IETF Logo Mail Archive

Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"

Alex Chernyakhovsky <achernya@google.com> Tue, 29 June 2021 18:07 UTC

Return-Path: <achernya@google.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94B523A3C7B for <masque@ietfa.amsl.com>; Tue, 29 Jun 2021 11:07:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AtNqeIyG6Qwd for <masque@ietfa.amsl.com>; Tue, 29 Jun 2021 11:07:53 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95A773A3C79 for <masque@ietf.org>; Tue, 29 Jun 2021 11:07:53 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id u8so238643wrq.8 for <masque@ietf.org>; Tue, 29 Jun 2021 11:07:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=h/M1GJZZ/ok2/UVSyfFVcaSTIZOaBR53pcSK8KREbS8=; b=TanORge6UCVBvhFk2c2oyNDwpJ/V+OFkjzbTf51nma+EnvEJFmwkWCuGtp9AxMaxC/ q/qEEU8SfiI4lXCIR1ico5j+4gkDI5FhgyE45271NbIEbtrbyQT3GRcx+koYPnpZOEVd UDbqAYIOAZu2dCd2ShafCrOeLp5pHuXZEyjX65OHXlrs+EEEUyS7WJYSV0IjHPCA1RU8 ZBFk+nwwvcX1z7ZQG7V6HCueY22RDEe3SpqFhvMISrJvE0r8Ct283tdKvON7YwOjB/Ws oKlIA8yYVoyq6YoAmVhadjPq/Bnpn4ltEm9QBc+WHA/SYuhYR6PQb3aHw3DI7wJtn4wv XlSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=h/M1GJZZ/ok2/UVSyfFVcaSTIZOaBR53pcSK8KREbS8=; b=FM/BDYd12TAEOdZvxHvdMKtvalZPmwRa3ynWL0QUO9YeA0dyCM5aZCZToDotzBLka5 d5OTKQwm0a/IhDuLjxffQ3A0ge/pgrfByFnH9/mWnzd+UrwS83xIon/Xb70sjbTIy9pD iRplvozsk7jRIFyPy922qY2v/Ok/0icHri9nWY2XXNGNfpTgA+Uu/IzfPwlD1MbgFnny O1Z5VCsfCKfr4m/t/KmtZMr9YjmPQ6T1E0hGoBCap9cQ53peMx1T/hsWCjXbt9n36YSo jjoy5Rj38C4zRSZoa4n6BcZt2n3EY7J4anLL1ooIiE78HuAWZq4GT/xGOdnJWvuOSSdF GOzQ==
X-Gm-Message-State: AOAM5315AofDENmsL1D/WsfxYGhCv8gJ/jtd+BcAK8Ap+J3NI58wm7DD mjnDmWJpyM4cV9AvCNCIN8ghhTYnYJKJb7X2RTP3TA==
X-Google-Smtp-Source: ABdhPJw4sD24Q7lwr7GeqJRLF58gaXCjOZlor4YjldKjkKhcH0cJR+5OUeozoF0w8AZRGHA5zKwz4FliL0uSENUBc4E=
X-Received: by 2002:adf:cc87:: with SMTP id p7mr36560305wrj.105.1624990070330; Tue, 29 Jun 2021 11:07:50 -0700 (PDT)
MIME-Version: 1.0
References: <d314198b-6c01-4b15-84d8-9896b5fdee80@www.fastmail.com> <HE1PR0702MB3772355483E2771650C6D679953F9@HE1PR0702MB3772.eurprd07.prod.outlook.com> <746F7E16-37BD-49EF-896A-649D394CCB05@ericsson.com> <CAPDSy+6PjZk0Kea6154V3=GF-8bs+0Mr+FtFfi-girGh3uAVrQ@mail.gmail.com> <3deea8212d66731de5c81abae353f3e9322f2d57.camel@ericsson.com> <CAPDSy+68DoVrRiC7uEn1-Ze_5LDn9mt7-f+ZeovTTYAUh=w2Og@mail.gmail.com> <21d8fc788051b570768e53d6d9355ed51b423c0a.camel@ericsson.com> <CAKKJt-d-FzXVdJpUTacb4m7ESyB6nzkk1BQSf8rHtReOvD=5Jw@mail.gmail.com> <CAM4esxSE=misCJX=73h-kF+RQdQLC2WBhwv3nv5QgR8HK17diw@mail.gmail.com> <CAM4esxQatk4-ENdz+2jCbpRtr8hT0nLWbVLbb64RMJwvBf2qDA@mail.gmail.com> <CAHbWFkQ6YAhqgbbsAPC-i2Rv-_LRZ4R3NKTk4of200GUt38A_g@mail.gmail.com> <91475be5-dee4-435e-a65b-1cde43ffff0e@www.fastmail.com> <74934214da56424b57d7985f49e58b20482d6310.camel@ericsson.com> <CAPDSy+6JU9trGDDPpNa+2Xirq=q0FtpOaE9Sy0gUmdXs=N36bA@mail.gmail.com> <9287d53cbca722b586b4a7684f07bbf89717fa3f.camel@ericsson.com> <CAPDSy+4DMD65w5Cigqc8W09NjjmXq0krtGasSEVuz+kyJwzGGQ@mail.gmail.com> <757d0b2b5828a7855f6bbdfcd8aa3ac7a6125334.camel@ericsson.com>
In-Reply-To: <757d0b2b5828a7855f6bbdfcd8aa3ac7a6125334.camel@ericsson.com>
From: Alex Chernyakhovsky <achernya@google.com>
Date: Tue, 29 Jun 2021 14:07:39 -0400
Message-ID: <CAHbWFkQp6KSeOitaXK-4=HCRqG24r3ayt00_oQ0D=XcwMQ6Wbg@mail.gmail.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Cc: "dschinazi.ietf@gmail.com" <dschinazi.ietf@gmail.com>, "masque@ietf.org" <masque@ietf.org>, "martin.h.duke@gmail.com" <martin.h.duke@gmail.com>, "caw@heapingbits.net" <caw@heapingbits.net>
Content-Type: multipart/alternative; boundary="000000000000e86bad05c5eb7b32"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/dcj3uYCXVb9PbjMnkFVuRJC_-V4>
Subject: Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2021 18:07:59 -0000

Hi Magnus,

Inline.

Sincerely,
-Alex


On Tue, Jun 29, 2021 at 6:02 AM Magnus Westerlund <
magnus.westerlund@ericsson.com> wrote:

> Hi David,
>
> On Mon, 2021-06-28 at 09:36 -0700, David Schinazi wrote:
> > Hi Magnus,
> >
> > Thank you for clarifying *what* you would prefer to see in scope.
> > Can you explain *why* you are advocating for those topics?
>
> So the reason I am advocating for additional care in relation to routing
> information is the fact that a malicous and successful injection of a
> route into
> a network can be used as an tool to attack third parties. You could
> potentially
> divert traffic to perform other attacks or monitoring for survailence or
> information gathering.


These concerns are valid, but they apply to a system implementation, not
the protocol. As we've discussed numerous times, these sorts of things can
be accomplished with IPSec, yet the IPSec RFCs do not go into the details
that you are requesting. I am not saying that we shouldn't have such
guidance, but we have no requirement that it appear in the same document
nor be published at the same time as the rest of the work we are currently
discussing. I believe we're all in agreement there --- but I don't
understand what concretely you're concerned about delaying if we are going
to be able to break things up into separate documents, if/when that becomes
necessary.


>
>
> And I think the main difference between the network to network VPN case
> compared
> to the customer VPN, is that the later only forwards traffic with a
> destination
> of the address/network the MASQUE Server lent to the MASQUE client. That
> makes
> the threat model match the leaf node, not a transit or multihomed network
> which
> network to network VPN easily create.


Again, this is a system concern, not a protocol one. A sufficiently
extensible protocol, as we are aiming to design, can handle both of these
cases regardless of what policy and considerations we end up having in
place. Our goal is to design this sufficiently extensible protocol.


>
>
> And with that change to the threat model the mitigations and security
> considerations are impacted. Which in terms is what I fear will delay the
> specification additionally. Do you think you can write a specification
> without
> bringing up the security considerations for the protocol field that carries
> route prefix information?


Yes, I explicitly believe we can do so, and this is evidenced by the IPSec
RFCs. For example, RFC4301, which talks about the IPSec security
architecture, makes no mention of this.

We cannot operate without some abstractions, or else we will end up caught
up in discussions that can make no progress. It is sufficient for us to
begin implementation work and note that security considerations exist and
operators are responsible for validating these routes per their own policy.


>
>
> The requirements document is very clear in Section 3.5 that a protocol
> mechanism
> is needed for route negotiation. That negotiation will be used to affect
> the
> MASQUE endpoints routing state. Which in its tern requires the
> implementation to
> consider which traffic it should accept. Yes, there is a trust question
> here in
> regards to authenticy and identity of who makes a statement about that
> authenticity in the request. But it is also a question of what threats are
> inherent in this mechanism and what each endpoint needs to consider when
> using
> this mechanism to safely use it to forwards traffic through the tunnel.
>
> > In particular, you seem to be treating the routing table as
> > something unique that needs to be handled differently, and I
> > don't understand that. Many HTTP methods involve changing
> > local state - if I click the Like button on a website, a database
> > gets updated somewhere, for example. The routing table is a
> > database, and it's unclear to me why it needs to be treated
> > differently. It seems absolutely reasonable to have text in the
> > security considerations section that states that servers shouldn't
> > let unauthenticated clients modify any server databases without
> > checks, but it sounds like you're suggesting that the protocol
> > solution document be opinionated about trust, and that would
> > severely limit the applicability of the protocol - various use-cases
> > will have different means of authenticating clients and picking
> > policies for what a client is allowed to do, and we cannot preclude
> > those.
>
>
> The routing information carried in a MASQUE specific mechanism that
> directly
> impact what traffic that MASQUE endpoint will forward and what mechanisms
> will
> be needed to mitigate threats is the same as any HTTP application. So this
> is
> not the same as a general HTTP using applicaiton. The HTTP using
> application
> will have to evaluate the risks with the implemented function in that
> application, just like I asking us to carefully consider the impact of the
> application MASQUE.
>
> And when it comes to authentication mechanism I think for interoperability
> it
> will be necessary for the MASQUE application to require something to be
> mandatory to implement, even if that is the Mandatory to implement by the
> targeted HTTP versions. However, MASQUE service clearly have similar
> considerations to TURN servers where the failure to early on consider if
> one had
> mechanisms that was suited to the use cases. The issue with TURN was that
> for
> example WebRTC services wanted to provision its users with user individual
> credentials where the TURN services could be a contracted thrid party
> service
> that supported many WebRTC services concurrently.
>
> But to conclude all I am really expecting is that the security
> considerations
> and the mitigations in the MASQUE protocol specification consider the
> MASQUE
> application in all its use cases listed in the requirements.


Again, we have to operate at a reasonable level of abstraction. What you're
suggesting amounts to turning these documents into a massive compendium, to
which I see limited benefit.


>
>
> Cheers
>
> Magnus Westerlund
>

v2.23.0 | Report a Bug | By Email