Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 29 June 2021 10:02 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "dschinazi.ietf@gmail.com" <dschinazi.ietf@gmail.com>
CC: "masque@ietf.org" <masque@ietf.org>, "martin.h.duke@gmail.com" <martin.h.duke@gmail.com>, "caw@heapingbits.net" <caw@heapingbits.net>, "achernya@google.com" <achernya@google.com>
Date: Tue, 29 Jun 2021 10:02:02 +0000
Message-ID: <757d0b2b5828a7855f6bbdfcd8aa3ac7a6125334.camel@ericsson.com>
References: <d314198b-6c01-4b15-84d8-9896b5fdee80@www.fastmail.com> <HE1PR0702MB3772355483E2771650C6D679953F9@HE1PR0702MB3772.eurprd07.prod.outlook.com> <746F7E16-37BD-49EF-896A-649D394CCB05@ericsson.com> <CAPDSy+6PjZk0Kea6154V3=GF-8bs+0Mr+FtFfi-girGh3uAVrQ@mail.gmail.com> <3deea8212d66731de5c81abae353f3e9322f2d57.camel@ericsson.com> <CAPDSy+68DoVrRiC7uEn1-Ze_5LDn9mt7-f+ZeovTTYAUh=w2Og@mail.gmail.com> <21d8fc788051b570768e53d6d9355ed51b423c0a.camel@ericsson.com> <CAKKJt-d-FzXVdJpUTacb4m7ESyB6nzkk1BQSf8rHtReOvD=5Jw@mail.gmail.com> <CAM4esxSE=misCJX=73h-kF+RQdQLC2WBhwv3nv5QgR8HK17diw@mail.gmail.com> <CAM4esxQatk4-ENdz+2jCbpRtr8hT0nLWbVLbb64RMJwvBf2qDA@mail.gmail.com> <CAHbWFkQ6YAhqgbbsAPC-i2Rv-_LRZ4R3NKTk4of200GUt38A_g@mail.gmail.com> <91475be5-dee4-435e-a65b-1cde43ffff0e@www.fastmail.com> <74934214da56424b57d7985f49e58b20482d6310.camel@ericsson.com> <CAPDSy+6JU9trGDDPpNa+2Xirq=q0FtpOaE9Sy0gUmdXs=N36bA@mail.gmail.com> <9287d53cbca722b586b4a7684f07bbf89717fa3f.camel@ericsson.com> <CAPDSy+4DMD65w5Cigqc8W09NjjmXq0krtGasSEVuz+kyJwzGGQ@mail.gmail.com>
In-Reply-To: <CAPDSy+4DMD65w5Cigqc8W09NjjmXq0krtGasSEVuz+kyJwzGGQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/bZj1qaVRFIdqge9X0kBtjPIScro>

Hi David,

On Mon, 2021-06-28 at 09:36 -0700, David Schinazi wrote:
> Hi Magnus,
> 
> Thank you for clarifying *what* you would prefer to see in scope.
> Can you explain *why* you are advocating for those topics?

So the reason I am advocating for additional care in relation to routing
information is the fact that a malicious and successful injection of a route into
a network can be used as a tool to attack third parties. You could potentially
divert traffic to perform other attacks or monitoring for surveillance or
information gathering.

And I think the main difference between the network-to-network VPN case compared
to the customer VPN is that the latter only forwards traffic with a destination
of the address/network the MASQUE server lent to the MASQUE client. That makes
the threat model match a leaf node, not a transit or multihomed network, which
network-to-network VPNs easily create.

And with that change to the threat model the mitigations and security
considerations are impacted, which in turn is what I fear will delay the
specification further. Do you think you can write a specification without
bringing up the security considerations for the protocol field that carries
route prefix information?

The requirements document is very clear in Section 3.5 that a protocol mechanism
is needed for route negotiation. That negotiation will be used to affect the
MASQUE endpoint's routing state, which in turn requires the implementation to
consider which traffic it should accept. Yes, there is a trust question here in
regards to the authenticity and identity of whoever makes a statement about that
authenticity in the request. But it is also a question of what threats are
inherent in this mechanism and what each endpoint needs to consider when using
this mechanism to safely forward traffic through the tunnel.

> In particular, you seem to be treating the routing table as
> something unique that needs to be handled differently, and I
> don't understand that. Many HTTP methods involve changing
> local state - if I click the Like button on a website, a database
> gets updated somewhere, for example. The routing table is a
> database, and it's unclear to me why it needs to be treated
> differently. It seems absolutely reasonable to have text in the
> security considerations section that states that servers shouldn't
> let unauthenticated clients modify any server databases without
> checks, but it sounds like you're suggesting that the protocol
> solution document be opinionated about trust, and that would
> severely limit the applicability of the protocol - various use-cases
> will have different means of authenticating clients and picking
> policies for what a client is allowed to do, and we cannot preclude
> those.

The routing information carried in a MASQUE-specific mechanism that directly
impacts what traffic the MASQUE endpoint will forward, and what mechanisms will
be needed to mitigate threats, is the same as in any HTTP application. So this is
not the same as a general HTTP-using application. The HTTP-using application
will have to evaluate the risks of the function implemented in that
application, just like I am asking us to carefully consider the impact of the
MASQUE application.

And when it comes to authentication mechanisms, I think for interoperability it
will be necessary for the MASQUE application to require something to be
mandatory to implement, even if that is the mandatory-to-implement mechanism of the
targeted HTTP versions. However, MASQUE services clearly have similar
considerations to TURN servers, where there was a failure to consider early on whether
one had mechanisms that were suited to the use cases. The issue with TURN was that, for
example, WebRTC services wanted to provision their users with individual user
credentials, where the TURN service could be a contracted third-party service
that supported many WebRTC services concurrently.

But to conclude, all I am really expecting is that the security considerations
and the mitigations in the MASQUE protocol specification consider the MASQUE
application in all its use cases listed in the requirements.

Cheers

Magnus Westerlund
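The leaf-node model discussed in this message (a customer-VPN endpoint installs a client-advertised route, and later forwards a packet, only when it falls inside the address space the MASQUE server lent to the client, whereas a network-to-network VPN may accept routes outside it) as an added illustration that is not code from this thread or from any MASQUE implementation; the `TunnelPolicy` class, its methods, the advertised-prefix representation and the sample prefixes are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Added illustration of the leaf-node vs. transit threat model from the thread.
# Not code from any MASQUE implementation: the TunnelPolicy class, its methods
# and the sample prefixes are assumptions made for this example.


@dataclass
class TunnelPolicy:
    # Prefixes the MASQUE server assigned (lent) to this client.
    assigned: list
    # leaf_mode=True: customer-VPN case, client is a leaf node.
    # leaf_mode=False: network-to-network case, routes outside the lent
    # space may be legitimate and need policy/authentication checks instead.
    leaf_mode: bool = True
    accepted_routes: list = field(default_factory=list)

    def __post_init__(self):
        self.assigned = [ipaddress.ip_network(p) for p in self.assigned]

    def accept_route(self, prefix: str) -> bool:
        """Validate a client-advertised route before installing it."""
        try:
            # strict=True rejects prefixes with host bits set (e.g. 192.0.2.1/24).
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            return False
        if self.leaf_mode and not any(
            net.version == a.version and net.subnet_of(a) for a in self.assigned
        ):
            # Outside the lent address space (this also catches a default
            # route): installing it would let the client pull third-party
            # traffic into the tunnel, the route-injection risk in the thread.
            return False
        self.accepted_routes.append(net)
        return True

    def should_forward(self, dst: str) -> bool:
        """Forward a packet only if its destination matches an accepted route."""
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            return False
        return any(addr in route for route in self.accepted_routes)


if __name__ == "__main__":
    # Constructed sample: server lent 192.0.2.0/24 to a leaf (customer-VPN) client.
    policy = TunnelPolicy(assigned=["192.0.2.0/24"])
    for adv in ["192.0.2.0/25", "0.0.0.0/0", "198.51.100.0/24", "192.0.2.1/24"]:
        print(adv, "accepted" if policy.accept_route(adv) else "rejected")
```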