IETF Logo Mail Archive

Re: [Masque] Updated proposed charter text

Martin Thomson <mt@lowentropy.net> Mon, 06 April 2020 02:12 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76DB23A0BBD for <masque@ietfa.amsl.com>; Sun, 5 Apr 2020 19:12:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=eJ1AB08c; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=4ftm6ieV
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AmkFfW8JNEcD for <masque@ietfa.amsl.com>; Sun, 5 Apr 2020 19:12:16 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1971E3A0BB6 for <masque@ietf.org>; Sun, 5 Apr 2020 19:12:14 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 5D35B5C00EE for <masque@ietf.org>; Sun, 5 Apr 2020 22:12:13 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute2.internal (MEProxy); Sun, 05 Apr 2020 22:12:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=W4xuuOQM4Yf2NaupIvP2Qr4gAszrFuK X9SUsmDiUuak=; b=eJ1AB08cUyRLBOLxhmmAI73sj9HWMfevPk8W8nWeYrmfHxe l4rSQhyfWDHSnycqxLWsutK73zKqoWsK5s4jYhtJnzMQn6c5oo64IfU6NcgHrfuK p++jzgMoyk89LLkA6wMuJAZI8T1CVPDYjJPUOyVSMVfyCU8x5QiVxwsXPM/m2LXf 81Bmc/GLEYeamctg9l9FFo1V5/rfvBAlIg1NTwa1yc2PkH1WjsTYVXiF8VTjtSun CzvVWUpWZIzIKHXlQdSPZ1SQHQgvkknq69VKtpwTfir7IS/SKRF+J16nsMXEyeVS MS5LM/BMFvzOWzHRNx4qiSnPvXf6oyzRCHbCmHQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=W4xuuO QM4Yf2NaupIvP2Qr4gAszrFuKX9SUsmDiUuak=; b=4ftm6ieV75N+twG7ezYjt+ Vjwh9Tjxxs1duQIlxlaTiQlccMHFvCWUuKk8ZETI6iuWQsRqO9DJ56/c0QJrLpu0 CUnSzXz/B/C+if5w7xTrN8zz0Oo7rlYh5qoo/mTXiVRpRDpQv7CZnUfTcUjcuYGq 07LlrQytrbnCs+6VaBiYZCVSGzgKo/OTLETJOoAeUfuHD4zUO3WHCC8xu9XEHMBL TtfzUiNR3HDkFvzdAPWSZdxVQ98RO7pnpLQVDQeMemBXnofjlF4yWLuCpaDoyUuN DlzPMnlBQce/PPdg2IamNdPKaSL+mDzJo2EUkvP5eV6Ym2iBr9CPg3Qi6KigEOng ==
X-ME-Sender: <xms:_I-KXtJkbBuMeswGWezLOuYueJ8SrUJ5uElB4cNlQrhHJ6_1UFJqhg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedruddvgdehjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpe hmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:_I-KXtaOeL6j36byULf_brMZjle70fF7jlo9KtCQTeBYHqa39u4F8w> <xmx:_I-KXgsCnGx9-UXFGRQTLfkiPIGRyi3fAxDg1nUU9QfJetaNAMnVAg> <xmx:_I-KXivKZeP5pbTFQK-aiVhflhqKhEoUdI-D4TdU7FRIMD6DnJMd1A> <xmx:_Y-KXljScqHPTNiaajqDOs3pUafExe0OuDXYbTUlFWFURZHPK-mlAQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id D6CEFE00E1; Sun, 5 Apr 2020 22:12:12 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-1082-g13d7805-fmstable-20200403v1
Mime-Version: 1.0
Message-Id: <33a095a8-ad11-478a-8669-96e1d0d960dc@www.fastmail.com>
In-Reply-To: <CAHbWFkQ+J9HZfeAX0Z1_0+Nmaj9+NzU9Vf+_8T9o2ixqnwNKfA@mail.gmail.com>
References: <89136f8b-70bd-40a0-b6d1-0e8a62a50ece@www.fastmail.com> <CAKKJt-dJqTYJPj0u7mZvaJKoiRX7oXeQCSyQV9xN_zkzHY-LXQ@mail.gmail.com> <48dcc4c3-0039-4de4-9028-c2059b34140c@www.fastmail.com> <CABcZeBPiT+gWCV0QZyoUNzyAgQ_5MHgi+uk7aaAQ-t0te3f5tw@mail.gmail.com> <CAKKJt-fWC_6Cy-tB=chKUaECC1wXsbzArxK27E1AuvnaUUS9Qw@mail.gmail.com> <CAHbWFkTfUBbgeEMwMP_Gshp2MH2QFQ4fvBc3EHTu7gtRXWJpxg@mail.gmail.com> <CABcZeBNVFKyeCo2+7yXbOB66RMSBhwjip8+hpsz+a+a6R2sUsQ@mail.gmail.com> <CAHbWFkQ+J9HZfeAX0Z1_0+Nmaj9+NzU9Vf+_8T9o2ixqnwNKfA@mail.gmail.com>
Date: Mon, 06 Apr 2020 12:11:52 +1000
From: Martin Thomson <mt@lowentropy.net>
To: masque@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/j2SfDdGns2aguhUrvCcnIVlnk7I>
Subject: Re: [Masque] Updated proposed charter text
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2020 02:12:21 -0000

On Sat, Apr 4, 2020, at 00:17, Alex Chernyakhovsky wrote:
> I don't think this is a meaningful distinction. If I understand 
> correctly, you're identifying that CONNECT is actually two actions that 
> have to happen in sequence: establish a tunnel to some destination, 
> then relay bytes to that destination. The first step allows you to 
> connect to arbitrary destinations, unless you have some sort of 
> firewall or ACL system to limit the scope.

I think that this has less to do with the arbitrariness than it has to do with what level of prearrangement.

When I send an IP packet, I might set an arbitrary source and destination address.  The forwarding entity probably needs to have the source address prearranged or bad things happen.  But it might be happy to allow a range of different addresses to be used.  For destination addresses, the level of predetermination is something we could decide is attached to every unit of communication.  Or it might require that every possible destination be prearranged.

An advantage of prearrangement is that you can create a context and compress, reducing or maybe even reversing the overhead of tunneling.  And servers get a clearer channel for expressing their policy constraints.  The disadvantage is that you pay a round trip for the setup, and maybe the tunneling protocol pays in complexity for that ability to be expressive.

What we see with CONNECT is that the destination is prearranged.  The headers on CONNECT are that prearrangement.  That simplifies operation a great deal as the client doesn't have to provide TCP or IP headers on every frame it sends.  The round trip is parallel with the TCP socket establishment from proxy to server, so the latency hit is negligible; more so because clients can send a TLS ClientHello without waiting for the outcome of the CONNECT request.
 
> You can do the same with a VPN, you just need to have connection 
> tracking implemented in the VPN terminator. The only real difference I 
> see here is with a traditional TCP connection, you can't avoid having 
> the connection state, as that's inherent to the protocol, whereas with 
> a VPN one could choose to not implement connection tracking and 
> therefore not have an easy filtering capability. (You could, of course, 
> use stateless firewall rules, even without changing the VPN terminator 
> implementation and relying on the OS native features).

Whatever happens here, we will need to encode some of these assumptions either into limitations of a protocol specification, or as protocol elements that are signaled or negotiated.

v2.23.0 | Report a Bug | By Email