Re: [Masque] Comments on draft-age-masque-connect-ip-01
Eric Rescorla <ekr@rtfm.com> Mon, 08 November 2021 18:32 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05A233A0E1F for <masque@ietfa.amsl.com>; Mon, 8 Nov 2021 10:32:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8VPIq-mOpcUg for <masque@ietfa.amsl.com>; Mon, 8 Nov 2021 10:32:10 -0800 (PST)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E57883A0E19 for <masque@ietf.org>; Mon, 8 Nov 2021 10:32:09 -0800 (PST)
Received: by mail-io1-xd33.google.com with SMTP id y16so2386497ioc.8 for <masque@ietf.org>; Mon, 08 Nov 2021 10:32:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Mw/ce8clRRdTPE27UzU2h4o36KEv/KFz/tqRwc1/uk4=; b=U6dovug+dFwI8iytrPNzi2Lyiohj90OU0p/MPGUxCGQwAKAXxqieVIF6r2tb8HrKXn U0327VwdJLqmrhvP4OlxzhqHl0sOTt100J0sSehuPJnry/ECcRy+XfYDDYVJmhiXi/8N bPqYaryp7w2OKLtnxKdxkeYGDSXMXHCfB5tfwRYJK04R+A06Wop9atkTnSGUprRFXS4A Kp/nzmkOdi3F3r41JiNm6b8VeQWqnqEB6W2B66Q4/LZ9VQqCY/IkDCUAp0V7XcrttFQo 4rqWjNdaiFbvxDzrP6TwusTAAA7uj7SBqU5Jw/EAKX2WPXdeTf4mlhxzZ0SweLf8967+ r8MA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Mw/ce8clRRdTPE27UzU2h4o36KEv/KFz/tqRwc1/uk4=; b=liuBdBy06hiNbRV3tXmJCZH7y5rvZAEtGkXnss8kQFe9ZheURWJxJHKSkRtqwedIwX CjArzM9Ck168jjU5Az9KN/uwBkLt8JpcEvOpWTt5PAZFVWu6/gyyYIpPPChM34gmu07S 4mI8YLxerNb51Nmnuwoxi8YY6ahpIBRNi9jhLWbi6QYHwPHNHUjG9EbvjTYp28JeNWz1 XMFVTH6JYfKQ7mNDKNc2V4TveeNvLgj9B9nja7dwrbJSpeJ7yeJ4nlSpBBj3xxuGpd05 BnEbuzYpp1J0vrtnkyQd+H3KANiNlJl3Kkz3gQOeF1XsF8cT+IMQVBVwo5nugoj3hEjZ FP3Q==
X-Gm-Message-State: AOAM532lTVUiE3yvkP8yyJy8Ld7Jk77zLjHDOVPKP9EC5I/C248CVSdR BwkAGz/CK74/8fo7jTlJ+Wef+d8Q/CsxiHDctkLvQw==
X-Google-Smtp-Source: ABdhPJy+7rCcEWu4n6LzHit0UpidweBY+LhLWcYcFJFn/94q3oBvSVZz+moW5rIczuzavXRDeU5s+QshM20mWcZjIkA=
X-Received: by 2002:a05:6638:190f:: with SMTP id p15mr939243jal.82.1636396325123; Mon, 08 Nov 2021 10:32:05 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMSe7JJ41EC+f1pyAFrm_+9TU2h=SY-_Xy5vX5wu8TgOQ@mail.gmail.com> <7C41DE50-EE9B-4084-8A1D-88471664E23E@apple.com> <CABcZeBN1Q00hLijF9D1Wu7eGVDe_8jRR=QZ9t3gc-xtkee0=rw@mail.gmail.com> <F6EC2485-95BD-4D8A-BF8E-12E9B1F74253@apple.com> <CAPDSy+7wtrnM73phoM1oniW9jwPoqW00Q0ybuUKNdOhmEV96Kg@mail.gmail.com>
In-Reply-To: <CAPDSy+7wtrnM73phoM1oniW9jwPoqW00Q0ybuUKNdOhmEV96Kg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 08 Nov 2021 10:31:28 -0800
Message-ID: <CABcZeBND2b5BkU+vF9zQae24JaNcCnOCkwf6bbbKtL-z0LWzZA@mail.gmail.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: Tommy Pauly <tpauly@apple.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000abc9dc05d04b35b8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/ujOTozFZBhIjSjQPAeIsnzh3Buw>
Subject: Re: [Masque] Comments on draft-age-masque-connect-ip-01
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 18:32:15 -0000
On Mon, Nov 8, 2021 at 10:08 AM David Schinazi <dschinazi.ietf@gmail.com> wrote: > If I may jump in, Tommy I think you misunderstood EKR's point. EKR is > saying that in the common consumer VPN scenario it doesn't make sense for > the CLIENT to send routes to the SERVER. I think we can resolve EKR's > concern by taking this text from draft-cms-masque-connect-ip and copying it > to draft-age-masque-connect-ip: > Yes, this is what I meant. > In theory, endpoints could use ROUTE_ADVERTISEMENT capsules to divert > traffic from naive endpoints. To avoid this, receivers of > ROUTE_ADVERTISEMENT capsules MUST check their local policy before > acting on such capsules, see Section 5. > > > https://datatracker.ietf.org/doc/html/draft-cms-masque-connect-ip-01#section-8 > This seems reasonable. -Ekr > > On Mon, Nov 8, 2021 at 10:04 AM Tommy Pauly <tpauly= > 40apple.com@dmarc.ietf.org> wrote: > >> >> >> On Nov 8, 2021, at 8:43 AM, Eric Rescorla <ekr@rtfm.com> wrote: >> >> >> >> On Mon, Nov 8, 2021 at 7:52 AM Tommy Pauly <tpauly@apple.com> wrote: >> >>> >>> >>> On Nov 7, 2021, at 3:12 PM, Eric Rescorla <ekr@rtfm.com> wrote: >>> >>> This document seems like a reasonable starting point. Good to see >>> the authors converging. Some technical comments below. >>> >>> >>> Thanks for the comments! >>> >>> >>> Overall, I wonder if we should actually forbid the client from >>> using IP addresses in packets when the target is specified. >>> That would avoid goofy situations in which the client does >>> >>> CONNECT 192.0.2.1 >>> >>> And then sends to 192.0.2.2. >>> >>> >>> I think it’s more consistent to define the behavior of what error the >>> sender receives when it sends a packet for which it didn’t have an assigned >>> source address or a valid destination route. Is this cause for dropping the >>> packet silently, sending an error capsule, or closing the request stream >>> with an error? >>> >>> I filed this to discuss: >>> https://github.com/tfpauly/draft-age-masque-connect-ip/issues/43 >>> >> >> I could live with that, though I do like to make it impossible to do bad >> things. >> >> >> Okay, let’s discuss on the issue. >> >> >> >> >>> S 4.1. >>> >>> target: The variable "target" contains a hostname or IP address of a >>> specific host to which the client wants to proxy packets. If the >>> "target" variable is not specified, the client is requesting to >>> communicate with any allowable host. If the target is an IP >>> address, the request will only support a single IP version. If >>> the target is a hostname, the server is expected to perform DNS >>> resolution to determine which route(s) to advertise to the client. >>> The server SHOULD send a ROUTE_ADVERTISEMENT capsule that includes >>> routes for all usable resolved addresses for the requested >>> hostname. >>> >>> This treatment of DNS names seems like it's going to create a lot of >>> additional complexity: for instance, how does the client know which IP >>> to put in the dst field. You don't specify that the >>> ROUTE_ADVERTISEMENT MUST *only* include valid addresses. For instance, >>> suppose that the DNS name resolves to >>> >>> 192.0.2.1 >>> 192.0.2.2 >>> 192.0.2.4 <-- No 192.0.2.3! >>> 192.0.2.5 >>> 192.0.2.6 >>> 192.0.2.7 >>> >>> and the server advertises 192.0.2.1-192.0.2.7. >>> >>> Given that this is an IP layer mechanism, I would simply remove the >>> DNS option; clients can always do DNS over the tunnel. >>> >>> >>> >>> I can see this either way. >>> >>> For cases where I don’t want a full tunnel, but just want to talk to one >>> host, I would need to open an IP flow for a DNS server. I could of course >>> open one, and then open a proxied flow to each target address, and request >>> the same local address I got on the first. >>> >>> This would work, but is more back-and-forth, and also doesn’t give me a >>> way to just ask the proxy to use it’s own DNS cache. For cases like CONNECT >>> and CONNECT-UDP, we’ve found it very useful for latency to have the DNS >>> cache run on the proxy, so that we benefit from all clients going through >>> the proxy sharing the same cache, and not needing a round trip back to the >>> client. To that end, I’d like to at least *allow* connecting by a >>> hostname in the protocol (even if some proxies wouldn’t choose to support >>> that). >>> >> >> I would make several points here. >> >> First, while it's desirable to be able to use the proxy's DNS cache, it's >> increasingly insufficient to simply get the A/AAAA records, for reasons >> such as SVCB. For instance, you wouldn't be able to do ECH using the DNS >> version alone because you would need to look up the SVCB. So, while it does >> incur a round trip, it seems like you are going to need to do a DNS >> resolution for this case. >> >> >> Yes, ECH does require doing a DNS lookup, but (a) ECH may not be >> applicable to the type of connection I’m doing with CONNECT-IP and (b) the >> records for A / AAAA / HTTPS / SVCB may have different TTLs and thus have >> different caching benefits. >> >> >> Second, even taken on its own terms, if I understand this mechanism >> correctly, I think it's still broken for the reason I mentioned above. The >> problem is that you are using the ROUTE_ADVERTISEMENT as an implicit DNS >> resolution--to tell you what to put in the dst-addr. If that's true, then I >> think you need to require that the ROUTE_ADVERTISEMENT to be strict. >> >> >> Yes, I agree that the route advertisement needs to be strict if this is >> allowed. >> >> >> >> >>> >>> >>> S 4.2. >>> Is the server required to send ADDRESS_ASSIGN? If not, what is the >>> client supposed to use as it's source address? Also, what happens >>> if you only get a v6 address but need to talk to a v4 endpoint, >>> or vice versa. >>> >>> >>> https://github.com/tfpauly/draft-age-masque-connect-ip/issues/42 >>> >>> Probably the best thing to say is that any peer that can send packets >>> MUST first have received an ADDRESS_ASSIGN capsule. >>> >>> Regarding v4 and v6, yes, you do need the right family assigned. >>> >>> >>> >>> S 4.2.3. >>> You should probably say something here about how in many cases >>> you shouldn't trust a ROUTE_ADVERTISEMENT. For instance, it's >>> incoherent for an ordinary consumer VPN client to start >>> advertising routes. >>> >>> >>> A full-tunnel VPN server may not have a complex routing table, but it’s >>> still possible to have some “excluded” routes that won’t be allowed >>> (private subnets, etc). Traditionally, most VPN protocols do always include >>> the route information. The “trust” here is just about what the endpoint is >>> willing to route/forward. >>> >>> What kind of warning were you imagining? >>> >> >> "Note: peers MUST NOT blindly trust ROUTE_ADVERTISEMENT. They MUST filter >> it through local policy" >> >> >> Hm, OK. What would “local policy” be here? I guess in the case of >> personal VPN, my client may expect a full tunnel, but if the server tells >> me I can’t route to a specific subnet (maybe it doesn’t allow 10.0.0/24, >> reasonably), my only recourse would be to fail the connection, not to try >> to send to addresses that are disallowed. >> >> Tommy >> >> >> -Ekr >> >> >>> Best, >>> Tommy >>> >>> >>> >>> >>> >>> -- >>> Masque mailing list >>> Masque@ietf.org >>> https://www.ietf.org/mailman/listinfo/masque >>> >>> >>> -- >> Masque mailing list >> Masque@ietf.org >> https://www.ietf.org/mailman/listinfo/masque >> >> >> -- >> Masque mailing list >> Masque@ietf.org >> https://www.ietf.org/mailman/listinfo/masque >> >
- [Masque] Comments on draft-age-masque-connect-ip-… Eric Rescorla
- Re: [Masque] Comments on draft-age-masque-connect… Tommy Pauly
- Re: [Masque] Comments on draft-age-masque-connect… Eric Rescorla
- Re: [Masque] Comments on draft-age-masque-connect… Tommy Pauly
- Re: [Masque] Comments on draft-age-masque-connect… David Schinazi
- Re: [Masque] Comments on draft-age-masque-connect… Ben Schwartz
- Re: [Masque] Comments on draft-age-masque-connect… Eric Rescorla
- Re: [Masque] Comments on draft-age-masque-connect… Eric Rescorla