Re: [Masque] Benjamin Kaduk's No Objection on charter-ietf-masque-00-00: (with COMMENT)
Martin Duke <martin.h.duke@gmail.com> Wed, 20 May 2020 22:11 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC4F3A07C3; Wed, 20 May 2020 15:11:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uMFNecqitW7G; Wed, 20 May 2020 15:11:16 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD8D03A07BC; Wed, 20 May 2020 15:11:13 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id r145so2765416iod.12; Wed, 20 May 2020 15:11:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=m3+17T+C71IuMZY8Auw2XVRHYe8OyathdAm1fvBJsTA=; b=BuWe9hvR/MTQHT/Uv7Mi0Nj/UiSMVw3hdIl5pti/YJ7Ul1kEJfdBCZwoZwYuTaQ2UJ 2rmj/RAFSawnZ9NVpWg5pWIuo8XhbjeaXEvFf20uJvIyi47SlOaEhKcOdgN/Vmg/oMsx nSZ0tA/GFod/Tot0GfB62HM6bNF6Jm105SGZuH3Kg+S2+mL9yHsPJCamWaj56vAPSuAK HlDNpGibzz5PPeOMtm/+ccCrIKTY5u5o6u92VLQhVuUftfjPjzcvr9278R2iQJCEyWlc bgAAjbTRkEYq6fpkGkOKsJdj0wRbSz/uL3rrk+ltpr0BkKC1a2SqVm2xFUSOFu6B+o7w aoNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=m3+17T+C71IuMZY8Auw2XVRHYe8OyathdAm1fvBJsTA=; b=YVXXWlsiuhu0CSGOEHY1juz/+oHEGx6866+Hqo1wuOtIjOhwA4x4hqO5+OaCyDYVY8 uVfgqq4c32/2PvIbvXi87k03jlIlRTMcfSbizWvGYoJG+sOdEne7ruSpm7pTOfQhI7p8 +mMrhv6Q9paEoKUvLIL4z7mIh1CZ9LUdYKNBazbHiy3JN9FAd9uP0J3TguciAnbLHCxR qM3Kz7L9k4+HXD7ek4OplYssgpE69oKld+NmUDYKStGiHgeptBoKWZq84rsYcnDJL8DH 4UxuhL49tA2LZ9Bow9dbRLdRx5Ezszyu9ya7pp5Zytv2tTQrgjsAJQpgA3mGc5pzTGNX 2TDg==
X-Gm-Message-State: AOAM532e2CidZtfUYatY/mb1tVUlD6qqOWeOxsDv6ZskCHTajHzFPOUI QrWtMFs3tAhuEEuJ5wdaTBcfYOalX4AR2WH/wzo=
X-Google-Smtp-Source: ABdhPJzsI2uxtdIYl0f9JqWxglzXGsf3vcjE6E20BDIoLX4ev9rqBvf9E2/ArMmUuu569G9W9A4f+M2PAWjMlIhBO1k=
X-Received: by 2002:a6b:e009:: with SMTP id z9mr5054980iog.97.1590012672826; Wed, 20 May 2020 15:11:12 -0700 (PDT)
MIME-Version: 1.0
References: <158999499543.12397.7137358356514385454@ietfa.amsl.com>
In-Reply-To: <158999499543.12397.7137358356514385454@ietfa.amsl.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Wed, 20 May 2020 15:11:01 -0700
Message-ID: <CAM4esxT0Cr46QLa_8fKqk8XE19gvY8t=5sJg1w6W06HGmAj+CQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, masque-chairs@ietf.org, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008d606405a61bacd8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/b3vXDNddFlWOV9odr_GnQBsCoYY>
Subject: Re: [Masque] Benjamin Kaduk's No Objection on charter-ietf-masque-00-00: (with COMMENT)
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2020 22:11:24 -0000
Thanks Ben, replies inline. Please see this PR to see the changes in context: https://github.com/chris-wood/ietf-masque/pull/7 On Wed, May 20, 2020 at 10:16 AM Benjamin Kaduk via Datatracker < noreply@ietf.org> wrote: > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Just "HTTP" does not imply any particular level of security mechanism, > though > "HTTP/3" would. I think we need to say something about what security > properties we expect MASQUE to provide, even if it's just "equivalent to > HTTP/3 > or better". (This would be a BLOCK at external-review time but may not > need to > hold up asking for external review.) > [MD] Shall I simply change HTTP to HTTPS? There is not an intent to run this over plaintext HTTP. > > Proxying technologies such as SOCKS and HTTP(S) CONNECT exist, albeit > with > their own shortcomings. For example, SOCKS signalling is not encrypted > and HTTP > CONNECT is currently limited to TCP. In contrast, HTTP/3 is a viable > candidate > protocol for proxying arbitrary traffic, as it provides secure > connectivity, > multiplexed streams, and migration for a single connection while taking > advantage of a unified congestion controller. An HTTP/3 datagram > construct > > Am I parsing this properly that the last thing in the list of what HTTP/3 > provides is just "migration", and that the "for a single connection [...]" > stuff applies to all of it? I'm not sure if another comma would help make > that separation more clear. > [MD] Clarified to make it clear "for a single connection" applies to all of it. > > The primary goal of this working group is to develop mechanisms that > allow > > nit: maybe "mechanism(s)"? > [MD] done and/or HTTP/3 extensions to enable this functionality. The group will > focus on > a limited set of client-initiated services: (1) UDP CONNECT and (2) IP > proxying. Server-initiated services are out of scope. The working group > will > first deliver a protocol solution for UDP CONNECT and a requirements > document > for IP proxying. Once both are complete, the working group will focus on > a > protocol solution for IP proxying. > > I assume there's a reason to do UDP separately instead of just letting UDP > run on top of proxied IP. (Expediency?) > [MD] Yes, IP proxying raises a number of issues about addresses, etc. that make it much more challenging. UDP proxying covers most use cases, likely neatly corresponds to HTTP CONNECT, and has less packet overhead. > > The working group will consider fallback to versions of HTTP that > operate over > TCP as a mitigation to UDP or HTTP/3 blocking. Moreover, the working > group will > consider implications of tunneling protocols with congestion control and > loss > recovery over MASQUE, and may issue recommendations accordingly. New > congestion > > This sounds like "nested congestion controllers". Is that more of a > research > question or an engineering one? > [MD] A true nested congestion controller would indeed be research into a new algorithm, which is forbidden in the charter. Instead, the WG will make some sensible recommendations to tune existing congestion controls, e.g. "turn off the outer congestion control" or "raise the reordering threshold on the inner loss recovery". > Multicast UDP and multicast IP support are out of scope. However, the > group may > specify extension points that would enable future work on multicast. > Specifying > proxy server discovery mechanisms is also out of scope, but the group may > specify techniques for identifying proxy servers to aid future discovery > mechanisms. > > How do "techniques" differ from "mechanisms"? > [MD] One is a service discovery protocol, the other is some sort of server identifier and capability report that a future service might use. IIUC DoH had a similar split. I changed it to "... but the group may specify identifiers and capability reports for proxy servers to aid future discovery mechanisms." > > Impacts on address migration, NAT rebinding, and future multipath > mechanisms of > QUIC are not anticipated. However, the working group should document > these > impacts if they arise. > > Presumably we also want to pay attention to any other developments in QUIC > that would be impacted by MASQUE, and document those, too. > [MD] added > > > > -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque >
- [Masque] Benjamin Kaduk's No Objection on charter… Benjamin Kaduk via Datatracker
- Re: [Masque] Benjamin Kaduk's No Objection on cha… Martin Duke
- Re: [Masque] Benjamin Kaduk's No Objection on cha… Martin Duke
- Re: [Masque] Benjamin Kaduk's No Objection on cha… Benjamin Kaduk