IETF Logo Mail Archive

Re: [Masque] Comments on draft-Pauly-masque-quic-proxy

Tommy Pauly <tpauly@apple.com> Tue, 09 March 2021 17:41 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBD7A3A10C1 for <masque@ietfa.amsl.com>; Tue, 9 Mar 2021 09:41:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Icxr2Le83Q_4 for <masque@ietfa.amsl.com>; Tue, 9 Mar 2021 09:41:42 -0800 (PST)
Received: from rn-mailsvcp-ppex-lapp45.apple.com (rn-mailsvcp-ppex-lapp45.rno.apple.com [17.179.253.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A7423A1066 for <masque@ietf.org>; Tue, 9 Mar 2021 09:41:42 -0800 (PST)
Received: from pps.filterd (rn-mailsvcp-ppex-lapp45.rno.apple.com [127.0.0.1]) by rn-mailsvcp-ppex-lapp45.rno.apple.com (8.16.0.43/8.16.0.43) with SMTP id 129HRbCB006687; Tue, 9 Mar 2021 09:41:40 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=agxqTbYqxclXcXqi3dMrThnLKiI+KvGmKQd0SX+j5pQ=; b=qP88HFi8lO/F9NOUpRENrn2PL07Xg7KgwNWzZ5tmj0d5B7zG29G6CSwKuiRo8G9msGZ9 mY+M9zyptwXgT3WiJdp2lTgqkGOVgm+88evjfqDbOINwOv1/h17020jqHvWQpMJzA/ff I5KisGp7rZNGKFdups7Mzc1ZFz9dXtbmwyuP03XAlc+CSC4R2hyB09lHLCzG351zI/r0 G7P73tHciFP4pB8/6Z7J6KyXNVTHN5qI+dJNamQyns/tudPmb+eHqvSBBCysuhBkGNdO pQc4rUO8JKxeCPfcqncu8GlcMiKToLl5CL3UQj5x0jFoAoPIXQfPWSGOhDp3tahrsIjG nw==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by rn-mailsvcp-ppex-lapp45.rno.apple.com with ESMTP id 375vaxu2ve-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 09 Mar 2021 09:41:40 -0800
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPS id <0QPP00L7DQHG22F0@rn-mailsvcp-mta-lapp03.rno.apple.com>; Tue, 09 Mar 2021 09:41:40 -0800 (PST)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) id <0QPP00T00Q897A00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Tue, 09 Mar 2021 09:41:40 -0800 (PST)
X-Va-A:
X-Va-T-CD: 8d45deca0a60b8e84b634a23cb93b003
X-Va-E-CD: 63d5ce0ead647ffdfb290aa727323533
X-Va-R-CD: 5096368f965eaa872b2d6b1b2e97dd40
X-Va-CD: 0
X-Va-ID: 81d1e36b-a1db-4d73-b6e0-dd1dc0532ef5
X-V-A:
X-V-T-CD: 8d45deca0a60b8e84b634a23cb93b003
X-V-E-CD: 63d5ce0ead647ffdfb290aa727323533
X-V-R-CD: 5096368f965eaa872b2d6b1b2e97dd40
X-V-CD: 0
X-V-ID: 80f9f371-f295-424b-8de9-6733112d635b
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-09_14:2021-03-09, 2021-03-09 signatures=0
Received: from smtpclient.apple (unknown [17.11.129.10]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPSA id <0QPP00CKHQHG6G00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Tue, 09 Mar 2021 09:41:40 -0800 (PST)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <3FA1317E-B4DF-43E3-B6CC-A51555D5C972@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_DEAED226-2CD5-44F5-81EC-0A976161053D"
MIME-version: 1.0 (Mac OS X Mail 15.0 \(3668.0.2\))
Date: Tue, 09 Mar 2021 09:41:40 -0800
In-reply-to: <CAM4esxTkxyAbXETE6Q_DCpwmQyauR=2qmV0TJAzTVgMREa1z0A@mail.gmail.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, MASQUE <masque@ietf.org>
To: Martin Duke <martin.h.duke@gmail.com>
References: <CAM4esxR1RVMBsbb-OsX0RUMHH4XbSBdrgBFP4oUAs=ws3at_wQ@mail.gmail.com> <438EC9D4-76D0-4639-ADB6-BD9C77ABC9F8@apple.com> <CAM4esxSoWVXtF-CXL-uptmA+iYnBr8AoG1W7ZnxBTzC0aP_PWw@mail.gmail.com> <547B8CA4-2E2C-49D6-9E75-4EE3DA5B6948@apple.com> <CAM4esxTkxyAbXETE6Q_DCpwmQyauR=2qmV0TJAzTVgMREa1z0A@mail.gmail.com>
X-Mailer: Apple Mail (2.3668.0.2)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-09_14:2021-03-09, 2021-03-09 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/zBZzdnTY21-1zekyoCHWX6hvhS0>
Subject: Re: [Masque] Comments on draft-Pauly-masque-quic-proxy
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2021 17:41:44 -0000

> On Mar 9, 2021, at 9:32 AM, Martin Duke <martin.h.duke@gmail.com> wrote:
> 
> I'm asking about these packets in the context of the MASQUE (outer) connection.

Understood; packets that are not being tunneled have no relationship to the “control" MASQUE connection at all.

Tommy
> 
> On Tue, Mar 9, 2021 at 9:26 AM Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>> wrote:
> 
> 
>> On Mar 9, 2021, at 6:35 AM, Martin Duke <martin.h.duke@gmail.com <mailto:martin.h.duke@gmail.com>> wrote:
>> 
>> I don't think this applies to base CONNECT-UDP. If the client changes its address, the MASQUE connection will do all the verification necessary to mitigate any attacks.
> 
> Yes, the proxy will do the validation, but it may want to reset the port to give a hint to the target to look at least like a NAT rebinding event.
> 
>> 
>> The difference in your draft is the UDP packets are not entirely part of the MASQUE connection anymore.
> 
> They’re no longer tunneled, they are just forwarded, right. The proxy becomes a switch/NAT.
> 
>> In fact, it would be good to clarify to what extent they do count as part of the connection. Do they:
>> 1) have (implied?) packet numbers?
>> 2) if so, can they be acknowledged?
>> 3) If not, how can they count against congestion control?
> 
> The packet numbers, ACKs, and congestion control are all end-to-end, and do not involve the “control” connection between the client and proxy after tunneling starts.
> 
> The forwarder still gets to rate control if it wants on a per-flow basis.
> 
>> 4) Can they trigger address change events, or will the proxy get a new socket to make the server handle it?
> 
> The proxy always is able to choose what socket to forward on, and what rate it allows for forwarding.
> 
> Tommy
> 
>> 
>> I'm sure there are several other similar questions.
>> 
>> On Tue, Mar 9, 2021 at 5:10 AM Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>> wrote:
>> Hi Martin,
>> 
>>> On Mar 8, 2021, at 3:51 PM, Martin Duke <martin.h.duke@gmail.com <mailto:martin.h.duke@gmail.com>> wrote:
>>> 
>>> Thanks for writing this draft! I have some comments mostly focused on migration.
>>> 
>>> I conceptualize this design as the proxy falling back to NAT behavior after the handshake is done. If that’s correct, I suggest you take a look at the (rapidly evolving!) NAT section of the quic-managability draft.
>> 
>> You’re quite correct that this ends up being quite similar to some NAT considerations, or almost a client-side load balancer.
>> 
>>> Specifically:
>>> 
>>> 1) you should discuss the implications of the client receiving NEW_CONN_ID. I gather the client would have to request it from the proxy and revert to tunneling for that CID if rejected?
>> 
>> That is correct! It’s described a bit in section 4, but we could expand upon it:
>> 
>>    A client sends new CONNECT-UDP requests when it wants to start a new
>>    QUIC connection to a target, when it has received a new Server
>>    Connection ID for the target, and before it advertises a new Client
>>    Connection ID to the target.
>> 
>> 
>>> 
>>> 2) It’s important that any address or port change by the client translate to a new UDP socket in the server direction. To do otherwise would break the path validation mechanisms that protect against a variety of attacks. To the maximum extent possible, port changes should beget port changes and address changes lead to address changes, as QUIC implementations may use this as a heuristic.
>> 
>> Yes, I agree, and will be adding that to the next version:
>> 
>> https://github.com/tfpauly/quic-proxy/issues/41 <https://github.com/tfpauly/quic-proxy/issues/41>
>> 
>> I do think this plays into the base CONNECT-UDP as well:
>> 
>> https://github.com/ietf-wg-masque/draft-ietf-masque-connect-udp/issues/42 <https://github.com/ietf-wg-masque/draft-ietf-masque-connect-udp/issues/42>
>> 
>> Best,
>> Tommy
>> 
>>> 
>>> Martin
>> 
> 
> -- 
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque

v2.23.0 | Report a Bug | By Email