Re: [Masque] Comments on draft-Pauly-masque-quic-proxy
Martin Duke <martin.h.duke@gmail.com> Tue, 09 March 2021 17:49 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23D343A1493 for <masque@ietfa.amsl.com>; Tue, 9 Mar 2021 09:49:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BWkWe19-HieB for <masque@ietfa.amsl.com>; Tue, 9 Mar 2021 09:49:03 -0800 (PST)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E03CF3A1491 for <masque@ietf.org>; Tue, 9 Mar 2021 09:49:02 -0800 (PST)
Received: by mail-il1-x12b.google.com with SMTP id b5so12939477ilq.10 for <masque@ietf.org>; Tue, 09 Mar 2021 09:49:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CJ/JYKBW0kYKE4pMU8ZzEaCzOjQWrHiOOaa8iwjKL4s=; b=NOtA1vP8WT3F4rgUNmih3uCBQz11Pd6xj3XWGhJr3tjpYHLxo9lSa6S40bKbkfwDrC /BlEppqljFg4AkjI67w9QkRfStPmlO5RG/H9o89LVZmb7fkE9vEyOsX/3faEJn/99plE y6iI12uFK8cSGoa0Qj0P8zPDXYK+WSUK0HZZuPC7MD4g1NVgskoZt1HePKPVuHDPJAdz 3PKWKWtAKErhEwX+bXFtpoKpW2r7Lj/Hrd3REH0y3fbfoDju59aG7iBunme6oiu5Q71l Pl0fefC7hlrCAvFMM2k7jqh6eebebsEza+Ex5m09VvMySg4ZX5XcjkOl7ZPdHuRZ1Wr+ 43zA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CJ/JYKBW0kYKE4pMU8ZzEaCzOjQWrHiOOaa8iwjKL4s=; b=LsQpkFEVuCMvI8GJeWLq1eSuvt6owZVNZEgtbZBFWnkmjpNk9CyRhH4iEEx60c/Wv2 AlrG0vUa96HE/XXjoSfgxswtm/KeMLN6NhF5D/jnpz31/J9rM+gGXjpx66UbbUifRH4x Ufwiwdy3rhl8/z4TARTVNKDIRYAsvidc5FX6tkIzYEdsknJ9Iqof2zCQ39NlxQEH4nUY eWK8qjr+iUfwUAqIRoyD+FXE/eJqnx8tJ3JnTwhQQ9dRMDkk8VKEuvHfq7AieJBIYbbD 4OaJv37HBrjvXlJViAqBla2UissbEXGdk9Ylzw22rY2zlCFJXGaSqJCeicgrAInEpw7N lxZQ==
X-Gm-Message-State: AOAM533Ba5E69PfPbn9umFCo24Kzj023DGHRh31Aw0b2exfckLKMOm6g mrBJgyXLJtji+n1qY4HvtgK6fwiKAnIeRUP4uSA=
X-Google-Smtp-Source: ABdhPJxaJb7V+E7O73quIxKJXaJ0Z611YwZEgy2T45Z4Q5FjuwddPCXWQ1RDmKh0DCA2tohPXGyds2NeonjHUY0EAhg=
X-Received: by 2002:a05:6e02:2142:: with SMTP id d2mr25143574ilv.249.1615312141455; Tue, 09 Mar 2021 09:49:01 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxR1RVMBsbb-OsX0RUMHH4XbSBdrgBFP4oUAs=ws3at_wQ@mail.gmail.com> <438EC9D4-76D0-4639-ADB6-BD9C77ABC9F8@apple.com> <CAM4esxSoWVXtF-CXL-uptmA+iYnBr8AoG1W7ZnxBTzC0aP_PWw@mail.gmail.com> <547B8CA4-2E2C-49D6-9E75-4EE3DA5B6948@apple.com> <CAM4esxTkxyAbXETE6Q_DCpwmQyauR=2qmV0TJAzTVgMREa1z0A@mail.gmail.com> <3FA1317E-B4DF-43E3-B6CC-A51555D5C972@apple.com>
In-Reply-To: <3FA1317E-B4DF-43E3-B6CC-A51555D5C972@apple.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 09 Mar 2021 09:48:55 -0800
Message-ID: <CAM4esxTA4GgSLGBWkhrESzNFhVBvAyH2GPyPDpeLeGcNcMswLw@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006497df05bd1e2a83"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/qaDfnWi68dIW5tB1bptaQAqw7Ro>
Subject: Re: [Masque] Comments on draft-Pauly-masque-quic-proxy
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2021 17:49:06 -0000
Cool. That ought to be clarified in the draft, and now the proxy definitely needs to open a new UDP socket in the server direction when the client address/port changes. On Tue, Mar 9, 2021 at 9:41 AM Tommy Pauly <tpauly@apple.com> wrote: > > On Mar 9, 2021, at 9:32 AM, Martin Duke <martin.h.duke@gmail.com> wrote: > > I'm asking about these packets in the context of the MASQUE (outer) > connection. > > > Understood; packets that are not being tunneled have no relationship to > the “control" MASQUE connection at all. > > Tommy > > > On Tue, Mar 9, 2021 at 9:26 AM Tommy Pauly <tpauly@apple.com> wrote: > >> >> >> On Mar 9, 2021, at 6:35 AM, Martin Duke <martin.h.duke@gmail.com> wrote: >> >> I don't think this applies to base CONNECT-UDP. If the client changes its >> address, the MASQUE connection will do all the verification necessary to >> mitigate any attacks. >> >> >> Yes, the proxy will do the validation, but it may want to reset the port >> to give a hint to the target to look at least like a NAT rebinding event. >> >> >> The difference in your draft is the UDP packets are not entirely part of >> the MASQUE connection anymore. >> >> >> They’re no longer tunneled, they are just forwarded, right. The proxy >> becomes a switch/NAT. >> >> In fact, it would be good to clarify to what extent they do count as part >> of the connection. Do they: >> 1) have (implied?) packet numbers? >> >> 2) if so, can they be acknowledged? >> 3) If not, how can they count against congestion control? >> >> >> The packet numbers, ACKs, and congestion control are all end-to-end, and >> do not involve the “control” connection between the client and proxy after >> tunneling starts. >> >> The forwarder still gets to rate control if it wants on a per-flow basis. >> >> 4) Can they trigger address change events, or will the proxy get a new >> socket to make the server handle it? >> >> >> The proxy always is able to choose what socket to forward on, and what >> rate it allows for forwarding. >> >> Tommy >> >> >> I'm sure there are several other similar questions. >> >> On Tue, Mar 9, 2021 at 5:10 AM Tommy Pauly <tpauly@apple.com> wrote: >> >>> Hi Martin, >>> >>> On Mar 8, 2021, at 3:51 PM, Martin Duke <martin.h.duke@gmail.com> wrote: >>> >>> Thanks for writing this draft! I have some comments mostly focused on >>> migration. >>> >>> I conceptualize this design as the proxy falling back to NAT behavior >>> after the handshake is done. If that’s correct, I suggest you take a look >>> at the (rapidly evolving!) NAT section of the quic-managability draft. >>> >>> >>> You’re quite correct that this ends up being quite similar to some NAT >>> considerations, or almost a client-side load balancer. >>> >>> Specifically: >>> >>> 1) you should discuss the implications of the client receiving >>> NEW_CONN_ID. I gather the client would have to request it from the proxy >>> and revert to tunneling for that CID if rejected? >>> >>> >>> That is correct! It’s described a bit in section 4, but we could expand >>> upon it: >>> >>> A client sends new CONNECT-UDP requests when it wants to start a new >>> QUIC connection to a target, when it has received a new Server >>> Connection ID for the target, and before it advertises a new Client >>> Connection ID to the target. >>> >>> >>> >>> >>> 2) It’s important that any address or port change by the client >>> translate to a new UDP socket in the server direction. To do otherwise >>> would break the path validation mechanisms that protect against a variety >>> of attacks. To the maximum extent possible, port changes should beget port >>> changes and address changes lead to address changes, as QUIC >>> implementations may use this as a heuristic. >>> >>> >>> Yes, I agree, and will be adding that to the next version: >>> >>> https://github.com/tfpauly/quic-proxy/issues/41 >>> >>> I do think this plays into the base CONNECT-UDP as well: >>> >>> https://github.com/ietf-wg-masque/draft-ietf-masque-connect-udp/issues/42 >>> >>> Best, >>> Tommy >>> >>> >>> Martin >>> >>> >>> >> -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque > > >
- [Masque] Comments on draft-Pauly-masque-quic-proxy Martin Duke
- Re: [Masque] Comments on draft-Pauly-masque-quic-… Ian Swett
- Re: [Masque] Comments on draft-Pauly-masque-quic-… Martin Duke
- Re: [Masque] Comments on draft-Pauly-masque-quic-… Tommy Pauly
- Re: [Masque] Comments on draft-Pauly-masque-quic-… Martin Duke
- Re: [Masque] Comments on draft-Pauly-masque-quic-… Tommy Pauly
- Re: [Masque] Comments on draft-Pauly-masque-quic-… Martin Duke
- Re: [Masque] Comments on draft-Pauly-masque-quic-… Tommy Pauly
- Re: [Masque] Comments on draft-Pauly-masque-quic-… Martin Duke