IETF Logo Mail Archive

Re: [Masque] Comments on draft-Pauly-masque-quic-proxy

Martin Duke <martin.h.duke@gmail.com> Tue, 09 March 2021 14:35 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D358D3A0E0A for <masque@ietfa.amsl.com>; Tue, 9 Mar 2021 06:35:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FQxBK6ZtunzR for <masque@ietfa.amsl.com>; Tue, 9 Mar 2021 06:35:40 -0800 (PST)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5EF33A0E01 for <masque@ietf.org>; Tue, 9 Mar 2021 06:35:40 -0800 (PST)
Received: by mail-il1-x12c.google.com with SMTP id k2so12356337ili.4 for <masque@ietf.org>; Tue, 09 Mar 2021 06:35:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=twTP++WYVu5cDkzT7qREzDvkOe6GDwb8gi5Bu88mB7s=; b=RvQHYA/qF1yOHwCcm+RWGEH8Fv9Cpzk8XnBgKcGUUI5GrBusyi8qt+LgQYn8REIgsy I2XBL7lbTQjVCZyY6dzIa+Z2TFSxV1VuI6yTgEwtFbImSAofLXTSzHs0pecoiEZLnFE5 Xr2WB/6kY70RCCWXUC6ueMgEnkAWAfeL5GDPAUKijIQeY/yskE9IgkJDOLRviC7cQ9oh nas1hFG103yeOiI7ZehZhNc454KMFPg+8UYX5XFLVeGM4EVQSF5VNDvn8ij9fpntV0V0 7kYz3U8+jPQIBApvYH7o0I6e6NPux30fI7b0QDPATjy6TbdMyOLutLUP/BbSRs03ky/0 kBHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=twTP++WYVu5cDkzT7qREzDvkOe6GDwb8gi5Bu88mB7s=; b=ErdyRDCdKWtWSnwMmKQkpZ6Hf/Uyyr2XkqUFHYH62BShiD81cBn0qTw4D51LnWDuSk KiqbBahNYeV5iKyY3FzLeBnIHRItdnKu6R7RGknk2zRV8KLloIcOSkFpw389dd7j+KPM LDUN0N4hYrCf8HvrpI03PU+a10Hd9drmHF9bt6BGf8ifwByE6nrANrWSgM12/ouhGaSl MvXXWK/jdOhRjwygZPFkvnx1gJbRwlKzmre/n39GzKrqkINa30+aMC6ZUwHZTDsQUaXJ XSUs/cHv2uv2J/mLJIV7lR2OwVHwXs0ItQCI3t9izLq4uuL8nH6ZXn5eNdDhw6WkHCNA j+Vg==
X-Gm-Message-State: AOAM532lSLzA/NP/FpFj3FpPdbyY1k/VkW8k9Q2QseIWSq5pB3NiTqiK /HOJSVGAB/3SixANNtae/btzLq3WAwdg5VXGfNM=
X-Google-Smtp-Source: ABdhPJwvNQa4Ikt0LLw8R30JMbsbqyabc48moMHKcH4QKyeYVQJjCYzvT/me8gF1XRTwYZTHgozC5dHJc5BfHt4zufA=
X-Received: by 2002:a05:6e02:f06:: with SMTP id x6mr22691220ilj.287.1615300540144; Tue, 09 Mar 2021 06:35:40 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxR1RVMBsbb-OsX0RUMHH4XbSBdrgBFP4oUAs=ws3at_wQ@mail.gmail.com> <438EC9D4-76D0-4639-ADB6-BD9C77ABC9F8@apple.com>
In-Reply-To: <438EC9D4-76D0-4639-ADB6-BD9C77ABC9F8@apple.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 09 Mar 2021 06:35:33 -0800
Message-ID: <CAM4esxSoWVXtF-CXL-uptmA+iYnBr8AoG1W7ZnxBTzC0aP_PWw@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e69e3a05bd1b76f6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/XKg_DLkwmFhqBbW4Rk0T6tzd-CI>
Subject: Re: [Masque] Comments on draft-Pauly-masque-quic-proxy
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2021 14:35:44 -0000

I don't think this applies to base CONNECT-UDP. If the client changes its
address, the MASQUE connection will do all the verification necessary to
mitigate any attacks.

The difference in your draft is the UDP packets are not entirely part of
the MASQUE connection anymore. In fact, it would be good to clarify to what
extent they do count as part of the connection. Do they:
1) have (implied?) packet numbers?
2) if so, can they be acknowledged?
3) If not, how can they count against congestion control?
4) Can they trigger address change events, or will the proxy get a new
socket to make the server handle it?

I'm sure there are several other similar questions.

On Tue, Mar 9, 2021 at 5:10 AM Tommy Pauly <tpauly@apple.com> wrote:

> Hi Martin,
>
> On Mar 8, 2021, at 3:51 PM, Martin Duke <martin.h.duke@gmail.com> wrote:
>
> Thanks for writing this draft! I have some comments mostly focused on
> migration.
>
> I conceptualize this design as the proxy falling back to NAT behavior
> after the handshake is done. If that’s correct, I suggest you take a look
> at the (rapidly evolving!) NAT section of the quic-managability draft.
>
>
> You’re quite correct that this ends up being quite similar to some NAT
> considerations, or almost a client-side load balancer.
>
> Specifically:
>
> 1) you should discuss the implications of the client receiving
> NEW_CONN_ID. I gather the client would have to request it from the proxy
> and revert to tunneling for that CID if rejected?
>
>
> That is correct! It’s described a bit in section 4, but we could expand
> upon it:
>
>    A client sends new CONNECT-UDP requests when it wants to start a new
>    QUIC connection to a target, when it has received a new Server
>    Connection ID for the target, and before it advertises a new Client
>    Connection ID to the target.
>
>
>
>
> 2) It’s important that any address or port change by the client translate
> to a new UDP socket in the server direction. To do otherwise would break
> the path validation mechanisms that protect against a variety of attacks.
> To the maximum extent possible, port changes should beget port changes and
> address changes lead to address changes, as QUIC implementations may use
> this as a heuristic.
>
>
> Yes, I agree, and will be adding that to the next version:
>
> https://github.com/tfpauly/quic-proxy/issues/41
>
> I do think this plays into the base CONNECT-UDP as well:
>
> https://github.com/ietf-wg-masque/draft-ietf-masque-connect-udp/issues/42
>
> Best,
> Tommy
>
>
> Martin
>
>
>

v2.23.0 | Report a Bug | By Email