IETF Logo Mail Archive

Re: [Masque] Filtering function of the Masque server for traffic incoming to the client

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 28 July 2020 09:04 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 302963A0919 for <masque@ietfa.amsl.com>; Tue, 28 Jul 2020 02:04:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iUk38CM8QgoN for <masque@ietfa.amsl.com>; Tue, 28 Jul 2020 02:04:46 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2071.outbound.protection.outlook.com [40.107.22.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9CE03A0918 for <masque@ietf.org>; Tue, 28 Jul 2020 02:04:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oSq0z2yKQAGTAI0jmegAMnK+hKZEO8F8W1eBlwWlQShdbYkh41k8tWkspL6uSeTzDeX6rfy+MTM3l88TKSv+//tKsbL3X3IlRqzmmWeoAG1XHZyTNiMJp9KGflRBszbiIvARtU1+TBNMOS9xzXIcuk2rACTBRLa1n8f7sgFoUd02rrFQ4yJtGBgNy+mOPvlLeyzw6emrOlzjdulxE+7VtPuVD4UfixynQqAG3gr8Wxo9V2ZOH4Caqad9g38rvzGkjMJd+abEMnHl0lEY3csBhhT+l/8/RHRLopgoLizWLL0skU3ltYQmQx+RfY227z3wR2gHRMiV+Qu6xk7eo809Nw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e6tL1Z8LQ1dB7yP2iRkHABrbAcY9XQDt8sqGfIoyexM=; b=gU6XgtmUMJpszPblFAdw5v9tf76GcAJLXDdfuyR/LhIxhlaQCzosO7ZAK3pb9UI0jq2oi4Nzy9Ydc9EHZbyTom090cF39nMv8l709H+rl5ihHlGAYWwr0MSgjb7147wE3w/Q1g2vnDP51zKM4sLrtqxEgiLz2GCw1wnyd8dDMhXZr3pdTgtXCQDe5Ot4WzoYMbuls7iEk79HihwuMRBHsF4JiR9N9z5WGaNqCWsGdUktZ0u/CT5B2SxT24oYV6+rWiheAl3cAwk/Jji5+dP+ic0AGeCtWmeosWdQI7ILPZJln6UjLJz/RlbOxeVDNMOSpO7uHNkOD/TrmbMekMX0Rw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e6tL1Z8LQ1dB7yP2iRkHABrbAcY9XQDt8sqGfIoyexM=; b=QikemW85vuy33rP3JZjJdA1qwzHwFRqwF1yZUbb9VJqJb2CJit6D26gjVmssYl+603AXv/r1y4zEbP4A+lSw3UFARaEN64swFqbbKrJQuIN8D4GoPr+hMhEYUXT4CruFx3pD8jYvvVEOT5ohwU3nQ3HkizmHRrMCRaXIf3dy65s=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR07MB3099.eurprd07.prod.outlook.com (2603:10a6:7:39::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3216.14; Tue, 28 Jul 2020 09:04:43 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::546c:3b3:9193:3351]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::546c:3b3:9193:3351%6]) with mapi id 15.20.3239.015; Tue, 28 Jul 2020 09:04:43 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "achernya=40google.com@dmarc.ietf.org" <achernya=40google.com@dmarc.ietf.org>, "dschinazi.ietf@gmail.com" <dschinazi.ietf@gmail.com>
CC: "masque@ietf.org" <masque@ietf.org>
Thread-Topic: [Masque] Filtering function of the Masque server for traffic incoming to the client
Thread-Index: AQHWZBHvaYNmk9XMQ0e65P+3GCMwmqkbcdmAgAA9K4CAAQUZgA==
Date: Tue, 28 Jul 2020 09:04:42 +0000
Message-ID: <2729b0183830cdb9a4b3d226b4c46dbefff9cee1.camel@ericsson.com>
References: <6cc97d7064070453574c7549c2e8af3892fe023c.camel@ericsson.com> <CAPDSy+7wR_rkY2BESYFr4wU57EokkXjR7LXi_ouOp=LZOR2EyA@mail.gmail.com> <CAHbWFkQkc5Uo8stu60SmoGuEP_MNSf0kESdGdP7KmtTVSJD=tw@mail.gmail.com>
In-Reply-To: <CAHbWFkQkc5Uo8stu60SmoGuEP_MNSf0kESdGdP7KmtTVSJD=tw@mail.gmail.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.130.202]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 313225fd-cb58-4ef9-a37c-08d832d54475
x-ms-traffictypediagnostic: HE1PR07MB3099:
x-microsoft-antispam-prvs: <HE1PR07MB309963A44461E53C3FDAD9FD95730@HE1PR07MB3099.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: F3B1qVuLdMV0j1UhhA3WYF1MILI4NcI/IrIgkH/SYvs2wm99pAxui9VViXX6QCRpqh5RNysOfo/Svp8lsjRfpOJmA9a73n9vj5PFd/nHLhZWT63UehfZBT9K3e6TR33J8IdKUGzBrIWLQ7ab8WouOVK/R5ZNFdBY+4zaclwv6F64DLu2uKWbZSpzlnHPj4e9x4jeyYaqAdGi5ylQLX0h/gQj/wJVGid6UEioG4BY0MCFnineYXtF0DICuQxrgtYu9aOr0yzUEDmNg1mwT4/JASVahIz908zz1w621jevaSBh/ZIPQclebvFdy5C5iPbLFTVmB7KwIiSMEac55JwLlKMXolO2C/5QMZ91omKJsqrBARGFCe/a0ks2WhmHHDCM2AV5e8pBBvm9m+mFk1pVBkxnGd4H3VoV7deLmTD57rFJd9CchitshNWnoo4XG7b4psX1BvdL9lF8WMXWnv7BWA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(396003)(366004)(39860400002)(346002)(136003)(6486002)(26005)(5660300002)(44832011)(186003)(86362001)(966005)(2906002)(110136005)(2616005)(66574015)(8936002)(36756003)(53546011)(66946007)(66556008)(64756008)(83380400001)(316002)(478600001)(6512007)(4326008)(71200400001)(76116006)(8676002)(6506007)(66476007)(66446008)(99106002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: I+jWTrExri2wYoUkj7A9R1gINA6BXahrt2KS3Yv2kKtFbJNItj9yijVQgVdtk+ITKfVrge0wUH+ymQpfc2DkjJg/MvUx69K3sePfj1l5MhOIsN1W0y7/EsYgaNMp08krFt4kiGNFfeI7dPXbvp6sBEzZhVqIn75dKjRo+Qo/JziKKzuXGiPfLceO1OXFYCfaP7OlDV/cB2x+Ru9lewRmREP9b4YujhThB8g2V8g1osT8FP9psHSnfCqoR0OWju20dCaiBDY81bDxfTk6TBZD1nE3HRVofwOeVNKdqSCkQ5SgZy68SpkLrlRAm7W6yK4aAKLy+QMEMD8UpjW4O5n9fixA+P3NxaUx9YbUWCeCzcUAkQHmQ+KTkjh+XQ6UcmlNiAzOTM2Mcu4taJkCiCM61iScZiogLevgyoVG7lFgXbUSsx+VC9NnxxKSDwK/1jZW1SyxhEq0jZG1cyYaaekZxM0eLk0/tueOINnYa0FuXlkFMMDezAEuuO4V8j8pOWow
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <FB4364F0194A624792E77E252A902E60@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 313225fd-cb58-4ef9-a37c-08d832d54475
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jul 2020 09:04:42.9698 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Nsj3TrlDDV0YqbF1CnVCdsWvZZ0ZtpsKHeMVc3Mv31gM+BkxoVZ7RGF3knvmmey3sb7/xUv90XbegE6lWPzOsCExds4YfllxVAvf4aRRW70=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3099
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/mcV0i03jAh6jgBVxXTRHb7WzHJE>
Subject: Re: [Masque] Filtering function of the Masque server for traffic incoming to the client
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2020 09:04:50 -0000

Hi,

I think this sounds mostly reasonable for packets destination address when
incoming to the masque server on the external address/prefix provided to the
client. 

What really starts worrying me here is advertised routes through the Masque
Server. So you are basically saying that the MASQUE client can be an router for
a network, and then use the MASQUE server to inject routes for that network with
transit over the MASQUE server. Isn't this creeping the scope for the IP
proxying service way to far? I would expect a client to borrow a single IPv4
address or a /64 unicast IPv6 sub-net at the most. For IPv4 I would even epxect
that people get a 10.0.0.0/24 address and then there is a NAT in front of the
MASQUE server external address range. 

What I was really asking about what source address filtering should be applied
to any for these incoming packets on the MASQUE server external side. 

Cheers

Magnus

On Mon, 2020-07-27 at 13:30 -0400, Alex Chernyakhovsky wrote:
> Hi,
> 
> I'd like to add some more thoughts to the IP-specific tunnel aspects that
> David outlined. In our experience with QBONE, the important thing is to make
> sure that the packets from both endpoints are routable. That means that if a
> packet appears, either on the server or client, for a destination that is not
> exposed through the tunnel, then the packet should be dropped (or accepted by
> some other route other than the tunnel itself).
> 
> Suppose that you have a case with server-assigned IP addresses to all clients.
> The server can easily ensure that all packets destined towards the client are
> the only ones it routes into the tunnel. For defense in depth, the client
> implementation should drop any packet that is to a destination that is not
> exposed through the tunnel, as we should defend against a buggy/malicious
> server implementation.
> 
> This gets a bit more complicated with advertised routes, since there's not a
> single IP address (or range) to check, but nonetheless the same ideas hold:
> both sides of the tunnel should drop packets that are not to valid
> destinations, either from the tunnel or from the outside interface. 
> 
> For the ICMP example, the client should have routes installed for the IP
> address that's sourcing the IP packets. The server should also know these
> routes, and be able to prevent the ICMP packet from traversing the tunnel if
> it's not to an allowed source or destination range.
> 
> If we did allow packets with IPs not advertised across the tunnel to traverse
> the tunnel, then the response packets would go through a different path, and
> likely be blackholed.
> 
> To David's point about "[ensuring] that two clients do not offer overlapping
> subnets": I actually think we should allow this case, for load-balancing
> across multiple client instances, particularly for the network-to-network
> (site-to-site) use case. But then the complexity becomes ensuring that the
> overlaps are from authenticated clients permitted to do so.
> 
> Sincerely,
> -Alex
> 
> On Mon, Jul 27, 2020 at 9:51 AM David Schinazi <dschinazi.ietf@gmail.com>
> wrote:
> > Hi Magnus,
> > 
> > Some thoughts inline below.
> > 
> > On Mon, Jul 27, 2020 at 5:32 AM Magnus Westerlund <
> > magnus.westerlund=40ericsson.com@dmarc.ietf.org> wrote:
> > > Hi,
> > > 
> > > A question I have to the WG is how its view are on filtering function of
> > > the
> > > MASQUE server for incoming traffic from remote addresses. This comes from
> > > the
> > > perspective of what is in TURN for this. TURN requires the client to
> > > explcitly
> > > indicate the remote address (IP + Port) to receive traffic.
> > 
> > From the discussions we had during the chartering of MASQUE, I really think
> > that
> > we should keep TURN out of scope for MASQUE. I adds significant complexity
> > that is not warranted for all use-cases, and can be added on top of MASQUE
> > later.
> > 
> > > So the question is what behavior we do expect from MASQUE for both UDP and
> > > for
> > > IP. For UDP I think only accepting traffic from the reverse 5-tuple that
> > > the
> > > client requested to communicate to.
> > 
> > Yes, I would keep CONNECT-UDP as simple as possible, and that means that
> > one CONNECT-UDP request maps to a given 5-tuple on the proxy-server leg,
> > and all other packets are dropped.
> > 
> > > For IP I think the decision is tougher. But, I think the primary question
> > > is if
> > > one should be able to run a server as a client of the MASQUE server. If it
> > > does
> > > then any traffic to the leased IP address needs to be accepted. Thus
> > > questions
> > > about being open for any traffic and potential for attack traffic etc. 
> > 
> > Similarly to UDP, I don't think we need to solve all aspects of this
> > question within
> > MASQUE itself. MASQUE needs to negotiate the specifics of the IP tunnel it
> > creates - such as IP addresses in use by both endpoints, and authorized
> > routes
> > in both directions.
> > 
> > > A special case if one doesn't allow any remote source through to the
> > > client, is
> > > that some traffic that doesn't match IP 3-tuple still need forwarding. The
> > > best
> > > example I have is that a MASQUE server will need to look at the ICMP
> > > traffic
> > > comming in to the IP address and match the included header to existing
> > > context
> > > and forward it to the relevant client if it matches.
> > 
> > Can you elaborate on your example please? Which IP addresses are used on the
> > ICMP packet, and on the packet that triggered the ICMP?
> > 
> > I think all we need for this in MASQUE is for the endpoints to negotiate
> > which
> > subnets they are offering as routable via MASQUE. All the server then needs
> > to
> > do is ensure that two clients do not offer overlapping subnets. Or are you
> > envisioning some complexity that I'm not seeing?
> > 
> > Cheers,
> > David
> > 
> > > So what are peoples opinion here?
> > > 
> > > 
> > > Cheers
> > > 
> > > Magnus Westerlund 
> > > 
> > > 
> > > ----------------------------------------------------------------------
> > > Networks, Ericsson Research
> > > ----------------------------------------------------------------------
> > > Ericsson AB                 | Phone  +46 10 7148287
> > > Torshamnsgatan 23           | Mobile +46 73 0949079
> > > SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> > > ----------------------------------------------------------------------
> > > 
> > > 
> > > -- 
> > > Masque mailing list
> > > Masque@ietf.org
> > > https://www.ietf.org/mailman/listinfo/masque
-- 
Cheers

Magnus Westerlund 


----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email