IETF Logo Mail Archive

Re: [Masque] Comments on draft-age-masque-connect-ip-01

Tommy Pauly <tpauly@apple.com> Mon, 08 November 2021 18:04 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C2023A0C6E for <masque@ietfa.amsl.com>; Mon, 8 Nov 2021 10:04:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cczvHhgS4E_X for <masque@ietfa.amsl.com>; Mon, 8 Nov 2021 10:04:09 -0800 (PST)
Received: from rn-mailsvcp-ppex-lapp35.apple.com (rn-mailsvcp-ppex-lapp35.rno.apple.com [17.179.253.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 281973A0C71 for <masque@ietf.org>; Mon, 8 Nov 2021 10:04:09 -0800 (PST)
Received: from pps.filterd (rn-mailsvcp-ppex-lapp35.rno.apple.com [127.0.0.1]) by rn-mailsvcp-ppex-lapp35.rno.apple.com (8.16.1.2/8.16.1.2) with SMTP id 1A8I2lG1020875; Mon, 8 Nov 2021 10:04:08 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=/zynrbpjp5mo4UmL+B61iUCTbqpOB89KOASapej72jQ=; b=GyDf4UjYQmuaeLVUiNHyvghtW/SJ8aF5Tox+oZprSvVxYPRtrynvDSAYvYHw9ZDIGs3S qjAY4NSbDL+MzjiIkufKpfr8RsOPPLdjpDXSD6wT+g7YpLoHn0o88TaCKK3DfvZ7eooK Nnf4R8pYfCLLDqKVm2VVFjEJWN3cxljmzjCSTTXhLzFvW3YqSZo5xsR0NZ4hky4yrDmg NRdm4njKG35N5aA9QhiA7JWVPJjUkMEp07ZN8gCU5KMigxvDu11VtL/XEqRhVjQ8X1SQ YzVGaWwoRw62ekE5ZQNv0Z0iHd5z/O+wgU/MlCyxmYMnYFIEMVQJ6yOdikcDSAnCfCm1 MQ==
Received: from rn-mailsvcp-mta-lapp04.rno.apple.com (rn-mailsvcp-mta-lapp04.rno.apple.com [10.225.203.152]) by rn-mailsvcp-ppex-lapp35.rno.apple.com with ESMTP id 3c5n8702pr-10 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 08 Nov 2021 10:04:08 -0800
Received: from rn-mailsvcp-mmp-lapp01.rno.apple.com (rn-mailsvcp-mmp-lapp01.rno.apple.com [17.179.253.14]) by rn-mailsvcp-mta-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) with ESMTPS id <0R2900ZN2M6BJJF0@rn-mailsvcp-mta-lapp04.rno.apple.com>; Mon, 08 Nov 2021 10:03:47 -0800 (PST)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp01.rno.apple.com by rn-mailsvcp-mmp-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) id <0R2900H00M1GRA00@rn-mailsvcp-mmp-lapp01.rno.apple.com>; Mon, 08 Nov 2021 10:03:47 -0800 (PST)
X-Va-A:
X-Va-T-CD: 7a77f9138d60728e010dfb6f2118f5e7
X-Va-E-CD: a61b26eed4e61b2c405a2b1c0712ee7f
X-Va-R-CD: 623019d6aa5019d09887d7e1d6a7d948
X-Va-CD: 0
X-Va-ID: cb4d7a36-0cdd-4b64-b437-a0e57f21c45f
X-V-A:
X-V-T-CD: 7a77f9138d60728e010dfb6f2118f5e7
X-V-E-CD: a61b26eed4e61b2c405a2b1c0712ee7f
X-V-R-CD: 623019d6aa5019d09887d7e1d6a7d948
X-V-CD: 0
X-V-ID: 17677f87-bee5-494a-a433-21170ae868ad
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-11-08_05:2021-11-08, 2021-11-08 signatures=0
Received: from smtpclient.apple (unknown [17.234.36.4]) by rn-mailsvcp-mmp-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) with ESMTPSA id <0R2900YGJM6AIZ00@rn-mailsvcp-mmp-lapp01.rno.apple.com>; Mon, 08 Nov 2021 10:03:46 -0800 (PST)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <F6EC2485-95BD-4D8A-BF8E-12E9B1F74253@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_74955FB9-3D7D-459B-8699-5DB3536DA352"
MIME-version: 1.0 (Mac OS X Mail 15.0 \(3691.0.3\))
Date: Mon, 08 Nov 2021 10:03:45 -0800
In-reply-to: <CABcZeBN1Q00hLijF9D1Wu7eGVDe_8jRR=QZ9t3gc-xtkee0=rw@mail.gmail.com>
Cc: MASQUE <masque@ietf.org>
To: Eric Rescorla <ekr@rtfm.com>
References: <CABcZeBMSe7JJ41EC+f1pyAFrm_+9TU2h=SY-_Xy5vX5wu8TgOQ@mail.gmail.com> <7C41DE50-EE9B-4084-8A1D-88471664E23E@apple.com> <CABcZeBN1Q00hLijF9D1Wu7eGVDe_8jRR=QZ9t3gc-xtkee0=rw@mail.gmail.com>
X-Mailer: Apple Mail (2.3691.0.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-11-08_06:2021-11-08, 2021-11-08 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/ew0p1Ahaza-16MCJgpMVlDD-zV0>
Subject: Re: [Masque] Comments on draft-age-masque-connect-ip-01
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 18:04:13 -0000


> On Nov 8, 2021, at 8:43 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Mon, Nov 8, 2021 at 7:52 AM Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>> wrote:
> 
> 
>> On Nov 7, 2021, at 3:12 PM, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>> 
>> This document seems like a reasonable starting point. Good to see
>> the authors converging. Some technical comments below.
> 
> Thanks for the comments!
>> 
>> Overall, I wonder if we should actually forbid the client from
>> using IP addresses in packets when the target is specified.
>> That would avoid goofy situations in which the client does
>> 
>>    CONNECT 192.0.2.1
>> 
>> And then sends to 192.0.2.2.
> 
> I think it’s more consistent to define the behavior of what error the sender receives when it sends a packet for which it didn’t have an assigned source address or a valid destination route. Is this cause for dropping the packet silently, sending an error capsule, or closing the request stream with an error?
> 
> I filed this to discuss: https://github.com/tfpauly/draft-age-masque-connect-ip/issues/43 <https://github.com/tfpauly/draft-age-masque-connect-ip/issues/43>
> 
> I could live with that, though I do like to make it impossible to do bad things.

Okay, let’s discuss on the issue.
> 
> 
>> 
>> S 4.1.
>> 
>>    target:  The variable "target" contains a hostname or IP address of a
>>       specific host to which the client wants to proxy packets.  If the
>>       "target" variable is not specified, the client is requesting to
>>       communicate with any allowable host.  If the target is an IP
>>       address, the request will only support a single IP version.  If
>>       the target is a hostname, the server is expected to perform DNS
>>       resolution to determine which route(s) to advertise to the client.
>>       The server SHOULD send a ROUTE_ADVERTISEMENT capsule that includes
>>       routes for all usable resolved addresses for the requested
>>       hostname.
>> 
>> This treatment of DNS names seems like it's going to create a lot of
>> additional complexity: for instance, how does the client know which IP
>> to put in the dst field. You don't specify that the
>> ROUTE_ADVERTISEMENT MUST *only* include valid addresses. For instance,
>> suppose that the DNS name resolves to
>> 
>>   192.0.2.1
>>   192.0.2.2
>>   192.0.2.4 <-- No 192.0.2.3!
>>   192.0.2.5
>>   192.0.2.6
>>   192.0.2.7
>> 
>> and the server advertises 192.0.2.1-192.0.2.7.
>> 
>> Given that this is an IP layer mechanism, I would simply remove the
>> DNS option; clients can always do DNS over the tunnel.
> 
> 
> I can see this either way.
> 
> For cases where I don’t want a full tunnel, but just want to talk to one host, I would need to open an IP flow for a DNS server. I could of course open one, and then open a proxied flow to each target address, and request the same local address I got on the first.
> 
> This would work, but is more back-and-forth, and also doesn’t give me a way to just ask the proxy to use it’s own DNS cache. For cases like CONNECT and CONNECT-UDP, we’ve found it very useful for latency to have the DNS cache run on the proxy, so that we benefit from all clients going through the proxy sharing the same cache, and not needing a round trip back to the client. To that end, I’d like to at least allow connecting by a hostname in the protocol (even if some proxies wouldn’t choose to support that).
> 
> I would make several points here.
> 
> First, while it's desirable to be able to use the proxy's DNS cache, it's increasingly insufficient to simply get the A/AAAA records, for reasons such as SVCB. For instance, you wouldn't be able to do ECH using the DNS version alone because you would need to look up the SVCB. So, while it does incur a round trip, it seems like you are going to need to do a DNS resolution for this case.

Yes, ECH does require doing a DNS lookup, but (a) ECH may not be applicable to the type of connection I’m doing with CONNECT-IP and (b) the records for A / AAAA / HTTPS / SVCB may have different TTLs and thus have different caching benefits.

> 
> Second, even taken on its own terms, if I understand this mechanism correctly, I think it's still broken for the reason I mentioned above. The problem is that you are using the ROUTE_ADVERTISEMENT as an implicit DNS resolution--to tell you what to put in the dst-addr. If that's true, then I think you need to require that the ROUTE_ADVERTISEMENT to be strict.

Yes, I agree that the route advertisement needs to be strict if this is allowed.
> 
> 
>> 
>> 
>> 
>> S 4.2.
>> Is the server required to send ADDRESS_ASSIGN? If not, what is the
>> client supposed to use as it's source address? Also, what happens
>> if you only get a v6 address but need to talk to a v4 endpoint,
>> or vice versa.
> 
> https://github.com/tfpauly/draft-age-masque-connect-ip/issues/42 <https://github.com/tfpauly/draft-age-masque-connect-ip/issues/42>
> 
> Probably the best thing to say is that any peer that can send packets MUST first have received an ADDRESS_ASSIGN capsule.
> 
> Regarding v4 and v6, yes, you do need the right family assigned.
> 
>> 
>> 
>> S 4.2.3.
>> You should probably say something here about how in many cases
>> you shouldn't trust a ROUTE_ADVERTISEMENT. For instance, it's
>> incoherent for an ordinary consumer VPN client to start
>> advertising routes.
> 
> A full-tunnel VPN server may not have a complex routing table, but it’s still possible to have some “excluded” routes that won’t be allowed (private subnets, etc). Traditionally, most VPN protocols do always include the route information. The “trust” here is just about what the endpoint is willing to route/forward.
> 
> What kind of warning were you imagining?
> 
> "Note: peers MUST NOT blindly trust ROUTE_ADVERTISEMENT. They MUST filter it through local policy"

Hm, OK. What would “local policy” be here? I guess in the case of personal VPN, my client may expect a full tunnel, but if the server tells me I can’t route to a specific subnet (maybe it doesn’t allow 10.0.0/24, reasonably), my only recourse would be to fail the connection, not to try to send to addresses that are disallowed.

Tommy

> 
> -Ekr
> 
> 
> Best,
> Tommy
> 
>> 
>> 
>> 
>> 
>> -- 
>> Masque mailing list
>> Masque@ietf.org <mailto:Masque@ietf.org>
>> https://www.ietf.org/mailman/listinfo/masque <https://www.ietf.org/mailman/listinfo/masque>
> 
> -- 
> Masque mailing list
> Masque@ietf.org <mailto:Masque@ietf.org>
> https://www.ietf.org/mailman/listinfo/masque <https://www.ietf.org/mailman/listinfo/masque>

v2.23.0 | Report a Bug | By Email