IETF Logo Mail Archive

Re: [Masque] Proposed draft charter

Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Mon, 03 February 2020 15:05 UTC

Return-Path: <mirja.kuehlewind@ericsson.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01FBB1200C4 for <masque@ietfa.amsl.com>; Mon, 3 Feb 2020 07:05:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Govrx3KkjW_W for <masque@ietfa.amsl.com>; Mon, 3 Feb 2020 07:05:24 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60083.outbound.protection.outlook.com [40.107.6.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5479D120098 for <masque@ietf.org>; Mon, 3 Feb 2020 07:05:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=n79MGxsdKNBvQ3F1Wej70JwjxPh+bfJox09d2gUMy81650IMAspVI0UZulRw0ade1YKWzeCEZr0b6GtZM22myey37DcoKSfYZq008Z9ppOXr4opZOoFQnyt63BIv154kH9OlJajVC6gQk4TH3+yhGhMGt3Dj9gRCP8PvX7J4f7F1XHbiSGzgPxUG++E0YMq9JXXaR7PxHiKxb+1tN14vJ0NjGj1CeO4bvjoVgOpGKTD0s+QQKJNmZ8F4ctH1XGZ7Eesw0BM1v9V0+S0S/1hZhYvVCT4amub/VU6esd8vGBMKyVmDuGpBoldDHvThn+qdp4Tvt0pljx4yCUGBAnbHkA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kTB5AyLr3yOrKU4X0mjYr64RzC98jPlbgvqUxkxcdjY=; b=X7Ug+mqgbXPd+f3hQx7L71EOzpEY7jUzZLdD6R7OdtwGHRn0IQOtWMk3Hu5Z0i9ZTuZBcliyyCZcURqDa2WHAhPtmX5g6+/PPRANatzE3DjOpt0uvMCaK8Ay5rB9YFsY8JuA+8G12Kr1eqiahGBMXJ2plNC9jKYWkV3oAGSDDi7sM8ZIwl8iZS5p3sfRLr5tskED3/RgFDhMhXcJyYSLsAr5WsdLuymBv6ndm7neIAwk1R6Oo04uPKBYI/dIyZwRUi/oLN0Eg5lLe6t/7DNaho+se9KScSNl13x84Q0UXZSScSs9c15CTCDIpzPkVixjqodJMkUiEGNC5Uolr9TkXw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kTB5AyLr3yOrKU4X0mjYr64RzC98jPlbgvqUxkxcdjY=; b=AK+U1XBu9dtUqV12E+eBlOQaTvzV/0czTKvI3de4sJycSOxhTa2W2WNr7CAZEqw+vrYwfNGGLh5dBK5je/cSID8gmeIa1YcKqY7U0lopsFADmC4uPWwDmeFl8+MNvHcRyKFKIEdqWYP0mlWaQmnNBgoDkwt1naj1bQoJBQPadnI=
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com (52.135.149.158) by AM0PR07MB4802.eurprd07.prod.outlook.com (20.178.19.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2707.18; Mon, 3 Feb 2020 15:05:22 +0000
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4879:46ae:16e:f5b7]) by AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4879:46ae:16e:f5b7%7]) with mapi id 15.20.2707.018; Mon, 3 Feb 2020 15:05:22 +0000
From: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>, Mirja Kuehlewind <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org>
CC: "masque@ietf.org" <masque@ietf.org>
Thread-Topic: [Masque] Proposed draft charter
Thread-Index: AQHV0w4aBWkpAZDWB0m+dMAczIB7OKgJUBEAgABhS4A=
Date: Mon, 03 Feb 2020 15:05:22 +0000
Message-ID: <E68FB662-F6E5-49EE-AD92-AFCCCEA0CCE9@ericsson.com>
References: <845946C2-EB98-4F3A-966E-968AE349302C@ericsson.com> <CABcZeBOJtyaa+J9PqoEZ7n8QahFy4n8nbBaCwUd0W+1BoMNnZQ@mail.gmail.com>
In-Reply-To: <CABcZeBOJtyaa+J9PqoEZ7n8QahFy4n8nbBaCwUd0W+1BoMNnZQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mirja.kuehlewind@ericsson.com;
x-originating-ip: [2a00:79e1:abc:301:5816:11c5:461d:3738]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c5123a32-e823-4173-5d23-08d7a8ba7db4
x-ms-traffictypediagnostic: AM0PR07MB4802:
x-microsoft-antispam-prvs: <AM0PR07MB4802EE810396D209DDF02B27F4000@AM0PR07MB4802.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0302D4F392
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(136003)(376002)(346002)(366004)(396003)(189003)(199004)(316002)(110136005)(6512007)(44832011)(4326008)(478600001)(36756003)(81156014)(81166006)(8936002)(8676002)(6486002)(2616005)(2906002)(186003)(66946007)(91956017)(66556008)(66476007)(66446008)(64756008)(76116006)(5660300002)(6506007)(33656002)(71200400001)(53546011)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB4802; H:AM0PR07MB4691.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wzX38ldaZe3f2P02slfevGtgZtEcIS4zXzKXS9KSby6XsgJLjbKE7WqzTGz9xGi+7Rt256kveKBJSwuq0Yw9+dJyFBeimAmZLycajrQKNq4PUNFx4yIMbn96vw+si9y+VnZtD5dydjZkF0tJEwXr7eqwxSz6LdXf9mhGj77vPeWhO+VLYtIiqeAFbZBQkiERGgH9g4OqHgwpPaoOU3NWnyNwmZ+1hWZ2SxBaKqeDkQAW98JvHX+MCda3A+cngWjJpV5OixChafF+Qll90iEwZJV8wCOn6Svm7NfYlEX3/65W4nQHRE15goIXf7Reh/nOxV60FVol5BHFWDt4gR2Nk9rSnnIOT+8pMOSuP/XY2CP03Frxuj2r1yqsey1FUQGzTixzoWhCumLQk/tvp6/7vWD3wvE8CqiZLZUwIxus4OYO67jo1PkIG0e3kTwOeTNV0gwC+WFCNmPBgbIUEoCDGeX2fKP55QBD6hLysjY5XjoY2VoYKUfR93ui+wmyRTh2Pb3hhqDVFFYX9YjGIYY05Q==
x-ms-exchange-antispam-messagedata: ca6j1r9SX8Z4VAKiwHMd1OJcsR8+50zIXn3cRB8qHDEeU8hCTKQBsPYwSUhaeEWrMa4GVUWrJ0mUjwAy0Vufii7tmoBjpVxLo4hDnq2zV2VoT7AbK140WsMiq7tUIqs+Q6bXzfabKNxy9Dm46faFPsR6uEB8burOLzNh3QTW4ISq/6KZOz6v6CIZ/90OiG43TpzwyV78UakqiDhgnuyU1g==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_E68FB662F6E549EEAD92AFCCCEA0CCE9ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c5123a32-e823-4173-5d23-08d7a8ba7db4
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Feb 2020 15:05:22.1650 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kjRJFNnV+d6vVugdLdEmyeugfQ6B+Ta0DmUZUl8XFTNIizlqkyZ3GmD+vsTseD0RHgDdnjTzTyQNjI67epSWKHjqoyKR5g5oafaAkwIdyec=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4802
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/US3tb_c9ql1gQK0yNoD2lTQGf_g>
Subject: Re: [Masque] Proposed draft charter
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2020 15:05:28 -0000

Hi Ekr,

the reason why we extended the use cases is because we think the requirement are not that different, however, the whole point is to move away from transparent proxies that interfere with the end-to-end connection to a setup where the client actively decides to use a proxy to a request a service. So the QUIC tunnel is actually just used for forwarding traffic (and not modifying the traffic) but then the tunnel connection can also be used to exchange information between the endpoint and the proxy

You wrote:
„In the tunnel-type case, the point of the proxy is to a great extent to protect client-server connection from interference by the local network (as well as to conceal the client/server IP addresses). However, in the PEP style case, the purpose appears to be to reestablish the control that these network-level devices had prior to the advent of QUIC's end-to-end encryption.“
What you call “PEP-style” is explicitly not supported by any solution we are looking for in MASQUE. However, PEP stands for “Performance Enhancing Proxy”. So what we have in mind is still aiming at enhancing performance but in a way where the proxy provides information to the endpoints and the control sits at the endpoint to do anything with this information. So all thatb is needed is forwarding and a signal channel.

Mirja




From: Masque <masque-bounces@ietf.org> on behalf of Eric Rescorla <ekr@rtfm.com>
Date: Monday, 3. February 2020 at 11:18
To: Mirja Kuehlewind <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org>
Cc: "masque@ietf.org" <masque@ietf.org>
Subject: Re: [Masque] Proposed draft charter

Hi folks,

I have reviewed this charter and I fear that it is going in the wrong
direction. When MASQUE was first proposed, it was conceptually simple:
effectively an HTTP CONNECT tunnel but (1) Implemented over QUIC/H3
rather than H1/H2 (2) Allowing for non-TCP protocols to be carried
over the tunnel. IOW, it was an application-level VPN.. This is
something that clearly has a number of valuable uses cases. To name
two real-world applications where this would be valuable:

1.. Tor has repeatedly discussed converting from their TCP-based
   protocol to something DTLS or QUIC-like.

2. Firefox Private Network (https://fpn.firefox.com/<https://protect2.fireeye.com/v1/url?k=f414024d-a89dd870-f41442d6-0cc47ad93c0c-0fde56b3d9745760&q=1&e=4e88e632-cdec-4643-be39-12b7bdc3e6aa&u=https%3A%2F%2Ffpn.firefox.com%2F>) has an
   H2-based secure proxy mode, and running it over QUIC would
   have some obvious advantages.

However, when I read this charter, that simple application is sort of
buried under a bunch of other stuff that seems more appropriate for
some other use cases, such as performance-enhancing proxies. proxy
caches, etc. While I appreciate that something like tunnel (as in
FPN/Tor) and PEPs are both technically proxies, they're fundamentally
dissimilar even though they occupy the same position in the data
stream (though not the same position in the network, given that PEPs
are typically on-path between endpoints whereas tunnel-type systems
typically are not).

It's not necessarily bad to charter work that handles multiple use
cases, but in this case, I think that it would be a severe distraction
because the requirements are totally different. In the tunnel-type
case, the point of the proxy is to a great extent to protect
client-server connection from interference by the local network
(as well as to conceal the client/server IP addresses). However, in
the PEP style case, the purpose appears to be to reestablish the
control that these network-level devices had prior to the advent
of QUIC's end-to-end encryption. This is readily apparent from the
text in this proposed charter that says:

  As use-cases for deploying MASQUE have different security or
  performance requirements, the working group may define multiple
  MASQUE services for proxying to suit these disparate use-cases.

This actually seems like an understatement.

IMO, we should simply strike all these use cases and focus on a
simple tunnel protocol, which seems comparatively straightforward.
Such a protocol should be designed to be extensible.

In parallel, those who are interested in designing protocols to
re-establish access by network intermediaries can work on those
separately, and, if there is sufficient implementor interest we
can then discuss whether those use cases should be served by
Masque extensions or by some other protocol.

-Ekr

v2.23.0 | Report a Bug | By Email