Re: [Webtransport] [Masque] Endpoint requirements for unknown Capsules
David Schinazi <dschinazi.ietf@gmail.com> Fri, 05 January 2024 16:40 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: webtransport@ietfa.amsl.com
Delivered-To: webtransport@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5CB5C14F689; Fri, 5 Jan 2024 08:40:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ym4vSdRQ-SRL; Fri, 5 Jan 2024 08:40:12 -0800 (PST)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8521AC14F5F3; Fri, 5 Jan 2024 08:40:12 -0800 (PST)
Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-a294295dda3so81340466b.0; Fri, 05 Jan 2024 08:40:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704472811; x=1705077611; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=AmwZYZgiIjsLx5jwRlniBNEkEmXTsHXclalDzu3GELA=; b=JZMPwBYGWFRr3ZpAxiJMsitheuHefVc9lZXXLPN+Nx7Jhi3Fvnwcv7YZ1SHLel7lfT OnOO2wct5kBBTyUTMCtK8REmlXQIIZM1p45u2XcO6duMthixhFonrcbvkNmtDreujmoQ HJkNlDEgrh7kypE2Fo/YaWVr5v/1iXNVb/oONK/WIka9n6xvleS4/6lVlNxc+5SfYyqh dE11qZ/fcIOB64Xr58ZXJOHdQ3WX/4lwaRbJaNyo99AKIx6HBOpSZ2B0FeOSQsL93q3r myUsmgJt+FhMuUob6LmDq3orTkCptqxgSZ/F3Q7OHqED2jwnhUnSWpPUiiYkzODOqZiG vV+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704472811; x=1705077611; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=AmwZYZgiIjsLx5jwRlniBNEkEmXTsHXclalDzu3GELA=; b=OAux59QGOqxtcKtKfFogH+IckyKMDwX1bycbxUScjEkUg6+ATBz/7abIV75V+9+rR6 TaWhzrSZe+2lGmKCC2Ppim0qEQ+Wj5v1tVLjd/FMuuDiScuYT1HCFfDAQl4W0Pkc0R9k /MLhH9Ebl+HMH7ampYU4k0dm4nIcdNsvsl9l/10G5C03xEL2CruJCUwG6jtD2WJMOHox e76DMAXafVIYo42eY8aoC99WAj9vkbZ+TZD08l+A4fx39Hj5nZnXW0mi6vvFMxdV5VSf oItEQhlEGioZrM+ucshYXbMGPkw7e3ix6kSrxGEKXTlsHlfWisVzzKfEmW2jf+5Ncwxq M0/w==
X-Gm-Message-State: AOJu0YyOW+HvRgxrCoU+pO1CmU8Mc4V35vSF735WbdOM6pDUq+UDsusF BTqmgRUhw1N8RCO3+T67Pzw8Qo1OrhwISIs7PcU=
X-Google-Smtp-Source: AGHT+IHjBfL0Hzh0/9bOQwpwfBhM22eXzYFQyxSCGMd8j3HxLMAuvAv5089OsPYwKubp2Di4ofpr33XQkosYV+HKmA8=
X-Received: by 2002:a17:906:b84e:b0:a27:4c9e:91c6 with SMTP id ga14-20020a170906b84e00b00a274c9e91c6mr621823ejb.276.1704472810401; Fri, 05 Jan 2024 08:40:10 -0800 (PST)
MIME-Version: 1.0
References: <CALGR9oaGSX+p6K=yjjMye14oD+cpYqika05gkw6N8KbPOiRcTQ@mail.gmail.com> <EFFA5FC9-0A09-4494-9F03-64D0C93CD79E@apple.com> <CALGR9obbAt5fSO1EAOb-csDCtiFS9bkiUNm4a_qLz0sbsjMX9w@mail.gmail.com> <CALGR9ob=U1W9z=FoWLLchUDtSa7yrUp5j62fGLhWZfOy_D=sPg@mail.gmail.com>
In-Reply-To: <CALGR9ob=U1W9z=FoWLLchUDtSa7yrUp5j62fGLhWZfOy_D=sPg@mail.gmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Fri, 05 Jan 2024 17:39:59 +0100
Message-ID: <CAPDSy+6oDMxETQKxABMvb41LQK2SrfCcomJchn8ErvoDGZgRvA@mail.gmail.com>
To: Lucas Pardue <lucaspardue.24.7@gmail.com>
Cc: Tommy Pauly <tpauly@apple.com>, MASQUE <masque@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, WebTransport <webtransport@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000064b447060e3580fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webtransport/XQXAQMyGgy1vzx88lKhbTLdgB58>
Subject: Re: [Webtransport] [Masque] Endpoint requirements for unknown Capsules
X-BeenThere: webtransport@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WebTransport WG <webtransport.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webtransport>, <mailto:webtransport-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webtransport/>
List-Post: <mailto:webtransport@ietf.org>
List-Help: <mailto:webtransport-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webtransport>, <mailto:webtransport-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jan 2024 16:40:17 -0000
I think Lucas found a real oversight in RFC 9297, and we should fix it. Looking through Google's QUICHE implementation, we don't handle unexpected capsules consistently. For example, a connect-udp endpoint will silently ignore received ADDRESS_ASSIGN but will reset the stream on receipt of DRAIN_WEBTRANSPORT_SESSION [1]. Using the nomenclature from Lucas's original email, we do both (b) and (d). (The discrepancy in the same implementation comes from the fact that those were implemented by different folks.) Going forward, I think we should update 9297 to clarify this, and perhaps provide guidelines for future capsules. I think draft-pardue-capsule-ext-guidance is a good starting point, and I'd like to discuss it in Brisbane. The main question that needs resolving before then is: in what WG should we discuss this? My personal interpretation is that this is in-charter for MASQUE, but what do y'all think? Cheers, David [1] https://github.com/google/quiche/blob/6c5a75906be4155ee7140415e9d2b2d18efc9fbc/quiche/quic/core/http/quic_spdy_stream.cc#L1382 On Fri, Nov 24, 2023 at 12:46 AM Lucas Pardue <lucaspardue.24.7@gmail.com> wrote: > I posted a draft, the repo is > https://github.com/LPardue/draft-pardue-capsule-ext-guidance if anyone is > interested > > A new version of Internet-Draft draft-pardue-capsule-ext-guidance-00.txt > has > been successfully submitted by Lucas Pardue and posted to the > IETF repository. > > Name: draft-pardue-capsule-ext-guidance > Revision: 00 > Title: Guidance for HTTP Capsule Protocol Extensibility > Date: 2023-11-23 > Group: Individual Submission > Pages: 6 > URL: > https://www.ietf.org/archive/id/draft-pardue-capsule-ext-guidance-00.txt > Status: > https://datatracker.ietf.org/doc/draft-pardue-capsule-ext-guidance/ > HTML: > https://www.ietf.org/archive/id/draft-pardue-capsule-ext-guidance-00.html > HTMLized: > https://datatracker.ietf.org/doc/html/draft-pardue-capsule-ext-guidance > > > Abstract: > > This document updates RFC 9297 with further guidance for > extensibility of the HTTP Capsule Protocol. > > On Thu, Nov 23, 2023 at 1:49 PM Lucas Pardue <lucaspardue.24.7@gmail.com> > wrote: > >> Hi Tommy, >> >> On Wed, Nov 22, 2023 at 5:48 AM Tommy Pauly <tpauly@apple.com> wrote: >> >>> Good question! >>> >>> While the connect-ip capsules don’t have defined behavior for >>> connect-udp, that shouldn’t prevent them from being used in the future. An >>> assign IP could make sense there. There’s a benefit from being able to use >>> capsules across protocols like that. >>> >>> However, in order for it to work, I think we’d need to have a >>> negotiation between client and server to say “I support the connect-udp >>> extension that allows address assigning.” >>> >>> That doesn’t answer your question. I could see this going either way. >>> The problem with option d is that it requires the connect-udp >>> implementation to be aware of these capsules in order to send an error. So >>> I’d probably go with interpretation b? >>> >> >> Actually I think it goes part way to answering the question, so thanks! >> >> I agree we don't want to limit extensibility possibilities. For endpoints >> to know that a new capsule type can be used, some form of negotiation is >> required. I don't think we need to be prescriptive about how that is done, >> a header might work (like "connect-udp-assign: ?1") or a setting, or >> whatever. >> >> I could live with option b) augmented by new text that better describes >> the general extension framework. I think we also overlooked adding text to >> RFC 9297's security considerations related to DoS of endpoints, see >> HTTP/3's [1] as an example of text I think we could port over. >> >> I'll see if I can find some time to collect these into a short I-D for >> easier discussion. >> >> Cheers, >> Lucas >> >> [1] - https://www.rfc-editor.org/rfc/rfc9114.html#section-10.5-4 >> >> >>> Tommy >>> >>> On Nov 21, 2023, at 12:05 PM, Lucas Pardue <lucaspardue.24.7@gmail.com> >>> wrote: >>> >>> >>> Hi folks, >>> >>> I have a question about how endpoints (not intermediaries) should >>> approach handling HTTP Capsules and I'm looking for some WG input. >>> >>> RFC 9297 defined HTTP Datagrams and the Capsule Protocol[1]. During >>> standardization, the primary use case was for proxying UDP over HTTP (RFC >>> 9298). >>> >>> 9297 defines Datagram capsules and 9298 defines how an Upgrade or >>> extended request accompanied with a connect-udp token, when successful, >>> enables *both* UDP proxying and the Capsule protocol. Once the request is >>> set up it is the expectation that Datagram capsules are exchanged, modulo >>> HTTP/3 which also has a native QUIC Datagram mapping (so endpoints can >>> exchange either form). >>> >>> RFC 9297 section 3.2 states: >>> >>> > Endpoints that receive a Capsule with an unknown Capsule Type MUST silently >>> drop that Capsule and skip over it to parse the next Capsule. >>> >>> This is inspired by HTTP/2&3 frame design with the goal of extensibility >>> and maintenance*. We have GREASE capsule codepoints and unknown real >>> extensions can be used with causing things to fall over. So far so good. >>> >>> Recently, RFC 9484 was published, defining IP over HTTP. This defined a >>> connect-ip token and 3 new capsule types, ADDRESS_ASSIGN, ADDRESS_REQUEST, >>> and ROUTE_ADVERTISEMENT. >>> >>> So here's the question: >>> >>> Assume there's an endpoint that supports both IP and UDP tunneling. It >>> knows about the tokens and the capsules I mentioned above. If it receives a >>> request for connect-udp and accepts it, then receives an ADDRESS_ASSIGN >>> capsule what should it do? >>> >>> The text in RFC 9297 seems a little ambiguous and I tried to map out the >>> options >>> >>> a) The ADDRESS_ASSIGN capsule is unknown in the context of RFC 9298, so >>> it MUST be ignored >>> b) The ADDRESS_ASSIGN capsule is unknown in the connect-udp context of >>> the target resource of the request over which the capsule protocol is >>> using, so it MUST be ignored >>> c) The ADDRESS_ASSIGN capsule is known to the endpoint. However, it is >>> undefined and so is silently dropped >>> d) The ADDRESS_ASSIGN capsule is known to the endpoint. Since this >>> capsule is unexpected for connect-udp, the server treats this as some form >>> of protocol violation (stream or connection close). >>> >>> Option (d) seems drastic but is more in the theme of dealing with the >>> "Harmful consequences of Tolerating the Unexpected" [4], so might actually >>> be The Right Thing TM. >>> >>> We have other specs like WebTransport queuing up 13 new capsule >>> registrations. If there's anything we could do to clarify the situation >>> (such as a short update doc to RFC 9297) then now seems like the right time >>> to be doing it. So please let me know your opinions. >>> >>> Cheers, >>> Lucas >>> >>> * There are other considerations for intermediaries but I'm overlooking >>> that complication right now. >>> >>> >>> [1] - https://www.rfc-editor.org/rfc/rfc9297.html >>> [2] - https://www.rfc-editor.org/rfc/rfc9298.html >>> [3] - https://www.rfc-editor.org/rfc/rfc9484.html >>> [4] - https://www.rfc-editor.org/rfc/rfc9413.html#section-4 >>> -- >>> Webtransport mailing list >>> Webtransport@ietf.org >>> https://www.ietf.org/mailman/listinfo/webtransport >>> >>> -- > Webtransport mailing list > Webtransport@ietf.org > https://www.ietf.org/mailman/listinfo/webtransport >
- [Webtransport] Endpoint requirements for unknown … Lucas Pardue
- Re: [Webtransport] [Masque] Endpoint requirements… Tommy Pauly
- Re: [Webtransport] [Masque] Endpoint requirements… Lucas Pardue
- Re: [Webtransport] [Masque] Endpoint requirements… Lucas Pardue
- Re: [Webtransport] [Masque] Endpoint requirements… David Schinazi