HiNT and HELIUM for UDP (and IP?) tunnelling

Transcription

1 HiNT and HELIUM for (and?) tunnelling Presentation to bis WG at IETF th July 2018 Lucas Pardue

2 Internet-Drafts HiNT - -initiated Network Tunnelling draft-pardue-httpbis-http-network-tunnelling-00 HELIUM - Hybrid Encapsulation Layer for and Messages draft-schwartz-httpbis-helium-00 Discussion is framed in terms of client-server proxying but tunnelling can be applied to other use cases. 1

3 /1.1 via forward proxy /1.1 Client* /1.1 Proxy* /1.1 2 * Typically configured with http_proxy variable

4 /1.1 over via /1.1 proxy /1.1 Client* /1.1 Proxy* S/1.1 CONNECT 3 * Typically configured with https_proxy variable

5 /2 over via /1.1 forward proxy /2 Client /1.1 Proxy /2 CONNECT /2 stream 4

6 /2 over via secure / forward proxy / Client* transport security stream CONNECT /2 stream / Proxy* /2 One context plus one context in the same association. over on one stream. Streams within streams. 5 * / advertised by the / proxy, or set up using prior knowledge (proxy.pac)

7 over via forward proxy? / Client / Proxy / transport security stream 6 / to server via proxy is not standardised today. TURN / SOCKS5- could be used

8 Hypothetical: over via secure / forward proxy / Client* transport security stream??? transport security stream / Proxy* / 7 * / advertised by the / proxy, or set up using prior knowledge (proxy.pac)

9 -initiated Network Tunnelling (HiNT) Generalise the existing CONNECT-based tunnelling. Conversion of an connection (in whole or in part) into a, or tunnel. Design considerations: Version(s). Tunnel proxy discovery and chaining. Message destination agility. Path MTU discovery. Proxy s role in message passing - Blind forwarding vs. in-the-loop. HoL blocking. Padding for traffic obfuscation. I-D presents some options and weighs up pros and cons. 8

10 HiNT proposed solution spectrum Initiation Request method /2 or / setting Message transfer Framing of messages Reservation of streams for particular tunnel There are many permutations CONNECT Method Augmentation ASSOCIATE request method with HINT Frames for /2 and / HELIUM over WebSockets for all Versions HELIUM over WebSockets for /1.1, Native Framing for /2 or / 9

11 HELIUM HELIUM: A lightweight, flexible proxy protocol based on. Designed to span many use cases: Forwarding (c.f. SOCKS5-) WebRTC (c.f. TURN) proxy with ICMP support (e.g. traceroute, PMTUD) VPN (c.f. OpenConnect, OpenVPN, L2TP) Currently uses CBOR, runs over a WebSocket (proposed solution ). Possible to natively frame in /2 or / (proposed solution ). See detailed slides from DISPATCH. 10

12 Closing There are already many ways to do and network tunnelling -based (-initiated) tunnelling has some unique benefits. There seems to be interest: Is there enough interest in the community that warrants investing more time/effort? Input/guidance required: Can/should we drive toward one solution? Those presented or some new derivative. Does this belong at a lower layer? What is a suitable home in IETF for this work? 11

13 Thank you bbc.co.uk/rd

14 Backup slides

15 /1.1 basic client-server interaction /1.1 Client /1.1 14

16 /1.1 over /1.1 Client S/1.1 15

17 /2 over /2 Client /2 stream /2 /2 stream GET /bar 16

18 over / Client / transport security stream stream GET /bar 17

19 /1.1 over via secure /1.1 forward proxy S/1.1 Client S/1.1 Proxy S/1.1 CONNECT 18 Two independent contexts in the same connection. over.

20 /2 over via secure /2 forward proxy /2 Client* /2 stream CONNECT /2 stream /2 Proxy* /2 Two independent contexts in the same connection. over on one stream. Streams within streams. 19 * /2 negotiated using ALPN

21 HiNT framing Message transfer of proposed solution. Client is unaware of / in the tunnel: packetisation is done by the proxy. Frames sent on a stream contain payload for packetisation. e.g. a packet Pad Length? (8) Payload (*) Padding (*) Figure 3: HINT /2 frame payload HiNT HiNT Application-layer frame Payload (*) Figure 4: HINT / frame payload /2 over over 20 Indicates a single reserved stream

22 ASSOCIATE and HiNT framing / Client transport security stream ASSOCIATE transport security stream / Proxy / HiNT 21 * / advertised by the / proxy, or set up using prior knowledge (proxy.pac)

23 HELIUM over WebSockets and native framing HELIUM over WebSocket HELIUM native framing (light or full) H-CBOR H-CBOR H-CBOR WebSocket WebSocket H H Application-layer frame WebSocket /1.1 over /2 over over * *WebSockets over not defined (yet?) /2 over over 22 Indicates a single reserved stream