IETF Logo Mail Archive

Re: [Masque] Comments on draft-pauly-masque-quic-proxy-01.txt

Eric Rescorla <ekr@rtfm.com> Thu, 15 April 2021 19:03 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0202C3A1ACC for <masque@ietfa.amsl.com>; Thu, 15 Apr 2021 12:03:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2GyfL4DOieCA for <masque@ietfa.amsl.com>; Thu, 15 Apr 2021 12:03:07 -0700 (PDT)
Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED5D13A2B0C for <masque@ietf.org>; Thu, 15 Apr 2021 12:03:06 -0700 (PDT)
Received: by mail-io1-xd2a.google.com with SMTP id k25so25306787iob.6 for <masque@ietf.org>; Thu, 15 Apr 2021 12:03:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3LvIOdvbwQr+A7jLBcE6871Nz/mlMGSe+ZelbykQaYg=; b=WkDwMkGQdhs+jlnfqkJ7Y06K33ec9oZk5IDH1Z+7yYcalbboZziGqUFS2jAoYN10ps GkpERr5i3gJUR6u+olSmjhDkZ+NWwmQlOATFPnGlxHt6qVGzFaSWqw3ZahGRlHbiify/ iBHFSAcaxkIkFKCJH7Npc6ivJCtyrfo3cqHBCzUeWEqqRIHAYLKKxh8PqlWekzdG2VFa vbcwPWTtyFagy3BFGM9N9cv8zGtc+oIEpy8MzozvaQNV+OVLw0UF+hQiEikRmZUW8+BX 5ei1mJZZj4dc76S9Rb9KQ3Q8rC+fyWoxh8SNoJPZee7b7wBdw2oCwHes9fnP8/lzaJgy M6qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3LvIOdvbwQr+A7jLBcE6871Nz/mlMGSe+ZelbykQaYg=; b=j5i27UnlmMa4+e0l4o8RI1WzWLIUxV4+aYjOrBpPuMDXaf8KeSCOq7qUAQo7p3IOXg 29YRVELk1ONOXh5wQIZy979DOcTwfaILFe5N6X51ntQjK/cuAzsDxY98jTSrC61GNVEa 56F778C0A26EJQpToiVwX/Hiw7f1SGRuX6RdrvdfyQB1J8mIgDuq7/vuTJZL39KetnnM ZmbDIFYjefgUPBRxhLl4a1i4cOTWX15zwmkpSK3VRcxcHudlRH3v0wGSlKN44tRR/t0A 06B7YiyuOYBbGokOQpxH7O67bHR9ceEy1K+04GU4L8nAQSGFnLQtTndxOYVoZPNozmIs 8vIQ==
X-Gm-Message-State: AOAM530sAhElFQmQJyYfYQqLBhxIkJ6S+lkv4kGNrnf4Yxw9a4ejWYO0 +NXjlbsOywAkZKVH/BBkeWAo2dvY0Biq6jdzghTN9w==
X-Google-Smtp-Source: ABdhPJzMRw5Tgos7/0DevfZD8GOk/BNeuH1I5rvG9p/j6dFmG47lld3CXSz3MbIMjNx6FHkW5FBhJo1xFTeh2Je2uTY=
X-Received: by 2002:a05:6638:2591:: with SMTP id s17mr637943jat.87.1618513385576; Thu, 15 Apr 2021 12:03:05 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBOdjGJeKi+oMLWee6WcZ47=KfjrqvfL_7QxA0qkRV61uw@mail.gmail.com> <24B3B557-5D90-4311-9F2F-9FD51393FC7F@apple.com>
In-Reply-To: <24B3B557-5D90-4311-9F2F-9FD51393FC7F@apple.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 15 Apr 2021 12:02:29 -0700
Message-ID: <CABcZeBNvVhzJqW5+1ytSoc3uLngQz9yP5WLTbDh_Smk0Kdnx+w@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000069806105c0078385"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/tDNkGSh8btLdNbLCsFijj41aFzs>
Subject: Re: [Masque] Comments on draft-pauly-masque-quic-proxy-01.txt
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2021 19:03:12 -0000

On Thu, Apr 15, 2021 at 11:52 AM Tommy Pauly <tpauly@apple.com> wrote:

> Hi ekr,
>
> On Apr 15, 2021, at 10:27 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> Hi folks,
>
> I've reviewed this document. At a high level, I'm unconvinced of the
> requirements that lead to this design. I agree that QUIC in QUIC
> is going to be common, but ISTM that
>
> First, the Forwarded mode. I have two concerns here:
>
> 1. The general thrust of QUIC is to encrypt everything and having the
>    non-handshake data in the clear goes against that. It is also much
>    more difficult to analyze.
>
>
> In this case, the feature is to allow not double-encrypting data. However,
> there would never be any packets exposed on a path that wouldn’t be fully
> encrypted. It’s essentially made for multi-hop proxy cases where
> re-encryption is not a requirement for security or privacy.
>
> For example, if you use two proxies, you can forward from the first to the
> second, and then tunnel to the target.
>

I understand your point, but I don't think it's really responsive to my
concern. Exposing the data between the client and the proxy has a material
impact on the security of the data on that hop.


>
> 2. This document offers performance as the reason for forwarding mode,
>    but I think we should be quite suspicious of such claims without
>    strong evidence. The cost of symmetric encryption and decryption in
>    modern systems is extraordinarily low [0] especially with hardware
>    support, so removing the encryption seems unlikely to materially
>    change the performance profile of most proxies.
>
>
> The scalability of letting a proxy in a multi-hop proxy setup essentially
> just be a packet forwarder is very measurable.
>
> Our slides that we drew up for IETF 110 go into the details here:
>
> https://datatracker.ietf.org/meeting/110/materials/slides-110-masque-quic-aware-proxying-00
>

Thanks for this data. I think I missed this presentation. Assuming I'm
reading this correctly, it seems to me like most of the difference here is
probably due to the fact that you're not having to pull the data into
quiche. That's not meaningless, but it's also precisely the kind of
implementation issue that it seems like one could address in a production
environment. Certainly, the crypto itself doesn't seem like the primary
concern a modern AES-GCM core can easily saturate a 1Gig link.


Forwarding also does have a notable impact on effective MTU once you start
> going through multiple hops, so allowing forwarding in these environments
> allows for more hops scaling well.
>

I'm not sure what environments you have in mind here, but the primary
multi-hop environment I know of is anonymity networks like Tor. However, in
that case (1) you absolutely need to tunnel, not forward and (2) you
generally want a rather different packet framing (i.e., one that is
constant-size per hop).


>
> Second, I'm not really convinced of the need to reuse local host/port
> values. We have plenty of experience with TCP proxies that use a
> separate port for each connection (this is, after all, what a CDN is
> on the back end), and AFAIK that works out mostly OK. You don't
> really explain why this is necessary, but I can imagine two
> reasons:
>
> 1. Port scarcity -- this seems like mostly an IPv4 issue, as you can
>    use IPv6 to have an arbitrary number of addresses.
>
>
> Right, this is more of an issue for IPv4 than IPv6. However for
> particularly large numbers of connections being proxied between the same
> two nodes, it does make things simpler.
>

Well, seeing as it comes at the cost of significantly more protocol
complexity, this seems like an arguable point.


> 2. Implementation issues around having multiple sockets open -- this
>    seems like something that is fixable at the OS level (and again,
>    we'll want to for QUIC CDNs), so we don't need to add protocol
>    machinery.
>
>
> Agreed that this can be managed in various ways on a system.
>
>
> Given that much of the complexity of this proposal comes from these
> two requirements, ISTM that they require fairly close examination.
>
> If we were to relax both requirements, it seems to me that we could
> have a much simpler protocol which was basically QUIC-specific header
> compression. I can imagine a number of different ways to implement
> this, including pre-registration (the sender tells the receiver about
> CIDs in advance) or notification (the receiver tells the sender "I now
> know CID X and you can compress it with label Y"). Note that we could
> probably just fold such a compression scheme into whatever (if
> anything) we did for IP header compression.
>
> If we only relax the forwarding requirement, then we would still
> need some mechanism to mux multiple clients on the same host/port
> quartet. I can imagine a number of angles here:
>
> 1. The design you have in which the client has to pre-register
>    each receiving CID.
> 2. A design in which the proxy provides part of the CID or
>    tells the client how to construct them. This would have
>    the advantage that the proxy never told the client "no",
>    which simplifies the client logic [1].
> 3. Require the clients to use high entropy CIDs (made easier
>    with header compression) and just assume that conflicts
>    are errors.
>
>
> Agreed that collisions should be rare, and I’m fine with designs that just
> make such collisions errors.
>
> I think it comes down to being able to support forwarding, which (for the
> reasons I list above) I believe is an important capability. Not to always
> be used, but to be possible.
>

OK. I think I'd need to hear something much more convincing than the
reasons above to be in favor of forwarding.

-Ekr

Thanks,
> Tommy
>
>
> -Ekr
>
> [0] It's quite old, but see:
> https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
>
> [1] And testing, as CID collisions will be very rare.
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>
>
>

v2.23.0 | Report a Bug | By Email