Session Date/Time: 19 Mar 2024 05:30
MASQUE
Summary
This MASQUE IETF 119 meeting covered several important topics, including updates on the QUIC-aware proxy draft, connect UDP binding draft (formerly listener), and connect Ethernet draft. A potential new work item, a DNS configuration extension for Connect IP, was also presented and discussed. Key discussions revolved around traffic analysis mitigation in forwarding mode, loop prevention mechanisms, MTU handling in connect Ethernet, and the best approach for delivering DNS configuration in Connect IP.
Key Discussion Points
- QUIC-aware Proxy:
  - Discussion focused on the design team's proposal to add encryption to forwarding mode using a scrambling transform. The goal is to prevent passive byte recognition and other passive attacks on forwarded packets.
  - Defining additional transforms for padding and chaff was discussed but deferred as a broader research topic.
  - The loop prevention mechanism was addressed, focusing on having the proxy choose the virtual CID so that forwarding loops cannot form.
- Connect UDP Binding:
  - The draft was renamed from "Connect UDP Listener" to "Connect UDP Binding".
  - Discussion centered on adding the IP address and port to the response header.
  - Compressing the IP and port information using new capsule types was discussed to minimize per-packet overhead. Using the same mechanism to restrict the IP addresses a binding accepts was also discussed.
- Connect Ethernet:
  - The main issue discussed was MTU and fragmentation.
  - Concerns were raised about handling the smaller effective MTU caused by tunneling overhead. Options included fragmentation, dropping oversized packets, or attempting to adjust the existing connection.
  - The group favored a minimal approach.
- DNS Configuration Extension for Connect IP:
  - A new draft proposing a DNS configuration extension for Connect IP was presented. The extension would allow the VPN server to communicate DNS server addresses, split DNS rules, and search domains to the client.
Decisions and Action Items
- QUIC-aware Proxy:
  - The chairs will run a consensus call on the design team's output for traffic analysis mitigation. If it succeeds, the design team will be closed.
  - An editorial pass is needed to clarify that encryption is present in forwarding mode.
  - Participants were encouraged to review issue 88 and the associated PR 104 regarding loop prevention.
- Connect UDP Binding:
  - Action item: Avi to revise the draft based on feedback, including considering structured fields for the IP address header and clarifying the use of the compression context for firewalling/filtering.
- Connect Ethernet:
  - The group will aim for a minimal approach to the Connect Ethernet draft.
  - Action item: Decide what the minimal MTU behavior should be.
- DNS Configuration Extension for Connect IP:
  - Participants were encouraged to read the new draft and provide feedback on the mailing list.
Next Steps
- QUIC-aware Proxy consensus call.
- Further discussion and refinement of the Connect UDP Binding draft.
- Continued development of the Connect Ethernet draft with a focus on a minimal viable solution.
- Discussion and feedback on the DNS configuration extension for Connect IP.