PTIM2020 Guest Blog - MASQUE


In the first of our guest blogs for PTIM2020, we have a contribution from David Oliver of Guardian Project. David has attended several IETF meetings, learning about new protocols that can help advance Pluggable Transports work and benefit censorship circumvention developers.

David Oliver, Guardian Project - [email protected]

MASQUE is an IETF protocol proposal defining future modes of Internet transport layer proxying. Proxying enables network endpoints to communicate when end-to-end connectivity is not possible, when it is desirable to manipulate traffic in some way (applying additional encryption, e.g.), or when it is desirable to improve client privacy (such as hiding a client’s IP address from a target server). We had earlier identified the MASQUE Internet Draft proposal as potentially useful in the circumvention space for its ability to hide connection-identifying protocol exchanges. This capability seems pertinent to Pluggable Transport developers needing to negotiate and configure use of their transport via an inline sub-protocol.

Since introduction in late 2019, MASQUE has attracted wide interest within the IETF and now has an official Working Group chartered to define both requirements for generalized proxying scenarios and specific mechanisms that implement those requirements. Despite changes from the initial drafts, the core use cases of interest to the Internet Freedom community are still supported by the Working Group. Importantly, MASQUE is being defined for use on currently-deployed HTTP/2 (based on TCP streams) as well as future-deployed HTTP/3 (based on QUIC - “Quick UDP Internet Connections” - the replacement for TCP in a wide variety of modern Internet use cases). This allows experimentation with MASQUE before QUIC is widely available to users (or for geographies where QUIC and the required TLS1.3 are already blocked).

The initial portion of MASQUE is an addition to the HTTP Protocol called HTTP Transport Authentication. As the name implies, this proposal defines a mechanism within the HTTP protocol stream to authenticate a client for the purpose of establishing a durable two-way connection through a proxy to a destination server (HTTP’s CONNECT verb). This sub-protocol leverages an obscure (but widely-implemented!) Internet Draft allowing export of the TLS keying materials to the HTTP layer. The MASQUE Working Group will then define a sub-protocol on top of this connection for negotiation of proxying types and configurations. Some early ideas for this sub-protocol are here.

Guardian Project is undertaking to create an open-source implementation of MASQUE for the purpose of experimenting with the protocol in anti-censorship applications - initially as a mechanism for Pluggable Transport proxy connection and configuration (which fits the “VPN Use Case”). This work is taking place in Google’s Conscrypt library (Google’s Java Security Provider for Android and OpenJDK on Linux/Mac/Windows) which itself uses Google’s Boring SSL library (native code). To our knowledge, no other open-source implementation of MASQUE yet exists. Two other closed-source implementations have languished as their authors focus on Working Group activities.

Nota Bene: MASQUE is an early and active IETF protocol proposal. Significant changes to its definition and modifications to its scope are probable.