Re: [Masque] Fleshing out the MASQUE Protocol

David Schinazi <dschinazi.ietf@gmail.com> Mon, 16 March 2020 19:26 UTC

From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Mon, 16 Mar 2020 12:25:59 -0700
Message-ID: <CAPDSy+4fp_49F+UxaR2TTxQ0q=+F=4fiOZeesn-VhWgUL5r_Ug@mail.gmail.com>
To: Lucas Pardue <lucaspardue.24.7@gmail.com>
Cc: MASQUE <masque@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/sc8bKIcT1dIAQtTYm3iTIRrPV_I>
Subject: Re: [Masque] Fleshing out the MASQUE Protocol

My expectation is that MASQUE needs to know about the connection context
and is not bound by the Fetch spec - in other words, MASQUE is a client
application in its own right that can't be implemented in Web-based
JavaScript for example. Regarding the vulnerability you describe, I think
we'll want to mention this in security considerations and recommend that
implementors have proxying disabled by default unless explicitly enabled by
the server administrator?

David

On Mon, Mar 16, 2020 at 12:19 PM Lucas Pardue <lucaspardue.24.7@gmail.com>
wrote:

> Hi David,
>
> Thanks for this update; it looks good and makes things much clearer to me.
>
> I now understand more about the negotiation element, even though that
> aspect has not changed in your diff. So I have a comment; initial
> connection-wide MASQUE proxy negotiation occurs using a POST method. I'm
> wondering how this applies to client applications that can't or shouldn't
> know about connection context. Specifically, I'm thinking about cases like
> Fetch[1], which prohibits the CONNECT method in order to mitigate a class
> of vulnerability[2]. Any thoughts?
>
> Cheers
> Lucas
>
> [1] - https://fetch.spec.whatwg.org/#methods
> [2] - https://www.kb.cert.org/vuls/id/150227/
>
> On Fri, Mar 13, 2020 at 2:10 AM David Schinazi <dschinazi.ietf@gmail.com>
> wrote:
>
>> Hi folks,
>>
>> I fleshed out a lot of the details in the MASQUE protocol
>> draft, and have submitted the following revision:
>> https://tools.ietf.org/html/draft-schinazi-masque-protocol
>>
>> (note that I renamed it from draft-schinazi-masque to
>> draft-schinazi-masque-protocol to meet naming requirements.)
>>
>> I hope that this draft contains enough information to implement
>> MASQUE Negotiation, and the QUIC Proxying MASQUE Application.
>>
>> Feedback is most welcome!
>>
>> Thanks,
>> David Schinazi
>>
>
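Lucas's point that Fetch prohibits CONNECT, made concrete as an added example (not code from this thread or from the MASQUE draft): a reimplementation of the Fetch standard's method validation, forbidden-method and normalization steps, run over the POST the draft uses for negotiation and over CONNECT. The `masque.example` URL is a placeholder.

```javascript
"use strict";
// Added example, not from the thread: the method rules the Fetch standard
// (https://fetch.spec.whatwg.org/#methods) applies when web content builds a
// Request. Reimplemented here so the rules are visible and run offline.

// RFC 7230 "token" production: the only characters a method may contain.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Fetch: a forbidden method is a byte-case-insensitive match for CONNECT,
// TRACE or TRACK. CONNECT is blocked so web content cannot drive proxy
// tunnels (the class of issue behind VU#150227 cited above).
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

// Fetch uppercases only these six methods; any other token keeps its case.
const NORMALIZED_METHODS = new Set(["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"]);

// Mirrors the Request constructor steps: validate the token, reject
// forbidden methods, then normalize. Throws TypeError where a browser would.
function fetchMethodCheck(method) {
  if (typeof method !== "string" || !TOKEN_RE.test(method)) {
    throw new TypeError(`'${method}' is not a valid HTTP method`);
  }
  const upper = method.toUpperCase();
  if (FORBIDDEN_METHODS.has(upper)) {
    throw new TypeError(`'${method}' HTTP method is unsupported`);
  }
  return NORMALIZED_METHODS.has(upper) ? upper : method;
}

// Can a web page issue this method through fetch() at all?
function isAllowedByFetch(method) {
  try { fetchMethodCheck(method); return true; } catch (e) { return false; }
}

// Cross-check against the runtime's own Request when one exists
// (Node 18+ ships a spec-following fetch); null if there is no global Request.
function runtimeRequestAccepts(method) {
  if (typeof Request !== "function") return null;
  try { new Request("https://masque.example/", { method }); return true; }
  catch (e) { return false; }
}

// The negotiation POST passes the Fetch checks; a CONNECT tunnel request
// does not, which is the gap Lucas's question is about.
for (const m of ["POST", "post", "CONNECT", "connect", "TRACE", "GET /x"]) {
  console.log(m.padEnd(8), "fetch:", isAllowedByFetch(m), "runtime:", runtimeRequestAccepts(m));
}
```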