Multiplexed Application Substrate over QUIC Encryption
charter-ietf-masque-03

* 4th paragraph says "over MASQUE" without previously declaring the term
  MASQUE.  Suggest either to reword without MASQUE or add sentence declaring
  "all of the above proxying games are collectively called MASQUE", or
  something.

Concur with Ben Kaduk.  It would be helpful to qualitatively describe the security properties we want ensure.

[nit] s/Multicast UDP and multicast IP support are out of scope./Multicast support is out of scope.

Just "HTTP" does not imply any particular level of security mechanism, though
"HTTP/3" would.  I think we need to say something about what security
properties we expect MASQUE to provide, even if it's just "equivalent to HTTP/3
or better".  (This would be a BLOCK at external-review time but may not need to
hold up asking for external review.)

  Proxying technologies such as SOCKS and HTTP(S) CONNECT exist, albeit with
  their own shortcomings. For example, SOCKS signalling is not encrypted and HTTP
  CONNECT is currently limited to TCP. In contrast, HTTP/3 is a viable candidate
  protocol for proxying arbitrary traffic, as it provides secure connectivity,
  multiplexed streams, and migration for a single connection while taking
  advantage of a unified congestion controller. An HTTP/3 datagram construct

Am I parsing this properly that the last thing in the list of what HTTP/3
provides is just "migration", and that the "for a single connection [...]"
stuff applies to all of it?  I'm not sure if another comma would help make
that separation more clear.

  The primary goal of this working group is to develop mechanisms that allow

nit: maybe "mechanism(s)"?

  and/or HTTP/3 extensions to enable this functionality. The group will focus on
  a limited set of client-initiated services: (1) UDP CONNECT and (2) IP
  proxying. Server-initiated services are out of scope. The working group will
  first deliver a protocol solution for UDP CONNECT and a requirements document
  for IP proxying. Once both are complete, the working group will focus on a
  protocol solution for IP proxying.

I assume there's a reason to do UDP separately instead of just letting UDP
run on top of proxied IP.  (Expediency?)

  The working group will consider fallback to versions of HTTP that operate over
  TCP as a mitigation to UDP or HTTP/3 blocking. Moreover, the working group will
  consider implications of tunneling protocols with congestion control and loss
  recovery over MASQUE, and may issue recommendations accordingly. New congestion

This sounds like "nested congestion controllers".  Is that more of a research
question or an engineering one?

  Multicast UDP and multicast IP support are out of scope. However, the group may
  specify extension points that would enable future work on multicast. Specifying
  proxy server discovery mechanisms is also out of scope, but the group may
  specify techniques for identifying proxy servers to aid future discovery
  mechanisms.

How do "techniques" differ from "mechanisms"?

  Impacts on address migration, NAT rebinding, and future multipath mechanisms of
  QUIC are not anticipated. However, the working group should document these
  impacts if they arise.

Presumably we also want to pay attention to any other developments in QUIC
that would be impacted by MASQUE, and document those, too.