IETF Logo Mail Archive

Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"

Martin Duke <martin.h.duke@gmail.com> Mon, 07 June 2021 19:25 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 680713A4282 for <masque@ietfa.amsl.com>; Mon, 7 Jun 2021 12:25:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I6dZheCJNFWb for <masque@ietfa.amsl.com>; Mon, 7 Jun 2021 12:25:31 -0700 (PDT)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A6B53A4281 for <masque@ietf.org>; Mon, 7 Jun 2021 12:25:31 -0700 (PDT)
Received: by mail-il1-x129.google.com with SMTP id b5so17271049ilc.12 for <masque@ietf.org>; Mon, 07 Jun 2021 12:25:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ehx8m3Efzq8xCPv7bVUpA2Ap1CNHlgrnfHPmn4nLzMY=; b=hXRKqYDcqnXhEPufdIva0pt16QtVpHe/4OJlsQic/jtuu/jfFhjvzI5qbdbt403ClL 2C9HQvOUPtLEdxIokFBPo8Ws8oliM8PbczAIuptdC+495rsXWMkJpj6XjvvLg24EAy4m CzvlSDfPQx+2K6vPvoewngnO3fVLfeltXf8x4CpR1WfWVlIdxLHs9Q6CwvYHvCl8T/O8 CTP35vte3eHTtZT+pIz38xmQLNcJpdJL+VLyOq+rOxf7Lq76swXFcMEvSEMo8xNYK0RN SUYGBZ6H41hhJNrqisu/etcBn30VVaA8Em6gum26PzUpzZydAO1Sups73RvbXd4u7/f5 Tshg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ehx8m3Efzq8xCPv7bVUpA2Ap1CNHlgrnfHPmn4nLzMY=; b=YzjXNWUEdH21eGf0ocXBKQTcX3mnrUsYMPRmEodsVj5Exo93qj0vPDtxsiDDLAsOCT y8+0Ws47pJEOvQFbaNRSsB0fq8RbD4Fvn2ix0QVi0CglQKRNDYoSY12vb15qNgn4u/4u YFAktOeDtL7a3TcYXaVRPioI3xVWRsB2q+3UCrmrfiiJgoJo4onDIuSn4lJAl6HlOkzP 6vR/55X3r8+jEKt+8JEabe2F1qpGmAAwtvsbTJNq656VOHZDFSd6jNoaPmiuhq2qaAas 9yPfRcqOEaAr/aG0eHWGfqj4S5Jsshfnta+2DU7VWa5Xnq5fihE8UJV9tuh3K6B629SO ulJg==
X-Gm-Message-State: AOAM533d9uE3gAOgJise9Xh1M7iCm9saLSGJNujJbOewA66O3n31iaxI E0XhebK/E87BPOkuaRTOzEbK7i7B8G50/q8rz/E=
X-Google-Smtp-Source: ABdhPJye9CAE3m19Y3ECwXCXRgKR1vkVbGO5NeDsmoxrjVISRoOxUVPoHaMF5c62+QCbvf+L45xHoduWypATE9e2a+s=
X-Received: by 2002:a92:ce82:: with SMTP id r2mr8813658ilo.272.1623093928426; Mon, 07 Jun 2021 12:25:28 -0700 (PDT)
MIME-Version: 1.0
References: <d314198b-6c01-4b15-84d8-9896b5fdee80@www.fastmail.com> <HE1PR0702MB3772355483E2771650C6D679953F9@HE1PR0702MB3772.eurprd07.prod.outlook.com> <746F7E16-37BD-49EF-896A-649D394CCB05@ericsson.com> <CAPDSy+6PjZk0Kea6154V3=GF-8bs+0Mr+FtFfi-girGh3uAVrQ@mail.gmail.com> <3deea8212d66731de5c81abae353f3e9322f2d57.camel@ericsson.com> <CAPDSy+68DoVrRiC7uEn1-Ze_5LDn9mt7-f+ZeovTTYAUh=w2Og@mail.gmail.com> <21d8fc788051b570768e53d6d9355ed51b423c0a.camel@ericsson.com> <CAKKJt-d-FzXVdJpUTacb4m7ESyB6nzkk1BQSf8rHtReOvD=5Jw@mail.gmail.com>
In-Reply-To: <CAKKJt-d-FzXVdJpUTacb4m7ESyB6nzkk1BQSf8rHtReOvD=5Jw@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Mon, 07 Jun 2021 12:25:23 -0700
Message-ID: <CAM4esxSE=misCJX=73h-kF+RQdQLC2WBhwv3nv5QgR8HK17diw@mail.gmail.com>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, David Schinazi <dschinazi.ietf@gmail.com>, MASQUE <masque@ietf.org>, Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>, Christopher Wood <caw@heapingbits.net>
Content-Type: multipart/alternative; boundary="0000000000000a843c05c432011d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/i2TlU6w-asaHWfhBwd6F2zAVXDQ>
Subject: Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2021 19:25:36 -0000

I'd like to step in here as AD and make sure we are not talking past each
other here. IIUC:

(1) Magnus and Mirja do not want to implement 2.4.
(2) The authors want to make sure the design is extensible to support 2.4,
but are OK with some endpoints not supporting it.

It does not appear that there is tension between these points. However, I
understand that Magnus is concerned that 2.4 will hold up the core proxy-ip
draft unnecessarily.

As AD, if we come to that point, I see no requirement in the charter that
this be one or two documents; if the option is holding everything up, it
can go to the IESG while 2.4 has further refinement in the WG. I don't see
that we have to make this decision now.

Regarding the document at hand, the existing Sec 2 offers the possibility
that all of the use cases are optional. It does not preclude the path that
appears to have consensus.

Is that consistent with others' understanding?

Martin

On Mon, Jun 7, 2021 at 5:06 AM Spencer Dawkins at IETF <
spencerdawkins.ietf@gmail.com> wrote:

>
>
> On Mon, Jun 7, 2021, 03:15 Magnus Westerlund <magnus.westerlund=
> 40ericsson.com@dmarc.ietf.org> wrote:
>
>> Hi David and WG,
>>
>> Let me attempt to clarify a bit why I have made the comments I have made.
>> I think they do stem from interepreting the network to network use cases as
>> a very general technology and from the perspective of deploying this with
>> clients which the server has limited trust in. I realize that you are
>> likely comming from another perspective that you only intended to use this
>> in cases where you have fairly high mutual trust in the client and the
>> server. I think that is actually the major difference here and why you
>> below think I am making a circular arguments. I think it all stem from lack
>> of discussion of this use cases and what operational limitations we
>> intended to have on the protocol.
>>
>
> I don't know if this would have helped, but I do wish we could tell
> (explicitly, in the requirements draft) which requirements arose from
> various use cases.
>
> I'm pretty sure that most participants think they know that (likely), but
> also think that other participants have the same understanding (perhaps
> less likely). I think that's what Magnus is saying here, if I'm reading the
> thread correctly.
>
> Do The Right Thing, of course.
>
> Best,
>
> Spencer
>
> So if the goal here is to have high mutual trust between client and server
>> then I think a protocol solution may be able to be defined with such an
>> applicability statement and less mandate on necessary protocol mechanisms
>> to protect against malicous peers. I think that is in stark contrast
>> against some of the other use cases where the trust in the client could be
>> rather minimal. Like the client and server relationship is only this is a
>> paying customer that gets a VPN access and the server has no idea what type
>> of client or implementation that are the peer. This basic use cases will
>> deploy with an addressing architecture that makes it much less vulnerable
>> to malicous intent on the routing level.
>>
>> So, can we please discuss what assumption we have on the client and
>> server trust?
>>
>> I also think your attempt to sweep the addressing schemes to be used by
>> the servers under the rug and not disucss them have hurt the understanding.
>> I at least have been guessing on possible deployment scenarios rather than
>> that we have openly discussed them in the WG. Yes, they maybe not need to
>> be detailed in the protocol solution or an arhcitecture document, however
>> they would have made sense to have some addressing deployment scenarios in
>> this requirement documents use case section to make clear what would have
>> been intended. Because they do influence what is needed for the solution.
>>
>> Cheers
>>
>> Magnus
>>
>> --
>> Masque mailing list
>> Masque@ietf.org
>> https://www.ietf.org/mailman/listinfo/masque
>>
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>

v2.23.0 | Report a Bug | By Email