IETF Logo Mail Archive

Re: [Masque] Updated version of QUIC-aware proxying using HTTP capsules

Tommy Pauly <tpauly@apple.com> Wed, 13 October 2021 15:56 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1187C3A0BAA; Wed, 13 Oct 2021 08:56:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.552
X-Spam-Level:
X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CIzDXy7yeY4u; Wed, 13 Oct 2021 08:56:05 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp02.apple.com (ma1-aaemail-dr-lapp02.apple.com [17.171.2.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 793A63A0BAD; Wed, 13 Oct 2021 08:56:05 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp02.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp02.apple.com (8.16.0.42/8.16.0.42) with SMTP id 19DFln3r005587; Wed, 13 Oct 2021 08:56:04 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=8h8AIQXmv8awpwIguzygwk6v3KzH3MH1v6H0eJYNKFY=; b=hl/s+OrDaJ+QEj4qG/pSPeiBDICvQnIV2/8jxH2SrQgR04L249pX1tRkkbbytHHzk+7c OF88fBwcuWFThUd/CW/shmC0z2IiHpfbgennT5kRoRQPCPxfM3w9JrhoMawd9l+JXFtJ RdQy8QAWG/6WeBVqlvkobJt4sC49/XPtqAtlSMCO11R9I0DNLqDUKy5SJote0L5T0IeI bCFvNKKe40UWIRiuK8MaWqtxmXQQJzEgjvFZlvHz72vryeKBUzek5s5CYSfdeuVMBtee M0xciu/GAIS1/DUcNKkPUhFwY0j0j9zwoC9x/MlVWZ/Fls9or1hbOA/bQewgHoyOLXpH qA==
Received: from rn-mailsvcp-mta-lapp01.rno.apple.com (rn-mailsvcp-mta-lapp01.rno.apple.com [10.225.203.149]) by ma1-aaemail-dr-lapp02.apple.com with ESMTP id 3bn032s9fj-8 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 13 Oct 2021 08:56:04 -0700
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) with ESMTPS id <0R0X00X59AXFYJ40@rn-mailsvcp-mta-lapp01.rno.apple.com>; Wed, 13 Oct 2021 08:56:03 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) id <0R0X00Y00APGMA00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Wed, 13 Oct 2021 08:56:03 -0700 (PDT)
X-Va-A:
X-Va-T-CD: e72da815dcb01dab2f988f94f1719970
X-Va-E-CD: 76ae5ac58befbde0fc7e163294402132
X-Va-R-CD: 341336de1de63310fa55b9e8ff757c7f
X-Va-CD: 0
X-Va-ID: 4c68dd9d-f152-4140-a898-cf82af32892c
X-V-A:
X-V-T-CD: e72da815dcb01dab2f988f94f1719970
X-V-E-CD: 76ae5ac58befbde0fc7e163294402132
X-V-R-CD: 341336de1de63310fa55b9e8ff757c7f
X-V-CD: 0
X-V-ID: 4a28255d-07be-4bb5-b683-a496b5f4b036
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-10-13_06:2021-10-13, 2021-10-13 signatures=0
Received: from smtpclient.apple (unknown [17.234.102.109]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) with ESMTPSA id <0R0X0091DAXF2900@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Wed, 13 Oct 2021 08:56:03 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <A5971E56-26AF-40D9-8F36-A3D3AC740B9C@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_A64D9EEE-5103-4ABB-B49D-A35FDB640203"
MIME-version: 1.0 (Mac OS X Mail 15.0 \(3691.0.3\))
Date: Wed, 13 Oct 2021 08:56:03 -0700
In-reply-to: <CAHbrMsA8GQukLnn03dUQxwm7AmAere1Zui783_dSHPOkpdpAHA@mail.gmail.com>
Cc: MASQUE <masque@ietf.org>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
References: <163397549825.5676.8723272420216643562@ietfa.amsl.com> <3601C5ED-E15B-4457-AFCC-5F9F1BB176F6@apple.com> <CAHbrMsA8GQukLnn03dUQxwm7AmAere1Zui783_dSHPOkpdpAHA@mail.gmail.com>
X-Mailer: Apple Mail (2.3691.0.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-10-13_06:2021-10-13, 2021-10-13 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/uGjy1oKlINV5RjTbn8aLMDtQKvM>
Subject: Re: [Masque] Updated version of QUIC-aware proxying using HTTP capsules
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 15:56:10 -0000

Hi Ben,

> On Oct 13, 2021, at 6:13 AM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> 
> I think there's an idea here that is worth pursuing, but I'm not sure about this specific approach.
> 
> To start with a concrete issue, RFC 9000 says "an endpoint MUST NOT reuse a connection ID when sending to more than one destination address".  To preserve user privacy, the client connection ID must change when the client's IP changes.  However, this draft is based on the idea that the proxy uses essentially a single target-facing port, with the result that the target doesn't know when the client's address has changed.

I don’t think there’s any violation of that requirement here. The fact that a proxy hides a client’s original IP address, and any changes that might have (due to passive NAT rebinding or active migration) isn’t any different than with all of CONNECT-UDP proxying.
> 
> There's also a problem in the handling of Stateless Reset responses, which generate a random Connection ID.  The proxy will have to drop any Reset responses, because it does not know which client to forward them to.
> 

Yes, the stateless reset case is an interesting corner case to explore.

> The requirement that the QUIC packets to forward land on the same client-facing port as the HTTP/3 connection also strikes me as unnatural and possibly inconvenient.  The forwarding service really has nothing to do with the HTTP/3 transport.  There's no reason to even require HTTP/3; the forwarding service could just as well be controlled using a session that is running in HTTP/2.

I don’t think you’d want these to be different. From a network observer’s point of view, they wouldn’t be able to tell apart traffic bound to the proxy and traffic forwarded on—they’ll just see a sea of different QUIC SH packets with different connection IDs. It’s also a clear benefit to share address validation state for the return path, and handle NAT rebindings, etc.

> 
> I believe these problems are consequences of trying to conserve port numbers on the proxy.  This strikes me as a premature optimization.

Both the port number usage and the connection forwarding are things we doing today at large scale—this extension is the basis for how we do multi-hop proxies with iCloud Private Relay, and both aspects are hugely valuable optimizations in practice. The setup here is where you have many thousands to millions of concurrent connections that just need lightweight IP blinding to go to a next hop, with an authenticated proxy.

> 
> I think we should benchmark this design against something closer to a classic NAT:
> - Registration ACKs indicate an explicit client-facing IP and port, which is distinct from the HTTP endpoint
> - Each client-facing port is associated with one tunnel
> - Each (target-facing port, target) pair is used for at most one tunnel
> - Connections should move to a different target-facing port (and possibly IP) whenever the client's address (as viewed from the proxy) changes
> 
> This would remove the need for juggling of Connection IDs, and allow application to any UDP payload, not just QUIC.  It would allow use with any HTTP version, and be unaffected by arbitrary HTTP intermediaries.  It can even be extended to forward TCP.
> 
> The port number would impose some scaling limits, but only on the assumption that IP addresses are scarce.  In IPv6 this is definitely not true, and scaling seems likely to be manageable even in IPv4, as evidenced by the successful operation of large-scale TURN servers for WebRTC.

As given in the reasons above, I think this kind of change would be a regression for both privacy and scalability.

Best,
Tommy

> 
> On Tue, Oct 12, 2021 at 2:42 PM Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org <mailto:40apple.com@dmarc.ietf.org>> wrote:
> Hi all,
> 
> David and I recently revised the QUIC-aware proxying draft (which adds the ability to share sockets and perform forwarding on top of CONNECT-UDP).
> 
> This new revision aligns with the latest CONNECT-UDP and HTTP datagram drafts by adopting capsules and using CONNECT-UDP’s extended CONNECT method.
> 
> We ended up not needing to use any context IDs (as defined in HTTP datagrams), but instead are just using some new capsule messages to add control signaling between the client and the proxy. Hopefully, this informs some of our broader discussion about how the extensibility provided by HTTP datagrams can be used, and which parts are most useful.
> 
> Best,
> Tommy
> 
>> Begin forwarded message:
>> 
>> From: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>> Subject: New Version Notification for draft-pauly-masque-quic-proxy-02.txt
>> Date: October 11, 2021 at 11:04:58 AM PDT
>> To: David Schinazi <dschinazi.ietf@gmail.com <mailto:dschinazi.ietf@gmail.com>>, Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>>
>> 
>> 
>> A new version of I-D, draft-pauly-masque-quic-proxy-02.txt
>> has been successfully submitted by Tommy Pauly and posted to the
>> IETF repository.
>> 
>> Name:		draft-pauly-masque-quic-proxy
>> Revision:	02
>> Title:		QUIC-Aware Proxying Using HTTP
>> Document date:	2021-10-11
>> Group:		Individual Submission
>> Pages:		19
>> URL:            https://www.ietf.org/archive/id/draft-pauly-masque-quic-proxy-02.txt <https://www.ietf.org/archive/id/draft-pauly-masque-quic-proxy-02.txt>
>> Status:         https://datatracker.ietf.org/doc/draft-pauly-masque-quic-proxy/ <https://datatracker.ietf.org/doc/draft-pauly-masque-quic-proxy/>
>> Html:           https://www.ietf.org/archive/id/draft-pauly-masque-quic-proxy-02.html <https://www.ietf.org/archive/id/draft-pauly-masque-quic-proxy-02.html>
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-pauly-masque-quic-proxy <https://datatracker.ietf.org/doc/html/draft-pauly-masque-quic-proxy>
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-pauly-masque-quic-proxy-02 <https://www.ietf.org/rfcdiff?url2=draft-pauly-masque-quic-proxy-02>
>> 
>> Abstract:
>>   This document defines an extension to UDP Proxying over HTTP that
>>   adds specific optimizations for proxied QUIC connections.  This
>>   extension allows a proxy to reuse UDP 4-tuples for multiple
>>   connections.  It also defines a mode of proxying in which QUIC short
>>   header packets can be forwarded using an HTTP/3 proxy rather than
>>   being re-encapsulated and re-encrypted.
>> 
>> 
>> 
>> 
>> The IETF Secretariat
>> 
>> 
> 
> -- 
> Masque mailing list
> Masque@ietf.org <mailto:Masque@ietf.org>
> https://www.ietf.org/mailman/listinfo/masque <https://www.ietf.org/mailman/listinfo/masque>

v2.23.0 | Report a Bug | By Email