GENEVE?


GENEVE?

Jonas Steinberg

Do recent versions of Squid support GENEVE?

Thank you,

Jonas Steinberg
Software Engineer
3M HIS (remote)
(702) 807-9888
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: GENEVE?

Alex Rousskov
On 8/25/20 2:43 PM, Jonas Steinberg wrote:
> Do recent versions of Squid support GENEVE?

I believe Squid is unaware of draft-ietf-nvo3-geneve.

Alex.

Re: GENEVE?

Jonas Steinberg
Is there any way to definitively confirm this? Also, is this something I could submit as a feature request via GitHub, or is it too crazy or out-of-scope for the roadmap?

Jonas Steinberg
Software Engineer
3M HIS (remote)
(702) 807-9888

Re: GENEVE?

Alex Rousskov
On 8/25/20 3:21 PM, Jonas Steinberg wrote:

> is this something I could submit as a feature request via github or
> is it too crazy or out-of-scope for the roadmap?

I am not familiar with draft-ietf-nvo3-geneve details, but I see nothing
particularly crazy on the surface of that draft: Squid is already
capable of tunneling intercepted TLS and forwarded HTTP CONNECT traffic
while GENEVE seems like one more way to tell Squid about the desired
tunnel end points.

Perhaps some form of GENEVE support is already possible via some kind of
3rd-party wrappers? FWIW, the possible existence of such protocol
wrappers was the primary reason I did not give a straight "no" answer to
your original question...


You may file a feature request on Squid Bugzilla, keeping the following
FAQ in mind:
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


HTH,

Alex.



Re: GENEVE?

Jonas Steinberg
Any advice on where I would find such a protocol wrapper, were one to exist? Also, I assume this would mean compiling my own squid then?

Jonas Steinberg
Software Engineer
3M HIS (remote)
(702) 807-9888

Re: GENEVE?

Alex Rousskov
On 8/25/20 3:48 PM, Jonas Steinberg wrote:

> Any advice on where I would find such a protocol wrapper, were one to exist?

Sorry, I do not know enough about GENEVE to suggest GENEVE-specific tool
aggregators.


>  Also I assume this would mean compiling my own squid then?

I would expect Squid to be unaware of that 3rd-party protocol wrapper.

For example, you are probably familiar with stunnel that "wraps"
plain-text TCP traffic into TLS, enabling TLS-unaware applications to
"support" TLS. I speculate one could create a tool that wraps GENEVE
traffic into HTTP CONNECT transactions that GENEVE-unaware HTTP proxies
like Squid can tunnel.

Alex.



Re: GENEVE?

Leonardo Rodrigues Magalhães
In reply to this post by Jonas Steinberg
On 25/08/2020 16:21, Jonas Steinberg wrote:
> Is there any way to definitively confirm this?  Also is this something I could submit as a feature request via github or is it too crazy or out-of-scope for the roadmap?
>

And please never forget that if you need some feature that is not
there yet, you can always sponsor the dev team to develop it :)

--


        Sincerely,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        My SPAM trap, do NOT send email to it
        [hidden email]




Re: GENEVE?

Amos Jeffries
In reply to this post by Alex Rousskov
On 26/08/20 7:39 am, Alex Rousskov wrote:

> On 8/25/20 3:21 PM, Jonas Steinberg wrote:
>
>> is this something I could submit as a feature request via github or
>> is it too crazy or out-of-scope for the roadmap?
>
> I am not familiar with draft-ietf-nvo3-geneve details, but I see nothing
> particularly crazy on the surface of that draft: Squid is already
> capable of tunneling intercepted TLS and forwarded HTTP CONNECT traffic
> while GENEVE seems like one more way to tell Squid about the desired
> tunnel end points.
>

First thing that I notice is that GENEVE is UDP/IP based. HTTP CONNECT
tunnels that Squid uses are for TCP based traffic.

Taking a slightly deeper (but still brief) look through its protocol
design I see just another IP based tunnel. There are hundreds of these
already. This type of protocol is best handled by a regular router
and/or firewall.

As Alex said, Squid can be extended. But IMO this is not worth the
effort. It would be better to wait on OS networking stacks to support
the decapsulation. The OS can pass any relevant traffic to Squid via the
regular socket APIs - like how GRE and IP-IP tunnels are supported.


Amos
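The wire format Amos is describing, as an added example that is not code from this thread or from Squid: a parser for the GENEVE base header and TLV options of draft-ietf-nvo3-geneve (UDP destination port 6081, protocol type 0x6558 for bridged Ethernet), run over a datagram constructed inline. It shows why this is "just another IP based tunnel": what follows the 8-byte header is a whole inner frame for the OS to bridge or route, not a TCP byte stream that an HTTP CONNECT tunnel could carry.

```python
import struct
from dataclasses import dataclass, field

GENEVE_UDP_PORT = 6081  # IANA destination port for GENEVE over UDP
ETH_P_TEB = 0x6558      # Protocol Type: Transparent Ethernet Bridging

@dataclass
class GeneveHeader:
    oam: bool       # O bit: OAM packet, inner frame is not forwarded
    critical: bool  # C bit: some option carries the critical flag
    protocol: int   # EtherType of the encapsulated frame
    vni: int        # 24-bit Virtual Network Identifier
    options: list = field(default_factory=list)  # (class, type, data) tuples
    payload: bytes = b""  # inner frame the OS would bridge or route

def parse_geneve(udp_payload: bytes) -> GeneveHeader:
    """Decode one GENEVE datagram payload; raise ValueError if malformed."""
    if len(udp_payload) < 8:
        raise ValueError("short GENEVE header")
    b0, b1, protocol, vni_rsvd = struct.unpack("!BBHI", udp_payload[:8])
    if b0 >> 6 != 0:  # Ver field: only version 0 is defined
        raise ValueError(f"unsupported GENEVE version {b0 >> 6}")
    opt_len = (b0 & 0x3F) * 4  # Opt Len counts 4-byte words
    if 8 + opt_len > len(udp_payload):
        raise ValueError("option length exceeds datagram")
    hdr = GeneveHeader(bool(b1 & 0x80), bool(b1 & 0x40), protocol, vni_rsvd >> 8)
    pos, end = 8, 8 + opt_len
    while pos < end:  # TLV options; each data length is also in 4-byte words
        if end - pos < 4:
            raise ValueError("truncated option header")
        opt_class, opt_type, flags_len = struct.unpack("!HBB", udp_payload[pos:pos + 4])
        data_len = (flags_len & 0x1F) * 4
        if pos + 4 + data_len > end:
            raise ValueError("option data overruns option area")
        hdr.options.append((opt_class, opt_type, udp_payload[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    hdr.payload = udp_payload[end:]  # everything after the options is the inner frame
    return hdr

def build_sample() -> bytes:
    """Constructed datagram (not a capture): VNI 0x1234, one 4-byte option,
    then a 14-byte inner Ethernet header carrying an IPv4 EtherType."""
    option = struct.pack("!HBB", 0x0102, 0x03, 1) + b"\xde\xad\xbe\xef"
    base = struct.pack("!BBHI", len(option) // 4, 0x00, ETH_P_TEB, 0x1234 << 8)
    inner = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    return base + option + inner
```

A firewall or router that terminates the tunnel strips exactly this header and hands `payload` to the normal stack, which is the point at which Squid's regular socket-level interception can see the traffic.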

Re: GENEVE?

Eliezer Croitoru-3
In reply to this post by Jonas Steinberg

Hey Jonas,

What would you expect from Squid to be able to support GENEVE?

Squid works with any tunnel the OS supports:

From Squid's point of view, on packets and connections there is no need to handle any level of the network stack like tunneling.

What would you want to try and use GENEVE for with squid?

The only setup I know about in which Squid cares about the actual tunnel (GRE) in some way is with WCCP.

I would be happy to hear about GENEVE and Squid usage.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
 


Re: GENEVE?

Jonas Steinberg

Amos:

Your logic to me is very sound and frankly I had no idea that Squid did not handle the tunneling aspect of the network stack and furthermore it makes sense that a router or firewall would be the right appliance to implement such a protocol as the appliance requiring me to have some GENEVE-aware appliance will work with basically any firewall or router (because many support GENEVE).  At this point “I’m over it” as the kids say because it seems convoluted, tangential and I suppose even anti-patterned to implement such a feature on Squid.  In any event I’m glad to have gotten a thorough and serious response.

Eliezer:

I have no use case.  My cloud provider has written a software-defined “appliance” meant to integrate with firewalls and routers.  I was complaining that I had no way to integrate it with my DNS filtering workflows (Squid).  They told me “Hey, if it’ll support GENEVE then you can make it work.”  So I simply came here to ask.

I mean…if anyone has any ideas of how I can get something to work without buying anything expensive I’d certainly be grateful!

Jonas Steinberg
Software Engineer
3M HIS (remote)
 


Re: GENEVE?

Marcel de Riedmatten
On Thursday 27 August 2020 at 01:43 +0000, Jonas Steinberg wrote:


> I mean…if anyone has any ideas of how I can get something to work
> without buying anything expensive I’d certainly be grateful!

Hi

I haven't played with it, but man ip-link or

https://developers.redhat.com/blog/2019/05/17/an-introduction-to-linux-virtual-interfaces-tunnels/#geneve

should put you on track.


-- 
Marcel de Riedmatten


Re: GENEVE?

Amos Jeffries
In reply to this post by Jonas Steinberg
On 27/08/20 1:43 pm, Jonas Steinberg wrote:

>
> I have no use case.  My cloud provider has written a software-defined
> “appliance” meant to integrate with firewalls and routers.  I was
> complaining that I had no way to integrate it with my DNS filtering
> workflows (Squid).  They told me “Hey, if it’ll support GENEVE then you
> can make it work.”  So I simply came here to ask.
>
> I mean…if anyone has any ideas of how I can get something to work
> without buying anything expensive I’d certainly be grateful!
>

Hmm. It depends a bit on what this appliance is for and what you want it
doing.

I'm not sure what Squid has to do with your DNS filtering workflows TBH.
Squid is typically just a client for DNS like any other software. It
does not manage or control DNS.


(warning: making some big assumptions here, so this may be way off what
you need).


If you mean Squid managing that new DNS-over-HTTP stuff Browsers are
trying to have happen. Whatever message filtering you have in the HTTP
layer should work no differently with or without any extra appliance
existing in the network.

If you mean Squid ACLs to apply policy to HTTP traffic to/from the
appliance ...

If the appliance is assigned IPs from your LAN or a DMZ range your Squid
ACLs that check IP range can match it in the broad sense. Like the
localnet ACL just checks for existence of a client on LAN vs Internet.

If you need an ACL to identify/match a specific appliance with
dynamically assigned IP you can use its hostname instead of IP. Squid
finds the IP as-needed via rDNS or mDNS depending on the .local TLD
existence in the FQDN.
 NP: This has variable reliability. When the appliance IP changes the
DNS TTL determines how fast Squid can know about the change.


HTH
Amos