Markdown Version | Session Recording

Session Date/Time: 06 Nov 2024 15:00

masque

Summary

The MASQUE working group meeting at IETF 121 covered updates and progress on four working group documents: Quick Aware Proxying, Proxying Listener UDP with Connect-UDP Bindings, Processing Ethernet in HTTP/3 Generic Connect, and DNS configuration with Connect-IP. Discussions included connection ID limits for Quick Aware Proxying, congestion control considerations for Connect-Ethernet, and the use of SVCB records for DNS configuration in Connect-IP. The group is approaching working group last call for several drafts and emphasized the need for more implementation and interop testing.

Key Discussion Points

• Quick Aware Proxying:
  • Introduction of a maximum connection ID limit to prevent resource exhaustion attacks.
  • Discussion of a potential "blocked" capsule to signal the need for more connection IDs, but ultimately decided against it in favor of fallback mechanisms.
  • Documentation of active attacks on the scramble transform.
• Proxying Listener UDP with Connect-UDP Bindings:
  • Editorial updates since the last meeting.
  • Need for interoperability testing between different implementations.
• Processing Ethernet in HTTP/3 Generic Connect:
  • Interop testing with ARP request and reply exchange.
  • Debate on whether to include text regarding MTU issues.
  • Extensive discussion on congestion control and the implications of encapsulating Ethernet within a congestion-controlled tunnel.
• DNS configuration with Connect-IP:
  • Adoption of SVCB records for DNS configuration.
  • Concerns raised regarding the semantics of "internal domains" and "search domains."
  • Discussion on whether to follow the Ikev2 split DNS model.

Decisions and Action Items

• Quick Aware Proxying:
  • File a new issue for a "blocked" like signal.
  • Document the active attack on the scramble transform.
  • Prioritize implementation and interoperability testing.
• Processing Ethernet in HTTP/3 Generic Connect:
  • Include text about what to do when you can't fit the Ethernet frame and the underlying connection says it won't fit.
  • Request an early review from the INT area.
• DNS configuration with Connect-IP:
  • Revise the draft based on the discussion of internal domains and search domains.
  • Consult with DNS experts, possibly via the DNS-OP mailing list.
  • Consider Ben's request to also go to ADD.
  • Coordinate with the PVD proxy draft authors.

Next Steps

• Implementers to prioritize interoperability testing across all documents, particularly scramble transforms in Quick Aware Proxying and connectivity bindings in Connect-UDP.
• Authors to address open issues and incorporate feedback from the meeting.
• Working group to plan for working group last call once sufficient implementation and interop data is available.
• Authors to seek early reviews from relevant areas (INT, DNS, ADD).