IETF Logo Mail Archive

Re: [Masque] Unifying CONNECT-IP Proposals

David Schinazi <dschinazi.ietf@gmail.com> Sat, 28 August 2021 16:24 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2838E3A0845 for <masque@ietfa.amsl.com>; Sat, 28 Aug 2021 09:24:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5YEffVM8nWR0 for <masque@ietfa.amsl.com>; Sat, 28 Aug 2021 09:23:58 -0700 (PDT)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03CCF3A0841 for <masque@ietf.org>; Sat, 28 Aug 2021 09:23:57 -0700 (PDT)
Received: by mail-pl1-x629.google.com with SMTP id n12so5986612plk.10 for <masque@ietf.org>; Sat, 28 Aug 2021 09:23:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=X0ciS15Cf2y79RZestVMOwtccTLQ/7bY7AeHDnUy0aA=; b=InBesVlQiX3UaW/0gy9sKuyNxpLMuoyeUt+pq/KGMXcc5nmTb7mwUxgapxGkPKKwjB XMKraa1Ts6xGXXWln8kjUWODLi+bE6Rq3jc5kp7ER85qG42NZ7tjUdjhVYLlO8RKIp9Z VzYrvj9llpsJQvblitqj8lzJMm+PfS5+/qkhMCL7Nc3/33iautcxKXLN7EowwYbVEhAA yu34s2RDewYmN+NX9XNRcjuOWf2PmXOB16eW7INNpanrzycaGmHVzIhkiN8cYVY3P8D1 3UZczOJNleo5rcM0k8cPIffH/Vc6xNHDkhyjlEU4qKOGZazblgnRsjE+JHdw04rLs9L7 6AsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=X0ciS15Cf2y79RZestVMOwtccTLQ/7bY7AeHDnUy0aA=; b=jPV0aZeMGFt3O3wnu7xIpDN3vBvLai1nBDCisario+qe6J9RW/j0a8+vzNI1stFFO/ KGgLscIzuHurTQysbCPl7S4sKPkSobQxcx+gLbG7WqwPJZn8zp4t+HDuS0Tg0d5yBfC2 NfSSBSz7Dyxe++ws63xQ/10RryEbPQe+wpBBLEkoSqVqozlEbQsYWktAnqwimq0jkr8X Az9ziwJ2XT9ct6LxUHgUIO5iIGHmh52GC7k+XYkj4eenDKpDKblovzk/vPpCylk+7n5c MCzzpHAl9fCLkLr7t3aoVegDXqGjNOuijnbNH7OcfZ9caU2l5flQ6OcrAQcFysgLmPyJ 3LYg==
X-Gm-Message-State: AOAM531MdtE21BpvuucvqRwhbHTAUzToJeTUwEt8Fr9NRWb4NHJivWk0 mVEfw4v+TRG5P1kMxYwG66gYUlF6cghJuclc/gMzzlOQnJM=
X-Google-Smtp-Source: ABdhPJybhuEFGnZFupRuAxiq8FxwIaX8NL36+xFAOaYj0+9Vr3AQcSfmzmGvix0hrZuzUc9kYlXHAiU3BQiPr2W36eQ=
X-Received: by 2002:a17:903:41d0:b0:138:8d81:95d5 with SMTP id u16-20020a17090341d000b001388d8195d5mr10902155ple.67.1630167836325; Sat, 28 Aug 2021 09:23:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAPDSy+5R68Kn8uD_ig1vVbxO+Z=vEBJBy+veBCXN-GU1xmGGzw@mail.gmail.com> <CAM4esxQheGGMZ4CS+NNZvd8_h=KSG6T6hA_b59cY2hH7Ai6YAw@mail.gmail.com> <CABcZeBNUdM5EG+zWc+OO3SfyioxCOqe-dXhRuDhqTFN+FeGOAA@mail.gmail.com> <CAM4esxTPHcPVvobAuQDZoRrrMCj6bFb6cibQXzF9g-uAu-qZdg@mail.gmail.com>
In-Reply-To: <CAM4esxTPHcPVvobAuQDZoRrrMCj6bFb6cibQXzF9g-uAu-qZdg@mail.gmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Sat, 28 Aug 2021 12:23:44 -0400
Message-ID: <CAPDSy+5WpVKi8QR0gqfdLgM3bbHKQCeifRsRE5Mc_yqWs_T8gQ@mail.gmail.com>
To: Martin Duke <martin.h.duke@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cf121105caa10644"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/mPZmwmJXEB2q9p05AdvLpqa_2_I>
Subject: Re: [Masque] Unifying CONNECT-IP Proposals
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Aug 2021 16:24:04 -0000

Hi Martin,

This design does not require an extra round trip to use flow forwarding
mode.
That was actually one of the important design requirements of the straw man
to see if the design worked. The key design choice that enables this feature
is the fact that flow forwarding mode uses a different capsule type to
register
its datagram context IDs. The client can immediately send its
REGISTER_DATAGRAM_CONTEXT_IP_PAYLOAD capsule [1] right after
it sent its CONNECT-IP request, and it can start using IP Payload datagrams
right away. If the server does not support the extension, the server will
silently
drop the REGISTER_DATAGRAM_CONTEXT_IP_PAYLOAD capsule and not
consider that datagram context ID as registered, so when it sees subsequent
datagrams with an unknown context ID, those will also be dropped. This
removes
any risk that an endpoint tries to parse an IP Payload as if it were an IP
header
or vice versa.

To be clear, this is a very early proof of concept - if we decide to go
this route
we'll need to improve and iterate - there are bound to be many minor bugs,
but the overall design should work and provide the properties we've
discussed
at past meetings.

Thanks,
David


[1]
https://datatracker.ietf.org/doc/html/draft-tbd-masque-connect-ip-ext-flow-00#section-3.1.1

On Sat, Aug 28, 2021 at 12:02 AM Martin Duke <martin.h.duke@gmail.com>
wrote:

> There are certainly cases where that approach is totally satisfactory. But
> the CAPSULE case is mostly about intermediaries; in the flow forwarding
> case, we are always stuck with the 1RTT delay unless we run the risk of the
> server spewing out malformed packets.
>
> To be clear, I like David's proposal at first glance; I also want to fully
> think through these sorts of implications.
>
> On Fri, Aug 27, 2021 at 5:37 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Fri, Aug 27, 2021 at 5:22 PM Martin Duke <martin.h.duke@gmail.com>
>> wrote:
>>
>>> Hi David,
>>>
>>> First, thanks for making an effort (and some concessions) to move things
>>> along!
>>>
>>> As an AD, I have no objection to splitting up the CONNECT-IP deliverable
>>> into multiple drafts. I would consider all of these child drafts to be in
>>> scope of the current charter.
>>>
>>> As an individual, I'm fine with the split at a high level, but this
>>> architecture needs some deeper thinking about failure cases - servers that
>>> don't support the extension, or intermediaries that forward CONNECT-UDP but
>>> eat CAPSULE.
>>>
>>
>> FWIW, I'm generally not really sympathetic to these cases. Clients don't
>> magically connect to services, they are configured with them by services.
>> If you need CAPSULE, then you shouldn't be configured with the address of a
>> server which doesn't support it.
>>
>> -Ekr
>>
>> In particular, I can see immediately that making flow forwarding mode an
>>> extension creates a 1 RTT penalty -- IIUC I can't send a datagram until the
>>> server confirms it processed the flow forwarding header.
>>>
>>> That's not a deal breaker for me, but I'm curious what other failure
>>> cases are lurking in the design.
>>>
>>> AFAICT the network-to-network design is robust to these issues, so
>>> that's safe to split out.
>>>
>>> Hope that helps.
>>>
>>> Martin
>>>
>>>
>>> On Fri, Aug 27, 2021 at 8:05 AM David Schinazi <dschinazi.ietf@gmail.com>
>>> wrote:
>>>
>>>> Hi MASQUE Enthusiasts,
>>>>
>>>> As you know, we've had two distinct proposals for CONNECT-IP for a
>>>> while. While
>>>> both of them have interesting features, we need to unify on a joint
>>>> effort if
>>>> we want to make progress. In order to further that goal, we've made
>>>> some edits
>>>> to the existing documents in order to create a unified coherent path
>>>> forward.
>>>>
>>>> First, we updated draft-ietf-masque-ip-proxy-reqs to reflect working
>>>> group
>>>> consensus: since the WGLC showed consensus on everything except the
>>>> network-to-network use-case and the route negotiation requirement, both
>>>> of
>>>> those were removed from the document.
>>>> draft-ietf-masque-ip-proxy-reqs-03 [1]
>>>> now better reflects the working group's choice.
>>>>
>>>> Based on these requirements, and on the WG consensus at IETF 110 to
>>>> focus on
>>>> Proxying IP Packets, we also updated draft-cms-masque-connect-ip. We
>>>> removed
>>>> all routing-related features and now draft-cms-masque-connect-ip-02 [2]
>>>> contains solely what is needed to satisfy the WG's requirements from
>>>> draft-ietf-masque-ip-proxy-reqs-03. We've had some interesting
>>>> conversations
>>>> with Tommy Pauly on this topic and would love for him to join us as
>>>> editor on
>>>> draft-cms-masque-connect-ip.
>>>>
>>>> Additionally, the discussion at IETF 111 showed that folks were also
>>>> interested
>>>> in various features that didn't have WG consensus: some are interested
>>>> in
>>>> negotiating routing and some are interested in flow forwarding. We
>>>> believe that
>>>> both of those are interesting features worth pursuing. The best way to
>>>> accomplish this is through extensions. Luckily CONNECT-IP is extensible.
>>>>
>>>> We wrote up the routing negotiation as an extension in
>>>> draft-cms-masque-connect-ip-ext-routes [3]. This enables split-tunnel
>>>> VPN and
>>>> the network-to-network use-case.
>>>>
>>>> We also made sure that flow forwarding mode would work as an extension,
>>>> and as
>>>> proof-of-concept wrote it up as draft-tbd-masque-connect-ip-ext-flow
>>>> [4]. As
>>>> mentioned in that document, this is mostly copied from
>>>> draft-kuehlewind-masque-connect-ip-01 [5] with some minor
>>>> modifications. We
>>>> would like to have the authors of draft-kuehlewind-masque-connect-ip
>>>> author
>>>> this extension, given that they produced the interesting ideas in it.
>>>>
>>>> We think this refactor would be a great path forward for the MASQUE
>>>> working
>>>> group: it would allow us to unify multiple proposals around a common
>>>> extensible
>>>> protocol. We did discuss merging these three documents into one, but
>>>> decided
>>>> against it because it would unnecessarily delay the publication of
>>>> CONNECT-IP.
>>>> We would love for the working group to adopt both extensions as they
>>>> will
>>>> influence the design of CONNECT-IP, but both need to solve some
>>>> specific hard
>>>> problems that don't need to delay CONNECT-IP, so they deserve their own
>>>> drafts.
>>>>
>>>> As usual, comments and thoughts are most welcome!
>>>>
>>>> Thanks,
>>>> David
>>>>
>>>> [1]
>>>> https://datatracker.ietf.org/doc/html/draft-ietf-masque-ip-proxy-reqs-03
>>>> [2]
>>>> https://datatracker.ietf.org/doc/html/draft-cms-masque-connect-ip-02
>>>> [3]
>>>> https://datatracker.ietf.org/doc/html/draft-cms-masque-connect-ip-ext-routes-00
>>>> [4]
>>>> https://datatracker.ietf.org/doc/html/draft-tbd-masque-connect-ip-ext-flow-00
>>>> [5]
>>>> https://datatracker.ietf.org/doc/html/draft-kuehlewind-masque-connect-ip-01
>>>> --
>>>> Masque mailing list
>>>> Masque@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/masque
>>>>
>>> --
>>> Masque mailing list
>>> Masque@ietf.org
>>> https://www.ietf.org/mailman/listinfo/masque
>>>
>>

v2.23.0 | Report a Bug | By Email