[Masque] Filtering function of the Masque server for traffic incoming to the client
Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 27 July 2020 12:32 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/WVeTOkB8lKSK3inJ_FkuuuD2DS4>
Hi,

A question I have to the WG is what its views are on the filtering function of the MASQUE server for incoming traffic from remote addresses. This comes from the perspective of what is in TURN for this. TURN requires the client to explicitly indicate the remote address (IP + Port) to receive traffic.

So the question is what behavior we expect from MASQUE for both UDP and for IP. For UDP I think only accepting traffic from the reverse 5-tuple that the client requested to communicate to.

For IP I think the decision is tougher. But, I think the primary question is if one should be able to run a server as a client of the MASQUE server. If it does, then any traffic to the leased IP address needs to be accepted. Thus questions about being open for any traffic and potential for attack traffic etc.

A special case, if one doesn't allow any remote source through to the client, is that some traffic that doesn't match the IP 3-tuple still needs forwarding. The best example I have is that a MASQUE server will need to look at the ICMP traffic coming in to the IP address and match the included header to existing context and forward it to the relevant client if it matches.

So what are people's opinions here?

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
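
The two checks discussed in the message above (UDP admitted only on the reverse 5-tuple, ICMP errors matched on the header they embed), as an added Python example that is not part of the original message or of any MASQUE specification or implementation. The `Flow` structure, the set of forwarded ICMP types, the IPv4-only scope and the documentation-range addresses are assumptions made for illustration.

```python
import socket
import struct
from typing import NamedTuple, Optional

UDP, ICMP = 17, 1
ICMP_ERRORS = {3, 11, 12}  # assumption: unreachable, time exceeded, parameter problem
class Flow(NamedTuple):
    """UDP context a client asked the proxy to open (hypothetical structure)."""
    leased: bytes
    lport: int
    remote: bytes
    rport: int

def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload), or None for malformed or non-IPv4 input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]

def match_inbound(pkt: bytes, flows: set) -> Optional[Flow]:
    """Return the client flow an inbound packet belongs to, or None to drop it."""
    ip = parse_ipv4(pkt)
    if ip is None:
        return None
    proto, src, dst, body = ip
    if proto == UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        flow = Flow(dst, dport, src, sport)  # reverse of the tuple the client opened
    elif proto == ICMP and len(body) >= 8 and body[0] in ICMP_ERRORS:
        inner = parse_ipv4(body[8:])  # header of the datagram that triggered the error
        if inner is None or inner[0] != UDP or inner[1] != dst or len(inner[3]) < 4:
            return None
        sport, dport = struct.unpack("!HH", inner[3][:4])
        # The outer source may be any on-path router, so only the inner header is matched.
        flow = Flow(inner[1], sport, inner[2], dport)
    else:
        return None
    return flow if flow in flows else None

def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the constructed samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload
def udp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)  # empty UDP datagram, checksum 0
# Constructed sample context: documentation-range addresses, one open flow.
LEASED, REMOTE, ROUTER = "192.0.2.10", "198.51.100.7", "203.0.113.1"
FLOWS = {Flow(socket.inet_aton(LEASED), 40000, socket.inet_aton(REMOTE), 443)}
```
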