Re: [Masque] Proposed draft charter Spencer Dawkins at IETF
- Re: [Masque] Proposed draft charter Eric Rescorla
- Re: [Masque] Proposed draft charter Spencer Dawkins at IETF
- Re: [Masque] Proposed draft charter Christian Huitema
- Re: [Masque] Proposed draft charter Eric Rescorla
- Re: [Masque] Proposed draft charter Spencer Dawkins at IETF
- Re: [Masque] Proposed draft charter Spencer Dawkins at IETF
- Re: [Masque] Proposed draft charter Eric Rescorla
- Re: [Masque] Proposed draft charter Spencer Dawkins at IETF