Re: [Masque] Éric Vyncke's Discuss on draft-ietf-masque-connect-ip-09: (with DISCUSS and COMMENT)
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Wed, 12 April 2023 10:54 UTC
Return-Path: <evyncke@cisco.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62E89C151544; Wed, 12 Apr 2023 03:54:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.595
X-Spam-Level:
X-Spam-Status: No, score=-9.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="fbwE0LX3"; dkim=pass (1024-bit key) header.d=cisco.com header.b="JBXOvRs/"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0jAqVPsNFsWH; Wed, 12 Apr 2023 03:53:57 -0700 (PDT)
Received: from aer-iport-7.cisco.com (aer-iport-7.cisco.com [173.38.203.69]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E3F6C151532; Wed, 12 Apr 2023 03:53:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=35403; q=dns/txt; s=iport; t=1681296837; x=1682506437; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=BB4SVRiu13LkG2RnUkc9VGELqVOtQbuTCMvF+wRy3Z8=; b=fbwE0LX3rFbQmbZRCA60aKrnRH1b1iH2waPbteeMJBqyyhbpoSUflvNo ofoK0bua0KGRo1c/NlZ0VugEn578koivLGc5Yi1UjePoYuI1zHdVYgLfG gbZGsW9pkKARqxuJhMnjhOqJ8JaePXgrwcrO9qepqDSmiNlGhvRjFMHbx g=;
X-IPAS-Result: A0AoAACRjDZklxbLJq1aHQEBAQEJARIBBQUBZYEWCAELAYEqMVJzAlkpEkaEUoNMA4RPX4gwA4ETFooikhEUgREDVg8BAQENAQE7CQQBAYUGAhaFJyY0CQ4BAgICAQEBAQMCAwEBAQEBAQMBAQUBAQECAQcEFAEBAQEBAQEBNwUQNYVoDYYDAQEBAQMSER0BATcBDwIBCA4DAwECIQcDAgICHxEUBgMIAgQOBRYMglwBghUTAzEDAQ8GnwIBgT8CiiB6gTKBAYIIAQEGBAWBOwIBCwICQAGaPw2CRwMGgUEBh0YEdl4BAYMzhGZCgUlEgRUnDBCCMDc+giBCAQECAYEoAQELBgFBDQmDJTmCLol1hH6CaIhqCoE0doEgDoE8gQQCCQIRa4EQCGqBeUACDWQLDm+BSYMqBAIUPwc2AxkrHUADC3A/NRQgBlhtLBETBQMLFSpHBAg4Bhs0EQIIDxIPBiZEDkI3MxMGXAEpCw4RA1CBRwQvgV0GASYknCmBXSUtGWoEFA4ZEAYCBBAMMC8BXgsEFQIBDgMWEREpA5IvCoMTR4pJjimTCD5vCoN+i3KPDgSGAwQvg32MZoZrimGGMWKFf4w2hT6NU4NukRwIGIR5AgQCBAUCDgEBBjWBLjprcHAVOyoBgggBAQExUhkPjiARCAkVgzuFFIpldQI7AgcBCgEBAwkBgjmGM4JYAQE
IronPort-PHdr: A9a23:w/lFQRKQwZOtrUaWedmcuasyDhhOgF28FgcY8N8gk71RN/7l9JX5N 0uZ7vJo3xfFXoTevupNkPGe87vhVmoJ/YubvTgcfYZNWR4IhYRenwEpDMOfT0yuBPXrdCc9W s9FUQwt5Gm1ZHBcA922fFjOuju35D8WFA/4MF94OPXzEY3fp8+2zOu1vZbUZlYAiD+0e7gnN Byttk2RrpwPnIJ4I6Atyx3E6ndJYLFQwmVlZBqfyh39/cy3upVk9kxt
IronPort-Data: A9a23:8tiQgazwI2d6ADzPx4F6t+cKxirEfRIJ4+MujC+fZmUNrF6WrkUCy WtOCmCHbv+CMDH3eogla96+ox4G68TQz4AxG1Ru/lhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJloCCea/H9BC5C5xZVG/fngqoHUVaiVakideSc+EH160U46wbZj6mJVqYHR7z2l6 IuaT/L3YDdJ6xYsWo7Dw/vewP/HlK2aVAIw5jTSV9gS1LPtvyV94KYkGE2EByCQrr+4sQKNb 72rILmRpgs19vq2Yz+vuu6TnkYiGtY+MeUS45Zbc/DKv/RMmsA9+rwBPaFMRE1PsDauh/Nvz t8XsJGvcAh8a8UgmMxFO/VZOyhzJ+hN/6XKZCHl98eS1EbBNXDrxp2CDmlvYtZeobYxWzkVs 6ZCQNwORkjra+aezayqTOJvi+woLdLgO8UUvXQIITTxUa16EMiYHs0m4/dbwGsboNhrQ8+dP ds4RB5Mbj/sTkdAbwJ/5JUWxbf02SaXnydjgFecvrMq7kDSwRB/lr/3P7L9f9WRXNhY202Yr 2Pc5Ez4Dw0UctuFxlKt/miliPOKnC7nVscXHaah6/Mvi1qVwGEYFFgXTXO6rOW3zEmkVLp3K kEP9QIvoLQ8skuxQbHAswaQqXOe+x8EXMBMVusz9EeGy7Hf5ECSAW1soiN9hMIOrvU/HmwH3 EeynPTxJiJpuueQRG2k+eLBxd+tAhQ9IWgHbC4CaAIK5dj/vY0+5i4jqP4+T8ZZafWoQVnNL yC2QDsW2u1L0J5Xv0mv1QmW0mnw/PAlWyZsvl2PNl9J+D+Vc6adQ+REA3D49/9DK5nxorKp5 yFBw5DOhAziJbWAjzeAWq01G7Wg4frtDdE9vbKNN8R4n9hO0yf9FWy13N2YDBw4WirjUWWwC HI/QSsLuPdu0IKCNMebmb6ZBcUw1rTHHt/4TP3SZdcmSsEvJFbdp34+PhPLgTiFfK0QfUcXZ 8/znSGEUClyNEib5GHeqxo1iOVynXlumQs/u7iqk03PPUWiiI69EOdZbwTmghER56KfqwKd6 MdEK8aP0H1ivB7WPEHqHXooBQlSdxATXMmuw+QOL77rH+aTMDx4YxMn6eh6ININcmU8vrqgw 0xRrWcBkAOu2SOdeFvWAp2hAZu2NatCQbsAFXVEFX6j2mMoZsCk66J3Snf9VeBPGDBLpRKsc 8Q4Rg==
IronPort-HdrOrdr: A9a23:ddgCq6qc8sd1an5vv1a0mdEaV5uUL9V00zEX/kB9WHVpm5Oj5q OTdaUgtSMc1gxxZJh5o6HwBEDhexzhHZ4c2/hpAV7QZniXhILIFvAt0WKG+UyDJ8SQzJ8h6U 4NSdkYNDS0NykFsS+Y2nj4Lz9D+qj6zEnAv463pB0BIXAOGsVdBkVCe3mm+yZNNXF77O8CZe ChD7181kGdkBosH6KG738+MdTrlpnurtbLcBQGDxko5E2lljWz8oP3FBCew1M3Ty5P6a1Kyx mHryXJooGY992rwB7V0GHeq75MnsH699dFDMuQzuAINzTXjBqybogJYczBgNl1mpDr1L8Zqq iKn/4SBbU015oXRBDtnfLZ4Xil7N/p0Q679bbXuwq5nSWzfkNINyMIv/MqTvKe0TthgDk3up g7ql6xpt5ZCwjNkz/64MWNXxZ2llCsqX5niuILiWdDOLFuJYO5gLZvt3+9Kq1wVh7S+cQiCq 1jHcvc7PFZfReTaG3YpHBmxJipUm4oFhmLT0AesojNugIm00xR3g8d3ogSj30A/JUyR91N4P nFKL1hkPVLQtUNZaxwCe8dSY+8C3DLQxjLLGWOSG6XWJ0vKjbIsdr68b817OaldNgBy4Yzgo 3IVBdCuWs7ayvVeIWzNV1wg1nwqUmGLELQI5tlluxEU5XHNc3WDRE=
X-IronPort-Anti-Spam-Filtered: true
Received: from aer-iport-nat.cisco.com (HELO aer-core-12.cisco.com) ([173.38.203.22]) by aer-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 12 Apr 2023 10:53:54 +0000
Received: from aer-opgw-2.cisco.com (aer-opgw-2.cisco.com [173.38.212.134]) by aer-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 33CArrGp032883 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 12 Apr 2023 10:53:53 GMT
Received: from mail-bn8nam12lp2172.outbound.protection.outlook.com (HELO NAM12-BN8-obe.outbound.protection.outlook.com) ([104.47.55.172]) by aer-opgw-2.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Apr 2023 10:53:53 +0000
Received: from mail-bn8nam12lp2172.outbound.protection.outlook.com (HELO NAM12-BN8-obe.outbound.protection.outlook.com) ([104.47.55.172]) by aer-opgw-2.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Apr 2023 10:53:53 +0000
Received: from mail-bn8nam12lp2172.outbound.protection.outlook.com (HELO NAM12-BN8-obe.outbound.protection.outlook.com) ([104.47.55.172]) by aer-opgw-2.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Apr 2023 10:53:53 +0000
Authentication-Results: aer-opgw-2.cisco.com; dkim=pass (signature verified) header.i=@cisco.com; spf=Pass smtp.mailfrom=evyncke@cisco.com; dmarc=pass (p=quarantine dis=none) d=cisco.com
X-IronPort-AV: E=Sophos;i="5.98,339,1673913600"; d="scan'";a="62074"
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mZ3I6WutRQOzbyY+a67q69s9gN05AXdvcmTtYKjp2wgIiakMr47yNg0D9VfXChlnANQR6wG+lEkfYIDbz6Akuztskd1zhlPuuH6cmdxVAxvS8koJOyoQJgee6rk1eRqJoah59trUlNHRaqYIMwJVVumJvt36jgJYaJmGuJUwo5uop52HldiLYs679Mlc/uPyRV0JT57wezVvaPstCE1+a6+80pXPUO0o0XxC+nxnoLqJiHiLg1Cjg/gonDCgsqN8P6FjGNytrcGNqkX0fPKvPqicHOxubT9Gq9oRQdJwCavVkQK+OFXUs8O5UenbbNtldOm40Y7yPOU7MzD1uqgixA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=BB4SVRiu13LkG2RnUkc9VGELqVOtQbuTCMvF+wRy3Z8=; b=bJHdWOXv706DY1O/9ueFPCkaQwhngeCBUXUEUA8LSfxuyLQA+paXuKHpuQCtlFvj2ugudlWbg7JRmN+jgxL9z5GUa74CkPcVzdYK54YKgfA1kshQAumj4Rx9bW0I3nidSCOvmWbODSqSBbcR5GXYuddAmTkGQ/pVgShQuakbPdJeoBDLdCbTXOqJ+ra0rz80zXi1f3HhhOahdRoJ0vH2k1wqx7RSv3kHqDsRZpp5cj6E6o0FlmiwI0yjbUmbPt2GONfBLdkIlD2lLzoywVVpPpSk58gspP/mM4pBPfTwWL25Ml60BX9q8tzARxLbRdcDEtzMbOEXfX2xDcNa+FDRsg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BB4SVRiu13LkG2RnUkc9VGELqVOtQbuTCMvF+wRy3Z8=; b=JBXOvRs/yRGIHTR0c7Yyt6zAuaGXCWproijj8K7Vo3+10z9fE48fMIWNj8XnPo4TmqMvTSqa1bxPnYm1+U/jJgMHZ2kvZd8fhZGc2yD+6ZpGq4ybCE1shUljXaCMsIlCGunSN37gVYuKbS7sIBNCOU7JUPAbF0bbCMcPLH7iXis=
Received: from PH0PR11MB4966.namprd11.prod.outlook.com (2603:10b6:510:42::21) by IA1PR11MB7726.namprd11.prod.outlook.com (2603:10b6:208:3f4::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6298.30; Wed, 12 Apr 2023 10:53:50 +0000
Received: from PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::1cb4:210d:7f4d:ab99]) by PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::1cb4:210d:7f4d:ab99%9]) with mapi id 15.20.6298.030; Wed, 12 Apr 2023 10:53:50 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-masque-connect-ip@ietf.org" <draft-ietf-masque-connect-ip@ietf.org>, "masque-chairs@ietf.org" <masque-chairs@ietf.org>, "masque@ietf.org" <masque@ietf.org>, "caw@heapingbits.net" <caw@heapingbits.net>
Thread-Topic: Éric Vyncke's Discuss on draft-ietf-masque-connect-ip-09: (with DISCUSS and COMMENT)
Thread-Index: AQHZbGjalRrQ6eGTwUabi66uUpVc268mzfOAgADU4AA=
Date: Wed, 12 Apr 2023 10:53:49 +0000
Message-ID: <09D789D4-1B4F-4292-837B-2BF0D92EBF4C@cisco.com>
References: <168121253516.32736.10754673770332939967@ietfa.amsl.com> <CAPDSy+5joAN3X15PNYv5p9X5vde4mz6rXSf3dFXG1b0D4ZVpSg@mail.gmail.com>
In-Reply-To: <CAPDSy+5joAN3X15PNYv5p9X5vde4mz6rXSf3dFXG1b0D4ZVpSg@mail.gmail.com>
Accept-Language: fr-BE, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.71.23032500
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH0PR11MB4966:EE_|IA1PR11MB7726:EE_
x-ms-office365-filtering-correlation-id: 72ec96d9-ead0-44ea-e0f4-08db3b4432da
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: l++A7kbPJTEXTpMlG2WaxQ2rrejVanDItDfMtUFb29raquZS08GNACG1mlc8W/h08oas/MNZgVqNGGgIRzYvpWPtjJp54502V/qXvBhuJ21fbaXo65LFlXzpRuH+4GAbEX2tRxnre9z/sY4F5M0f7arc9l3kFJc+NOYKWatAszSBXTwyGpA9OhF/fuvK2yD4E/QSLMc+h1ALCtap5AEZmcFHQ39TUz230JHimG0vGeui4bffS2DwCzE7HW/QEXDX+nW5PxprBexyRrhR4zcUSAZp2h0Wsu5cJvL9CCurX6WncCF5XKeA8q6Iadm3omwRNZtlUdA32rGnRYolUws1xZQK+He2oHDb82ekOYIvgzxPmTe2dv6VKUvJ/A6r2QiMdWm/2DFcH84Iga33snligO+LYi4IDRgyk+hARMyOaoK5+0LGbGGyDLonHwtDwitKA6p5g7u93wv+YUElR7iwEaJ1bH+Qq9Woms7rX5k/P00NhIxh80DdeyDe957QnV/St6Cq201liSRHuHlwTUeV3axxvwgAf2fdSL79a0XqSJtg6cOMGBh/NQ9oODl73J/63tEfUKpZIVYwRVL3FEe4+Vc56Rfiq+U07udLo4jQlxnsFkf4zKa3rPNFbSCj9WuonTqhKVQGUzfkWEm3QWFZht1SqPPtfbjcVnxYpt8CmU0Tqkuf7rF7nKTNmbN3k45N
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR11MB4966.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(396003)(136003)(366004)(376002)(346002)(39860400002)(451199021)(66574015)(2616005)(83380400001)(76116006)(91956017)(966005)(478600001)(6486002)(186003)(54906003)(6506007)(53546011)(6512007)(2906002)(36756003)(33656002)(224303003)(5660300002)(38100700002)(122000001)(64756008)(66946007)(66446008)(66556008)(6916009)(4326008)(66476007)(41300700001)(8936002)(38070700005)(166002)(316002)(86362001)(71200400001)(66899021)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: owz9g/aRwWPG4kjwzIczeZzdwDqVUbmj34ZEE7JJ1gBxr9+4XwmmnWOwn9QeW4nEuHyx2JIPBO7xhCCT64tjR09D8lb9D7haG9NAfYOe7cSQMqTiHXjQbCsh9EdDxsJIFwcbWUg4QSogp1owgzd5Q86Kvr8Uf/AxuS33sLPpIdDFgsauusnm9HRTfL+nIKRlzvTYEB5jXAAA4NmhUethhdhOcB1FvZbEU9rdch8GNtIsLgXCEb+nQlma0PN29SqXdKkVBh53XUEMXRvFjA+FvyyJSWgesMymg5oTkbqZsj3tN9XTgO+mV5UeoTMj10z9NhqfrfIHPGGSsClL67JpCE4PdXpWWl6W/qFBFf+U6Ke9QAB3lt1LMzeJebMDoYbiy9a6VjPL9Th/sJScKc5zef4Sz4iYl/+QmSa8SUH3MdjJ1ADAHojpvdRMzUOIveExolBkBcI/yjQTgKr9A3VgPOYUCR0qJFNIsPpE4WFYH/JOdI5iDnM75K9GF4DBTz0gbqdZw4GfVAYsRbA+i3aI2VjegwVeop85cIZyydcOtJSBHrrTmrNrcvVlumibWXGtsf80//dkz2XgApIkJCfoxlWHF9PRdhYxWHexlbdN+74hlBezn6OYa76cfnua1AdkaOocQz9MThbuHzE0s55ruKU0RzYVyV2xH/GUCc+gdtZpYLrUnlEAzQVpU/zVSJVCzOv0O4D/EhB8hJnW1iPF+T7YZ2g8fhpp3Mil8TaLbMLjaEcQtGVQcu7V0YcA3PGJOyJX2esZMFGOuPSYzgPhhOoRBQlLS0322+JcBU/pF2TQeDQmv8ri5Wda/8bagz8P75vNbOp79S2FMrA+4deVT4Gx3ZQ6X36x+gNJ0u8UlD7VatigXS1Jdp6JAYfL/kQrp5qrXN8+CynpDoPVG0vRGn+RZp9IPfpaeMbFJySF9n+zmo9uB6ZzTSWhzY+5vAHZAwh3dZatON3Mv8jLMUidPxc8ERoXqaZnxYGcvAcGJ7D9QWihM5lwUHAyxub10bout2IPLT6ys6WFU+bVistImj/mKPLwyKEwG12L6pQmiiGktohEgRHQDhaZnvGCgisj2brDf6FIOJnjDEYqyecjS8ipMle60udBvBUTcmEOZaP2G3zqLBcb1A5nTysV+v43/mMgaMkbBC/AVxRQitMs6uAjevTBohM8FGHxYoHfHGXfz8FCBbdDxdltt4h19hMCYjNwPwJyXE0Nt4yl4PG6yLIBv5nOjl5FuJhFX/BDuOKKaohQM8gtgYFPa2L3Advt55TKtCbRgfTYJFcaVUszvAqq1V76Bp+EAalDIIzWGmbWpzdI8EnUL8mFHcHD+KKh188pWOHmRHi8f2KbOiw8fwrrECzgTiALUsjHKbuBSAWNUMTaHnyaH505WJ2IOmy4qCgZmbRe3GWlMuFIxEsvaIFp7ZxBVi6Ax/9uZbMQlfMRlbWMF7GygepSZo97Y1d9awHSvDYbM78ZoTasOHg+p8fStAHwFUXI97kV4LfgoDTj+9BaM40bPX71tzLxoXFeJn8IjNEatZEeuGkczqFG4G5Y2BU7nSb8N2sv+uQDgOLFnk8Mnm+bH23kiTCv5AtBh6hYVbJsN+6+PV5pt48Ln4DGSfTkKyh6rtjH9XdzgmAM8cmoRZnNxnNAEj5/zn4I
Content-Type: multipart/alternative; boundary="_000_09D789D41B4F4292837B2BF0D92EBF4Cciscocom_"
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 72ec96d9-ead0-44ea-e0f4-08db3b4432da
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Apr 2023 10:53:49.9886 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 9L8342orF3oVJd4DlzG/7Er/Vyjk59293V59EqXCbAWLm4hIWBONAL5UIErQ6kFD0BfySB/R/SCtlkmurBd/6g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR11MB7726
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/rcKKer4kcvGZ2YSqzv7xeKndiaE>
Subject: Re: [Masque] Éric Vyncke's Discuss on draft-ietf-masque-connect-ip-09: (with DISCUSS and COMMENT)
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Apr 2023 10:54:01 -0000
Hello David, Thank you for your prompt reply. As you know, authors may completely ignore the COMMENT points as they are not blocking. Please look below for EV> for my replies. And, to be clear, I intend to ballot a YES once the DICUSS points are discussed/addressed as I really like the technique. Regards -éric From: David Schinazi <dschinazi.ietf@gmail.com> Date: Wednesday, 12 April 2023 at 02:12 To: Eric Vyncke <evyncke@cisco.com> Cc: The IESG <iesg@ietf.org>, "draft-ietf-masque-connect-ip@ietf.org" <draft-ietf-masque-connect-ip@ietf.org>, "masque-chairs@ietf.org" <masque-chairs@ietf.org>, "masque@ietf.org" <masque@ietf.org>, "caw@heapingbits.net" <caw@heapingbits.net> Subject: Re: Éric Vyncke's Discuss on draft-ietf-masque-connect-ip-09: (with DISCUSS and COMMENT) Hi Éric, and thank you for your review. In this email, I'll address your DISCUSS points. We'll dive into your COMMENTs once we've cleared your DISCUSS. Please see responses inline. David On Tue, Apr 11, 2023 at 4:28 AM Éric Vyncke via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote: Éric Vyncke has entered the following ballot position for draft-ietf-masque-connect-ip-09: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-masque-connect-ip/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thank you for the work put into this document. I *really* find the idea and the protocol interesting and useful. The text is also easy to read and to understand (albeit underspecified in some cases -- hence my DISCUSS). Please find below some blocking DISCUSS points (easy to address by adding some text), some non-blocking COMMENT points (but replies would be appreciated even if only for my own education), and some nits. Special thanks to Chris Wood for the shepherd's detailed write-up including the WG consensus *but* it lacks the justification of the intended status. Other thanks to Tim Winters, the Internet directorate reviewer (at my request): https://datatracker.ietf.org/doc/review-ietf-masque-connect-ip-09-intdir-telechat-winters-2023-04-07/ (and I have read the email exchange, thanks to all) I hope that this review helps to improve the document, Regards, -éric # DISCUSS (blocking) As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a DISCUSS ballot is a request to have a discussion on the following topics: ## Section 8 Several parts of this section are unspecified, see below. `Note that ICMP messages can originate from a source address different from that of the IP proxying peer.` is of course obvious, but I think that this case (ICMP originating from the global Internet to the proxy client) deserves a section on its own. Notably whether this source must be within the target ? This is discussed in the following paragraph of our Security Considerations: https://www.ietf.org/archive/id/draft-ietf-masque-connect-ip-09.html#section-12-4 Does that answer your question? EV> Not really, the point in the security section is valid and should be kept of course. EV> But, the sentence in section 8 is really terse and would benefit from a paragraph on its own. EV> Would the authors object adding a sentence like "Client SHOULD expect receiving ICMP messages sourced outside of the target." ? EV> If authors object, then I am clearing this DISCUSS point as it would have been discussed. The source address to be used by the proxy when originating an ICMP should also be specified, even if just a reference to RFC 6724 for IPv6. We already reference RFC 4443 which discusses this in section 2.2. I'm not sure adding a reference to RFC 6724 is required. Either way, may I propose we move this editorial topic out of your DISCUSS block and into a COMMENT please? EV> the reference to RFC 4443 in section 8 is correct even if I would prefer to have a clearer text rather than " IP proxying endpoints SHOULD use ICMP" (the use being rather vague, what about "IP proxying endpoints SHOULD generate an ICMP by implementing ICMP/ICMPv6" ?). It is about clarification. EV> BTW, I forgot to add a non-blocking COMMENT on this section about ICMP generation about packets received from the Internet to the proxy client. Feel free to ignore of course. ## Section 9.2 In the example where the IP proxy has an IP address in the same prefix as the legacy client (there is no on-link / off-link state for IPv4 as opposed to IPv6), the encapsulation behavior of section 7 requires the TTL to be decremented before entering the tunnel, which is really wrong as it this case it is not formally a routing to a different prefix and some protocols may expect TTL=255, which won't be the case. Request to add some text about this "issue". Can you elaborate on what protocols do this? As far as I know, all modern OSes set a default TTL of 64 so you'd never see a TTL or Hop Limit of 255. We use something very similar to this example in production and haven't had any TTL problems. EV> Erik Kline has also noticed this issue. As you asked for examples, from the top of my head: EV> The generalized TTL security mechanism, RFC 5082, is often used outside of BGP/LDP (and BTW I would love to support BGP on a MASQUE IP proxy) EV> RFC 4891, NDP, also relies on HL=255 EV> See also section 11 of RFC 6762 (mDNS) EV> In short, there is either a shortcoming in the route/address negotiation in connect-ip as it allows such deployement EV> or this example should be annotated by some text about the TTL/HL being decremented in what appears a link operation. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- # COMMENTS (non blocking) ## Waiting for Last Call PR ? May I suggest, next time, to wait until a revised I-D is submitted based on the IETF Last Call before balloting ? E.g., the PR based on the sec-dir review is not yet merged AFAIK. ## Section 3 `The URI Template MUST NOT contain any non-ASCII unicode characters and MUST only contain ASCII characters in the range 0x21-0x7E inclusive` the fist part of the sentence appears as useless as the second part is more restrictive. ## Section 4.1 In `establishes an IP tunnel` should the other side of the tunnel specified ? ## Section 4.6 Should the text also be clear that the proxy should only proxy packets *from* the target to the client ? ## Section 4.7.1 Should the text specify what are the unused bits of the prefix when the prefix length is not the address length ? I.e., is 2001:db8:cafe:babe:f00d::/32 a valid prefix ? ## Section 4.7.3 In the previous sections, IP protocol could also be an IPv6 extension header. I.e., using "0" as a wildcard value prevents using it to signal Hop-by-hop extension header. Should 59 be used ? (even if no next header is only for IPv6) BTW, I was about to ballot DISCUSS on this issue. The reader (including myself and John Scudder per his ballot) would probably welcome more explanations to understand why the usual CIDR/prefix notation for routes is not used. I.e., some routers only use CIDR/prefix FIB entries and one start-end range could translate in a lot of CIDR/prefix routes in the router FIB. ## Section 7 Thanks for the text about link-local addresses and link-local multicast. But, then it raises the question about which IP address to use when replying to a link-local multicast ? I.e., can a global address be used in the absence of LLA ? ## Section 8 Please also add "hop-limit exceeded" in the non-exhaustive list of errors. Should ICMP echo requests be mentioned ? (they are *not* error signaling but are quite useful). ## Section 9.1 In `Such VPN setups can be either full-tunnel or split-tunnel` please define (or add a reference) to full/split tunnel or simply do not mention those terms now as they are defined later. `using a source address in its assigned prefix` while the client has been assigned a single /32 (i.e., the sentence is correct but could be confusing) The legends of figures 15 and 16 use different templates ("capsule" in one case) is it on purpose ? Should the split-tunnel example have two routes to exclude 192.2.0.42 ? ## Section 12 RFC 5095 is probably not the best RFC about extension header security, there have been many others notably in V6OPS by Fernando Gont et al. Should there be an informative reference to RFC 6169 (Security Concerns with IP Tunneling) ? # NITS (non blocking / cosmetic) ## Section 4.1 s/via A and/or AAAA records/via A and/or AAAA resource records/ ?
- [Masque] Éric Vyncke's Discuss on draft-ietf-masq… Éric Vyncke via Datatracker
- Re: [Masque] Éric Vyncke's Discuss on draft-ietf-… David Schinazi
- Re: [Masque] Éric Vyncke's Discuss on draft-ietf-… Eric Vyncke (evyncke)
- Re: [Masque] Éric Vyncke's Discuss on draft-ietf-… David Schinazi
- Re: [Masque] Éric Vyncke's Discuss on draft-ietf-… David Schinazi
- Re: [Masque] Éric Vyncke's Discuss on draft-ietf-… Eric Vyncke (evyncke)
- Re: [Masque] Éric Vyncke's Discuss on draft-ietf-… David Schinazi
- Re: [Masque] Éric Vyncke's Discuss on draft-ietf-… David Schinazi