IntArea WG Agenda
IETF 120 - Hybrid meeting, Vancouver (Canada) + Online
Wednesday, July 24, 2024
15:30-17:00 Wednesday Afternoon Session III (PST, UTC-8)
Chairs:
Juan Carlos Zuniga (Cisco)
Wassim Haddad (Ericsson)
Drafts to be considered dead can be brought back if the authors feel
they are still relevant.
AI: Chairs to reach out to "to-be-dead" drafts to confirm.
Dragana Damjanovic presenting...
Benjamin Schwartz (Meta): Not convinced that optimizing connection to
HTTP endpoints for direct IP access
See "Well-known ECH" draft which has JSON encoding already
Tommy Pauly: Could imagine a case where a proxy is only available over
HTTP/3 and only by IP, so it makes sense to have a way to signal that;
implementation can be discussed
Ben: Not going to argue against it; extensibility valuable here as you
might want ECH
Ben: DNS zones defined in 801; definition is opaque;
Dragana: Just two definitions: matched domains and excluded
Ben: More guidance needed; maybe not use DNS zones
Eric V: Should the key names be matchedDomains and excludedDomains or
matchDomains and excludeDomains?
Tommy: How do you manage excludeIPSubnets (like a PAC can do)? Either
more keys, or this key can match both domains and subnets; could have
only exclusions but the default is everything
Josh Cohen: Look at the common definitions used in PAC files; might mean
more keys or rules about current keys (such as regex)
Dragana: Thanks
David Schinazi: The fact that PAC scripts were Turing complete was
problematic; make sure you don't go crazy looking at PAC files
Dragana: We don't want to have the same security issues, so absolutely,
we won't go crazy there
Ben: Think we have work to do on client auth to proxies but doesn't seem
like it will go here; feels like it will go inline with normal HTTP
challenge flows. Not obvious why here.
Dragana: This would be a hint
Ben: URI templates are defined as unicode strings; so we might not need
to say more on character sets
Dragana: Maybe key names should be simple (without space) for easy
parsing
Ben: You will need to come up with rules for the registry
Mike Bishop: You should just have a URL and let the HTTP server handle
auth in the normal flow; you might have a proxy that doesn't want one to
know it's a proxy
Ben: Normal HTTP authentication doesn't work with a proxy; normal HTTP
authenticate returns a code and guides them through a flow; with a proxy
there is no user interface (except for narrow things like Basic Auth);
wants to be able to SSO, passkeys, etc. through proxies but doesn't see
how it connects here
Mike: Progress to be made in the field, but doesn't need to be added
here
David: Lots of auth methods do work with proxies (basic, concealed auth,
privacy pass); knowing which the proxy supports would be useful; don't
define anything, but hint which schemes the proxy supports
Jim Taft: Auth methods are heavily used in proxy deployments (e.g.,
Kerberos)
Tommy: Doesn't care if auth is in this JSON format; one benefit of a
hint is that it's useful for performance to do some work ahead of time
(e.g., grabbing a handful of proxy pass tokens); it's also useful to get
a full profile of a proxy ahead of time to see if you want to use it;
Can enable nice UI flows
Juan-Carlos: Are you foreseeing a HAT for this?
Bill: Could just be that I have access to the implementations, and I can
do the test and publish results;
maybe provide feedback to the vendors before publishing
Eric: You will want to change the name to a bis if it gets adopted
Bill: Yes if it gets adopted, change the name
Juan-Carlos: We will pose it on the list for adoption (chairs AI)
Joe Clarke: read the draft, very useful to see this amount of metadata
by the user (also for the operators.)
Ben: Typically when I see traceroute data, I see IPs and maybe PTR. Is
this an idea to provide more human-readable data
Bill: There's an example 5830 that does provide incoming interface
information which could be provided if each device had a unique IP. This
allows you to fill in the gaps by implementing both of these. The
extensions stack.
Ben: Do you want this field to be a hostname or a free-text field?
Bill: I don't want a free-text field. I want a structured text field. I
don't want JSON in ICMP. There are other bit fields available if there
are more ideas of what could be shared; I want to be cognizant of
privacy concerns, so this is focused in scope. I encourage discussion on
the list if there are more concrete examples
Robert Kisteleki: This could be GeoIP info; looking at DNS PTR records,
it might be lying if the device moves, but the DNS record changes. What
is the incentive for operators to keep this up-to-date
Bill: This info is provided by the router
Robert: Then the name is meaningful to whom?
Bill: It's as meaningful as the hostname you get in traceroute today
Robert: The human that configures the router might make a mistake and
misname the router
Bill: Yes, but operationally it is more common to have the hostname on
the router correct; this is the self-describing router model where the
device knows what it knows about itself.
Nalini Elkins: Great idea; so many routers block ICMP on the internet
Rolf: Many do. We don't talk to routers via ICMP. We talk to end-hosts;
We sent ping to 10 million hosts on the internet; once we see they
respond to ping, we try the traceroute and found there is a big chunk of
the internet where this works today; we can share the paper with you
Nalini: when I use traceroute, not a lot of nodes respond
Rolf: Yes, UNIX uses UDP; might rate limit ICMP
David Lamparter: Not clear if this will be deployed broadly or in targeted
areas. That will dictate security considerations
Rolf: Let's assume this is on every host on the internet; this will be
in the kernel, and let's write security considerations considering that
David: Let's ensure this is default off and can be enabled
Eric: This presentation was clearer than the draft text; if you start
this on the internet won't some state be preserved on the server? E.g.,
the source UDP port used for a UDP probe
Rolf: No, all the data needed will be reflected as part of the ICMP time
exceeded
Eric: Is ICMP the right protocol vs. NETCONF since others provide auth?
Rolf: ICMP is easier as it's more ubiquitous on the public internet
Ben: Can you request the traceroute server to emit traceroutes using
UDP, TCP, or ICMP?
Rolf: The request will be ICMP
Ben: I use UDP traceroute to avoid ICMP blackholing, but this won't help
with that
Rolf: Wants to have this in the kernel, so ICMP makes more sense
Ben: There is precedent for this with UDP or TCP in the kernel (such as
the echo services)
Rolf: There is an applicability draft for ICMP and network
troubleshooting fits in that draft
Ben: Can you get some RTT information from a deeply truncated timestamp?
End of Time
Juan-Carlos: Please provide any comments to the intarea list
Eric: My understanding is that this document extends CAPWAP; could be
presented in opsawg
Lin: Will consider it
Chris Seal: Have you considered mobile networks; they don't use DHCP
Josh: Do they have an equivalent
Chris: DNS, might be an area to explore
Josh: Let's talk offline
Ben: Original WPAD was a draft that never made it to IESG; feels like
we're trying to update something that wasn't officially "created" by
IETF terminology; we don't need to modernize it because it's old; I
don't see the "why"; why are we even talking about this? Why does a
network need to tell me these things? We need to know that to design the
correct mechanism; the thing I don't see here is to take WPAD and
restrict it so that we only leave what is useful, then elevate that
Josh: The last point is exactly what we're doing here (trying to elevate
the useful bits). The reason is that we're trying to figure out if IT
admins are using this and why; back in the day, proxies were new, and
this helped to save IT help desk people time trying to coach people to
configure their browsers; let's answer the question about what do we do
with WPAD
Ben: There is an opportunity for an info draft on network
architectures involving proxies
Chairs: Please take this offline
Not shown on slides. Maybe merge this with Bill Fenner's draft, but it
might violate some address version issues by adding IPv6 info to IPv4
packets
Juan-Carlos: We are running out of time
Eric: Useful. I suggest creating a normative reference to Bill's draft
and re-using its extension, but to be decided, discussed
Juan-Carlos: Out of time, but please send comments to the list
End of Meeting