IETF Logo Mail Archive

Re: [Masque] Updated version of QUIC-aware proxying using HTTP capsules

Ben Schwartz <bemasc@google.com> Wed, 13 October 2021 13:13 UTC

Return-Path: <bemasc@google.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29B233A0975 for <masque@ietfa.amsl.com>; Wed, 13 Oct 2021 06:13:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.097
X-Spam-Level:
X-Spam-Status: No, score=-18.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.499, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4-VYiEjBoA-N for <masque@ietfa.amsl.com>; Wed, 13 Oct 2021 06:13:30 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F080E3A096F for <masque@ietf.org>; Wed, 13 Oct 2021 06:13:29 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id h19so4354133uax.5 for <masque@ietf.org>; Wed, 13 Oct 2021 06:13:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PSyLdCpOrn8OOVgpSCaUtG2CFbjiW16Uw+pCqs5VVNk=; b=N2YorNorsgOSe440QQP5jI3Kl5Nx3NBdes0l0Lw5A9/FKD12kEmif9ZK5s71batB4H KB81gEBY6IioJiqVbD1qiKBBmahygifSCXIrCKHm/n8KIGY5QhzIG7GVaE+oeJatDzBw nvw32JCbPNLK/BdEJwSGbxJBqnDW/9RAyLZf67KpQIJ3q6gr7M0NzBEhjLIuKJJJorGp 3kHE7zXVQoVGFZ4/CDIQZFlZTnwLrgPnTWckSz5m4fldOGItzXre9zNa8t7ipDFXEF1k T+cJuk6I6DGoGyYcB+rSzdZDp2+Tg55SUN+WnjEwqtFXYSnK3xZAMKWb4xYyo5WMfu7f Q7FQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PSyLdCpOrn8OOVgpSCaUtG2CFbjiW16Uw+pCqs5VVNk=; b=m4q9f/ALImUuCHUMWAZkH1myoAECFk08+NpaWMuYXtjhBFNQf82H6zItJERjRPYM2G OLo3UQwE0+XtGtdemNqrz6GbZh+8tPRE2sW2wmTnguXPb11CjknbsMGrXDRLzX/A3j3x 0wvfes9sL+9z1G38QFenrZiHuO26EpqGhX92D/i2ijvN15wRrWmH86FQGRa/Hk10vPSg jiVkfUz4WOQK3ri3oVGnwsShHAHU9MzBLwcNc72VZFwhPx4nnT3pgdit6Xee7jRZsFGE 8//NDecCUK8MnY8N81b+HHpBtbsTD3NEzk7hpQT2x08mzCWCfL/eOpsqHNJNt8DO9Uk7 2e1Q==
X-Gm-Message-State: AOAM5322JIez0oaykQ32zbHDIigt8GQxNLzr+dhFWntv5T5ayBYRBd+T 0sE0YkCNmhAOKywWOA1GtKpvpgTyCMO0vgwu3ODdxnve+Zs=
X-Google-Smtp-Source: ABdhPJybdfWCX2Lu+m5om/4y15DZWUS0scqgyRcfQSa6JQ6gHXFogg9DeIUEGBxmIw7yBup5dazhh7VPhkcoerby4hQ=
X-Received: by 2002:a67:d996:: with SMTP id u22mr38588271vsj.12.1634130808456; Wed, 13 Oct 2021 06:13:28 -0700 (PDT)
MIME-Version: 1.0
References: <163397549825.5676.8723272420216643562@ietfa.amsl.com> <3601C5ED-E15B-4457-AFCC-5F9F1BB176F6@apple.com>
In-Reply-To: <3601C5ED-E15B-4457-AFCC-5F9F1BB176F6@apple.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 13 Oct 2021 09:13:15 -0400
Message-ID: <CAHbrMsA8GQukLnn03dUQxwm7AmAere1Zui783_dSHPOkpdpAHA@mail.gmail.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: MASQUE <masque@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000627c8705ce3bba9c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/y_Q_6qZu-5CiMBAp-ZPSWcOLsow>
Subject: Re: [Masque] Updated version of QUIC-aware proxying using HTTP capsules
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 13:13:36 -0000

I think there's an idea here that is worth pursuing, but I'm not sure about
this specific approach.

To start with a concrete issue, RFC 9000 says "an endpoint MUST NOT reuse a
connection ID when sending to more than one destination address".  To
preserve user privacy, the client connection ID must change when the
client's IP changes.  However, this draft is based on the idea that the
proxy uses essentially a single target-facing port, with the result that
the target doesn't know when the client's address has changed.

There's also a problem in the handling of Stateless Reset responses, which
generate a random Connection ID.  The proxy will have to drop any Reset
responses, because it does not know which client to forward them to.

The requirement that the QUIC packets to forward land on the same
client-facing port as the HTTP/3 connection also strikes me as unnatural
and possibly inconvenient.  The forwarding service really has nothing to do
with the HTTP/3 transport.  There's no reason to even require HTTP/3; the
forwarding service could just as well be controlled using a session that is
running in HTTP/2.

I believe these problems are consequences of trying to conserve port
numbers on the proxy.  This strikes me as a premature optimization.

I think we should benchmark this design against something closer to a
classic NAT:
- Registration ACKs indicate an explicit client-facing IP and port, which
is distinct from the HTTP endpoint
- Each client-facing port is associated with one tunnel
- Each (target-facing port, target) pair is used for at most one tunnel
- Connections should move to a different target-facing port (and possibly
IP) whenever the client's address (as viewed from the proxy) changes

This would remove the need for juggling of Connection IDs, and allow
application to any UDP payload, not just QUIC.  It would allow use with any
HTTP version, and be unaffected by arbitrary HTTP intermediaries.  It can
even be extended to forward TCP.

The port number would impose some scaling limits, but only on the
assumption that IP addresses are scarce.  In IPv6 this is definitely not
true, and scaling seems likely to be manageable even in IPv4, as evidenced
by the successful operation of large-scale TURN servers for WebRTC.

On Tue, Oct 12, 2021 at 2:42 PM Tommy Pauly <tpauly=
40apple.com@dmarc.ietf.org> wrote:

> Hi all,
>
> David and I recently revised the QUIC-aware proxying draft (which adds the
> ability to share sockets and perform forwarding on top of CONNECT-UDP).
>
> This new revision aligns with the latest CONNECT-UDP and HTTP datagram
> drafts by adopting capsules and using CONNECT-UDP’s extended CONNECT method.
>
> We ended up not needing to use any context IDs (as defined in HTTP
> datagrams), but instead are just using some new capsule messages to add
> control signaling between the client and the proxy. Hopefully, this informs
> some of our broader discussion about how the extensibility provided by HTTP
> datagrams can be used, and which parts are most useful.
>
> Best,
> Tommy
>
> Begin forwarded message:
>
> *From: *internet-drafts@ietf.org
> *Subject: **New Version Notification for
> draft-pauly-masque-quic-proxy-02.txt*
> *Date: *October 11, 2021 at 11:04:58 AM PDT
> *To: *David Schinazi <dschinazi.ietf@gmail.com>, Tommy Pauly <
> tpauly@apple.com>
>
>
> A new version of I-D, draft-pauly-masque-quic-proxy-02.txt
> has been successfully submitted by Tommy Pauly and posted to the
> IETF repository.
>
> Name: draft-pauly-masque-quic-proxy
> Revision: 02
> Title: QUIC-Aware Proxying Using HTTP
> Document date: 2021-10-11
> Group: Individual Submission
> Pages: 19
> URL:
> https://www.ietf.org/archive/id/draft-pauly-masque-quic-proxy-02.txt
> Status:
> https://datatracker.ietf.org/doc/draft-pauly-masque-quic-proxy/
> Html:
> https://www.ietf.org/archive/id/draft-pauly-masque-quic-proxy-02.html
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-pauly-masque-quic-proxy
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-pauly-masque-quic-proxy-02
>
> Abstract:
>   This document defines an extension to UDP Proxying over HTTP that
>   adds specific optimizations for proxied QUIC connections.  This
>   extension allows a proxy to reuse UDP 4-tuples for multiple
>   connections.  It also defines a mode of proxying in which QUIC short
>   header packets can be forwarded using an HTTP/3 proxy rather than
>   being re-encapsulated and re-encrypted.
>
>
>
>
> The IETF Secretariat
>
>
>
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>

v2.23.0 | Report a Bug | By Email