IETF Logo Mail Archive

Re: [Masque] Unifying CONNECT-IP Proposals

Martin Duke <martin.h.duke@gmail.com> Sat, 28 August 2021 04:02 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C893C3A2ABD for <masque@ietfa.amsl.com>; Fri, 27 Aug 2021 21:02:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xT2Gsg5rRbbE for <masque@ietfa.amsl.com>; Fri, 27 Aug 2021 21:02:18 -0700 (PDT)
Received: from mail-il1-x132.google.com (mail-il1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BC503A2ABA for <masque@ietf.org>; Fri, 27 Aug 2021 21:02:18 -0700 (PDT)
Received: by mail-il1-x132.google.com with SMTP id x5so9309689ill.3 for <masque@ietf.org>; Fri, 27 Aug 2021 21:02:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=f4rjHAUzUWkez0RsyeJlOLdvBhmGFyqyk378kEfbr4Y=; b=GqT7qBWonvIW/MGMg5CFFxacETSS8TzkFhj0F9yXtTcXVPaScbc7wbwETgHj0CLbso 1nMvAM25HvghF6+WzeAcTy6eFwbx8qt9ZQZezHiDXIN6aynRCHfJnTI7MhA7FKjZJaDU BpbCd2BEYTKqV3i8FvrrzRDVjd/x+XcfUo1l6GCUFxZPSd1oaFd3nYEh1z7ZjD+4i9Q0 GWtrPnt+mFiJ89YZ4/aPX45mhsuzgt4+Kr2FdUyA0k9AFm/7DMB4w731zpr2PKwqJ3Bx i05o9K/aBihn7hLNc73OHJ1KxRpPf6n8I/LjYqarkk5izGkW1yw8OYXkdtpnHQVPVgxj RHaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=f4rjHAUzUWkez0RsyeJlOLdvBhmGFyqyk378kEfbr4Y=; b=qi/RDqRfhGccbfOwwn+ARAJiBmDsp25kB7ci9IDEhIn07n9yectP7e3sbJqbPhJw6L O04xmwjK6zYlxaRONDRxOF2gO6cb8dkkYCB+mxD+RZMlhn60uTstNM2fVkjpXZqLY9ce TiTNcRE30OGY9PzlcYSpEQn5wdBiuZV/VyKv4do47mczx/ovN0sqSVfLUGLfTgrnSYwJ B8FOg9Qw2yfj0aj6n1ykoYq1nVl7Ku2a61hV0HOHpWhN37w/ck3mpxQ+B+KQc38CzKC9 yqFG3L6GomYHvbW5z99ruujvHQiMg6p/CWdLmqggdicVsDZ1tiZ0p5EwXHNhg8tEOo+S n9/g==
X-Gm-Message-State: AOAM531+gWC7fRUj1WL43YSebBobNzyPkdGDMjVfTFAk4L0C3XV1OTqr ST+YTdLHD78Pz7S5/L8ttN/eiKyvPFqRz0/zxX8=
X-Google-Smtp-Source: ABdhPJy4Bmgoff+Ga2b2ayLuUSwvW/avM40h+pcbu3Vcj41SfTt3vuTnJgB4nerRdUCz4XbJO3mWN1mv5VqZeAIeH2o=
X-Received: by 2002:a92:3012:: with SMTP id x18mr8746779ile.249.1630123336156; Fri, 27 Aug 2021 21:02:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAPDSy+5R68Kn8uD_ig1vVbxO+Z=vEBJBy+veBCXN-GU1xmGGzw@mail.gmail.com> <CAM4esxQheGGMZ4CS+NNZvd8_h=KSG6T6hA_b59cY2hH7Ai6YAw@mail.gmail.com> <CABcZeBNUdM5EG+zWc+OO3SfyioxCOqe-dXhRuDhqTFN+FeGOAA@mail.gmail.com>
In-Reply-To: <CABcZeBNUdM5EG+zWc+OO3SfyioxCOqe-dXhRuDhqTFN+FeGOAA@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 27 Aug 2021 21:02:03 -0700
Message-ID: <CAM4esxTPHcPVvobAuQDZoRrrMCj6bFb6cibQXzF9g-uAu-qZdg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000644d6c05ca96aa1f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/mhO52bdW_Id5CfFcOvDJR2WOGm4>
Subject: Re: [Masque] Unifying CONNECT-IP Proposals
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Aug 2021 04:02:24 -0000

There are certainly cases where that approach is totally satisfactory. But
the CAPSULE case is mostly about intermediaries; in the flow forwarding
case, we are always stuck with the 1RTT delay unless we run the risk of the
server spewing out malformed packets.

To be clear, I like David's proposal at first glance; I also want to fully
think through these sorts of implications.

On Fri, Aug 27, 2021 at 5:37 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Fri, Aug 27, 2021 at 5:22 PM Martin Duke <martin.h.duke@gmail.com>
> wrote:
>
>> Hi David,
>>
>> First, thanks for making an effort (and some concessions) to move things
>> along!
>>
>> As an AD, I have no objection to splitting up the CONNECT-IP deliverable
>> into multiple drafts. I would consider all of these child drafts to be in
>> scope of the current charter.
>>
>> As an individual, I'm fine with the split at a high level, but this
>> architecture needs some deeper thinking about failure cases - servers that
>> don't support the extension, or intermediaries that forward CONNECT-UDP but
>> eat CAPSULE.
>>
>
> FWIW, I'm generally not really sympathetic to these cases. Clients don't
> magically connect to services, they are configured with them by services.
> If you need CAPSULE, then you shouldn't be configured with the address of a
> server which doesn't support it.
>
> -Ekr
>
> In particular, I can see immediately that making flow forwarding mode an
>> extension creates a 1 RTT penalty -- IIUC I can't send a datagram until the
>> server confirms it processed the flow forwarding header.
>>
>> That's not a deal breaker for me, but I'm curious what other failure
>> cases are lurking in the design.
>>
>> AFAICT the network-to-network design is robust to these issues, so that's
>> safe to split out.
>>
>> Hope that helps.
>>
>> Martin
>>
>>
>> On Fri, Aug 27, 2021 at 8:05 AM David Schinazi <dschinazi.ietf@gmail.com>
>> wrote:
>>
>>> Hi MASQUE Enthusiasts,
>>>
>>> As you know, we've had two distinct proposals for CONNECT-IP for a
>>> while. While
>>> both of them have interesting features, we need to unify on a joint
>>> effort if
>>> we want to make progress. In order to further that goal, we've made some
>>> edits
>>> to the existing documents in order to create a unified coherent path
>>> forward.
>>>
>>> First, we updated draft-ietf-masque-ip-proxy-reqs to reflect working
>>> group
>>> consensus: since the WGLC showed consensus on everything except the
>>> network-to-network use-case and the route negotiation requirement, both
>>> of
>>> those were removed from the document. draft-ietf-masque-ip-proxy-reqs-03
>>> [1]
>>> now better reflects the working group's choice.
>>>
>>> Based on these requirements, and on the WG consensus at IETF 110 to
>>> focus on
>>> Proxying IP Packets, we also updated draft-cms-masque-connect-ip. We
>>> removed
>>> all routing-related features and now draft-cms-masque-connect-ip-02 [2]
>>> contains solely what is needed to satisfy the WG's requirements from
>>> draft-ietf-masque-ip-proxy-reqs-03. We've had some interesting
>>> conversations
>>> with Tommy Pauly on this topic and would love for him to join us as
>>> editor on
>>> draft-cms-masque-connect-ip.
>>>
>>> Additionally, the discussion at IETF 111 showed that folks were also
>>> interested
>>> in various features that didn't have WG consensus: some are interested in
>>> negotiating routing and some are interested in flow forwarding. We
>>> believe that
>>> both of those are interesting features worth pursuing. The best way to
>>> accomplish this is through extensions. Luckily CONNECT-IP is extensible.
>>>
>>> We wrote up the routing negotiation as an extension in
>>> draft-cms-masque-connect-ip-ext-routes [3]. This enables split-tunnel
>>> VPN and
>>> the network-to-network use-case.
>>>
>>> We also made sure that flow forwarding mode would work as an extension,
>>> and as
>>> proof-of-concept wrote it up as draft-tbd-masque-connect-ip-ext-flow
>>> [4]. As
>>> mentioned in that document, this is mostly copied from
>>> draft-kuehlewind-masque-connect-ip-01 [5] with some minor modifications.
>>> We
>>> would like to have the authors of draft-kuehlewind-masque-connect-ip
>>> author
>>> this extension, given that they produced the interesting ideas in it.
>>>
>>> We think this refactor would be a great path forward for the MASQUE
>>> working
>>> group: it would allow us to unify multiple proposals around a common
>>> extensible
>>> protocol. We did discuss merging these three documents into one, but
>>> decided
>>> against it because it would unnecessarily delay the publication of
>>> CONNECT-IP.
>>> We would love for the working group to adopt both extensions as they will
>>> influence the design of CONNECT-IP, but both need to solve some specific
>>> hard
>>> problems that don't need to delay CONNECT-IP, so they deserve their own
>>> drafts.
>>>
>>> As usual, comments and thoughts are most welcome!
>>>
>>> Thanks,
>>> David
>>>
>>> [1]
>>> https://datatracker.ietf.org/doc/html/draft-ietf-masque-ip-proxy-reqs-03
>>> [2] https://datatracker.ietf.org/doc/html/draft-cms-masque-connect-ip-02
>>> [3]
>>> https://datatracker.ietf.org/doc/html/draft-cms-masque-connect-ip-ext-routes-00
>>> [4]
>>> https://datatracker.ietf.org/doc/html/draft-tbd-masque-connect-ip-ext-flow-00
>>> [5]
>>> https://datatracker.ietf.org/doc/html/draft-kuehlewind-masque-connect-ip-01
>>> --
>>> Masque mailing list
>>> Masque@ietf.org
>>> https://www.ietf.org/mailman/listinfo/masque
>>>
>> --
>> Masque mailing list
>> Masque@ietf.org
>> https://www.ietf.org/mailman/listinfo/masque
>>
>

v2.23.0 | Report a Bug | By Email