Internet Engineering Task Force 107, 24 Mar 2020

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF107-MASQUE-20200324-2144

Description

MASQUE meeting session at IETF 107
2020/03/24 2144

https://datatracker.ietf.org/meeting/107/proceedings

A

Participants increasing.

A

It's t16: if you can get started.

A

Masks, if you are wondering what room you're in well.

A

Is not available to join us from your coach and Chris? Do you want to get this going sure.

B

Let me just go to the next slide.

B

A

B

Lovely alright, so if this is your first virtual meeting for the ITF this time around, take a minute to familiarize yourself with new rules, particularly those around queue management, we will meet someone to sort of manage the queue do it yourself is with you just type in + Q into the chat.

B

Remove yourself do the opposite, and we will do our best to make sure that we address your questions or give you time to speak in the order in which you get into the queue and if you screw up or mess up, please let us know or for the by Chad, not by stopping over at the mic.

B

Importantly also restricting yourself unless recent video off as well to make sure that everyone has a good experience and if you haven't done so already, there is a link to the blue sheet in the chat which is etherpad please up over. There fill out your name to make sure that we track everyone who's here next slide. Please.

B

This NIT well I, assume everyone here is familiar with it, but those who are not again, please take a moment either right now or offline to familiarize yourself with it.

B

Importantly on the light respectful and mindful voice, I'd, the mic or virtual mic, and we should get along swimmingly next, please.

B

Right so quickly we're just going to go over the plants of us and how we expect to you, know: I can be up meeting and then we'll hop right into the meat and potatoes of the session starting with math. So if you go to the next slide, we have the agenda specifically. So we'll start with the problem statement and the sort of initial framework that was proposed by David's canonically sort of laying the foundation for everyone to make sure were kind of on the same page.

B

Well, then, dump into some use cases that have been discussed on the list and in various channels, sort of leading to this this meeting today. This is better not that for ongoing for a couple years now, as far as I know a little bit more intrepid in some circumstances or in some companies, and it we're going to sort of air those and talk about them and other relevance.

B

Masks mission, then we'll sort of from those use cases talk about the requirements that have been extracted, sort of helping us scope, the work of the potentially proposed working group and then go right into the Charter. Just text that falls out of that set of requirements and then we'll get into the e list of both questions, sort of trying to get a sense of whether or not folks Hank we're moving in the right direction, and this is something that has been added to succeed next slide. Please right so reiterate it again.

B

You know please this whole virtual experience is new to everyone, so your best to sort of be concise and quick, but to the point at the mic, we ask that you only ask clarifying questions until we get to the Charter discussion at the end and if you're venturing into not a clarifying question, we the chairs, genre myself, sort of help correct or guide the discussion as needed.

B

Each section that was laid out on the previous slide of the agenda will be and will end with a particular a brief pause for questions related to that particular section. And so, if you can, please hold any of the quote: I need to clarifying questions you have until we get to that point. So we can all the presenters can get through. That allows us to sort of batch up.

B

You know the questions and hopefully work through any technical oddities that we may experience along the way and ultimately, at the end, give us more time to speak about the Charter and the ultimate buff questions. So with that said, Inc get started with next slide right, so David I will hand it off to you. You have 20 minutes, I. Think correctly sounds.

C

Good all right just so my name is David scan Ozzie I, look at Google. Can someone confirm that you're hearing me correctly I hear.

D

C

Perfect, thank you. Thank you all right. Let's get started so today, I'm going to talk about kind of the problem statement form ask: why are we all here and the mask framework, which is one an individual proposal of how we could potentially solve the problem statement next slide? Please.

C

So in today's world and Internet there are times where proxies have really beneficial value. In some cases, for example, they can connect disjoint networks. Let's say if you have two IP networks that aren't reachable key IP layer, but you have an application gateway proxies, can also a decryption and just to clarify here when I say proxy I use that term very, very loosely.

C

So a VPN server such as you know, IPSec or Open VPN or whatever is a form of proxy in that you are sending your traffic through there to go to a final distillation, and another case is in some cases proxies can help you with congestion control if, for example, the links on either side of the box, you have different properties.

C

Sometimes this can increase performance and so little diagram to illustrate what I'm talking about the client will send its traffic to a proxy server and through that to an eventual destination, so that can be a web server or all sorts of things with an interconnection that can be in some cases tunneled in and out of connection next slide, please all right. So what do proxies look like today?

C

So a an example is like native HTTP proxy meaning you can take and shibi proxy and send it naked, get or post commands, and it will like turn around, create connections to other servers and we play those those requests, and so that works, but the problem is, it only works if what you're trying to get at is HTTP.

E

C

Also, the proxy can see everything that you're requesting and all the responses which today's world is pretty much a non-starter for most cases. Http also has the connect verb, which allows you to tell the proxy I want a plain, TCP connection to the server IP M port. This is particularly useful, for example, if you want to do TLS end-to-end, so that works really well, it protects your data from the proxy, but it only supports TCP.

C

So if your protocol uses UDP or something else you're out of luck, SoCs supports TCP and UDP, but again the proxy can see a lot of what you're doing and just setting up, especially for UDP requires multiple round trips, which, in today's worlds with trying to reduce latency and improve performance, is again not very often a non-starter IPSec internal mode can offer ways to proxy your traffic kind of with a focus you know on VPN, and you know that kind of aggregator problem is it's in some cases.

C

It really requires you to be route on the proxy, which is not always possible for every deployment and transparent TCP proxies in some scenarios. Called TCP accelerators are devices that are on path and can muck with your TCP. In some cases, they can even improve the performance, but the client really doesn't have a say on whether to use this or not, which is great next slide. Please.

C

So why is this landscape starting to become a problem today, quick in HTTP, three are becoming a thing: we're going to publish that RFC sometime soon, I swear and a lot of the web is going to start using this. So this is a lot of traffic going on the internet that is now running over quick, an HTTP three and quic has a lot of great properties such as Kilis, encryption being mandatory or encrypting the transport layer information.

C

So the acknowledgments and sequent numbers, and all that which break a lot of the existing proxy mechanisms and also quick, is built on top of UDP and not TCP, so the proxies that require TCP don't work with anymore, so we have a growing need for these use cases where, before they use one of the existing processes, but today with HTTP, 3 and quick, we need something else next slide. Please.

C

The good news is that quick and it should be 3, Walter kind of creating the problem.

F

C

Also providing us with the solution, so what if we used quick and HTTP 3 to build the new proxy protocol, so one of the great features that quick provides I can help. Here is multiplexing streams, so inside a given quick connection, you can have multiple independent, reliable streams. At the same time, you can also use Datagram frames, which is a quick extension to send things unreliably, which means that they're not retransmitted.

C

So if you're, let's say tunneling like rocky packets or something over quick, not having them retransmitted, this layer can significantly improve performance in some cases. Additionally, HT p3 brings us like decades of work in HTTP, so a request response mechanism, caching, existing authentication mechanisms and all this. So all of these combined give us a lot of the tools we need and extensibility for a new proxy protocol.

C

So what this starts to look at on this diagram, which is pretty much the same one as before, is both the outer and the inner connections are not quick and things still work next slide, please.

C

So what is the mask framework? The idea behind masks as currently defined is um so what, if we build a application multiplexing mechanism on top of gp3, so you could do one HTTP, 3 handshake and you know, TLS can change and all that.

F

C

Then you can use all these things inside the correction without having to negotiate them. So another important property here is, if you're a client device, not all of your traffic will prefer the same proxy protocol. So, for example, if what you're trying to do is a TCP flow, then maybe you just use HTTP connect inside this HTTP 3 connection. That already exists that you know you don't even need mask for that. But that gives you a lot of what you want with very low overhead. But let's say you also want to do quick.

C

This should be connectors and support that. So what if we built an application that allows you to proxy, quick and also one of the properties of quic, is packets to have redundant information from one packet to the next, like, notably the connection IDs, and also the IP address and port of the server you want to reach on the other side. So what if we compress those away, so we don't have to send them on every single packet to really reduce overhead.

C

Your quic connection has a higher available and to you and then for things that aren't any of those. In some cases you just want to be able to proxy raw IP packets. What if you could proxy those in the same connection and those have overhead, but it's just for those types of traffic that couldn't fit into the previous ones, and all of this is inside one quick, encryption boundary which allows you to save performance by not redoing key changes all the time, but.

F

C

Path- attackers- let's say your ISP, if you in your particular model, you don't trust your eyes, be they can't really see what your proxying or what applications you're using with a fiber using multiple con at the same time, next slide, please so the mask protocol is so it's an individual draft and the goal here is not to go into too much detail on the draft just to say that what we've been talking about.

C

There is a potential strongman for how we could build this, and the goal here is not necessarily go into too much detail into how that works, just to say that it's possible to solve this problem. So the way a current it's currently set up is the mast. Negotiate has a negotiation step using HTTP POST.

C

So when a client decides to like have a max change with a mast server, so it sets up a and it should be three connection so that now relies on the web PKI and then it sends a should be post where the it's a list of the supported, mask applications and their configuration options and the server responds.

C

Similarly, with oh yeah I support these applications, you want, and by the way, here's my configuration, for example, I'll, allow you to proxy HTTP, but only to these sets of domains, for example, and then, as part of this negotiation, a mask kind of reaches down into quick and says: oh well, here's a Datagram, ID or a unidirectional stream ID that you can use and every time you use those it'll be gear allocated to this mask application mask will ensure that its key multiplexed to that application- and you can use it from here on out next slide.

C

Please and that's it clarifying questions. Please.

A

A

G

That, if you'd.

A

Like to get into the mic, you please add yourself on the WebEx chat.

A

Christian Europe.

F

Give it attack to have a discussion about what is the assumption about resources at the proxy like canned epoxy, creek, potter's wheel? It's supposed to do so, and it operate on us on a small set of odds. How many Lions can reserve and things.

C

Oh currently, like the mask framework itself, doesn't make those assumptions I would put those inside the individual applications. So, for example, one thing that Christian and I collaborated on was a version of quick proxying that only needs one port open on the server, but maybe for different use cases. We build different ones. So I think this would be in each application to determine things like that as part of negotiation. For example, the server could tell you well I only allow you to have this many concurrent connections or sorry come back later.

C

I am out of resources right now,.

A

Mark you're next.

H

Can you hear me yep.

I

Yes, yeah, okay, so David I think this is generally good. I just wanted one question: I'm, assuming that your use of post and how it uses HTTP is more of a hand wavey. This is a way to get it working as a prototype. More than actually a proposal is that accurate.

C

So yes, I, would say like at this point in time. It's been a well I need a request response. This seems like a natural way to fit it. I would love to get more feedback from folks from the HTTP working group about if there are better ways to do this, but just to be really clear. This is a detail of the individual proposal. I have not of like masks in general, so I wouldn't want to get into those details too. Much today understood.

I

Just wanted to make sure that wasn't set in stone absolutely.

C

None of the protocol bits are set in stone.

A

Mardon Yonex.

E

And I really appreciate the none of the protocol. Bits are set in stone. Piece I'd like to understand a little bit about your thoughts on, on which one of the many applications you have is critical and which ones maybe are so important. You've got quick. Relaying you've got TCP relaying you've got UDP and IP, there's a whole bunch of things in there, which one of those is most important to you.

C

um I think personally, having a quick relaying will make a big difference, because over like rod, Peter shoveling raw trotty, packets back and forth, it will be a significant performance difference which might be a deal breaker as in like this will make it viable. So that's one that I focused on so far and implemented after that I think having the IP one is important as well, because that is kind of the bottom level capture, all of it for the for the VPN use case.

C

At least that will really do that, but the that is kind of my personal take and I know. A lot of other folks interested in masks have different focuses on other parts of mask that I they will, they think, address their use case better.

A

Thanks Eric, Yonex and and I. Let me just remind people to please say your full names before you ask.

C

uh Eric or scroll up um so yeah I guess maybe is a question with the chairs on there. The question Martin just asked is like sort of represented by some text in the Charter about the initial set of client initiated services. We want a biscuit that discussion later or now later.

B

A

I'm later I think would be better. This is the people designations. When we get to the requirements and the Tartar discussion, we will I think they'll be a little more just sort of coherence around this. Hopefully.

A

um Spencer you're next thank.

J

You so just so, nobody is surprised when we get the inventor.

K

A

J

Spencer Dawkins, thank you. The we are having a chat in the in the jabber room about whether this is a more like a proxy or more like a relay or more like a watt, and it seems like we don't need to talk about that now. But just so we don't get to the end and then everybody's surprised when somebody says something about that, because I think that is a relevant point.

C

Absolutely- and that is clarifying so one of the downsides here is every single networking term has been overloaded more than 12 times so I totally agree that some of these terms aren't the best and I'm open to suggestions, especially in the documents, for example, in some cases mask applications. Other folks have told me they prefer to call them services, which sounds reasonable. The mass server calling it a proxy or not, if yeah we're.

C

So hopefully we have enough diagrams in these presentations to make it clear what we're talking about, but I agree that once we reach the point of delivering documents, it would be nice to have a you, unified terminology, but we're not there. Yet.

A

Okay, that's the end of the queue.

A

Move on to the next presentation.

A

Media, do you want to pick this up? Yes,.

D

So this part I have a few slides to talk about youth cases or actually it's more to slide the talk about scenarios that cover a set of use cases. So on the next slide, you go to them.

D

Yes, we have basically a diagram very similar to what you've seen from David's talk right now, where you have the client, the master server, and in this case the master server is to use to connect to more than one target server, and the benefit you get here is by having a tunnel between the client and the math server that any kind of Platt on path observer between the client and the master. Server really just sees your quick tunnel and doesn't see what happens inside.

D

It doesn't see what kind of connections you you're having inside, in which service you connect to. So this provides so the tunneling provides just an additional layer of encryption, every kind of VPN death and that it also hides any kind of traffic from the observer, and the goal here is really also to make this traffic not stick out what other traffic that this observer would see on the path. So it should not be easy for the observer to identify this. This is masked traffic.

D

You might get additional benefits if you have a trust relationship between the client and the masked server, and in that case we might also want some kind of meta to authenticate the client, especially if the master of a Nosa set of clients it should serve.

D

It would also not reveal to anybody else that it's a master server and another benefit with kind of this kind of setup is also that it might increase the privacy of the clients towards the servers, because the masked server has to put his IP address as the source IP address in there to make sure that the back traffic is routed over the master server, and so it will also hide the IP address of the client from the different servers. So this is kind of the basic set up.

D

That also proved that already provides for cover this kind of use case. You go on the next slide.

D

It's this is still kind of the the same setup, but but just talking about some additional things, the math server could provide to you. So you could also- because you have this channel this quick connection between the client and the math server. You can also use this connection to talk to the math server directly and figure out. If am a server offers any kind of service to you. That could be helpful like in this diagram.

D

It just shows, as an example, service that the math server, for example, could resolve some some ENS addresses for you, because you might not have access to your favorite DNS server or you would like the math server to resolve this address from its location, which might be close to you or not the important part. In this images. We use this yellow line here, which is the communication channel and which just means you can. You know, ask additional service to the math server or the math server can provide you some additional information.

D

For example, if the math server is located in your access network, the math server might be able to give you additional information about the current network status yep. So next slide- and this light we put in here- because there is a related proposal in the quick working group, which is called quick tunneling and they focus on a very specific use case where the client is multihomed.

D

So usually today, you have a lot of mobile clients who have a Wi-Fi connection and a 5g connection, and the goal would be here to leverage both connections at the same time and in their draft. You find this picture here on the slide where they have some kind of something that is called a concentrator in the network, which makes it possible to aggregate the traffic. This can be done by, for example, having two quick connections that are used as tunnels on the different network.

D

Legs and like all want to say here, is that this concentrator is basically kind of a very similar to math server and a math server can provide them. Potentially such a functionality as well, and the point here really is to to standardize and to work on a common proxy control protocol that can cover a whole set of use cases in front instead of trying to just like address. Every use case separately with a different approach and I think at this point, I give back to the chairs right.

F

Yes, yes, thank you.

A

Thanks Vidya and we have a a very quick addition to the set of use cases, and this is cube one Alex. Do you want to go these slides quickly? Yes,.

H

I'll do can everyone hear me yep.

A

H

Hi everyone, my name, is Alex Aronofsky I work on Google Google, global cache, which is Google's content, delivery network and I'm here to talk about cubone, the quick based overlay Network environment, which is effectively a VPN that we built in order to help manage the Google global cash machines. So the problem which we're trying to solve is that we have CDN nodes all around the world and many of them expose management services which we want to reach from Google data centers or the data centers exposed services that we want to reach from these machines.

H

But for security reasons we really don't want to expose all of these services on public IP addresses using regular ports. So, in the past, we've hidden this traffic through HTTP proxy, and this has not worked particularly well. What we really like to be able to do is provide seamless native connectivity to allow services like G, RPC or other TLS authenticated things to work directly. So we were challenged with this deployment. Environment in which is P is basically filter, their networks very heavily. So we knew things like IPSec or unlikely to be available to us.

H

So, after looking at a whole bunch of different solutions, we decided to leverage quick, which we had already shown, that we could serve from our machines towards users to build a VPN and actually be able to hold IP frames. This current diagram shows what the overall architecture here looks like so on one of the machines in an isp network, we run a user space, VPN client, which itself is providing a tapper ton device to the Linux kernel and sets up IP routing rules to allow native IP traffic to flow through it.

H

This itself establishes a quick tunnel through regular load, balancing techniques to a so called VPN Terminator, which is living inside of a Google Data Center Network, which also has the ability to program some Software Defined Networking routing rules. In order to ensure that the response traffic makes it back to the VPN terminator. This allows us to have seamless, IP connectivity wrapped in a quick connection, next slide, please.

H

So why quick there's a couple of reasons which robusta quick over IPSec? The first was the pluggable congestion control. This meant that we could turn it off for the tunnel packets, avoiding the standard tcp over tcp problem meant. We also had pluggable reliable delivery. We could turn it off because we don't need retransmission, because the inner TCP congestion, control and reliable delivery should take care of that as well.

H

Also because we were implementing on top of G quick, we also had pluggable authentication.

H

We happen to swap out and use alts, which is Google's RPC based authentication system and use that internally, and this just goes to show how versatile quic is and why it's good for this sort of thing, and we also like quick, because it was already part of the security of things that already run on the public Internet and what we got out as a result is we were able to deploy this VPN internet scale across ISP backbones connecting back to Google and we're already serving hundreds of gigs of traffic today for about the last two years, connecting our nodes back to our data centers in over 170 countries.

H

So we've actually shown something that I believe was previously not known that you can in fact run quick at scale across backbones and have reliable connectivity.

H

We're looking forward to working with the mask working group that will hopefully be formed today to see how our experience can help feed the masked rats and also we're looking forward to taking back that feedback and moving our changes that we did too quick to be able to use the standardized form. Thank you.

B

All right, thanks, Alex, just.

A

To be clear, that yeah just to start.

F

He was noticing.

A

One thing that this was a use case that currently uses a sort of a homegrown protocol and B and then, as Alex just pointed out, the hope is that, if masks were to be a reality, then this would move over to masks eventually.

A

All right, Chris.

B

Yeah thanks so thanks everyone who is the list- and here today in the use cases the variety of use cases help support. We've tried to collate them here. Some of them may be redundant with what's been previously discussed. Internet might be that a or.

B

What they're a lot about what we think are important use case to that mascot health address and their obably lots of different designs that people come up with solutions that people come up with for tasks that could help achieve them, ranging from the very simple to the probably a bit too complex.

B

So I'm not going to reiterate these again: it's not everyone. Just having talked about them, but I just want to drive the point home that we're aiming for something that's sort of or flexible and that it can support. You know Park same for both datagrams and possibly stream based applications, something Isaac sensible. They can for support other services as needed. You know either in the working group or in some future recharging or the working group and potentially with some other. You know knobs bells and whistles if folks think they are truly necessary.

B

So, for example, supporting like specific congestion control is one thing that was raised so five, please.

B

Right so from the set of use cases, we had a couple meetings over the past couple weeks to try to call together a set of initial requirements that a mask solution will help or are that would sort of scope.

B

A mask Ellucian to the preview speaks cases, and- and these are the simple ones that we come up with I'm sure they're not perfect, nor are they perhaps exhaustive or complete, but hopefully they should get the point across so just march through them like the first one parking ago, she ation not being visible on the wire uneffective Lee aims to sit a.

B

Sorry need to say that connection to a a mask server does not stick out on the wire via some clear text signal. So, for example, if one was to negotiate mass using an alt n so get as opposed to H 3 and then doing negotiation in age 3- that's not great.

B

So, ideally, the solution does not check out the connection setup base, not in the connection use phase later on. So things like traffic analysis that take place or that might hurt on an active connection. That's proxying, like IP datagrams or something else is sort of not something that we're trying to hide or putting into being in to requirements right now. The second one is that the use of a proxy is sort of explicit by a client. It's not something that you know. Clients can be just sort of.

B

Coerced into using by virtue of being connectivity like a transparent, TCP app because quick requires authentication of the proxy.

B

This just has a requirement that falls out of that as sort of Jonah to tie to the next slide, which is another requirement face, it means it's like there will be some way to sort of bootstrap and discover these proxies, but we're kind of considering that problem out of scope for the initial our group, vertex focus specifically on the the mask protocol itself and the framework that David outlined the third one. This basically aims to say that each service or application that one might use over mask is you know, unique and its own way.

B

It might have its own semantics and then that negotiated use of that particular service via UDP proxying. Something simple like that or a DNS resolution like earlier is configurable during the quote negotiation phase, so clients and servers can exchange parameters that control. How of the this particular application, or this particular service will be used as the framework for protocol should support that for just reiterating something that is common to all.

B

These are mostly these cases that, of course, we want to support parking, various Datagram and stream based services, and these give me something you know permitted things like simple UDP or IP datagrams or TCP connections or streams or higher-level application protocols like HTTP, or something like that.

B

The last one I do not guarantee that the wording on this is correct or or accurate or perfect, by any means.

B

Basically, what we're trying to say here is that the security context, the connection security properties of the connection between the client server I can a server are completely independent from the CID frocky properties of whatever can I shoot, you would through a mask for our three-way other two, a couple short you know: tunneling TCP or a UDP based protocol through mask the proc.

B

The security of that does not depend on the fact that you Istanbul it over mask or through it a quick connection and I apologize from now articulating that well, but basically, the point is that they are. They are separate protocols, they're not meant to be sort of joined at that. So if you can move forward to next slide, please, like I said, require non requirements. Explicitly otoscope is building a discovery, bootstrapping mechanism. We will assume that one exists, be it. You know some kind of static configuration one.

B

That's you know Tenafly an authenticated, dctp option or you know, delivered by a carrier pigeon or whatever, but actually laying down the specifics for the it's, not something we'll discuss and I mean it may influence certain protocol things or decisions, but again we're not going to try to work specifically to focus on building that and so next slide. That's questions right. So I don't know where the queue start. I did yep.

A

So the next in line is margin upgrade.

E

Yeah Mountain Clemson: can you go back to slide 22 I think it is where you have the requirements Thanks, so I wanted to talk a little bit about number one, and what your threat model was, because one of the things that we've identified in using quick for proxy in various contexts and I think some of these original ideas came out of the Tor investigations was that if you have a motivated attacker who has access to both legs of the network, you have the ability to do anonymize the connection between the linkage between one connection and the other one.

E

So is there some document that I can read that would articulate the sort of goals here.

B

There is no document, however. I will simply take my understanding of the remodelers and David can chime, then if he thinks it's wrong or different or whatever, effectively we're assuming a very trivial, simple, passive adversary, someone's typing very loudly between the client and the math server, whose only ability is to basically look at what's sent in clear text on the wire and things like any sort of traffic analysis. That's more complicated beyond that is assumed, not feasible, perhaps incorrectly, so so that that's like I should know for not claiming it's correct.

B

But that was what influenced that particular decision, and the idea was that the guy was trying to articulate the configuring of a particular mask and actually would not use like an al viento again. Something simple like that, may take place over HP or whatever something inside in Greenville, so David alternatives.

C

Oh hey, if I may jump in David nickens as here, so these right now in terms of documents, we kind of have two things: we have the Charter that we'll discuss later and then we have kind of a multiple individual proposals, so I can answer. At least this is somewhat discussed in my individual proposal. So this is not.

C

You know tied to the Charter by any means yet, but the idea there is that we would want for an observer on the path to let's say if you just talked to a random web server to not have an obvious way of knowing that this is proxy traffic. It would be nice if it would look like, like, let's say all the clear text bits today: the s and I the ILP and things like that. Look like web traffic.

C

The traffic analysis is definitely a huge concern and will want to do what we can to address that, but at least I it would be important to catch the low-hanging fruit of like, let's not leave. Anything in the clear text then make this a big blinking light. Oh, this is proxy traffic. You should block it.

E

Alright, that my sense thanks David.

B

Can I ask a question to Martin? Would it help if, like the threat model, the influence these requirements was there spelled out either Davis document or elsewhere I just.

E

Really wanted to understand where, where was I had some sort of expectation that someone had already done some of this analysis and so I went looking for it and I didn't stay in a bit. So there's some interpreting.

A

E

Out there not a lot yeah.

A

E

And that's because.

A

The some of the feedback is useful. The feedback is useful also because, if the set of requirements as the city earth are useful for the working group, it might be, it might be valuable to add it to charter, but that's something we can discuss later.

A

Mark you're next.

I

Got DQ'd I'm going to sing it for later for the Charter discussion egg. All.

A

Right, thanks mark um mole, get up next.

L

Aside, just to clarify maybe assumption or our restrictions around network topology of client and server are those in the traditional sense that the client can be netted. But the server must not be must be a publicly reachable by the proxy I've heard at one point you say something like the proxy may also provide like address resolution services, not just name resolution, but is that is that partly intent to to provide stun technicality for the clients.

C

If I could jump in here, these alligators sure yes good, um so the the goal here is not to replace done. Tara nice. All these things, I think the at least my current thought of this, and maybe it's not written down because I just worked with that assumption, is that the mask server is not behind any kind of net, and it's just a box that, from wherever the client is they can connect to yep like and resolve the name of, and similarly the what's on.

C

The other side should be straightforward, accessible from the proxy to the end server, so I, don't think we're trying to reinvent or replace any bits of turn or anything like that here.

A

Just a reminder to everybody: please please say your full-name at the mic: nobody can see you, they cannot look at your badge, so the only clue they've got is, what do you say the mic, so that was more than a tea I. Think that's how I pronounce it. But yes,.

L

A

Thank you, Christine you're next and please say your name.

F

Christian Rita now I was wondering what kind of dependency you have on sni encryption.

F

And because currently.

B

F

Example, Chris you mentioned LPN, but if you are using equal GL and it's encrypted, so it's not visible either.

B

But I'm going to answer it's my understanding. We have no dependent in anything from outside of quick or we don't have any dignity in yes and I. Echo rather David I, don't know if you look yeah.

C

I'll, add to that that yes and I, or or encrypted s and I or encrypted client hello, are definitely things that could make this better. But currently it does not have a dependency. It does not have requirement. The only dependencies right now are quick and the quick Datagram extension if I'm, not forgetting anything,.

H

A

All right, I'm, going to number of people, are D queuing themselves waiting for the Charter discussion to start. So, let's, let's flow along to the next thing, which is the Charter discussion.

A

B

Yeah so I dropped. The link here folks have access to the slides and they can follow the link to mattify, which has the proposed charter text.

B

We have updated it slightly, based on the last version that Eric near floated on the list. Thank you Eric for putting that together. Again, that's very helpful. So right now, I'd like to is just kind of go through each of the three main sections of the proposed charter and then open the floor to discussion for refined questions in discussion. So John. If you could move ahead.

B

um Right so the first thing that we're trying to address in the Charter is why this is a particular problem, so this is effectively motivating we're drawing on the motivation that they lean out and his earlier slides thing that practicing is useful and that just lost two different technologies it'd be nice. Basically, if there was one new one that had all the the properties of all these existing technologies, so hot there can move on.

B

Jenna, thank you, and so just right into why quick, so we go through.

B

So that I level won't just walk. Quick is a canon protocol compact, which should be fairly familiar, those who are involved in the development of quick and who are here today. So I don't think we need to really talk specifically about the send more. The next one will be interesting, so go to the next.

B

Right so here actively what the mass group will do if you haven't read it I'm, going to pause just for a moment to let you read it.

B

B

Okay, so effectively, the idea is to specify framework or protocol that allows using various client initiated services, some of which are listed here, HP, quick and IP proxying, UD sort of so you omitted realizing that now in such a way that you know the frame worker protocol could be extended later on to support additional services replication as I read it the saying earlier.

B

The non requirements specifying things like how discovery are specific discovery mechanism is explicitly otoscope the retarder you may happen later on to sort of if we feel the need to pull that in I'm not going to speculate about the future, certainly if it does require any dependencies on other protocols like, for example, if we decide that we need to have hard to pendency. On echo with details, pretty group and the relevant workgroups to sort of make our artists, you know see that come to a completion in a quick and expedient manner.

B

B

Effectively it we have not laid out a particular set of starting documents from which the proposed burn group start, although the documents said have already been discussed in particularly the core protocol mass protocol, that David has does look at the fit we're going to be a good place to jump on from and it you know. It says due to some of these use cases.

B

Of course, I don't want to send too much times out on the talking about the specific solutions I'd like to hear from people who are queuing up in the mic as to whether or not this is heading in the right direction. Are there things that should change, etc, etc. So, with that, let's I'm recently Chad that we act that we skipped over Tommy, so yeah.

F

B

Want to add to our question sure, if that, if that's okay, it had a little bit more to do with the requirements. I think it's also somewhat relevant for the Charter discussion. Great specifically and I know I'd. Actually, you know seen the requirements list before and we had the item that was out of scope for the group, which was how do we bootstrap this um I just wanted to ask for clarification with?

B

How much is that out of scope? Do we think that something that is going to be out of scope, like always or just for this initial charter, and specifically, if I, think about how we look at other things, have worked like dough? That was a group that didn't describe how you discover it and right now we're having you know all this work in ad D about how to do that. But luckily dough did define in the URI template.

B

How do we communicate about a dough server such that at least, if I have other discovery mechanisms like DHCP, like DVDs or whatever? We have a way to communicate it? So do we want to at least talk about? How do we describe a mask server and so that we can embed bit in other technologies that allow its discovery?

B

Yeah I, don't think that's unreasonable! In fact, though, using dough is a sort of example for how we expect this to operate is is great, because we do want to focus primarily on the protocol on the framework and leave.

B

You know the additional, possibly more complicated bits to follow on work that could be done after recharter, if necessary, but to your point, I I'm, not going to say it's out of scope to describe how a mass server might be represented for the purposes of actually aiding discovery mechanisms later on, although I'm curious to hear what the other proponents think about that particular question,.

A

At this point, I just call on the proponents to put themselves at the front of the virtual room. You don't have to move anywhere the screen free to dump in and respond if you would like moving on Mach yo next.

I

Yeah mark Nottingham, so I'm, looking at this and I know I just made you prep by saying my name: Jonah I'm, looking at this and I'm, not sure that I see something that I would call and or that it's most helpful to call a new protocol in this.

I

Besides for marketing considerations, of course, which we'll leave aside for the moment and I say that, because you know in the quick work, and especially in hb3 work, there's been a workout I'm kind of waiting in the wings that some folks are interested in, which is enabling a particular HTTP request/response exchange to flag itself for being delivered.

I

Unreliably and the video folks are very interested this for you doing video over HTTP 3, you can say: deliver this segment on reliably, so I don't have retransmissions crowding out other traffic and assuming that we find a way to do that and that specified we do that in a generic way.

I

So it wasn't just for video, it would be for a number of applications and as far as I can see from looking at the use cases and the requirements here once that's available using that facility on a connect method would give you the properties that you want.

I

Potentially did it right and in the right coordinates on the previous discussion. Doing it in a generic way that's used. Another HP traffic would be a real benefit instead of doing in a way that's specific to this protocol. If you want to call it that and so I'm wondering if it you know, if that's the case, whether we should just be waiting for that generic mechanism to surface hopefully soon then describe how to apply to connect because connect is frankly a bit of a mass. It's.

I

It's got some issues, because it's somewhat personal specific and we're trying to sort those out curly in the core work and the result would be probably a fairly small, spec I. Think you'd focus mostly on you know. What is the the payload in the headers of the connect and the response to negotiate some application? Specific metadata I'd? Be really interested to hear I guess David's response to that.

C

I

C

Kennedy here so I think for some parts of this this could be solved at the HTTP layer, but I think kind of conceptually. But the goal here is not to change in any way shape or form like HTTP semantics, as in like you still can do the same things with HTTP but like, for example, one open question and like some of the drafts address, that is well for unreliable things like datagrams.

C

Even if you know we were to define something for. Let's say you know downloading a video unreliably that would probably use quick datagrams inside an HTTP connection, but it would still require TP semantics and which is normal and I would expect a should be working group to work to provide us with that. But here I think there are cases for things that are nowhere near HTTP. So, for example, let's say I want to transmit a ICMP over this or just a raw UDP packet of some custom UDP protocol.

C

You've never heard of for those I think what mask provides is a way to tell the proxy I want to have this. This bucket of UDP bytes sent. That way. Please, and with I, wouldn't see that fitting in what HTTP does today, because those are different, semantics I hope that answers your question not.

I

Really um I I was just talking about an unreliable connect effectively, which you don't pretty much anything into bi-directionally yeah.

D

Can I yes miracle into it kind of jump in as well. So I do agree with you that, like disconnect method, could provide very similar mentality but, to be honest, I mean HTTP connectors, really a heck right. It's not really part of me or it's not like the HTTP protocol, using it pretty just something to indicate forwarding, and that is very similar to what we but I think some of the use cases we have.

D

It doesn't have to be HTTP specific, and so it makes sense, maybe to utilize the fact that it doesn't have to be HTTP so specific to optimize for those kids a little bit more I.

I

Guess that comes back to the original, this does get a little bit how the bits on the wire it is this an HTTP extension. It sounds an awful lot like it is one. So maybe it's just better connect, or are you really talking about a new quic protocol.

D

Definitely not a new quic protocol, but something on top of quick.

I

Quick rate of HTTP 3 now.

D

I think it could be on top of quick, so I think the deployment for HTTP is really about making. This look like web traffic, which is HTTP, and the proxying protocol itself, doesn't have to have any bit dependencies on it in HTTP.

D

I

Are you going to multiplex it with HD 3, or does it have to have a distinguished port.

C

L

C

Could jump in here I think so this gets into the details of the wire format because and semantics are I guess. This is an open question where, if you know we start off as HTTP I personally would like to use HTTP.

C

So we can reuse a shippi semantics for parts of mask, but I don't kind of envision this, as just things tacked on to HTTP I, think it would be like enough of a change that I wouldn't necessarily call it a sheepy anymore, but I totally see that this is the kind of conversation that we all love, because it's all in semantics and we can look.

F

C

Same thing and see very different things because of our backgrounds, so I would say this is really great, but I don't have a good answer yet I think we would.

A

C

More into the solution, space I'll.

I

Tell you where.

C

I

Okay, then I guess from my perspective, I'll end with to me before something gets chartered. It seems really fundamental that you define whether or not you define in a new application protocol on top of quick or you defining an extension to an existing protocol. Let I don't think you can charter without doing that. I.

A

Think that's the third point. hmm This might be a discussion, diode, baltics Encanto. This is different.

C

Good yeah, I, know and I totally agree with mark. There. I see this as a different protocol, given that, like the use, cases and constraints, are very different and like that's, why I think it would make sense to have it in its own working group, because the questions asked would be pretty different from the ones in in the HTTP working group, but I mean part of the. Why we're here in this valve is to figure that out.

I

Okay, alright, then, whether or not it's multiplex with HTTP traffic seems like a really critical definition between the two, a.

M

Mark just to like put you on the spot there. If you look at the last paragraph on this page right, it says if it requires extensions to any existing protocols. I, like this group, should coordinate with a group. Does that, like you know, kind of answer at least some part of your question that, like you know, if you have to do some extensions, we go back to where this needs to happen. I think the.

K

Nice thing too,.

M

I

J

I

Potentially, yes, my concern that you're hearing, probably behind what I'm asking, is that going and doing things like redefining connector and defining you know new methods and things are fairly invasive changes to http and there's a lot of faults there. So it would have to be a very close coordination. Okay,.

A

Sounds good, thank you, yeah I think. Another way, perhaps of echoing this might be. The question is: if this belongs in a subject, working group or other pieces that belong in those individual working groups directly.

A

That's a perfectly finished question. Thinking of solution to you.

A

Thank you for that mark next is Martin Martin Thompson.

A

Are you there Mardan.

E

I mean audio troubles, so I heard.

F

E

I have to read might have to reload I apologize if I drop out, so the first line of the charters says the property is good, but it doesn't say why it's good and I think saying why it's good would be very important in this context. Understanding water, what properties we're looking for out of proxying is would be I, think critical, I think we're looking for the privacy aspects of it, but that's not clear from the Charter.

E

Second point is just say: node.

E

Right in the sense that if we can't be doing things with nh3 and pretending that it is a ch3 and it is a ch3- let's not pretend- and that means the last my.

A

Promotion is bid that last point you dropped out there for a moment. I'm.

E

Sorry I blame the NBN, but if we're making changes to HTTP three such that we're able to do these sorts of things, then it is a ch3 and the last paragraph of the Charter. That probably needs to be amended and we need to coordinator even more closely with.

E

The line between pretending and actually modifying the protocol is much finer than I think we're giving credit.

A

I mean I, didn't save him through this or doesn't even the proponents want to speak to this so.

C

I had a hard time on hearing and understanding Lauren sorry.

A

um Why don't we move this to to a mod? Maybe you could bring this up on jab, but I didn't want to misrepresent you. I heard you for the most part, but I don't want to speak out of turn you moving on. Let's go to Eric Harry.

C

Eric rajala um so Marc said some of what I was going to say: um I guess I, when I first heard about this I envisioned. This is like super connect, ie connect with unreliable and maybe we'd like clean up some of the semantics. That's something I'm quite interested in uh you know. We have things that use, connect and we've all been being reliable, um I'm much less enthusiastic about sort of this. You know application specific stuff like quick and DNS um I think like we should just to offer.

C

um You know I think if you start by offering like basically UDP and TCP and see how, like that's that that um you know shakes out at which point this seems like a relatively modest objection. Some.

F

C

To uh to a you know, a CPA, quick, um actually I.

L

C

Like I read these proposals, and these.

F

C

Puzzles clear, like a h2 retention, it's not like some quickie thing, um so um I never be a good idea. um Now that I'm no longer an ad I'm like I'm like allowed to be so late, but what about whether it is an HTTP dis or in working group, quick, but I, think that, like it's relatively small, so um you know it should be done quickly. No matter what this and me, if.

D

I may respond.

C

To a curb I, so yeah, this kind of goes back to semantics, where I I totally agree with you that it's not that much work to add these things and if we end up building it as like, the current mass proposal or if we end up building it as like new a new HTTP verb, for example, I think that's something that we should decide as a mask working group hypothetically, if it were formed. I understand that for your use case, the like UDP Connect is completely sufficient, but I'm not sure.

C

That's the case for all the proponents of this bath and so building something that is extensible might have value. But I do think that this is something that doesn't need to be nailed down today. It needs to like it.

F

C

Be if we need to solve this, and there are people who want to solve it, let's get together form a working group and decide how to solve it. Well, so so, yes, yes, and no on so on, so certainly I think you know on the cases. I saw might need IP, connect and.

J

I think extensibility.

C

Is good, obviously I suppose a good feature on. However, it's not totally something we can put today, because if you read the Charter text, it strongly implies that we build a quick, specific and ACP quick, specific service and that's actually something I, don't think we should do and so I'm not prepared to have a charter with that in the Charter. um So Edgar could I ask you to clarify why you think we shouldn't do this, so you don't have a use for it, but some other folks might I.

F

Don't I think it's a necessary.

C

Complexity, that can be served by these other cases and I haven't heard a strong rationale for why this exists and if you everything.

A

So hang on for so just I'm going to prepare briefly midea did you have something to say I.

D

Wanted to ask echo a clarifying Krishna note, and so, when you say you want some kind of super connect, is it important for you that it's actually HTTP based or is it just a functionality that the super connect would provide you that you're looking for well.

C

I guess I I guess so I mean this goes back. I think to some concern. Processes are high back and forth in Java, in a sense that, for many of the cases we're interested in you know you can just like get by like term would do the job right. um I mean this in some respects they like term with different spelling, um and so in what way?

C

Is it better than turn it's better than term that people want to run like h3 like servers and want to run quick servers and so on the same reason as web transport people think they'll want and riffed people think they want to have like h3.

C

Having this see some other goofy thing that is quick and not on on and and nice reasons are quite problematic also on, given that the first requirement here um was about like not sticking out I, don't see how you're going to do that um if you're not you're, not basically h3, unless you're going to have a dependent data.

A

So I'm going to move the place I.

A

Think that some echoes here, anyways noted metaphorical echoes not really.

N

Bernard you next Hey I'd like to follow up on some of what occurs just talked about I. Think there's a about scope here. We've talked a lot about the framework, but I have some questions about the overall protocols that we're looking at support down. The road I think it has to be relatively clear what the overall scope is, because it's very difficult to answer. For example, some of the questions that occur asked about this threat model.

N

When you don't know, ultimately, what are all the app you're going to support so it becomes so are we trying to you know, allow something like tour, also with respect to some other protocols. Some of the protocols we've talked about are well defined and are being standard out.

N

The working groups, like you, know, dough and stuff, like that, some of them, like the tunneling work, that's been discussed, are not currently being standardized, so I would want to understand for the things that we do here within the framework where, where the actual protocols being a fine- and is there a working group that works on them for each thing that is included within this framework.

C

So I think the goal David's Ganassi here of the bold sentence in the first paragraph that is currently on the screen is to say that the main deliverable of the mask working group hypothetically would be.

D

This framework.

C

And then a small set of applications because I don't think you know you can in order to define a good framework, you need to define at least a couple applications to make sure it works well and then once we're there. Then it would probably be.

C

You know, after a recharter still in a purview of this working group, to define new ones and but be like security model of mask itself should be really seen in the light of just the framework and have like just a security model, that's well defined, and then the applications would then decide if their requirements are met by the security model. If they want to build something on top of masks,.

A

All right, Ben, Schwartz Yonex of mine,.

C

Hi Ben Schwartz I mostly wanted to say that all I really want is IP over web transport. All those other stuff stems sounds okay, but that's that's. Basically what I want or something morally equivalent.

A

And exotica, what do you mean by web transport? You because that's they can end up. You know loaded, 15, bins, but now I think well.

C

Web transport is, you know, a pretty specific proposal. You know OSHA q3c and the IETF I want. It provides a message. Oriented transport I just want to put IP datagrams in in those boxes and ship them back and forth. It's you know it's such a. It's so simple. It almost doesn't. You know it's like a three-word RFC.

C

F

C

Jump in to answer that, one as mask enthusiast and also chair of web trans, so there is definitely a lot of similarities between mask and web track transport. Absolutely they're, both hey. How do we ferry stuff on top of quick there's this new quick thing? We should do cool things with it, but the requirements are very different, and so the goal of web transport very clearly is to have something that is accessible to the web. So the focus is the web security model and taking taking things from WebSocket and.

K

C

That in the world of quick, so let's say how do we do WebSocket, but with UDP, but the goal there is to make it accessible to the web and by that I mean JavaScript running in a browser. If what you're trying to do with IP here is a VPN client on you can't do that from inside a browser, and you really shouldn't trust.

C

Your entire VPN stack to be something in JavaScript, so I think that doing IP over quick datagrams is definitely useful, but I'm not sure web Transport is the right way to say that and hence mask you.

C

Sure so I'm not particularly proposing to implement this in JavaScript, although I think it's actually, you know there might be some some.

F

C

Where that's interesting, but it's not that it's not the use case. We're focused on. But my point is mostly that as a at the protocol level, ignoring essentially ignoring the w3c components, looking solely at the IETF components of web Transport, that you could just throw some IP packets on top of it, and that would fit the bill here. And so we can.

C

We can invent some more stuff if we want, but there are some essentially reusable components that we can just stick together and call today and I brought this up, partly as a counterpoint to what Mark Nottingham was mentioning, where I just have some difficulty, believing that the HTTP working group is really going to standardize a component of HTTP itself. That will let us ship an arbitrary IP Datagram to an arbitrary IP destination.

A

All right, Ted you're up next.

J

That's that hurry speaking.

J

If you go to the charter text on slide, 26 that describes the motivations that have work I, don't believe it actually motivates any of the work that would have the the proxy deliver services outside of sort of wrapping and unwrapping packages at one end of the spectrum and acting as an HTTP connect proxy at the other and I. Think if you go back to 28, sorry to ask you to flip around Jonah, if you go to the section that says, specify mask server, discovery is out of scope of the group. I.

J

Think a combination of that really indicates that you almost are talking given the spread of things that came before the Charter about three different groups of property types. You have one property type, which is essentially acting as a VPN endpoint.

J

It's going to ship IP packets, to whoever it was told to ship them to on the inner part of the tunnel and call it a day. You have what Lukas has talked about in the jabber chat, which is essentially an HTTP proxy for atv-3, and you have this sort of generalized thing where it's offering services to to the endpoint of over-over, quick, which might be DNS. So it's not it's not acting to go back to the figure.

J

It's not a blue line where the client tells the proxy server go to this DNS server and ask this question: ask this traffic to that DNS server, but instead is asking it to do the resolution and I realized what the Turner is saying. Is it once I build a framework but I think at this point, you're asking it to deliver both chalk and sheets and building a framework that's going to deliver both of those may not be the most effective way to do that.

J

If, in fact, you've got three different goals, three different documents and three different approaches: maybe the right way to resolve this and I think the Charter needs to be really clear in its selection. Of what its primary use case is because what I'm reading in sort of the side channel here is that there's a pretty fundamental disagreement about whether this is a you know, everything over mask type BBN or whether this is in fact an HTTP proxy that works with with quick and I think much of the presentations up to this point kind of assumed.

J

We could do all of that in a framework and I'm becoming less and less convinced of that. At the conversation school.

D

I would like to reply to that one, so we did kind of have when, when first started, as the proponents came together about, if we had kind of the same problems like you have to have different use cases. Is that really the same solution and the more from talking about it?

D

We actually tagged it that at the same solution, because the basic mechanism of the basic assumption you need here is with you just forwarding and everything else you can build on top of that and the endpoint is here: it's not the kind of forwarding you have with Sox o or ever today, where you have to open a different connection for every thing you want to forward. It's really. You have already this outer Creek tunnel and it is there and you can just use it and you can build things on top of this forwarding.

D

Given you have a direct connection between the client in the proxy and I think: that's the big benefit here, to not go and in separate and build like three times the same protocol, but trying to actually have one protocol that can address many of the use cases and can be flexible and extendable. So it can actually also cover future use cases.

A

I'm going to cut the line here after Cullen, because we have about this about 10 minutes and about 10 people in queue right now. So if everybody could keep their questions and responses short, that would be L for Ian you're. Next.

A

A

Again can come back and do maybe is an audio shoe, Spencer yah next.

J

Yeah or to start thank you all for bringing this proposal forward and I'd really like to thank people on focusing on the you know different use cases the people were thinking about, because I think that really got us out of the we're hiding all of our product. All of our servers place that this kind of started and turned this into something that a lot more people can work on.

J

I think that getting to be really crisp about what this is most like, because you know I, think people are kind of seeing this is this is a relay, or this is a tunnel in you know timely mechanism, or this is a proxy or something like that- and you know I think, is so I think ditching a certain amount of the first paragraph or you know it's like yeah. These are kind of these are kind of middle boxes, so you know yeah those what those were middle boxes. But what are we really going to do?

J

I think that that's going to be important, I think that that was one number two on the thing on discovery and having that be out of scope, for this would make me feel better if we had some idea of where that was headed like it was. Are there mechanisms that we could point to now and things like that they would. That would make us feel better about this. You know I mean you know. I just didn't want this to turn back into host text as a way of configuring. This go.

J

You know the moral equivalent of that, and the third thing I wanted to say was we.

J

We heard you know and like cubone and things like that, you know we're hearing things where.

J

You were kind of talking about the way quick can be, but it's not that quite yet you know, is this unreliable or is this data grams or what what what you know? What do? What what needs to be hard, a quick, that's not or to quick, now and I.

J

Think that, because you know, we've got the thing in the in the Charter about we punt to the other working groups, but just if we can be if we go, if we're going into this, knowing that we're that we have gaps being real clear about that upfront would be helpful, also and I'll. Stop by saying I, don't know that we're going to have another face-to-face IETF this year, so I definitely work work.

J

I'm staying definitely up for continuing to discuss this either at the either at the use case level or the Charter level, or both on email and seeing how quickly we can with this board is I. I would like this I would like something like what I think mask is to go forward. Thank you.

A

Thank You, Spencer I think yeah. We need to be more crisp in the in the in the Charter I think that will help a lot of people actually yeah Ian. Do you want to try one more time.

J

Now, the world now that we're all motivated in poll requests.

A

Look for I'm going to move on to Iain. If you can try one more time, nope cannot hear you in okay. I'll have to move along and again. If you want to come back in, let me know static you're next.

G

So I I'm one great- and this is completely uh sorry but debrie.

A

Stood you mean for the.

G

Reason what you don't want to I'm sorry, Cara Kartal, and this overdoing just quick inside quick, is the compression. But am I misunderstanding: is there like an additional round trip between, like there's an additional mass negotiation that has to happen before quick right? So is that are you like trading off time for bandwidth or latency for bandwidth or am I missing, something like an additional benefit of mask so for quick inside quick, so.

C

If I'm answer that David's cannot see here, I'm not sure I understand your question. A quick inside quick doesn't exist today. So one of the goals here is to make that a reality and like.

G

C

Quick I'm doing like sorry go ahead. You're.

G

Saying that's not possible right now! Well,.

C

What I'm saying is today quickly with HTTP 3 on top allows you to do, gets and posts and whatever is TP semantics, your heart desire to say: hey, HTTP, 3 server, I want you to proxy this quick packet to this other server over there. There's no way to do that today.

G

Okay, that answered my question.

D

Yeah I would like to here's a miracle of and I like, would like to add that I, don't think it necessary had to have to add another round-trip time. It depends on how we design this kind of negotiation protocol and the negotiation protocol might be only the client instructing the server to do something because it already knows the capabilities of the server. So you could basically, in the same amount of time, instruct the server to do something and send the data in order forward.

A

That next is Alex.

A

I can't hear you Alex. Are you trying to speak.

B

Move on the next person yep.

A

Let's move on Jonathan Linux, hello, its athletics, I, assume, I'm, audible,.

K

C

So um I guess my I mean I certainly have the concern. I think somebody mentioned this on the job or this will be an xkcd 9:27 problem. So I guess my question is: to what extent would you know turnover, quick and over socks six over quick or possibly either of them over WebTrends meet the requirements and to what extent will they not because I'd rather you know, there's a I think a sacrament? Is it a lot of existing semantics worked on which you know it's better, not to reinvent things.

C

We already have there's a good reason for it, and maybe maybe even if they're different, that's a good reason, but if they're.

O

The same and just then I think that's not a good, then we should not try to reinvent the wheel yet again hip enough wheels as it is.

L

Going onto this David.

C

So I so I apologize. This is what I try to address this in my slides. Oh, we have a bunch of wheels but quick kind of showed up and like kind of proved to us that a lot of those wheels don't fit the bill anymore. So something needs to be done and, honestly, the output of the mass. What you doesn't need to be you know a brand-new shiny protocol with its own name. You know as her and I'm not we're saying. If this ends up being, let's say: I, don't know methods in HCP.

C

Maybe we just had a few spokes to the wheels we have and that's totally an option. I really like the current individual drafted its own thing, because that was just an easier thing to get up and off the ground. But I think that is a perfectly reasonable discussion to have inside the working group.

A

Thanks David, what's a lad.

N

What's matter, Michael I have a question that sprout might be a relatively narrow, buy it's about the impact of congestion control. I am a su slides with quick and quick to want this only given that the inner quick is encrypted. Won't this only really work. If you have have unreliability of the packets that you're sending those in your quick packets in to avoid the problems of TCP and TCP, where all sorts of bad things happen.

D

This is me, included an M, so it depends on really what the scenario is and that's why we actually want to have this different services that you can request from the proxy. But there are scenarios where you can also use this for on a reliable stream for local recovery. If you have a very short little arts model, a link, but it has high high loss just having a reliable channel.

D

There can be very beneficial within testing that, and in this case the the congestion hallways in congestion control isn't such a big problem because the timescales are so different. So it's the end. It depends.

C

If I could add something there as well, so for something, let's say this is the scenario we're tunneling TCP / IP over this. For for some reason- and yes, if you do TCP / TCP performance is bad. We have an ample amount of papers demonstrating that, but the important thing here is that what makes this bad is to thing is one of two things that are often conflated there.

C

One is congestion, control and the other is recovery, and so, when you do TCP and TCP, you have two nested recovery loops that retransmits things, and so you can end up having data we transfer that to layers, even though it's useless, so that's, what's really bad nested congestion control, however, is not bad.

C

If you look like a at any router on the Internet today, assuming you're speaking to something on the internet, that is multiple hops away. Your router has a queue and you can call that queue management algorithm a type of good for it, there's more coming in on one side than the other. It will drop packets to rate limit deal so having this level of nested congestion control actually is no different than just having a node or router on your path. That is dropping you if you're going too fast, so I do think.

C

It's really important that we use quick data grams to avoid the nested recovery, but I think that, as the congestion control is not necessarily a problem.

A

I'd like to speak to that as an individual, but I'm not going to get into it now. I think this is an interesting question, but it's it's it's not something that we need to get into at this point.

A

um Next up is Martin, but Martin DQ'd himself, I am going to go on to Tommy from Europe next.

B

Alright, thanks sorry for the delay Tommy Polly. This is going back a little bit to the comments that been made about the relationship with web Transport. I. Think that's a really interesting thing to bring up and kind of merging the approach and the protocol bits could actually make a lot of sense. I do encourage to David's response, saying that there are different use cases and different motivations I want to encourage that we shouldn't be defining things separately in different groups and different knobs within the same protocols h3.

B

Just because one comes from VPN approach and one comes from the w3c and JavaScript they can both rely on the same protocol. Knobs. Of course, I. Think that would add a question of how would supporting these interests affect the web Transport Charter. If, though, documents were to help include some of the hhv bits that were necessary for this and, at the very least, I think for the purpose of this charter, you should add a touch point with web trends listed in the groups that we need to talk to.

B

If this is a group.

C

D

Excuse me agree.

C

To that, yes, we want.

O

C

Sure we don't have any work repeating. Luckily, a lot of the folks involved here are involved there, but you're right. Let's spell that out in the Charter all right, I'm mark you're up next.

I

Mark Nottingham I just wanted to briefly say respond to one of the comments then Schwartz made, which was he didn't, see. Http working group work delivering.

F

I

To ship arbitrary IP packets, I think it was I I, don't see the reason why not we already have connect, we just need to in reliability. I, don't think that's at all out of scope or even terribly controversial. There.

A

Thanks: mink cousin little mix.

O

Colorings, um so this is not just a proxy, it's also an app when you really think about it, and so, when I see things like IP proxying in it and people talking about receiving ICMP messages, I think that the Charter needs to say a lot more about how what which upstream side of it's not the downstream side.

O

Who can send packets back and get them into a connection who can initiate this and this all comes around, though really can you use this to run servers and all of those issues and how will that all work I mean you know I if I have an IP address and I'm just sending to IPS, can any other IP send it and I get the packet?

O

If so, how do you not bad, and all those issues I think this, that the Charter is very it's thinking about it very much as everything's initiated from the downstream side, but it doesn't talk about initiation from the upstream side at all. So I'd like to see the the Charter a little clearer in that scope,.

C

um If I can answer that, David's gonna see so Colin, that's a really good point like I'm, not entirely sure it needs to be in the Charter, though it'll absolutely need to be in the document that defines how to do this. There are really.

F

C

In very subtle security considerations that are going to be needed on how to do this right, I guess, maybe a just a sentence and the Charter is saying: don't met and don't mess this up, but I would really see this a more as a deliverable in the documents. Well,.

O

Third up I think it'd be good to be clear, then that we in the Charter that we expect to be able to run servers on it and receive suffer abroad set of connections, or we don't expect that one way or the other, because that definitely splits it I agree the security considerations: how to do that are going to be really complicated.

O

It'd be good to understand what people's poll is. Yeah I'm gone, yeah.

D

I'm not sure I'm sending this kind of present yet because so in the in the diagram we had I think the term client mask server and target server. They were more indicating. You know where the tunnel is, and we always say the talent is between the client and the mask server, but it doesn't really mean what the actual application connection does do here. So I'm not sure what what you're! Looking for? What's the scenario you have in mind well,.

O

If I send a packet, so if a client sends up to the mask server and says, please send this IP packet to IP address X, and then it gets back an ICMP address from. Why is it supposed to forward that back to the client? What if it just gets a reply packet to the same ip? Why does it need a different?

O

Does it need a unique IP for every single client behind this I mean when I read this charter here it seems like you're, saying all of those things at once and that, if that's the goal, this is a very, very broad. Oh yeah.

C

I, don't think that's the goal, and that's thanks calling for isolating that. I think what we'll want is to say no. The client has expressed interest in tunneling to this destination. So if you have packets on the return path, send it to the client and if you have weird packets, that you don't understand, maybe drop them on the floor, but yeah that should be clarified. It was kind of a working assumption that we forgot to document.

O

I get what you just say so back to the NAT question that makes sense when you're, using UDP or TCP or quick or something with something. On top of those does what you said just make sense in the context of IP and all and won't take any more time.

C

It really depends at what layer, you're proxying and all these things and I agree with you that this gets into very pretty gritty details. So maybe look, let's take it off less, but I agree that there should be clarified, but.

D

I I mean I, understand the problem now and I am and I think we need to work on that, but I'm not sure if it has to be in the Charter. For me, that's really some of the details of the protocol that need to be specified.

A

All right, I'm, I'm, gonna, move this along I even had one comment which I'm going to relay one of my other mic here. He says we should pursue this work, but we need to determine whether it's so real, quick or over HTTP 3 before creating the working group- and this is more for the quick chairs- this work makes me think the Datagram may be needed in quickly one or Garriga might be. This will travel quickly, one for this work, and you want to thoughts on that, but we're not going to do that discussion here.

A

I hope what I said was clear and we are going to move on to the next phase of this in the last 20 minutes that we have, which is the both questions. Chris, you don't take this.

A

Can you advance the slide? Please.

A

No I am apparently resizing. I have no idea what I've not done anything or didn't gone to the slides right.

B

A

Cullen, okay: this is just.

B

G

A

B

Alright, so thanks everyone on the feedback from the Charter on. We will work after this to sort of clarifies several the key points that were raised in particular around throwing up motivating texts in the football trying to suss out whether or not this is a new protocol or an extension of a protocol, the quick vs. they should be throwing thing and other issues that I've made out of here.

B

So in the time that's left.

B

We both dissent of what this is something that we want to go forward with some air here so now think about questions, and so in the interest of time, I think the the way we'll do this is I will just post a question. There will not be a home of any particular type just want to hear what people think. So you know please keep up to the mic. You have disagreements with what's written here or disagreements with what I'm saying right now. Thank you mark and we can go through there. Mark I'll turn.

I

B

Quickly before we get started, oh.

I

Sorry I, misunderstood I wanted to answer the question. I have.

B

To wait 20 minutes before you not yet.

B

Okay, so I'm kidding first, so the first one immediately. There was a lot of question about the specificity in the charter text as proposed, but I. Imagine that's something we could work through, but in a general at a general level like a know or here from Oakland tonight, you think the effectively the scope of the problem that we're trying to solve a laid out in the motivating text from Davis and the foremost case that we described in and the motivating Carter proposed to our text is well-defined and well understood.

B

And if not, what are the particular? Perhaps you can shed some light on one of the particular areas in which a more refinement is necessary or needed, and what we might be able to do.

B

You know better clarify them for the understanding of everyone, so ecker I think you're up unless mark Monceau.

B

C

um So I guess I came into this thinking that they were well defined and whoa understood and I thought that it was basically what I think you know. Colin would call a symmetric that, um namely you know, you'd be able to make outgoing connections with like UDP and and like we can fight about this quick for JCP thing later, but basically be like outgoing, um but on this : points out, basically the question whether there's going to be server on functionality or table functionality or raw IP.

C

If cable functionality or like kind of like real scope, questions for the working group, so I think you know I guess I would argue they shouldn't be, in which case I think that the scope is well understood, but other people think they are. They should be, then probably to get up.

A

Yeah, that's a good point mark the other go next sure.

I

Mark Nottingham, yeah I agree with whatever says, I think the abstractions that are being boarded really need to be nailed down to the Charter I. Don't agree that this could be sort of the working group says people are going to come in with wildly different expectations and it's going to cause a lot of friction. I think it needs to be defined personally, whether this is a new protocol on top of quick or whether it is htv-3 extension or extensions or something else.

A

I'm been the next.

C

Okay, so clearly that the scope is not universally well understood, I, don't think that we need to fully specify the the layering I think. The key requirement that I do think we could get consensus on here, for the Charter is to say that this protocol can run inside a quick Association alongside HTTP inside a quick Association that is owned by HTTP 3.

F

Okay, who's got it. uh Does that mean X, yes, looks like Isis yeah.

N

Okay, um I think the scope of the problem. It seems that there's a lot of questions about whether or not things like AI, whether just forwarding sections at connection layer or application or IP layer and bla support. All of those are those all connected, so I, don't think I think that's an area that would like to see more clarity on.

B

Sorry, can you can you reiterate, what's enough.

N

Yeah, so we're talking about something like law forward, not proc to GDP, while proxy quick, we want to proxy TCP, we wanna proxy IP. These are all different things and are they all going to be available? All the time are there going to be, is going to be serve a menu? Is it going to be so? Are these love layer on top of each other? So the way before word quick is the way before UDP.

N

It's just that there's a connection, or is it going to do other other sorts of things that you can forward individual streams and be aware of the streams inside the inner one that these are for finish questions then you can see sir lately they've seen HTTP proxy versus you know, passing a CP over IPSec.

B

B

I do agree that certainly a clarity on what is the minimal functionality that the the master will provide is certainly needed.

A

Yeah- and this is under the negotiation, guys know exactly what services yeah.

F

A

Impact negotiator and how they are- and that is definitely not something that is in the Charter moment, but yeah um I think the next up is is Martin. You.

E

Have Marvin comes from one of the comments that I made earlier that got cut off cute audio travels. Was that there's a lot of discussion in this charter about frameworks and nothing in the discussion that we've had so far suggests that any need for a framework at all?

E

And while the point that echo raised I think is probably the biggest one, this discussion of frameworks makes me deeply concerned. I, don't think we need one at all. I'm glad us rather see that jettisoned.

B

Can you clarify what you mean by a framework what.

A

Your understanding.

B

Of the framework is just to make sure we're so.

E

It's pretty hard of thing where you use in the in the current set of proposals, but there is your framework at the moment for I, guess, discovery of capabilities and and so forth and I, don't think that's very well formulated, but the suggestion well I could extrapolate from there and say that there's possible things that are shared across quick proxying versus IP proxying, those UDP proxy inverse of the TCP proxying that all require the same sort of signaling and I'm. Not seeing any motivation for that and I would rather see that go okay. Thank you.

E

H

D

Is I could a.

H

C

There it's gonna be here, so the reason in my individual proposal, I currently have a framework, is that if the Yusuke, like might do use case, that I'm personally passionate about is a VPN client and if you're, building a VPN client as I like truly a little bit too earlier in my slides different kind, you might be varying very different kinds of traffic based on what your users are doing, and these different kinds of traffic don't necessarily need or want the same kind of proxying, and so maybe framework is a bad choice of words.

C

But the idea was what, if we allow, having multiple things inside this same connection to my proxy in a way, that's not visible to on path, observers and I. Think that's for me the main justification for having what I call the framework, which is to be able to have multiple of these. At the same time, that's.

E

Ok, you can use the word multiplexing in that case and then not even have any program. Ok,.

C

Yeah, but that is that is the only thing I meant by that. Ok.

E

That makes a little.

A

Make a noise to.

E

Fix that I think.

A

It is actually useful. This is good because I think framework might confuse a lot of people. It's a very general term and being more specific is, is something that we could do in the current Charter. That's one of the pieces of feedback I'm taking back is that the Charter needs to certainly be more closed, and this is a very precise registry.

A

And the next in line is Mike Bishop.

K

So I feel like there are a lot of scenarios here and.

A

He might give you the cut off at the beginning. Dick can you study in my.

K

Fish if I feel like there are a lot of scenarios here and I'm, not sure that we actually need to solve all of them, because solving some of them would give you the means to solve the others. So, like you know, I don't know that we care about HTTP proxy. If you can do TCP, you can do quick if there's h3 support on the other side, generic IP flus seem like what you'd want for a VPN.

K

Then you know symmetric NAT versus kun, nap versus rowdy and I feel, like the scoop that has been presented is a little bit over broad and different people have different conceptions of what they're trying to achieve so I'd want to see a smaller list of scenarios before we move forward with this, and the second piece we've been discussing in jabber different ways that you could build this on as an h3 extension with unidirectional streams or the bi-directional streams will use or a new connect method, but honestly, I think if you're going to do something like this, your cleanest path is just called a new protocol.

K

One take a dependency, an echo to hide book or a call. Your ego, cheating.

B

You know thanks Mike to your first point. It very well might be that the actual solution is, you know, ESPO proxying protocol for UDP TCP in applications, and everything is built on top of that. It might have some additional expense ability points, but I don't want to get too specific into with the solutions right now.

B

So I want to cut it here, because we still have a couple more questions to get through. So my understanding is that effectively that, despite sort of lack of clarity and Christmas with how we supplied the problem and what we're actually trying to solve, there is some interest, and you know, sort of working on. You know some subset out there. Sending the challenge would be to sort of articulate what that particular subset is in a meaningful way.

B

So, nice to the end, the next two questions are really about folks here, proponent, to the boss, interested parties I'm trying to understand whether or not there's people who are interested to or interested in reviewing documents in any capacity via commenting on the mailing list or on github of over at list or even serving as an editor.

B

So I don't think you know books need to say anything if you want it's like +1 or something in the chat to indicate that you have an interest in either one of these things that would be lovely and we can kind of just put that and move on.

J

I'm, sorry did you want us to do that in the chat which goes away at the end of this room, jabber yeah.

B

We just want to get a quick sense for it right now. You can do in the chat here or jabber. It's looking.

A

Like? What's a good bit,.

B

A

Look at the chart and povel if it's happening on jabber didn't wanna, stop.

B

Alright, great uh some people are chatting and thank you very much so that brings to the last question, particularly around the existing charter, the proposed charter member group regression. We felt it was not appropriate to specifically ask if a working group should be formed. This charter text in mind, as we've discovered throughout the course of this being there are some textual edits that could be made to the Charter, as well as some content refinements. That could be made as well to sort of help us on a trajectory for success.

B

Now we will work offline to sort of address those but I'd like to take a step back and sort of ask the more general question about whether or not anyone feels like a working group should not be formed to address a problem of this type and I'm not going to specify exactly the we.

F

B

Because that's for problem, our question number one, that's still being flushed out in in more detail.

B

A

Jump in there very briefly, because we have about 20 plus ones for the community participation question so I think it's safe to say that there's a fair amount of good question. A number of them are about contributing people willing to learn and contribute with the work which is excellent, okay, so more than 20 at this point, so that is very good and just my last question I want to add that let's be careful here, the important thing here is to this state.

A

If you believe that the work group should not be from, we have heard I think the problem statement of question of scope, as mentioned earlier, is very clear. We do need to work on that in terms of the Charter, but I would like to move on to quick questions on the last one. Because did you want to say something else know how to move on to questions on this? No.

B

It's clear other questions, I think I'm. Reading this correctly Ted is first ed.

A

J

First, for speaking, I think until you have this scope problem solved, I would not agree that a working group should be formed because you might want more than one working.

F

J

It might turn out that the work belongs in an existing working group like other web transport or HTTP. So I, if you ask, does anybody feel like this work should not be done. I would keep silent, but that a working group should be formed. I'm much less sure, so I would I would currently say no to that until until we get one answer.

M

Good enough, mr. Strickland, just like cutting in Ted. So is your concern about the actual mechanics of doing this, like so you're, okay, with like some kind of work in this space, but you don't want to presuppose maybe a new booking group that does it. Would that be a fair summary of what you wanted to say.

J

If Ed Hardy speaking, yes, sir sure, that's a fair summary, I and I believe that there's enough work here, it might actually see some of the work of one group and some of the work go into new group or into a different group. It just kind of depends on how the scope gets pulled out. I just think the use cases may shovel is that the work belong somewhere else, sort of the work at least along and something else other than a worker.

A

Okay, thank you.

A

um Spencer you next.

J

Thank you for queueing that up red, because I think that some so some flavors of this work that different people have been talking about, I think should be done. I agree with Ted's comment about, maybe not in a new working group. Maybe not just in one working group and I know: God loves the quick working group, but it's not totally.

J

It's not totally obvious to me that it should it even all, belongs in one area depending on what ends up being is go so I think I think that getting the Charter nailed down really quickly is going to be really helpful for getting this going.

A

Monk 15 seconds mark.

I

Nottingham yeah +12 what Ted said I can't evaluate this charter in its current state should work me down here in this general area. Sure I, don't know that requires from this point. It and I don't know that it requires the effort.

F

I

Could be just incremental components, we need to discover yeah.

A

That's I think that's coming to loud and clear, and a part of it is just that there's a good part of it that is figuring out how to be more specific and more precise and more tighter than the Charter, and in doing that, exercise. I think we might come out and find something that we don't know yet, meaning that maybe doesn't require a working group. But that's excellent feedback and we are at time letting mark and not in the queue I mean.

M

A

All DQ yeah yeah Martin D cube and Madame Curie up again Martin. Do you want 16 seconds yeah.

E

Our housing proposing I, don't want to I. Don't want us to mate again like this I want us to work out the tartar on the list. That's all well.

A

Absolutely yes, I'm. Sorry, thanks magnificent series: you want to say something parting words yeah.

M

So I think yeah. Thank you very much for everybody for contributing. So there's like, at least in the Charter there's like a couple of issues that came up and both of them important, I think one of them is like it was kind of like underspecified a little bit. It is a little bit big like you know. What is the scope of the Charter?

M

The second thing is that, like too many specifics on how things are supposed to be done, I think like both of them need to be worked on before we go further and I saw there's like a community of participants who are willing to do work on this.

M

So that's a positive thing, but I really do think like you need to work a bit on the Charter to scope it down a bit specifically kind of like on the same lines that Kullen an acre pointer out a bit and also kind of not presuppose the actual mechanism and see how things fall. So that's kind of falls back more to like you know what Ted was saying and I think like Mark was saying too so. I think that's kind of the directions like you know.

M

We need to go, and let's do that on the mailing list and personally, it's not clear, like you know where this would end up like I picked it up, because it's like a tunneling thing and interior. So, like we'll figure like I know where it needs to go, this work needs to go once we have a better understanding of what needs to get done.

M

Thank you, Xtreme.

B

E

B

Because yeah yeah with that first thank you, everyone for tuning in entertaining us and contributing we will be in contact on the mailing list to flush out this chart. X and move forward and I hope you enjoy the rest of your IETF week.

B

A

B

All sharing one.

A

Thing last spar.

E

A

You to the Secretariat for making this possible. Yes,.

C

A

J

C

A safe everyone.

C

Thank you, bye, bye,.

M

Bye thanks Jen thanks Shannon Chris good job. Thank you that.

D

Means chairs and sanctuary foods pie looks nice here.