Re: [Masque] DNS in connect-ip
Ben Schwartz <bemasc@meta.com> Tue, 19 March 2024 05:16 UTC
Return-Path: <prvs=8808b73314=bemasc@meta.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0080AC14F68F for <masque@ietfa.amsl.com>; Mon, 18 Mar 2024 22:16:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.092
X-Spam-Level:
X-Spam-Status: No, score=-2.092 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meta.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id df3x0m-W3Odq for <masque@ietfa.amsl.com>; Mon, 18 Mar 2024 22:16:23 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FE0FC14F61E for <masque@ietf.org>; Mon, 18 Mar 2024 22:16:23 -0700 (PDT)
Received: from pps.filterd (m0001303.ppops.net [127.0.0.1]) by m0001303.ppops.net (8.17.1.19/8.17.1.19) with ESMTP id 42IJiEL1025108; Mon, 18 Mar 2024 22:16:22 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meta.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=s2048-2021-q4; bh=D10XOcLg7K8nPyHgHanx1fPhH4HGslSwiUTkIAALCFU=; b=OcO6qX/4ohxhLiGZYtUinn1HMULJ40u3O18Hrc0n4311Q8gF/vXRpa/Dluk2Z2Uk/JvE iwHP/O5Np+orfjucSjuS2piWY5LX6juCmYRBX0E4zw4Ih7hjfZ+f2R04Z4BvmtndWqt+ Szd4nq8Roy5wa1c2wvaj59m8lNcml596UpERcQ5JcBy6vl7O6EhM1iXKXFlbdC224EYP 8c8FRfq19oCxZKXYwNGBR0bEbwbE0tzX2rbHR5gP9ksDtnqGPHbChu4WBHEn0qRU1VR5 2wrgQfcmvZttRdsq1kqnScBw1rjK9tc1wxG+pE89vSrl30l0ogbyuCIOoI6jJqJrO4jl 6A==
Received: from nam10-dm6-obe.outbound.protection.outlook.com (mail-dm6nam10lp2101.outbound.protection.outlook.com [104.47.58.101]) by m0001303.ppops.net (PPS) with ESMTPS id 3wxn3gn84p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Mar 2024 22:16:21 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QvekDg+PDUSzaMg96pxh/F2GwuZ4haSfbHkDvbM+fjBz9t2sGAWPZ/RbtrBi/t6nVnVs4BR5OH/pUPjeRltGxrLHo/TuQlz7UDHWgV9CZhRWMi11RBgn17ncMnvjZQFyqVAX3ssyKYFkCQgqHX7vZq9s1wtEBJMTjohUST+tMoJl3inI/A6sXGY6AOjH7PhaGZ+CiUWWumQTi3FeRbjVLWYSLLp9fjrIkvIs4VpPK3tiPpR0YmpK5hkgD1cIo3ApCJUiWq9LTBsqeC+Qlsc9wuXJgp2O5k9QSoFPFJDSJIVXa0vXRqId+aoufUwllsry3NUROx3/KX0koBmD7qt97A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=gEB8PN6AgrEJ/nQQe1AUO+BslIl+ygz/MKy/JtfHnp4=; b=KV2nzm6GeruRAgl4/Vautz/yo/6n24aDqcZiF7ZVETboTft5U27nLrocQG8f8gxwAAsnncG35zFZQwgEAxaWrStg8Upuwyy2ucbON/zN9fS48bhwRY5r9qnDfbT522ded7bGoaXmNJj0bi7QPNE9d5yXrh2bNizIqdJ3kRaEubKNz37k8WBaExYgvNwK3vMAb8cckfx6dBBnAV7Ipk9pbczH/qHVYipZvWr6jAfUSAjjtSeeSpdpibNgSr8uxoAdjIFgM0D4Ul8x8VNYn6MSQLL2FkFkEsejivzErO3Fp9nuZDW2YhCl8xTjcB9YZDS+ZWEoPDdRTvSt4EGi73Bt2g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meta.com; dmarc=pass action=none header.from=meta.com; dkim=pass header.d=meta.com; arc=none
Received: from SA1PR15MB4370.namprd15.prod.outlook.com (2603:10b6:806:191::8) by MW4PR15MB4697.namprd15.prod.outlook.com (2603:10b6:303:10a::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7386.26; Tue, 19 Mar 2024 05:16:19 +0000
Received: from SA1PR15MB4370.namprd15.prod.outlook.com ([fe80::50:3dc9:3ace:9a3a]) by SA1PR15MB4370.namprd15.prod.outlook.com ([fe80::50:3dc9:3ace:9a3a%5]) with mapi id 15.20.7386.025; Tue, 19 Mar 2024 05:16:19 +0000
From: Ben Schwartz <bemasc@meta.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
CC: MASQUE <masque@ietf.org>
Thread-Topic: [Masque] DNS in connect-ip
Thread-Index: AQHaeZz/5IqFW8ptd0yFqh08i5mMy7E+ZGZKgAAZ8ACAAABZVw==
Date: Tue, 19 Mar 2024 05:16:19 +0000
Message-ID: <SA1PR15MB4370E0505044F972994D654DB32C2@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <CAPDSy+7iCh9P5vzRSTgBeBPMGJaCzeQQFguh4to9=ZJqZhgULQ@mail.gmail.com> <SA1PR15MB4370BB203F7907568CF27C27B32C2@SA1PR15MB4370.namprd15.prod.outlook.com> <CAPDSy+4RTu6xo+o=25x1fFf34GZycnd6USKCMDu_-K5Eu1stVw@mail.gmail.com>
In-Reply-To: <CAPDSy+4RTu6xo+o=25x1fFf34GZycnd6USKCMDu_-K5Eu1stVw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR15MB4370:EE_|MW4PR15MB4697:EE_
x-fb-source: Internal
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: S+uVuDLQznHFfntZU4teTIKdaF5vCrPSuQ2Ex7qWVcBBzbLkKEagvlRNf8rEd90zzaK6pkMnBfVggR1bWPkafsSE0QkArIutUEMuoFP6zOaqaN46L7U0oaUZM9YUADqK+R1HKS5B1AKfGUoou35+s0uZr7Dhdgx2hkSHYD2TlRF6sv+bmHISRpwgxAtIopdY8F9JKZ25eIjIvypnsPy2BnE/BiP82g0iqLgbqUrYfB7REQT4rM7MZnYwBpFc9w6PGNAoWjNjYwDf2rAN4XDOewHn5QKZuzxwXOErf1QTooOuc9jjXU5XYC/K6ZaBJT8cx4W/Kx9zFTwZub2HRkaQ9d/BsV/t+nmS02KN18P2cBIiOpLeJ2ONal1FDo58B+koLaM+R3wHuC1OdbjWKTKk9kN/e3p6gTnkWBE6iJx8ra7r6PHpoJlLkwcSxlzzPBFTIM/Q6yDIb8Pp3PM8s1jIUstXDJYFZt8lCfLirpr+5U4/RSSDi/o0WJ53BmZvVFcsPjPJ8NCWC9YOI8ZFIqzo6tA4K5VSvwYhVEHqDvTQ5T2TnlhZFKLsUMIGlnZ2OViOaD5PKb2siwnyYPhkUDQjJM5K7aXlxSzAbSgnm8UTprxUFFUcAuAhxOfHuQcwaT26
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA1PR15MB4370.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(1800799015)(366007)(376005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 55Hf/dUSXTApmQ7ys650mW5VXQ/U1JeqDcxO5O6aZmPPH3nMghYj/xfJuUFCSFbuc75p5MtuMKRjY55RDYktmUZN3ON5zxQna+oAS30Lej3mOcskEiMK8eCnYguK16/BScPN/0TQWMpWJYFkqgWxK3fAOpEME4lQFpdBsTKC40zXO4adeAHm55OeX398oVnGbaea2Y6SC8XFVSYC5PsjGgPr7kJdOmtk9BgR+s1vfVMn4frlC1/t1QL7g8iezRaxl58Z4Kn7U4KQ703WqvRtGvKbUuPUeP7AQ/GJag2i4PRbWSwlSkMoqO1Oanor9PETMt9EkZakVEszoqGBwjZ8kUR5AjAmGj32WyVjMne+pvjx1Q8+knh3iWtHCHzX8FMlOWHwdlRjqEYz18idZ2SVqazgSbYWGscdmKFVbt2hFxL9RMOeUoiExpdGKtI+eSxaDCbIZsT6RodIVViZxf0RBF264zoeDwSuWOXVcWhofuFPNqbBfd2ZaAZak5DOk/EnWn8q148qQYOSf3TdIetilQyNisrug/2MCd+FM0OU8SVAuvHpIilnLOPzNMfgQvPTKk0nph8+mZU+kk4N6FCuuMMEFcFCgimCEpy/SBrWqOo071XUv6QH7N4uc3az5FHP0j24p5ORLxLKyZTg2MzuI6ADEwmvBFcBAPhFLMQ/s8gbCO758a33F9KWF2+L0Qv+IuA8NnDYoScx5UJMcnB7do/bZIiTMdklgqn+PqrKC9qXwC/16FKUVt+w2IcJiqxY5pzXxXZM5CJs0IjxC8uOUxihEVyaSdbNo8qxDyeZQcuXN10HzgbcIT2irNsj4bk+x+2TtY/hrhX3hJ4N8rB33FeBr23bmAPxclbcZjwdF9KvhAjDC6z7NAbsJ/MF2cQwDvT2RzJpqdO78AQOKW319sUnJQuj5bpHzzgXidXLxf8UPuS6ZQ1pjDswVLIaBhUlYNZ3AUzNHTxEU0Qyhbn+jhORDqsAkU2nfpoWs6467drTqleIBXXy3e8xOssFkLfZ2jjXwh7BieJRand6oDS+9b7pPXTMRykI9CqPLR/EuDHLkELLJy9qXT4oZJStYAPfbiUM0k9CbwsVkW2/rKtqDtlRTaeKUpeXDwIDBfP/x4r5Q0LsvQz66y4/GKxMQMY4y7ijGLeeOOEgN6Abbf3vwIyrap0TeHs/CnpwUjFqy6TmAzPrs0p2W2Bhs9NsqNDVDCXCz8goUXz7RhDkLNNhSBv7zIKNjf75134UEKj4iLfND28Z4wTWm08v1TzPHs44JwmA3YB6GbEC+hPGO9f1PjAh1OpjwlrCp/gjFYCRTvrYfWw5aJtn/gbqwtQwiObmV3WgdjPvizN5vGVsPw3sMDQN0Q7wOwI7NMqtUCUEl6NcDiz90bh4Vg8ToFWnjr5Xua56BivvqqdOZ33jadA0caRDM/cfa6bGB5l/wfLXsNDqASK2arF6Fa36XHIWbHR8VpgwQlIfm650a50xhjfeNQYqBGh/qGLGFI1hYloh6RlcuL3y4Ft5VFrcmdekqTcChDp3yuEXTzfpN5NGwTqPIPU2OfQA8kOsiExysvT92uGByr8jZMUjqz0bInMT1rCNRTrEeq4jMpHkQ5hBqkB/Mk3mafIAIQfFse9nDBpM5bM=
Content-Type: multipart/alternative; boundary="_000_SA1PR15MB4370E0505044F972994D654DB32C2SA1PR15MB4370namp_"
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR15MB4370.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6e4ddcb7-c74e-409e-8d1d-08dc47d3b5a9
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Mar 2024 05:16:19.0881 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 25/VXAUBXZhj/0vR1+1JZuByjId+i0EIuhvzV7QAkXAtFdF75Ckxe0yyfybojmbO
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR15MB4697
X-Proofpoint-ORIG-GUID: GloTaSvqO7qt6cpkGstZqbbDeTBHRKRi
X-Proofpoint-GUID: GloTaSvqO7qt6cpkGstZqbbDeTBHRKRi
X-Proofpoint-UnRewURL: 4 URL's were un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-18_12,2024-03-18_03,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/cUJR75J12qVmhg45a3Ghdp_BNHw>
Subject: Re: [Masque] DNS in connect-ip
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 05:16:28 -0000
Thanks for the context. I think ChromeOS is an interesting example. From the user's perspective, the distinction between Chrome and ChromeOS on the same device is generally uninteresting, and they likely wish to designate a single "VPN" for both. This could be done by configuring the system with a connect-ip proxy, connect-udp proxy, and DoH server. Chromium would use connect-udp and DoH directly, bypassing connect-ip entirely. The rest of the OS would use connect-ip, and non-browser DNS queries would be tunneled into DoH via a local transparent forwarder. (This is similar to how Chrome currently bypasses Android's transparent DoH forwarder, preferring direct DoH to the same DNS server.) If configuration provides only a connect-ip proxy, that will result in unnecessary transfer overhead, MTU loss, and redundant congestion control. The engineering necessary to avoid that seems straightforward, and if the standards are missing a piece for that then we should add it. ________________________________ From: David Schinazi <dschinazi.ietf@gmail.com> Sent: Tuesday, March 19, 2024 12:49 AM To: Ben Schwartz <bemasc@meta.com> Cc: MASQUE <masque@ietf.org> Subject: Re: [Masque] DNS in connect-ip Hi Ben, While your proposal sounds interesting, it doesn't match how we are implementing MASQUE in practice. That's because for most implementations, the application and OS are different entities. In particular, we're deploying ZjQcmQRYFpfptBannerStart This Message Is From an External Sender ZjQcmQRYFpfptBannerEnd Hi Ben, While your proposal sounds interesting, it doesn't match how we are implementing MASQUE in practice. That's because for most implementations, the application and OS are different entities. In particular, we're deploying CONNECT and CONNECT-UDP in Chrome, but are interested in CONNECT-IP for ChromeOS. (And I do realize that those two products have similar names and are built by the same corporate entity, but that's still how they work.) Because of the realities of the platform, we do need a "90s style" DNS configuration mechanism for the OS. That said, I'm not saying I dislike your design - I think it's something we should also explore. But we can do that in parallel with what I'm proposing for DNS in connect-ip. One doesn't preclude the other. Thanks, David On Mon, Mar 18, 2024 at 9:30 PM Ben Schwartz <bemasc@meta.com<mailto:bemasc@meta.com>> wrote: I think this would be a good and logical design if we believe that connect-udp, DoH, DNR (RFC 9463), PvD, etc. should not be combined with connect-ip. In that case, connect-ip needs some kind of basic 1990s-style in-band DNS bootstrap mechanism, like DHCP or IPv6 RA, resulting in things like INTERNAL_IP4_DNS in IKEv2. I would prefer a design where these standards are combined into an integrated package, with DNS specified alongside connect-ip, connect-udp, etc. That would allow a variety of behaviors that are difficult or impossible in this draft: * Clients could do a DNS query, get an HTTPS record, and then choose between connect-ip and connect-udp based on the indicated ALPNs. * DNS could use a secure transport (without the delay of a DDR upgrade and reliance on IP certificates). * DNS queries could avoid various inefficiencies of conveyance over connect-ip. * Clients could use connect-ip's "target" and "ipproto" fields to connect to a destination selected via DNS. * Clients could avoid establishing a connect-ip tunnel that turns out not to be needed for any current destination. * connect-ip and connect-udp could share a DNS configuration (which logically applies to both). * Clients could be protected from domain hijacking by draft-ietf-add-split-horizon-authority. Overall, I think connect-ip, connect-udp, and DNS are all building blocks for a complete access service, and we should combine them via an overarching configuration, rather than trying to extend each of them as if it were the main "entry point". Vending a "connect-ip" template directly to a client should be viewed as an extremely low-level configuration flow, similar to manually entering an IP gateway. Not coincidentally, this is basically the argument for https://datatracker.ietf.org/doc/draft-schwartz-masque-access-descriptions/<https://datatracker.ietf.org/doc/draft-schwartz-masque-access-descriptions/> --Ben ________________________________ From: Masque <masque-bounces@ietf.org<mailto:masque-bounces@ietf.org>> on behalf of David Schinazi <dschinazi.ietf@gmail.com<mailto:dschinazi.ietf@gmail.com>> Sent: Monday, March 18, 2024 9:29 PM To: MASQUE <masque@ietf.org<mailto:masque@ietf.org>> Subject: [Masque] DNS in connect-ip Hi fellow enthusiasts, Some colleagues recently reached out to me asking about implementing connect-ip into their platform as a VPN client, next to their IKEv2/IPsec implementation. However, they rapidly found that connect-ip didn't have ZjQcmQRYFpfptBannerStart This Message Is From an External Sender ZjQcmQRYFpfptBannerEnd Hi fellow enthusiasts, Some colleagues recently reached out to me asking about implementing connect-ip into their platform as a VPN client, next to their IKEv2/IPsec implementation. However, they rapidly found that connect-ip didn't have a way to communicate DNS servers in-band, and that's a pretty important feature that almost every VPN protocol supports. Back when we standardized connect-ip, we had decided to not put it in RFC 9484 and that we'd do it later as an extension. Now that there's implementer interest, I think it would make sense for us to work on this. So I wrote up a quick draft about this: https://datatracker.ietf.org/doc/draft-schinazi-masque-connect-ip-dns/<https://datatracker.ietf.org/doc/draft-schinazi-masque-connect-ip-dns/> The chairs have gracefully accepted that I present this in the as-time presents section of the agenda today. I wouldn't expect anyone to have read the draft by then, and I'll cover the overall idea in the presentation to gauge interest, but I thought I'd still post it in case someone's bored between now and the session later today. Cheers, David
- [Masque] DNS in connect-ip David Schinazi
- Re: [Masque] DNS in connect-ip Ben Schwartz
- Re: [Masque] DNS in connect-ip David Schinazi
- Re: [Masque] DNS in connect-ip Ben Schwartz
- Re: [Masque] DNS in connect-ip David Schinazi