IETF Logo Mail Archive

Re: [Masque] Comments on draft-Pauly-masque-quic-proxy

Tommy Pauly <tpauly@apple.com> Tue, 09 March 2021 17:26 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C4E53A1448 for <masque@ietfa.amsl.com>; Tue, 9 Mar 2021 09:26:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.368
X-Spam-Level:
X-Spam-Status: No, score=-2.368 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJ6X5iqBpGuj for <masque@ietfa.amsl.com>; Tue, 9 Mar 2021 09:26:56 -0800 (PST)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87F943A0FFB for <masque@ietf.org>; Tue, 9 Mar 2021 09:26:56 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.42/8.16.0.42) with SMTP id 129HNEQf002971; Tue, 9 Mar 2021 09:26:55 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=pH3R2lXlbxZNBRzQArtxpgyrvZByS3/fOesTh3RY8mI=; b=o0S121GnNG3ihW9226nH2HBOn7tU37JR5I2pdL0Msos8tqTvy3hRUa2hzk5w3cB8ubDi 38GfFDdw9cKHYlP4/ykfBIOO1hqP/U6jVBL3buQqiSs3t4KoE1PePYzF92tNoAVgNC+g NbKZPQ/ctG/XITRhMl9ARyqtLsj3RyDni7CIjxvhowc+6F0cK2fYm5Au4z5zaJoYRgBW xIiXEhrMZ/Knz69EF8Mh2zt4Nuao9/M6zVsvWCviEmpM+00LLpnIFFALtvEe9yTwvPSJ oion+k9sXW1s+M7swcvP9S8kLKhUMCwONZOzNdm5mDa8R0lOIJJhTWBark8DrYhi97Zx Bg==
Received: from rn-mailsvcp-mta-lapp01.rno.apple.com (rn-mailsvcp-mta-lapp01.rno.apple.com [10.225.203.149]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 3749m094f3-8 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 09 Mar 2021 09:26:55 -0800
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPS id <0QPP00WCVPSS0VD0@rn-mailsvcp-mta-lapp01.rno.apple.com>; Tue, 09 Mar 2021 09:26:52 -0800 (PST)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) id <0QPP00W00PNCB700@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Tue, 09 Mar 2021 09:26:52 -0800 (PST)
X-Va-A:
X-Va-T-CD: 8d45deca0a60b8e84b634a23cb93b003
X-Va-E-CD: d03b79626153d538195f1d0bd0e21937
X-Va-R-CD: cf2744d96935aa61600fd869ddf3751f
X-Va-CD: 0
X-Va-ID: 2cce59a0-0e61-46c1-9334-74eb60a757b3
X-V-A:
X-V-T-CD: 8d45deca0a60b8e84b634a23cb93b003
X-V-E-CD: d03b79626153d538195f1d0bd0e21937
X-V-R-CD: cf2744d96935aa61600fd869ddf3751f
X-V-CD: 0
X-V-ID: 70cc4e50-64d9-462a-b0d5-177480c5f9ba
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-09_14:2021-03-09, 2021-03-09 signatures=0
Received: from smtpclient.apple (unknown [17.11.187.109]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPSA id <0QPP00KDCPSQKG00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Tue, 09 Mar 2021 09:26:51 -0800 (PST)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <547B8CA4-2E2C-49D6-9E75-4EE3DA5B6948@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_A62502FB-DEF7-4FAC-A254-8A735B643E47"
MIME-version: 1.0 (Mac OS X Mail 14.0 \(3654.80.0.2.6\))
Date: Tue, 09 Mar 2021 09:26:49 -0800
In-reply-to: <CAM4esxSoWVXtF-CXL-uptmA+iYnBr8AoG1W7ZnxBTzC0aP_PWw@mail.gmail.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, MASQUE <masque@ietf.org>
To: Martin Duke <martin.h.duke@gmail.com>
References: <CAM4esxR1RVMBsbb-OsX0RUMHH4XbSBdrgBFP4oUAs=ws3at_wQ@mail.gmail.com> <438EC9D4-76D0-4639-ADB6-BD9C77ABC9F8@apple.com> <CAM4esxSoWVXtF-CXL-uptmA+iYnBr8AoG1W7ZnxBTzC0aP_PWw@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.80.0.2.6)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-09_14:2021-03-08, 2021-03-09 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/pTA7dKkNW3CYDuNdwTUyIDBSEQo>
Subject: Re: [Masque] Comments on draft-Pauly-masque-quic-proxy
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2021 17:26:59 -0000


> On Mar 9, 2021, at 6:35 AM, Martin Duke <martin.h.duke@gmail.com> wrote:
> 
> I don't think this applies to base CONNECT-UDP. If the client changes its address, the MASQUE connection will do all the verification necessary to mitigate any attacks.

Yes, the proxy will do the validation, but it may want to reset the port to give a hint to the target to look at least like a NAT rebinding event.

> 
> The difference in your draft is the UDP packets are not entirely part of the MASQUE connection anymore.

They’re no longer tunneled, they are just forwarded, right. The proxy becomes a switch/NAT.

> In fact, it would be good to clarify to what extent they do count as part of the connection. Do they:
> 1) have (implied?) packet numbers?
> 2) if so, can they be acknowledged?
> 3) If not, how can they count against congestion control?

The packet numbers, ACKs, and congestion control are all end-to-end, and do not involve the “control” connection between the client and proxy after tunneling starts.

The forwarder still gets to rate control if it wants on a per-flow basis.

> 4) Can they trigger address change events, or will the proxy get a new socket to make the server handle it?

The proxy always is able to choose what socket to forward on, and what rate it allows for forwarding.

Tommy

> 
> I'm sure there are several other similar questions.
> 
> On Tue, Mar 9, 2021 at 5:10 AM Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>> wrote:
> Hi Martin,
> 
>> On Mar 8, 2021, at 3:51 PM, Martin Duke <martin.h.duke@gmail.com <mailto:martin.h.duke@gmail.com>> wrote:
>> 
>> Thanks for writing this draft! I have some comments mostly focused on migration.
>> 
>> I conceptualize this design as the proxy falling back to NAT behavior after the handshake is done. If that’s correct, I suggest you take a look at the (rapidly evolving!) NAT section of the quic-managability draft.
> 
> You’re quite correct that this ends up being quite similar to some NAT considerations, or almost a client-side load balancer.
> 
>> Specifically:
>> 
>> 1) you should discuss the implications of the client receiving NEW_CONN_ID. I gather the client would have to request it from the proxy and revert to tunneling for that CID if rejected?
> 
> That is correct! It’s described a bit in section 4, but we could expand upon it:
> 
>    A client sends new CONNECT-UDP requests when it wants to start a new
>    QUIC connection to a target, when it has received a new Server
>    Connection ID for the target, and before it advertises a new Client
>    Connection ID to the target.
> 
> 
>> 
>> 2) It’s important that any address or port change by the client translate to a new UDP socket in the server direction. To do otherwise would break the path validation mechanisms that protect against a variety of attacks. To the maximum extent possible, port changes should beget port changes and address changes lead to address changes, as QUIC implementations may use this as a heuristic.
> 
> Yes, I agree, and will be adding that to the next version:
> 
> https://github.com/tfpauly/quic-proxy/issues/41 <https://github.com/tfpauly/quic-proxy/issues/41>
> 
> I do think this plays into the base CONNECT-UDP as well:
> 
> https://github.com/ietf-wg-masque/draft-ietf-masque-connect-udp/issues/42 <https://github.com/ietf-wg-masque/draft-ietf-masque-connect-udp/issues/42>
> 
> Best,
> Tommy
> 
>> 
>> Martin
>

v2.23.0 | Report a Bug | By Email