Re: [Masque] Unifying CONNECT-IP Proposals
Martin Duke <martin.h.duke@gmail.com> Sat, 28 August 2021 04:02 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C893C3A2ABD for <masque@ietfa.amsl.com>; Fri, 27 Aug 2021 21:02:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xT2Gsg5rRbbE for <masque@ietfa.amsl.com>; Fri, 27 Aug 2021 21:02:18 -0700 (PDT)
Received: from mail-il1-x132.google.com (mail-il1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BC503A2ABA for <masque@ietf.org>; Fri, 27 Aug 2021 21:02:18 -0700 (PDT)
Received: by mail-il1-x132.google.com with SMTP id x5so9309689ill.3 for <masque@ietf.org>; Fri, 27 Aug 2021 21:02:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=f4rjHAUzUWkez0RsyeJlOLdvBhmGFyqyk378kEfbr4Y=; b=GqT7qBWonvIW/MGMg5CFFxacETSS8TzkFhj0F9yXtTcXVPaScbc7wbwETgHj0CLbso 1nMvAM25HvghF6+WzeAcTy6eFwbx8qt9ZQZezHiDXIN6aynRCHfJnTI7MhA7FKjZJaDU BpbCd2BEYTKqV3i8FvrrzRDVjd/x+XcfUo1l6GCUFxZPSd1oaFd3nYEh1z7ZjD+4i9Q0 GWtrPnt+mFiJ89YZ4/aPX45mhsuzgt4+Kr2FdUyA0k9AFm/7DMB4w731zpr2PKwqJ3Bx i05o9K/aBihn7hLNc73OHJ1KxRpPf6n8I/LjYqarkk5izGkW1yw8OYXkdtpnHQVPVgxj RHaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=f4rjHAUzUWkez0RsyeJlOLdvBhmGFyqyk378kEfbr4Y=; b=qi/RDqRfhGccbfOwwn+ARAJiBmDsp25kB7ci9IDEhIn07n9yectP7e3sbJqbPhJw6L O04xmwjK6zYlxaRONDRxOF2gO6cb8dkkYCB+mxD+RZMlhn60uTstNM2fVkjpXZqLY9ce TiTNcRE30OGY9PzlcYSpEQn5wdBiuZV/VyKv4do47mczx/ovN0sqSVfLUGLfTgrnSYwJ B8FOg9Qw2yfj0aj6n1ykoYq1nVl7Ku2a61hV0HOHpWhN37w/ck3mpxQ+B+KQc38CzKC9 yqFG3L6GomYHvbW5z99ruujvHQiMg6p/CWdLmqggdicVsDZ1tiZ0p5EwXHNhg8tEOo+S n9/g==
X-Gm-Message-State: AOAM531+gWC7fRUj1WL43YSebBobNzyPkdGDMjVfTFAk4L0C3XV1OTqr ST+YTdLHD78Pz7S5/L8ttN/eiKyvPFqRz0/zxX8=
X-Google-Smtp-Source: ABdhPJy4Bmgoff+Ga2b2ayLuUSwvW/avM40h+pcbu3Vcj41SfTt3vuTnJgB4nerRdUCz4XbJO3mWN1mv5VqZeAIeH2o=
X-Received: by 2002:a92:3012:: with SMTP id x18mr8746779ile.249.1630123336156; Fri, 27 Aug 2021 21:02:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAPDSy+5R68Kn8uD_ig1vVbxO+Z=vEBJBy+veBCXN-GU1xmGGzw@mail.gmail.com> <CAM4esxQheGGMZ4CS+NNZvd8_h=KSG6T6hA_b59cY2hH7Ai6YAw@mail.gmail.com> <CABcZeBNUdM5EG+zWc+OO3SfyioxCOqe-dXhRuDhqTFN+FeGOAA@mail.gmail.com>
In-Reply-To: <CABcZeBNUdM5EG+zWc+OO3SfyioxCOqe-dXhRuDhqTFN+FeGOAA@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 27 Aug 2021 21:02:03 -0700
Message-ID: <CAM4esxTPHcPVvobAuQDZoRrrMCj6bFb6cibQXzF9g-uAu-qZdg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000644d6c05ca96aa1f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/mhO52bdW_Id5CfFcOvDJR2WOGm4>
Subject: Re: [Masque] Unifying CONNECT-IP Proposals
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Aug 2021 04:02:24 -0000
There are certainly cases where that approach is totally satisfactory. But the CAPSULE case is mostly about intermediaries; in the flow forwarding case, we are always stuck with the 1RTT delay unless we run the risk of the server spewing out malformed packets. To be clear, I like David's proposal at first glance; I also want to fully think through these sorts of implications. On Fri, Aug 27, 2021 at 5:37 PM Eric Rescorla <ekr@rtfm.com> wrote: > > > On Fri, Aug 27, 2021 at 5:22 PM Martin Duke <martin.h.duke@gmail.com> > wrote: > >> Hi David, >> >> First, thanks for making an effort (and some concessions) to move things >> along! >> >> As an AD, I have no objection to splitting up the CONNECT-IP deliverable >> into multiple drafts. I would consider all of these child drafts to be in >> scope of the current charter. >> >> As an individual, I'm fine with the split at a high level, but this >> architecture needs some deeper thinking about failure cases - servers that >> don't support the extension, or intermediaries that forward CONNECT-UDP but >> eat CAPSULE. >> > > FWIW, I'm generally not really sympathetic to these cases. Clients don't > magically connect to services, they are configured with them by services. > If you need CAPSULE, then you shouldn't be configured with the address of a > server which doesn't support it. > > -Ekr > > In particular, I can see immediately that making flow forwarding mode an >> extension creates a 1 RTT penalty -- IIUC I can't send a datagram until the >> server confirms it processed the flow forwarding header. >> >> That's not a deal breaker for me, but I'm curious what other failure >> cases are lurking in the design. >> >> AFAICT the network-to-network design is robust to these issues, so that's >> safe to split out. >> >> Hope that helps. >> >> Martin >> >> >> On Fri, Aug 27, 2021 at 8:05 AM David Schinazi <dschinazi.ietf@gmail.com> >> wrote: >> >>> Hi MASQUE Enthusiasts, >>> >>> As you know, we've had two distinct proposals for CONNECT-IP for a >>> while. While >>> both of them have interesting features, we need to unify on a joint >>> effort if >>> we want to make progress. In order to further that goal, we've made some >>> edits >>> to the existing documents in order to create a unified coherent path >>> forward. >>> >>> First, we updated draft-ietf-masque-ip-proxy-reqs to reflect working >>> group >>> consensus: since the WGLC showed consensus on everything except the >>> network-to-network use-case and the route negotiation requirement, both >>> of >>> those were removed from the document. draft-ietf-masque-ip-proxy-reqs-03 >>> [1] >>> now better reflects the working group's choice. >>> >>> Based on these requirements, and on the WG consensus at IETF 110 to >>> focus on >>> Proxying IP Packets, we also updated draft-cms-masque-connect-ip. We >>> removed >>> all routing-related features and now draft-cms-masque-connect-ip-02 [2] >>> contains solely what is needed to satisfy the WG's requirements from >>> draft-ietf-masque-ip-proxy-reqs-03. We've had some interesting >>> conversations >>> with Tommy Pauly on this topic and would love for him to join us as >>> editor on >>> draft-cms-masque-connect-ip. >>> >>> Additionally, the discussion at IETF 111 showed that folks were also >>> interested >>> in various features that didn't have WG consensus: some are interested in >>> negotiating routing and some are interested in flow forwarding. We >>> believe that >>> both of those are interesting features worth pursuing. The best way to >>> accomplish this is through extensions. Luckily CONNECT-IP is extensible. >>> >>> We wrote up the routing negotiation as an extension in >>> draft-cms-masque-connect-ip-ext-routes [3]. This enables split-tunnel >>> VPN and >>> the network-to-network use-case. >>> >>> We also made sure that flow forwarding mode would work as an extension, >>> and as >>> proof-of-concept wrote it up as draft-tbd-masque-connect-ip-ext-flow >>> [4]. As >>> mentioned in that document, this is mostly copied from >>> draft-kuehlewind-masque-connect-ip-01 [5] with some minor modifications. >>> We >>> would like to have the authors of draft-kuehlewind-masque-connect-ip >>> author >>> this extension, given that they produced the interesting ideas in it. >>> >>> We think this refactor would be a great path forward for the MASQUE >>> working >>> group: it would allow us to unify multiple proposals around a common >>> extensible >>> protocol. We did discuss merging these three documents into one, but >>> decided >>> against it because it would unnecessarily delay the publication of >>> CONNECT-IP. >>> We would love for the working group to adopt both extensions as they will >>> influence the design of CONNECT-IP, but both need to solve some specific >>> hard >>> problems that don't need to delay CONNECT-IP, so they deserve their own >>> drafts. >>> >>> As usual, comments and thoughts are most welcome! >>> >>> Thanks, >>> David >>> >>> [1] >>> https://datatracker.ietf.org/doc/html/draft-ietf-masque-ip-proxy-reqs-03 >>> [2] https://datatracker.ietf.org/doc/html/draft-cms-masque-connect-ip-02 >>> [3] >>> https://datatracker.ietf.org/doc/html/draft-cms-masque-connect-ip-ext-routes-00 >>> [4] >>> https://datatracker.ietf.org/doc/html/draft-tbd-masque-connect-ip-ext-flow-00 >>> [5] >>> https://datatracker.ietf.org/doc/html/draft-kuehlewind-masque-connect-ip-01 >>> -- >>> Masque mailing list >>> Masque@ietf.org >>> https://www.ietf.org/mailman/listinfo/masque >>> >> -- >> Masque mailing list >> Masque@ietf.org >> https://www.ietf.org/mailman/listinfo/masque >> >
- [Masque] Unifying CONNECT-IP Proposals David Schinazi
- Re: [Masque] Unifying CONNECT-IP Proposals Tommy Pauly
- Re: [Masque] Unifying CONNECT-IP Proposals Eric Kinnear
- Re: [Masque] Unifying CONNECT-IP Proposals Martin Duke
- Re: [Masque] Unifying CONNECT-IP Proposals Eric Rescorla
- Re: [Masque] Unifying CONNECT-IP Proposals Martin Duke
- Re: [Masque] Unifying CONNECT-IP Proposals David Schinazi
- Re: [Masque] Unifying CONNECT-IP Proposals Martin Duke