IETF Logo Mail Archive

Re: [Masque] Proposed draft charter

Lars Eggert <lars@eggert.org> Mon, 27 January 2020 14:54 UTC

Return-Path: <lars@eggert.org>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4272120829 for <masque@ietfa.amsl.com>; Mon, 27 Jan 2020 06:54:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N6oyWzlGzLPy for <masque@ietfa.amsl.com>; Mon, 27 Jan 2020 06:54:38 -0800 (PST)
Received: from vs22.mail.saunalahti.fi (vs22.mail.saunalahti.fi [193.64.193.198]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5B2D12083B for <masque@ietf.org>; Mon, 27 Jan 2020 06:54:37 -0800 (PST)
Received: from vs22.mail.saunalahti.fi (localhost [127.0.0.1]) by vs22.mail.saunalahti.fi (Postfix) with ESMTP id DD06C20252; Mon, 27 Jan 2020 16:54:35 +0200 (EET)
Received: from gw02.mail.saunalahti.fi (gw02.mail.saunalahti.fi [195.197.172.116]) by vs22.mail.saunalahti.fi (Postfix) with ESMTP id C7863201C8; Mon, 27 Jan 2020 16:54:35 +0200 (EET)
Received: from eggert.org (unknown [62.248.255.8]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: eggert@elisanet.fi) by gw02.mail.saunalahti.fi (Postfix) with ESMTPSA id BC52C40092; Mon, 27 Jan 2020 16:54:33 +0200 (EET)
Received: from stickers.eggert.org (Stickers.eggert.org [172.24.110.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by eggert.org (Postfix) with ESMTPSA id A924260052D; Mon, 27 Jan 2020 16:54:28 +0200 (EET)
From: Lars Eggert <lars@eggert.org>
Message-Id: <0A22B1D4-3517-44B6-B8C0-ED8965CF548B@eggert.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_B1F7D15E-BB96-45B1-8CC8-76C8B373BBF5"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Date: Mon, 27 Jan 2020 16:54:28 +0200
In-Reply-To: <17638BD9-3EA7-4026-A543-130281CB3978@ericsson.com>
Cc: "masque@ietf.org" <masque@ietf.org>
To: Mirja Kühlewind <mirja.kuehlewind@ericsson.com>
References: <845946C2-EB98-4F3A-966E-968AE349302C@ericsson.com> <B5A0CBC5-6127-4F47-B1CC-2BFF4934EA62@eggert.org> <0E417F05-7EB0-42DE-B120-51873E9F464C@ericsson.com> <CC941298-36BC-4C97-AB3D-5993A3F2FB73@eggert.org> <17638BD9-3EA7-4026-A543-130281CB3978@ericsson.com>
X-MailScanner-ID: A924260052D.A108F
X-MailScanner: Found to be clean
X-MailScanner-From: lars@eggert.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/VPaSu2bn3T14alMRkYAas2GixtY>
Subject: Re: [Masque] Proposed draft charter
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jan 2020 14:54:45 -0000

Hi,

On 2020-1-27, at 16:34, Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> wrote:
> [MK] Only the outer client to proxy connection would be "eliminated".

thanks for clarifying.

So if the concern is for the client-to-proxy part, why does this outer connection need to be QUIC at all? (I think this is also what Marcus described in his reply, i.e., that you could simply run a non-QUIC protocol between the client and proxy on the same five-tuple.)

> >Would clients need to ship with unencrypted QUIC stacks and need to trust that their proxy throws on the crypto for them?
> 
> [MK] As I just said for the current charter I think that should be excluded and we can find a way to make that clear.

That would be very helpful.

> [MK] There are two impacts: processing power and per packet overhead.

The two are directly related?

> We did a very quick test with multiple layer of TLS (on top of one TCP connection) and saw a significant decrease.

The decrease should be pretty much 50% if you use the same AES cipher. If you use something else (= non-AES) that doesn't have CPU support, the overhead will be much higher of course.

> Of course as you said this will get better but the overhead could also be reduce by some form of compression, however, if there is a good way to reduce this even more or get rid of it completely, this could still be very import for various use cases, especially when the client is on a mobile device (to increase battery life).

You can use a non-QUIC tunnel protocol between the client and proxy, without encryption.

But the proposed charter talks about wanting to use QUIC as this tunneling protocol, which again makes me wonder how double-encryption here is supposed to be avoided without changing the QUIC security model.

Lars

v2.23.0 | Report a Bug | By Email