[Masque] comments on draft-schinazi-masque [was:Re: Splitting MASQUE Obfuscation out of MASQUE]
Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Mon, 13 January 2020 17:40 UTC
Return-Path: <mirja.kuehlewind@ericsson.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8584D120915 for <masque@ietfa.amsl.com>; Mon, 13 Jan 2020 09:40:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lUtgKxiN85Rm for <masque@ietfa.amsl.com>; Mon, 13 Jan 2020 09:39:59 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2078.outbound.protection.outlook.com [40.107.20.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43198120913 for <masque@ietf.org>; Mon, 13 Jan 2020 09:39:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=E7nsmVBBCdl1364jJXcJI1JM2Om1dfCLZK4Oe+31GOIUjv/Qs3TL2SSXhC4Pzwo+ouabOvgeL0/9PqRIeXqRJZMskW4uG438MbKiyD6WW9/bXrZBed/zOXZgs1JDfDKK8ZnHFXkEoKgMSgnXHcenlbDK36ARywLlCRhcacEIz4bMXrM+P+MlnJKQLw+ARflcLayjWQr+WiIfwUiuNyE5l6KdKCoBB2h89zXBTIsbBPgLNI9ue6Jhk36f9aFt8Ohca8N99gWGKWA5Qd1hlc5zrPtVh9Tk5JixwkmQZaM7yP6q/rSvdLJzza4lEfh4zOhnbcqHxxNMvnjOPDahCUfEag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pULxVeNDqbCMyv3xT0FCH/RPv8+zppGDQjucmGGkOwY=; b=M+v+6bF9LKaVT2Fh4s8EVwxN9ZPVSjk1tT9R+9bRMToYCjq1asnHkkKHlftjSP/ljEexIJwpVfvvvgHfZlu3xp7w4UIosFdu6dfhx2PapxhRLfImQqwdV7o4V54ympdVHUg+wwMmh1QRNYystHK7WZMewZ7gpUM5/vlpHQAkCd6S8jyZ0NYJ97VdN14qDhFV0fShZxjnOg62GnOg8s7GmLiBn7m1g8GuakaCNlcgMFasQagPzNo7mfVYuamNui2W+EUuEWdySk0w/kF8oQditQbcC4wFFvMZGZGps8JIgsORqvazt3Rmpn7PS6iVgRBiod6F6dX4bNxV7Xg/24rj+Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pULxVeNDqbCMyv3xT0FCH/RPv8+zppGDQjucmGGkOwY=; b=OST68BpAubbthETE7feVL5LWkLhouNEsLKEO7UoobqXL3MtbLyIGrzPyxiO02w3eF4oJsMTNZNoVyecQf1+WjtgGcxCYYn7r13DPA0UDVKSP3jV05Dfde3ZngUWpN8cRsfw+Queq9EU1L/wVl163yVukv34Tg4GkCYwYGGLHLWA=
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com (52.135.149.158) by AM0PR07MB5604.eurprd07.prod.outlook.com (20.178.82.84) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.6; Mon, 13 Jan 2020 17:39:56 +0000
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4879:46ae:16e:f5b7]) by AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4879:46ae:16e:f5b7%7]) with mapi id 15.20.2644.015; Mon, 13 Jan 2020 17:39:56 +0000
From: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
To: David Schinazi <dschinazi.ietf@gmail.com>, "masque@ietf.org" <masque@ietf.org>
CC: "maxime.piraux@uclouvain.be" <maxime.piraux@uclouvain.be>, Olivier Bonaventure <Olivier.Bonaventure@uclouvain.be>
Thread-Topic: comments on draft-schinazi-masque [was:Re: [Masque] Splitting MASQUE Obfuscation out of MASQUE]
Thread-Index: AQHVyjh4MT/aHM32KESuKte+j5q+Fg==
Date: Mon, 13 Jan 2020 17:39:56 +0000
Message-ID: <1AD99831-1AFB-482A-ADEA-24C7AE04C419@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mirja.kuehlewind@ericsson.com;
x-originating-ip: [2001:16b8:2c8f:f800:120:9f01:13a8:3d8c]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 146db660-b845-4438-c2a0-08d7984f9b23
x-ms-traffictypediagnostic: AM0PR07MB5604:
x-microsoft-antispam-prvs: <AM0PR07MB56049AF1FFF01AC0AB1F43EDF4350@AM0PR07MB5604.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 028166BF91
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(366004)(136003)(396003)(346002)(376002)(189003)(199004)(2616005)(6506007)(53546011)(81166006)(81156014)(33656002)(6512007)(186003)(2906002)(66476007)(91956017)(66946007)(66446008)(71200400001)(64756008)(76116006)(66556008)(8676002)(36756003)(8936002)(54906003)(6486002)(5660300002)(4326008)(478600001)(966005)(316002)(110136005)(44832011)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB5604; H:AM0PR07MB4691.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Ck36LeZ5fXGF/h5vIJmue5MdMXx48E1wJny8k9bWf2jjRXrnWyy7B130Ak1usJBaW2in7rqC+iBOxQ/24TF3X85PfG5k51Cn46xLzTnCFwVC5C+vKNwWIrpPRCcpeEr/DUD2gtJeuxrUeQQc0ixwDZEn/4wYSlQf6O98JjLaBnEuXmizHUaswjXaEf67YmVhN9BzSsx/imGCNFRJ6KxaP2jDbPE0/wMolrjWZj94l57FJTMthiktUS9x9lFNXu3LxZon/96Fjf+UhkrxHiDVJ9i05kakM5RNqjZ9M0+YptRsc9OmnbTKJhc+AE3+5AnVqJZGIRm/ZQgoGw0EVMiUjgKDPJQ3jqozXc38ez3FJ60amCnkJBlUzyyVPAjmOejeqdJl72S2oCfKGUQDfQ6pU6q9uoSlPHAN+ITRHVFYdc0Er/IZSX7QKRhOmm5zBJKyHTl1hpHNXd04Kxn3YtPqXUJmhD/vkjPPAPUVWFfd3w1eBUpYuujKbXlLSESom8d6gxBWqzPVTPOqAXbzinhrTg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_1AD998311AFB482AADEA24C7AE04C419ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 146db660-b845-4438-c2a0-08d7984f9b23
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jan 2020 17:39:56.7835 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: GcInPNXLtHn14Qko6j3QXPXH3mBoi0cIL5nd3/CvV8DYXAu+E5q/tje4ZO+V2hu9yrOwMGRcYAiLGKSZYN8gVY2QPwrw6c3zHoIbfk9S35I=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB5604
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/eHYpBi9FMhAjhH8Dd9vBNR6jXyc>
Subject: [Masque] comments on draft-schinazi-masque [was:Re: Splitting MASQUE Obfuscation out of MASQUE]
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2020 17:40:03 -0000
Hi David, thanks for splitting the document up! I guess the last paragraph in section 4, as well as section 6 and the IANA considerations in draft-schinazi-masque-obfuscation-00 could/should have also been moved to/left in draft-schinazi-masque-02…? A couple of comments/questions on draft-schinazi-masque-02: 1) The draft say at the beginning of section 3 “As soon as the server has accepted the client's MASQUE initial request, it can advertise support for MASQUE Applications, which will be multiplexed over this HTTP/3 connection.“ I wondering what you actually mean by “multiplexed over HTTP/3”. I believe the idea here is that you would always send a HTTP connect first, however, I would assume that you then leverage multiplexing on the QUIC layer, especially when you proxy (non-http) QUIC traffic or other UDP traffic…? Can you further explain?! 2) And also regarding the proxying of QUIC/UDP traffic: As far as I understand you propose to only use QUIC datagrams for this (+ potentially one QUIC stream as control channel?)? My thinking was that you can also instruct a MASQUE server to forward all data on one QUIC stream to a specific server. Yes, this would make the MASQUE proxying reliable but e.g. in case of a high loss link between the client and the MASQUE server this could actually be beneficial. Further I understand that more work is needed on the mapping of datagram-ID to target server but just mapping a certain stream ID to a target server would also be easier. In our work at Ericsson, we assume the first stream opened to be some control stream that then can be used to indicate forwarding requests/mappings for other streams as well as any additional data that the client and MASQUE server may want to exchange at any other time during the connection life time. 3) There is also work in draft-piraux-quic-tunnel-00 (adding authors in cc’ed in case there are not on this list) which I think is related. They also use QUIC as tunneling protocol to an immediate proxy. On each stream they first negotiate the forwarding capabilities based on a TLV-based protocol and then, after an end TLV message, switch over to the actual payload data that is supposed to be forwarded. I think this is align with the TCP converter working in tcpm, however, given QUIC supports multiplexing I think it is actually not necessary to prepend the negotiation part on the same stream, rather than using a separate control stream for that. In any case I think both proposals are indented to support similar functionality and therefore the signaling protocols should probably be aligned. Any thoughts here? Mirja From: Masque <masque-bounces@ietf.org> on behalf of David Schinazi <dschinazi.ietf@gmail.com> Date: Wednesday, 8. January 2020 at 23:01 To: MASQUE <masque@ietf.org> Subject: [Masque] Splitting MASQUE Obfuscation out of MASQUE Hi MASQUE enthusiasts, One piece of feedback I've gotten about MASQUE was that there is more community interest in working on the "how do we make better proxies running over QUIC?" question than on the "how can I hide a VPN behind an HTTPS server?" question. Therefore I've split out the hidden VPN use-case into its own draft, named MASQUE Obfuscation: https://tools.ietf.org/html/draft-schinazi-masque-obfuscation The core MASQUE draft is now more focused on laying out a generic mechanism for multiplexing applications over QUIC: https://tools.ietf.org/html/draft-schinazi-masque Conceptually, MASQUE Obfuscation is now just a single use-case for MASQUE among others. In terms of next steps, I'll be working on fleshing out the specific protocol bits of MASQUE, and on a draft charter to discuss the potential creation of a MASQUE working group. More details to follow. Thanks, David
- [Masque] comments on draft-schinazi-masque [was:R… Mirja Kuehlewind
- Re: [Masque] comments on draft-schinazi-masque [w… Maxime Piraux