Re: [Masque] Initial look at draft-cms-masque-ip-proxy-reqs-00.txt
David Schinazi <dschinazi.ietf@gmail.com> Tue, 28 July 2020 01:43 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 847013A0AA7 for <masque@ietfa.amsl.com>; Mon, 27 Jul 2020 18:43:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HVcDGva8XImM for <masque@ietfa.amsl.com>; Mon, 27 Jul 2020 18:43:00 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 258043A0AA0 for <masque@ietf.org>; Mon, 27 Jul 2020 18:43:00 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id y18so10065840lfh.11 for <masque@ietf.org>; Mon, 27 Jul 2020 18:43:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ZccUyRLFX+O2caA2vD4brtYFqyfClfavnOXf/cxVHiQ=; b=mTl/wAHNjm4wA5DCRY+LnaQu+l/hTdGUbrA2/Y2BeZ7xwD497Ly3rOgZLLJ0zDj0pb HjGSD6l6ldrKMYM85gbgUhFLabfwXaB91vD+4xP/4wGmlywaKvZcgaJhVVN6GThz4jdt 2EtIQPl+4+j0j5R3rq5WxRjYEzdbO5S35AvG+0340E0eytLz4GBjy11pY1gpOsOZAyO4 DhAcYz6zqC6EDj8z+sozMy5BVRi5lZQ4dpsEp2dHsKw22wuQwOOXWowJs1EmfMPiMDyu S8d9YruQH4YqMgpGmW2+XPFi/wB6D3dDNiCyAyCEpsVKxLyvyIazQ7/QoU9dQZDUoqy8 PPig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZccUyRLFX+O2caA2vD4brtYFqyfClfavnOXf/cxVHiQ=; b=ag8AGs0wNMvdiU0cPP+xCarCsdYW6ZIbnVsdJ+fGjt7F27bzyBPT20r+y8Cy2SQ+AL URUhBMf8MjQR4mIwUdaymTHrfkcwwBxMbz9ZyA8EXbP0lNfUu2smnz1KAEhHzwL8YL2o AtZ2Kaa00KWksLUXWSn+yYuBljLOz+7Kg7dY6+TUJeKD2xBuLAu/LyFvF/wkXZiDI4Iq fISwSHH4FfCp9zo5w6T5FiyEh0mUg2WkD7hHUKWNdhGHwOzBz2YW2s4Iw5Stg3XJI57z yp8asqq4biocv8LgFPgusjXimprUPVfCTdeHchmIzF4pQqwCshZ950bbIFHx2UDTwzoz xgMA==
X-Gm-Message-State: AOAM530A9mmJGkEE9ShctLRaC7GnUVsKbbQ9veUNfFCzcMz6TPQtHAbi NCl3jRskGkxwsk3BN+kxMxWxrsRDcF6r289/oq8=
X-Google-Smtp-Source: ABdhPJyccvrkA+E3DKg3MD1PtKNe/gYQ9KZt2EvghX9o/OmwPcopW4dkYvpNbLAUrn1SuAxbqkVVcUR5+y5/vqfg/6Y=
X-Received: by 2002:a19:803:: with SMTP id 3mr13018816lfi.15.1595900577981; Mon, 27 Jul 2020 18:42:57 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBM94sdL-Ocw+Whca+WR9haC1ircgA6GxefQQ8eed319jg@mail.gmail.com>
In-Reply-To: <CABcZeBM94sdL-Ocw+Whca+WR9haC1ircgA6GxefQQ8eed319jg@mail.gmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Mon, 27 Jul 2020 18:42:47 -0700
Message-ID: <CAPDSy+6oVA8k0Byouj8X247G090N=2p14tOGBScUBGc9EG2-Gg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000c2bc005ab768f54"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/nYutnfnvvEf3NdB5c0QjRn7RCOE>
Subject: Re: [Masque] Initial look at draft-cms-masque-ip-proxy-reqs-00.txt
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2020 01:43:03 -0000
Thanks for the feedback, EKR! Responses inline. David On Mon, Jul 27, 2020 at 5:58 PM Eric Rescorla <ekr@rtfm.com> wrote: > I took an initial look at this document. Comments below. > > S 2. > I'm surprised to not see the common consumer use case where > someone VPNs onto the Internet. I suppose you could argue > that this is "Point to Network" but the way you phrase > this in 2.2 suggests otherwise. > Good point, I think we should add that as a separate use-case to make it clearer that this is something that we want to support. S 3.2. > The protocol will establish Data Transports, which will be able to > forward IP packets, in their unmodified entirety. The protocol will > support both IPv6 [IPV6] and IPv4 [IPV4]. > > This doesn't seem correct. At minimum you should be decrementing the > TTL and you might also be doing IP translation. > It depends on how you look at it. My thinking is that MASQUE itself does not modify IP packets at all. However, once your MASQUE server has decapsulated an IP packet, it'll pass it to its kernel which will then route the packet and decrement the TTL. I think that decrementing the TTL (and any kind of IP translation) should be out of scope for MASQUE IP proxying, and handled by other components separate from MASQUE. We mention translation in the "Non-requirements" section, we should probably add TTL decreasing to that section as well. > S 3.3. > > The protocol will allow endpoints to negotiate the Maximum > Transmission Unit (MTU) in use over a given Data Transport. This > will allow avoiding IP fragmentation, especially as IPv6 does not > allow IP fragmentation by nodes along the path. > > This is an unusual use of the term "negotiate" because as a general > matter, the egress point will have a fixed external MTU and thus > the MTU becomes that minus overhead. > Perhaps "negotiate" isn't the right term. I think what we meant to say was that MASQUE endpoints should have the ability to inform their peer what MTU it has on egress. Do you have a suggestion for a better word? S 3.4/3.5. > > Both the client or server may request to be assigned an IP address > range. In response to the request, the peer will respond with an IP > address range of its choosing. > > This seems like a feature that is intended for Network to Network > VPNs that doesn't make sense for a consumer-type VPN in which the > assumption is that the VPN server is the default router. > Not necessarily. In the consumer VPN protocols today, the server often tells the client what IP to use, and often the client has the ability to suggest an IP it would prefer if available, similar to DHCP. That's what we're trying to replicate here. > At any point in an IP Session (not limited to its initial > negotiation), the protocol will allow both client and server to > request routes to specific IP address ranges. In response to this > request, the peer will have the ability to respond with a subset of > routes that it is willing to accept, or deny the request. > > I don't understand what "request routes" means. Does it mean that > I am asking the peer to be willing to route to those domains? > Something else? > Yes, for example the client could say "I would like a route to 2001:DB8/32", and the server could respond "I'm willing to route you to 2001:DB8:42/48". > S 3.6. > When negotiating the creation of an IP Session, the protocol will > allow both endpoints to exchange an identifier. For example, both > endpoints will be able to identify themselves by sending a fully- > qualified domain name. > > Is this identifier secure authenticated? > Yes, though the way I've been thinking about it would be to have a mechanism for each endpoint to announce its identity, and then a separate mechanism for endpoints to authenticate themselves. The server could potentially use the client's identity when picking which key to use when verifying the client's signature, for example. > S 3.8. > > Additionally to the authentication provided by the transport, the > protocol will have the ability to authenticate both client and server > during the establishment of the IP Session. In particular, it will > be possible for the client to offer an OAuth Access Token [OAUTH] to > the server when requesting IP proxying, potentially through an > extension of the protocol. The protocol will also have the ability > to support vendor-specific authentication mechanisms as extensions. > > This seems incomplete. First, the OAUTH access token doesn't authenticate > the *server*. > I would expect most deployments to use the WebPKI to authenticate the server, and then MASQUE is required to allow other custom mechanisms to authenticate endpoints, such as authenticating the client via OAUTH for example. > S 3.9. > > While it is desirable to transmit IP packets unreliably in most > cases, the protocol will provide a mechanism to allow forwarding some > packets reliably. For example, when using HTTP/3, this can be > accomplished by allowing Data Transports to run over both DATAGRAM > and STREAM frames. > > This seems like an odd feature to add in a VPN protocol. What's the > rationale for this. > It's uncommon for VPN protocols today, but we've seen noticeable performance benefits when sending some specific packets reliably. Using this would be solely at the discretion of MASQUE endpoints. Given that MASQUE is built over QUIC, I suspect any solution we build will involve a stream of some kind, so having the ability to use the stream to route packets won't be significant extra work, especially considering the fact that we'll need this for MASQUE over HTTP/2.
- [Masque] Initial look at draft-cms-masque-ip-prox… Eric Rescorla
- Re: [Masque] Initial look at draft-cms-masque-ip-… David Schinazi
- Re: [Masque] Initial look at draft-cms-masque-ip-… Eric Rescorla