Re: A non-TLS standard is needed
Lucas Pardue <lucaspardue.24.7@gmail.com> Tue, 28 April 2020 02:09 UTC
Return-Path: <lucaspardue.24.7@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB7B13A0C0F for <quic@ietfa.amsl.com>; Mon, 27 Apr 2020 19:09:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Agy9IeymNE0l for <quic@ietfa.amsl.com>; Mon, 27 Apr 2020 19:09:32 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E57053A0C0D for <quic@ietf.org>; Mon, 27 Apr 2020 19:09:31 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id y24so1044884wma.4 for <quic@ietf.org>; Mon, 27 Apr 2020 19:09:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=anIE3tbRdFk1r00G3+AkDCMKsBuhETpQXQw/tr2HeDk=; b=sR5PVnpEJGFGaSgrZzz34ns7omMLRw2X19deqmffpeAFsBPmTjjS3LWkJSSzEb/Wso edrGISuQ173j85FG+282zgzow27mSvMJMrSB/tQ99Q28BELxPj6gGaMZNrHrP1rfZ5mt WDHZnH0R9FIM3NSQ4rtgZJHYg04t+B/HUpeKHhH6MWUP4127KYJWbpBH61ZXOoDJ0ghZ GO+Iq5fVG100nsMD5eO9kIeoxALR4wSUoMM7pEGdlWaNKRxnOlsMmHmjQS0XYQIuzaYl VKKj+m4aX3UUkaNTHX2RjYUWdzqxZtEs2n+wdefD1Io16qpf/vyHGTBldXgDoxOuvmAD ngmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=anIE3tbRdFk1r00G3+AkDCMKsBuhETpQXQw/tr2HeDk=; b=BLfM9aOybnzhwP+M4sYXHMszCK5Hh+1i4/HAgGqLf99gsHZDJSauh0z51L2R/aURMv YcILou0QSTSQDcbSQZeWtxaVNl4o7PlPjhmRucqZV+hq2AWbnSxSOJPx8Zw+GjE2QS47 DB/7LjfP7r0RU0lDxR4mdLvg0erSyM/fBlMM2kySRx49vXOd5Eme6f3FQefsw1qn60dh c6btRaTE6YEMSAbMFpgPtPe54BlRVFkFRdS8ulLxwfytRbzPCSFeOiqNtV55MW/yJGMA uufwUmuvJE3AsEF+Z/R0sG94L7GCw8hhjtsHTBiHSJqYpKLtP3uCMccgab7G5phGnNz5 TSaQ==
X-Gm-Message-State: AGi0PuZxym5dEvYXOmLiYINHPv1IKzqv2o6H/gSla0hlGdA321HI6K2f vYeFheVZmQh8nBBKEikKAxjiOASoVBPm0Cjjbdw=
X-Google-Smtp-Source: APiQypJuPjpOul24KAlmdjtKyGjy0egpAscfb7gB7AtSHjRw0oELZlfI0iINxIC0vSEM1mOkqoo+/QGsT34WuPzgn3k=
X-Received: by 2002:a1c:4409:: with SMTP id r9mr1814996wma.165.1588039770330; Mon, 27 Apr 2020 19:09:30 -0700 (PDT)
MIME-Version: 1.0
References: <tencent_458BB4AFD3E32DBAAEA3F09FAEF063800605@qq.com> <2208100.KEu4SK8F6j@linux-9daj> <72518FA2-4D02-4498-BFED-C6F694C5687A@eggert.org> <2010266.tehQBtF6zN@linux-9daj>
In-Reply-To: <2010266.tehQBtF6zN@linux-9daj>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Tue, 28 Apr 2020 03:09:19 +0100
Message-ID: <CALGR9obi+uogBVGrSVAmEx-YNG=w-Vxj2ntH+KcGc_k49xGUyQ@mail.gmail.com>
Subject: Re: A non-TLS standard is needed
To: Paul Vixie <paul@redbarn.org>
Cc: Lars Eggert <lars@eggert.org>, quic <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000665ab605a45052d8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/QjVZNVOi5sajzzcG02HPiyGSnLo>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 02:09:34 -0000
Hi Paul, Some responses in line: On Mon, 27 Apr 2020, 23:47 Paul Vixie, <paul@redbarn.org> wrote: > On Monday, 27 April 2020 11:56:20 UTC Lars Eggert wrote: > > Hi Paul, > > > > this is definitely a broader discussion - it's popping up in other > places as > > well. > > > > The IETF can certainly have this discussion somewhere, but the QUIC list > is > > probably not the right home for it, esp. not as we've entered the home > > stretch with regards to closing the final open issues that will let us > WGLC > > the current specs. > > lars, et al, thank you for such recognition. if mirjam's draft isn't a WG > item, i hope that those in charge will find a place for it. Just to clarify things here, draft-ietf-quic-applicability and draft-ietf-quic-applicability are adopted documents with milestones. Contributors and reviewers are welcomed. i do not expect to > relitigate the mandate for TLS, but i do hope we can recommend some signal > beyond destination UDP port number, which is arbitrary given ALT-SVC and > the > HTTPSSVC mechanisms, as the way a hardened private network can recognize > some > UDP flows as likely to be HTTP-related and thus permitted to form outbound > flows. without this the applicability of QUIC will be less than it could > be. > > in other words i am requesting advice, a redirect, beyond the source > quench. > Personally I see the applicability and management as succeeding the charter goal without relitigation. Maybe there are more general statements to be said about the conditions that could affect the ability to make and maintain QUIC connections in different deployment architectures. I defer to the document editors' judgement here. However, beyond the QUIC WG we also have MASQUE which has been discussing use cases and potential solutions related to proxying and tunneling. One case is similar to how an enterprise might set up restricting outbound HTTP over TCP (and TLS) today: deny all outbound traffic apart unless it goes via a forward proxy. One proposal to achieve this is the definition of a CONNECT_UDP method which is a request by the client asking the proxy to form an outbound "UDP connection" to the target. This could be used to provide an enforcement function based on the request metadata. Maybe that is along the lines of what you are describing? Cheers Lucas >
- A non-TLS standard is needed 援北斗兮酌桂浆
- Re: A non-TLS standard is needed Lars Eggert
- Re: A non-TLS standard is needed Salz, Rich
- Re: A non-TLS standard is needed Paul Vixie
- Re: A non-TLS standard is needed Töma Gavrichenkov
- Re: A non-TLS standard is needed Paul Vixie
- Re: A non-TLS standard is needed Salz, Rich
- Re: A non-TLS standard is needed Lars Eggert
- Re: A non-TLS standard is needed Mirja Kuehlewind
- Re: A non-TLS standard is needed Roberto Peon
- Re: A non-TLS standard is needed Paul Vixie
- Re: A non-TLS standard is needed Stephen Farrell
- Re: A non-TLS standard is needed Matt Joras
- Re: A non-TLS standard is needed Lucas Pardue
- Re: A non-TLS standard is needed Paul Vixie
- Re: A non-TLS standard is needed Paul Vixie
- 回复: A non-TLS standard is needed 援北斗兮酌桂浆
- Re: A non-TLS standard is needed Mark Nottingham
- Re: 回复: A non-TLS standard is needed Paul Vixie