IETF Logo Mail Archive

Re: [Ohai] Proxying WebSockets and gRPC

Eric Orth <ericorth@google.com> Tue, 26 September 2023 19:10 UTC

Return-Path: <ericorth@google.com>
X-Original-To: ohai@ietfa.amsl.com
Delivered-To: ohai@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5827CC137364 for <ohai@ietfa.amsl.com>; Tue, 26 Sep 2023 12:10:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.607
X-Spam-Level:
X-Spam-Status: No, score=-22.607 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jPrwx_Lzartt for <ohai@ietfa.amsl.com>; Tue, 26 Sep 2023 12:10:07 -0700 (PDT)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC5AEC13737E for <ohai@ietf.org>; Tue, 26 Sep 2023 12:10:06 -0700 (PDT)
Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-52fe27898e9so11473993a12.0 for <ohai@ietf.org>; Tue, 26 Sep 2023 12:10:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1695755405; x=1696360205; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KpwO6mjy6nxwlpFILToYCjrBDzVokTaDPznZquuwdfk=; b=jLcKMQNuPwKA3dT0BvFsv6Xao9vix6wlXDWUCIMT/7Tf8iuCLYDlrAt4Vp6MU83t9E ahVWl16lRHFRX1EDmaTZnvjJ4x6RS7oN4uOQ+ziWK7Qiiw/WhFnMQCvY8/fFlCo4mKBT OCiyWTaEAagOFFCN9E6+Ou9sgPQd/3l+hJ9y65sepdS8pBVVgiJj03MNo84CbwubdeeI A/8FWyIoZNGs/GdPNjDmjSOTzol/GS36jMmExaWqtmfOVZh5+uBwe2pC8cejA/HXhtc2 f8r+Fozu/hVPfoPeUTYH4qC4CeNbVwEmpWZnHVMmvU63UyL2opTyHCeqmDHfpH7H0l2c 0XYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695755405; x=1696360205; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KpwO6mjy6nxwlpFILToYCjrBDzVokTaDPznZquuwdfk=; b=wf2dO+Dgi5ApvWxh6xdBrBPeGCY3B00Ja91CkbS8vRPFvnJsQmGJFXti4MLVDrpoT7 O081T7ZU0Kj7sv2Qf/oFdJ5f1hA6QKMeDAOkGMnvhsq4i8o1ivWZO5enwLy6SsoQvf5u 4tQT1PJ3/aYS3EmeKy7sd26M7j+nVXVLW59qVqwfmRy+8Vi6lEZiC+23og06m0xgs6NA i4N46AALyeu1zAZiOhhucRTCqoW7PRf0m2jBx1Yn2yQiPoeC1rHTK8Vl8M/JSJEdmXmy I5l76+kLP03v0NerctcwYErgs9dA++PI4JH/qbr+744LuwOG+vT4tcS00hYfjeCDA8sJ HC5w==
X-Gm-Message-State: AOJu0YzOW0byXWeZEe9Jt6XurZYYhXp/h9AGpLU+Psg4h7v3PzoNuMG7 b6ypddMiLgn4iB/tZc6ypoEo/G+mAOo/sKu6eYn13g==
X-Google-Smtp-Source: AGHT+IHmRkWv2zUeRiDKWcJMtuwwIrEvlSV12QLIxuPVllk+NtXVfsMujuOcoIIYZIWprgLzmYZFuhM360wPHo/vXL4=
X-Received: by 2002:a17:906:210a:b0:9ae:6bef:4a54 with SMTP id 10-20020a170906210a00b009ae6bef4a54mr8791990ejt.3.1695755404762; Tue, 26 Sep 2023 12:10:04 -0700 (PDT)
MIME-Version: 1.0
References: <0C3B0472-9937-451C-BE84-DE7C28CA00BE@heapingbits.net> <a43a726a-d513-45ac-8ff0-a75423fd0e1f@betaapp.fastmail.com> <0D1678F2-4353-4D81-962D-E583E2FCA5FB@apple.com> <1A5A1199-AE4D-4DDF-BFAC-1AF0E10C01E4@heapingbits.net> <CAMOjQcGEj8mqbk_mEY5t5T5g1MAK2NWtk3QBn6gOwWAxS=Ca5g@mail.gmail.com> <987E0856-878C-44E0-9B93-4C3B78847376@heapingbits.net>
In-Reply-To: <987E0856-878C-44E0-9B93-4C3B78847376@heapingbits.net>
From: Eric Orth <ericorth@google.com>
Date: Tue, 26 Sep 2023 15:09:53 -0400
Message-ID: <CAMOjQcEGij4BS38q3h2jN4NLUmrgaDtrNFtJQGBVtwB-3ZWwRQ@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Martin Thomson <mt@lowentropy.net>, ohai@ietf.org
Content-Type: multipart/alternative; boundary="000000000000879269060647d271"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohai/f41lTsXTeBYyR1mpJ-OY6aEC5rk>
Subject: Re: [Ohai] Proxying WebSockets and gRPC
X-BeenThere: ohai@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Oblivious HTTP Application Intermediation <ohai.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ohai>, <mailto:ohai-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ohai/>
List-Post: <mailto:ohai@ietf.org>
List-Help: <mailto:ohai-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ohai>, <mailto:ohai-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Sep 2023 19:10:11 -0000

On Tue, Sep 26, 2023 at 3:01 PM Christopher Wood <caw@heapingbits.net>
wrote:

>
> On Sep 26, 2023, at 2:54 PM, Eric Orth <ericorth@google.com> wrote:
>
> Maybe it's my unfamiliarity with gRPC, but why wouldn't that simple
> REST-like API fit over "normal" OHTTP without the need for chunked OHTTP or
> additional extensive guidance? What is the gRPC layer adding that is both
> helpful for the interaction and that you can't just send as a simple
> request and response?
>
>
> gRPC supports streams of messages, which is why I brought chunked OHTTP
> into the picture. If you don’t care about streams, then yes, you should in
> theory just be able to use OHTTP out of the box.
>
>
> For the most part, I think we've avoided the need for guidance on adapting
> specific protocols to OHTTP because it's either obvious or it's not well
> suited to OHTTP.  If something like gRPC adds a bunch of stuff that doesn't
> obviously fit into OHTTP, then the answer is probably to not use gRPC and
> just extract out the requests and responses into a more pure OHTTP
> interaction.  Just like how OHTTP is not actually compatible with generic
> HTTP and you can't expect any arbitrary HTTP interaction to cleanly go over
> OHTTP without massaging it into OHTTP compatibility, we shouldn't expect
> other HTTP-like protocols to go cleanly over OHTTP either.
>
>
> Anecdotally, what constitutes “a bunch of stuff that doesn’t obviously fit
> into OHTTP” is not obvious to everyone, which is partly why I raise this
> topic. I appreciate that they may be obvious to folks on this list, but I
> don’t think this list represents the audience of people who may want to
> actually use these technologies in practice.
>

Fair enough, but if it's not obvious to folks on this list how gRPC could
obviously fit into OHTTP, then the answer for best guidance to people off
the list is probably something along the lines of "Don't use gRPC over
OHTTP.  If you have a simple streamed-message API without needing
persistence or sessions, extract out your streamed messages and send them
directly over chunked OHTTP."


>
> Best,
> Chris
>
>
> On Tue, Sep 26, 2023 at 10:26 AM Christopher Wood <caw@heapingbits.net>
> wrote:
>
>> I agree with the technical points below around privacy, security, and
>> cost, but I feel like the core question was missed. To help sharpen it,
>> let’s ignore WebSockets for the time being and focus on gRPC.
>>
>> First, I think we all understand that OHTTP targets a constrained set of
>> HTTP use cases — we debated about the name for a while because of this very
>> reason! That constraints are basically what Tommy described: there is no
>> state across requests and there is no notion of a session. My claim is that
>> gRPC can be used to build application APIs with these exact same semantics.
>> Moreover, given that gRPC uses HTTP under the hood, it seems perfectly
>> reasonable to use OHTTP to provide the desired privacy properties under
>> these constraints.
>>
>> To provide an example, imagine you were building a weather app. The app
>> has one API — give me the forecast for a particular location (where
>> location could be city, lat/lon coordinates, or whatever). We could build
>> this API in a REST-like way by defining a weather resource, and then
>> GETting the weather for a particular location, e.g.,
>>
>>    Client->Server: GET /weather?location=newyorkcity
>>    Server->Client: 200 OK <weather>
>>
>> We could also build this API in an RPC-like way by defining a procedure
>> that computes the weather based on a location message and returns the
>> result. Handwaving over the gRPC layer, interacting with this API using
>> HTTP is then something like this:
>>
>>    Client->Server: POST /weather <body includes protobuf of location
>> message>
>>    Server->Client: 200 OK <body includes protobuf of weather forecast
>> message>
>>
>> These aren't the world’s greatest APIs, but hopefully they get the point
>> across. Specifically, in both cases, requests to the app are stateless and,
>> ideally, unlinkable. The app should not learn anything about the client’s
>> identity (IP address) when servicing a request. There is no notion of a
>> session.
>>
>> One might reasonably use OHTTP to mask the client’s IP when interacting
>> with the REST variant. It’s trivial to do and quite cheap. It’s something
>> that has been deployed for a variety of similar use cases today, ranging
>> from DNS to application-specific APIs [1]. I think it’s reasonable to also
>> use OHTTP when interacting with the RPC API. Or, rather, I see no
>> convincing technical reason why you would want to apply MASQUE here instead
>> of OHTTP.
>>
>> With this as motivating context, my open-ended question was basically how
>> folks think about adding proxy support for these different types of
>> application APIs. Taking a step further back, I think it might be useful if
>> this community produced some sort of guidance on how to design APIs and
>> choose the appropriate proxy technology for developers who write such apps,
>> and for developers who maintain legacy apps. The folks on this list have no
>> doubt thought about and had conversations with people about when and why we
>> might use OHTTP vs MASQUE and how they fit into the application
>> architecture, so perhaps we ought to try and write down some of those
>> considerations for the benefit of those outside of this list.
>>
>> Thoughts?
>>
>> Best,
>> Chris
>>
>> [1] https://flo.health/press-center/anonymous-mode-feature
>>
>> On Sep 25, 2023, at 11:29 PM, Tommy Pauly <tpauly=
>> 40apple.com@dmarc.ietf.org> wrote:
>>
>> I agree with Martin that for something that has a generic stream like
>> WebSocket or anything with multiple requests, you’re going to be more
>> stateful, and you’re better off using a MASQUE-flavored proxy.
>>
>> OHTTP is suitable for request-response pairs that benefit from being
>> highly unlinkable, but still aren’t “sessions” where there is
>> back-and-forth state.
>>
>> For cases like the chunked OHTTP variant, we shouldn’t use that as a way
>> to shoehorn in arbitrary streams, but to better accommodate cases where one
>> of the messages is better processed in pieces. Supporting 1XX responses in
>> one case, and the other (which I’m interested in) is when you have
>> responses that may be short or very long, and in the long cases may be slow
>> to generate and process.
>>
>> Thanks,
>> Tommy
>>
>> On Sep 25, 2023, at 7:36 PM, Martin Thomson <mt@lowentropy.net> wrote:
>>
>> (Duplicate?)
>>
>> Either way, I don't know if something like gRPC or thewebsocketprotocol
>> makes sense to use here.  If you want crazy, then why not also allow the
>> modern HTTP CONNECT variants?  Yes, you could, but the "should" question is
>> probably a more important one.
>>
>> Reasons that you might not want to use OHTTP for either of these:
>>
>> 1. Replay risk.  OHTTP doesn't protect against replay attacks by a relay
>> (or, if you are crazy enough to send something TLS early data toward the
>> relay, arbitrary network attackers).  It is hard to reason about the replay
>> risk with arbitrary protocols like these.  Maybe we could layer liveness
>> checking on top, but is that really the direction we want to go in?
>>
>> 2. Latency savings are marginal when costs can be amortized.  OHTTP does
>> have lower overhead than something like MASQUE, but once the overheads in
>> MASQUE are amortized over a longer-lived session, is this really that
>> valuable?
>>
>> 3. Cost is cost and I don't see how a MASQUE proxy is materially
>> different than OHTTP in this case.  Maybe the proxy spends more time on
>> crypto, but the trade-off is the replay attack risk.
>>
>> gRPC is a little more complex than a simple one-in-one-out query, which
>> suggests further issues with OHTTP on top of those.  Multiple requests mean
>> that overheads build up and MASQUE starts looking even better for that.
>>
>> Do you have something specific in mind?
>>
>> On Tue, Sep 26, 2023, at 04:31, Christopher Wood wrote:
>>
>> Hi folks,
>>
>> Thanks to the contributions of this group and the companion MASQUE
>> group, we now have a helpful suite of protocols for proxying
>> application traffic in a variety of scenarios. MASQUE gives us a
>> generic way to proxy connections to existing servers, and OHTTP gives
>> us an application-specific way to proxy transactional messages to
>> supporting applications. These two cover quite a lot of ground as
>> currently specified, allowing us to proxy browser traffic as well as
>> most HTTP-based API traffic.
>>
>> In some of my discussions about "proxying all the things," two use
>> cases have emerged as somewhat common: proxying traffic for APIs built
>> on WebSocket and gRPC. This is unsurprising given the popularity of
>> these two technologies. It seems prudent that we have a reasonable
>> answer for those who want to support these use cases.
>>
>> One straightforward answer is to just use MASQUE! This is a perfectly
>> fine approach if you have a proxy to use. However, perhaps MASQUE is a
>> bit too expensive -- for some definition of expensive -- for some
>> deployments, and OHTTP is a more preferred option.
>>
>> Given that we now have chunked OHTTP as a proposal [1], I wonder what
>> folks think about using this variant to support WebSockets and gRPC.
>> gRPC supports transactional and streaming requests and responses, which
>> fits well with normal and chunked OHTTP, and if you squint at
>> WebSockets you might view it as a long-standing request and response
>> stream. (I'm ignoring for the moment that gRPC is heavily coupled to
>> HTTP/2. Since things like gRPC-web exist perhaps there is a way of
>> avoiding that coupling.)
>>
>> Has anyone else encountered these use cases, and if so, what do you
>> think about the various proxying options available?
>>
>> Best,
>> Chris
>>
>> [1] https://datatracker.ietf.org/doc/draft-ohai-chunked-ohttp/
>> --
>> Ohai mailing list
>> Ohai@ietf.org
>> https://www.ietf.org/mailman/listinfo/ohai
>>
>>
>> --
>> Ohai mailing list
>> Ohai@ietf.org
>> https://www.ietf.org/mailman/listinfo/ohai
>>
>>
>> --
>> Ohai mailing list
>> Ohai@ietf.org
>> https://www.ietf.org/mailman/listinfo/ohai
>>
>>
>> --
>> Ohai mailing list
>> Ohai@ietf.org
>> https://www.ietf.org/mailman/listinfo/ohai
>>
>
>

v2.23.0 | Report a Bug | By Email