[mosh-devel] Connect-UDP

[Wes Medford]

That’s exactly right — and thank you so much for such a thorough response.

We’re aiming to support MASQUE as part of evolving our product, and Mosh
came up as a consistent use case that makes it harder for people to adopt
Pomerium as it stands today (or any identity-aware proxy, really). With
MASQUE enabling datagram-level HTTP traffic and Apple likely supporting it
soon, we’re trying to stay ahead of the curve. I figured if there’s a way
to help our customers and Mosh at the same time by adding CONNECT-UDP
support, it’s worth exploring.

Pomerium is fully committed to providing Zero Trust without needing a
tunneling client (similar to UberProxy, which I assume you know well). The
GitHub issue I linked was more about highlighting the core problem:
supporting proxied UDP. Nothing handles this particularly well right now,
especially without requiring a client. Wrapping something like socat or
quic-go to manage CONNECT-UDP and rewrite UDP traffic to the proxy is an
option, but at that point, you lose the key benefits of a transparent proxy.

>From my perspective, if there’s a way to make life easier for our customers
while contributing to open source, I’ll always go for it. For example, I’m
currently working on adding generic JWT auth to ArgoCD for similar reasons.

Thanks again for your time and guidance — it’s super helpful.

Best,

Wes

On Mon, Nov 25, 2024 at 12:54 PM Alex Chernyakhovsky <achernya at mit.edu>
wrote:

> Hi Wes,
>
> Thanks for reaching out. I’m one of the mosh maintainrrs, and one of the
> contributors to that RFC.
>
> To start out with, you should probably reference the latest version of
> that document,
> https://datatracker.ietf.org/doc/html/rfc9298.
>
> From there, things get a little complicated. The Github issue you
> reference started out as a ProxyCommand issue with ssh. This is not
> something that can be resolved in the mosh codebase alone, as mosh uses UDP
> and (to my knowledge) there’s no way to create a UDP tunnel over ssh.
>
> Leveraging CONNECT-UDP could be done with an outside codebase, such as
> quic-go (https://quic-go.net/docs/connect-udp/) and having your own proxy
> tunnel client.
>
> Another way to do this would be to modify mosh to natively have a
> CONNECT-UDP-aware client, rather than using the socket(7) APIs directly.
> However, this is challenging, as the highest-quality C++ QUIC
> implementation, Google QUICHE (
> https://github.com/google/quiche) is going to be tough to get packaged
> with popular linux distributions like Debian due to its pervasive use of
> Bazel.
>
> In general, I have aspirations to make mosh move over to QUIC or H3
> entirely, but that’s a far-away project. In an ideal world, this would be
> merged with SSH-over-H3 efforts, such as
> https://github.com/francoismichel/ssh3
>
> What aspects of CONNECT-UDP are you interested in supporting, here? I see
> from your email that you’re affiliated with Pomerium — is it fair to
> assume you’re hoping to support a zero-trust proxy for mosh?
>
> Sincerely,
> -Alex
>
> On Sun, Nov 24, 2024 at 7:18 PM Wes Medford <wmedford at pomerium.com> wrote:
>
>> Hi Keith,
>>
>> My name is Wes, and I came across some old issues in Mosh, specifically
>> this one
>>
>> https://github.com/mobile-shell/mosh/issues/285
>>
>> It seems like newer proxies might be able to support this now as long as
>> connections are initialized using CONNECT-UDP (
>> https://www.ietf.org/archive/id/draft-schinazi-masque-connect-udp-00.html).
>> I'd love to get this set up, but I'm not sure the best place to start
>> in Mosh's codebase. Any shot you could point me in the right direction?
>>
>> Thank you,
>>
>>
>> Wes Medford
>> _______________________________________________
>> mosh-devel mailing list
>> mosh-devel at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/mosh-devel
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.mit.edu/pipermail/mosh-devel/attachments/20241125/959aa47c/attachment-0001.htm>