Internet-Draft On-Path Proxy Discovery November 2024
Welzl Expires 10 May 2025 [Page]
Workgroup:
Path Aware Networking RG
Internet-Draft:
draft-welzl-panrg-oppd-latest
Published:
Intended Status:
Informational
Expires:
Author:
M. Welzl
University of Oslo

On-Path Proxy Discovery

Abstract

This document surveys possibilities for On-Path Proxy Discovery (OPPD). It is meant to help the conversation in a planned side meeting at IETF-121 in Dublin (see the github page linked under "About This Document" for coordinates).

The draft title indicates PANRG as a target of this document just because we thought that PANRG should be informed. What a suitable target is, and if this is even the right type of document, should all be discussed at the side meeting.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://mwelzl.github.io/oppd/draft-welzl-panrg-oppd.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-welzl-panrg-oppd/.

Discussion of this document takes place on the Path Aware Networking RG Research Group mailing list (mailto:panrg@irtf.org), which is archived at https://mailarchive.ietf.org/arch/browse/panrg. Subscribe at https://www.ietf.org/mailman/listinfo/panrg/.

Source for this draft and an issue tracker can be found at https://github.com/mwelzl/oppd.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 10 May 2025.

Table of Contents

1. Introduction

Proxies can carry out functions that improve the performance of an end-to-end connection. These function can be quite diverse, ranging from minimal help (e.g. just offering information) to more significant interference, e.g. splitting an end-to-end connection in half, for reliability, congestion control or both.

It is commonly desirable for such proxies to be located on the path(s) that a connection already traverses, rather than using a tunneling or forwarding approach to enforce a path. This is naturally the case for transparent "Performance Enhancing Proxies" (PEPs) that have been implemented for TCP, but the transparent nature of such proxies has caused a number of problems in the past. Non-transparent proxies leave the choice of utilizing and configuring a performance enhancing function to end systems -- and such a choice requires a means to detect the proxy and explicitly communicate with it. With QUIC, the encryption of packet headers necessitates using non-transparent instead of transparent proxies, and research works such as the Sidekick [Sidekick] and Secure Middlebox-Assisted QUIC (SMAQ) [SMAQ] have shown that this is both possible and beneficial.

There are various ways in which On-Path Proxy Discovery (OPPD) can work, and they differ from the ways in which end systems learn about proxies that are not necessarily on-path.

This document surveys some possibilities that are available for OPPD.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Terminology

4. General assumptions

5. A survey of possibilities

Please insert your ideas below -- or add a description of a scheme that already exists.

5.1. Endpoint to proxy

5.1.1. Special packet of base connection

Sidekick [Sidekick] endpoints signal proxy support by sending a distinguished packet containing a 128-byte sidekick-request marker over the base connection's 5-tuple. Such inline signaling could confuse receiving endpoints, but sidekicks target protocols such as QUIC that discard cryptographically unauthenticated data anyway.

Secure Middlebox-Assisted QUIC [SMAQ] leaves the design of a proxy discovery solution as future work, but also suggests to multiplex the necessary signaling over the same 5-tuple as the base connection.

5.1.2. Header options

An endpoint could use a newly defined TCP option or UDP option [I-D.ietf-tsvwg-udp-options] to signal proxy support. Such an option could be specified to be ignored by the receiving endpoint, and receiving endpoints that are not upgraded to support the option should ignore it anyway. In case of QUIC, for example, the QUIC implementation at the receiving endpoint would not even be informed about the message in the option. This approach might have the advantage of not possibly confusing the receiving endpoint, and it does not require the endhost to send an additional packet.

5.2. Proxy to endpoint

5.2.1. Special packet of base connection

A sidekick proxy replies to a sidekick-request packet by sending a special packet from the receiver's IP address and port number back to the endpoint [Sidekick]. This packet contains a sidekick-reply marker, an opaque session ID, and an IP address and port number for communicating with the proxy. Upon receiving the sidekick-reply packet, the sender begins communicating directly with the proxy from a different UDP port. It initially sends back the session ID and configuration parameters to start receiving quACKs (special ACKs crafted by a Sidekick proxy).

5.2.2. Header options

A proxy could insert a newly defined TCP option or UDP option [I-D.ietf-tsvwg-udp-options] in a returning packet (e.g., an ACK) to answer back to the endpoint that originally announced its proxy support. This approach does not require the proxy to send an additional packet.

6. A survey of open issues

Just an idea, having a separate list of common problems to be considered might be helpful. For example:

This list will become longer as we add mechanisms to the preceding section.

7. Examined material that was not included

[I-D.kuehlewind-quic-proxy-discovery] lists several possibilities for proxy discovery, but the proxies in question need not be on-path. One notable possibility mentioned in [I-D.kuehlewind-quic-proxy-discovery] is the use of Port Control Protocol (PCP) options; this is, in some sense, an on-path discovery method since PCP talks to NATs, which are necessarily on-path. However, there is no reason to limit the discovery process described in the present document to scenarios with NATs only.

OPPD shares the on-path communication constraint with Path Layer UDP Substrate (PLUS). As such, there are commonalities between PLUS and OPPD such as the potential sharing of ports. However, the PLUS wire image in [I-D.trammell-plus-spec] was designed for the endpoint-to-network direction of signaling, which eliminates the need for an on-path proxy to prove that it has seen a packet. Being designed to support in-network measurement and state maintenance, PLUS is generally a much more sophisticated construct than what we expect to need for OPPD.

8. Security Considerations

The idea of OPPD is only to discover on-path proxies. These devices must make it reasonably credible that they are indeed on-path; see the last item in Section 4.

Further security considerations will depend on the use case.

9. IANA Considerations

This document has no IANA actions.

10. References

10.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

10.2. Informative References

[I-D.ietf-tsvwg-udp-options]
Touch, J. D. and C. M. Heard, "Transport Options for UDP", Work in Progress, Internet-Draft, draft-ietf-tsvwg-udp-options-38, , <https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-udp-options-38>.
[I-D.kuehlewind-quic-proxy-discovery]
Kühlewind, M. and Z. Sarker, "Discovery Mechanism for QUIC-based, Non-transparent Proxy Services", Work in Progress, Internet-Draft, draft-kuehlewind-quic-proxy-discovery-01, , <https://datatracker.ietf.org/doc/html/draft-kuehlewind-quic-proxy-discovery-01>.
[I-D.trammell-plus-spec]
Trammell, B. and M. Kühlewind, "Path Layer UDP Substrate Specification", Work in Progress, Internet-Draft, draft-trammell-plus-spec-01, , <https://datatracker.ietf.org/doc/html/draft-trammell-plus-spec-01>.
[RFC2663]
Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, DOI 10.17487/RFC2663, , <https://www.rfc-editor.org/rfc/rfc2663>.
[RFC2992]
Hopps, C., "Analysis of an Equal-Cost Multi-Path Algorithm", RFC 2992, DOI 10.17487/RFC2992, , <https://www.rfc-editor.org/rfc/rfc2992>.
[RFC792]
Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, , <https://www.rfc-editor.org/rfc/rfc792>.
[Sidekick]
"Sidekick: In-Network Assistance for Secure End-to-End Transport Protocols", Usenix NSDI 2024 , .
[SMAQ]
"Secure Middlebox-Assisted QUIC", IFIP NETWORKING 2023 , .

Author's Address

Michael Welzl
University of Oslo