IETF Logo Mail Archive

Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"

Martin Duke <martin.h.duke@gmail.com> Mon, 07 June 2021 19:39 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 142E03A0417 for <masque@ietfa.amsl.com>; Mon, 7 Jun 2021 12:39:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dK1Y9NIsSxhL for <masque@ietfa.amsl.com>; Mon, 7 Jun 2021 12:39:07 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C756A3A041A for <masque@ietf.org>; Mon, 7 Jun 2021 12:39:07 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id b5so17310939ilc.12 for <masque@ietf.org>; Mon, 07 Jun 2021 12:39:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Fp2FHNRCIm5jXoDqc1cz0N7ZFjHpN9hhA0hczlIZZ7Q=; b=EQA22SqQ68eH8Cw8ed8/GIJ0uGBwywFKtRqBKMdu7826Oyhjjz6kxhbWhXIShE+q1D FMbFg4+Mrn84YB0v1a5Rp8Tq351q6dG5wDKzX/T/JVlBy7fO2bgCxMhDBV42PRZ5mBak YP03iKrdbp6AgqD3+spdQtt9fcsS5G3BvW2l5OgFSC5nvvfrCi+qW2Xk5Ej6Tg/WHTvV RcJzg+cW/1M0+of4x5/wpbq1KDurwgdb55DtWt7TiLmlCTsUaH12AtcavWtgIUlacbWz CCVGrm9bPENCtEcQ71x9fUkByxLhV/zcc1IuUf6qBmspEsAGl8mRhH7y652Rr6P7ZYKU 027w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Fp2FHNRCIm5jXoDqc1cz0N7ZFjHpN9hhA0hczlIZZ7Q=; b=Ue10c2LRXSPr8r/MM93188EaKpL80wbiJs6DZ1omGlggrYvMdztsrCAcB7Zvg5ySWV f7IrgndIt7MHyNZH4+r3l7Q4ktyMGL5tVwnu6i0rppsLrpCA27ddPIhgRzreugX/uOzQ d9W451jjQ02K1zisXea8tp9AdCw2I34054/g03hwkP4ok8PnvyLT1B96HwXzrPNVanFl QPDcy5diF8Nninc0CVg3qxcU8GfFqsMaDnfKmSOp+fyp2wCQLrTjeHQ52y6wMOPjSM2h bo5n1g7+YhR2grBkZ/PuTyH5MhPsfKDXuABWL2qrwhgAJk/wtqt1pmb0xzL2syp85JVn S36g==
X-Gm-Message-State: AOAM531ZE5Sa15292qi7DAX/zt8abpH4TAmmgD3FAZqeA/124BD7Eosx tVMsIA0mh9ZJo1S09F/96bHS0esjgPZTC6dAWQU3mlKD
X-Google-Smtp-Source: ABdhPJw6yJpancEHqI1Tseho03f0uHgmErTOGG2/q30kxqBH4ZTHx0uZ4RIqMzRn/6QkyvB7HWr3YULoncMIi7+1Mhc=
X-Received: by 2002:a92:ce82:: with SMTP id r2mr8857496ilo.272.1623094744708; Mon, 07 Jun 2021 12:39:04 -0700 (PDT)
MIME-Version: 1.0
References: <d314198b-6c01-4b15-84d8-9896b5fdee80@www.fastmail.com> <HE1PR0702MB3772355483E2771650C6D679953F9@HE1PR0702MB3772.eurprd07.prod.outlook.com> <746F7E16-37BD-49EF-896A-649D394CCB05@ericsson.com> <CAPDSy+6PjZk0Kea6154V3=GF-8bs+0Mr+FtFfi-girGh3uAVrQ@mail.gmail.com> <3deea8212d66731de5c81abae353f3e9322f2d57.camel@ericsson.com> <CAPDSy+68DoVrRiC7uEn1-Ze_5LDn9mt7-f+ZeovTTYAUh=w2Og@mail.gmail.com> <21d8fc788051b570768e53d6d9355ed51b423c0a.camel@ericsson.com> <CAKKJt-d-FzXVdJpUTacb4m7ESyB6nzkk1BQSf8rHtReOvD=5Jw@mail.gmail.com> <CAM4esxSE=misCJX=73h-kF+RQdQLC2WBhwv3nv5QgR8HK17diw@mail.gmail.com>
In-Reply-To: <CAM4esxSE=misCJX=73h-kF+RQdQLC2WBhwv3nv5QgR8HK17diw@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Mon, 07 Jun 2021 12:38:59 -0700
Message-ID: <CAM4esxQatk4-ENdz+2jCbpRtr8hT0nLWbVLbb64RMJwvBf2qDA@mail.gmail.com>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, David Schinazi <dschinazi.ietf@gmail.com>, MASQUE <masque@ietf.org>, Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>, Christopher Wood <caw@heapingbits.net>
Content-Type: multipart/alternative; boundary="000000000000b1fbef05c43231d6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/z9ZAYVn6fGHk685y_A9IyHLi6LA>
Subject: Re: [Masque] WGLC for "Requirements for a MASQUE Protocol to Proxy IP Traffic"
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2021 19:39:12 -0000

To clarify what I meant, I'm suggesting the the future IP proxy document
can split out the network-network use case specification if that proves to
be problematic.

I am not saying we should have two requirements documents.

On Mon, Jun 7, 2021 at 12:25 PM Martin Duke <martin.h.duke@gmail.com> wrote:

> I'd like to step in here as AD and make sure we are not talking past each
> other here. IIUC:
>
> (1) Magnus and Mirja do not want to implement 2.4.
> (2) The authors want to make sure the design is extensible to support 2.4,
> but are OK with some endpoints not supporting it.
>
> It does not appear that there is tension between these points. However, I
> understand that Magnus is concerned that 2.4 will hold up the core proxy-ip
> draft unnecessarily.
>
> As AD, if we come to that point, I see no requirement in the charter that
> this be one or two documents; if the option is holding everything up, it
> can go to the IESG while 2.4 has further refinement in the WG. I don't see
> that we have to make this decision now.
>
> Regarding the document at hand, the existing Sec 2 offers the possibility
> that all of the use cases are optional. It does not preclude the path that
> appears to have consensus.
>
> Is that consistent with others' understanding?
>
> Martin
>
> On Mon, Jun 7, 2021 at 5:06 AM Spencer Dawkins at IETF <
> spencerdawkins.ietf@gmail.com> wrote:
>
>>
>>
>> On Mon, Jun 7, 2021, 03:15 Magnus Westerlund <magnus.westerlund=
>> 40ericsson.com@dmarc.ietf.org> wrote:
>>
>>> Hi David and WG,
>>>
>>> Let me attempt to clarify a bit why I have made the comments I have
>>> made. I think they do stem from interepreting the network to network use
>>> cases as a very general technology and from the perspective of deploying
>>> this with clients which the server has limited trust in. I realize that you
>>> are likely comming from another perspective that you only intended to use
>>> this in cases where you have fairly high mutual trust in the client and the
>>> server. I think that is actually the major difference here and why you
>>> below think I am making a circular arguments. I think it all stem from lack
>>> of discussion of this use cases and what operational limitations we
>>> intended to have on the protocol.
>>>
>>
>> I don't know if this would have helped, but I do wish we could tell
>> (explicitly, in the requirements draft) which requirements arose from
>> various use cases.
>>
>> I'm pretty sure that most participants think they know that (likely), but
>> also think that other participants have the same understanding (perhaps
>> less likely). I think that's what Magnus is saying here, if I'm reading the
>> thread correctly.
>>
>> Do The Right Thing, of course.
>>
>> Best,
>>
>> Spencer
>>
>> So if the goal here is to have high mutual trust between client and
>>> server then I think a protocol solution may be able to be defined with such
>>> an applicability statement and less mandate on necessary protocol
>>> mechanisms to protect against malicous peers. I think that is in stark
>>> contrast against some of the other use cases where the trust in the client
>>> could be rather minimal. Like the client and server relationship is only
>>> this is a paying customer that gets a VPN access and the server has no idea
>>> what type of client or implementation that are the peer. This basic use
>>> cases will deploy with an addressing architecture that makes it much less
>>> vulnerable to malicous intent on the routing level.
>>>
>>> So, can we please discuss what assumption we have on the client and
>>> server trust?
>>>
>>> I also think your attempt to sweep the addressing schemes to be used by
>>> the servers under the rug and not disucss them have hurt the understanding.
>>> I at least have been guessing on possible deployment scenarios rather than
>>> that we have openly discussed them in the WG. Yes, they maybe not need to
>>> be detailed in the protocol solution or an arhcitecture document, however
>>> they would have made sense to have some addressing deployment scenarios in
>>> this requirement documents use case section to make clear what would have
>>> been intended. Because they do influence what is needed for the solution.
>>>
>>> Cheers
>>>
>>> Magnus
>>>
>>> --
>>> Masque mailing list
>>> Masque@ietf.org
>>> https://www.ietf.org/mailman/listinfo/masque
>>>
>> --
>> Masque mailing list
>> Masque@ietf.org
>> https://www.ietf.org/mailman/listinfo/masque
>>
>

v2.23.0 | Report a Bug | By Email