Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

Neil Cook <neil.cook@open-xchange.com> Wed, 17 July 2019 16:10 UTC

From: Neil Cook <neil.cook@open-xchange.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Vittorio Bertola <vittorio.bertola@open-xchange.com>, add@ietf.org, Rob Sayre <sayrer@gmail.com>
Date: Wed, 17 Jul 2019 17:10:27 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/04c3frTjDXzDp78-jIqUaSWXb-4>

Hi Ted,

Thanks, I guess I misunderstood what you were trying to say regarding the draft.

Neil

> On 17 Jul 2019, at 16:57, Ted Hardie <ted.ietf@gmail.com> wrote:
> 
> Hi Neil,
> 
> I am sorry if I was not clear. The point of the draft is to enable the network operator to signal this:
>    If the user agent can check for the presence of a policy, this could be
>    used as a signal that the network operator wishes its resolver to be
>    used as a condition of using the network, and that DoH or DoT should
>    be disabled.
> That permits your guests to know of your network policy and to abide by it if they choose; presumably you would not provide network access if they chose not to. 
> 
> regards,
> 
> Ted Hardie
> 
> Neil
> 
>> On 17 Jul 2019, at 16:25, Ted Hardie <ted.ietf@gmail.com> wrote:
>> 
>> Hi Vittorio,
>> 
>> On Wed, Jul 17, 2019 at 1:06 AM Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org> wrote:
>> 
>>> On 17 July 2019 at 07:01 Rob Sayre <sayrer@gmail.com> wrote:
>>> 
>>> On Tue, Jul 16, 2019 at 12:30 PM Jim Reid <jim@rfc1035.com> wrote:
>>> 
>>> Whether or not these tools/services work well is another issue entirely. And IMO not something to discuss at the IETF. 
>>> 
>>> Hi Jim, 
>>> 
>>> I thought about this email a lot today. 
>>> 
>>> I think the problem with its sentiment is that whether or not tools/services work on the Internet might be fairly called "engineering", and this is the Internet Engineering Task Force, right?
>> But if you have tools that work well enough that millions of people rely on them and that they are encouraged or even mandated in many countries, and you decide to develop and implement technologies to prevent them from working
>> 
>> The IETF builds building blocks that meet specific needs.  In building DNS over TLS, DNS over DTLS, and DNS over HTTPS, it was adding the protocol functionality to make DNS queries confidential from inspection by network observers.  The energy for that work was the reaction to pervasive surveillance, but it is clear that other attackers had been gathering data for some time.  The IETF was not building these protocols to stop the use of the DNS as a policy enforcement mechanism and it is entirely possible to integrate them into a system which does this by offering the policy enforcing resolver over one of these confidential protocols.  
>> 
>> But, and this is the crux of the matter, that integration requires the cooperation of the endpoint or its control by an organization's system administrators.  If you do not have their cooperation or the right to manage them by tools like those Eric mentions, it is difficult for the endpoint to distinguish between a network-level interception by a mandated policy engine and one by an attacker.
>> 
>> Rather than falling back to the state where the endpoint simply accepts that its traffic is visible to all and possibly intercepted, this new work is an effort to make it easier for you to gain the cooperation required.  I hope you can see that this is in both the interest of policy enforcement bodies and the end users.
>> 
>> best regards,
>> 
>> Ted
>> 
>> 


Neil Cook
neil.cook@open-xchange.com

-------------------------------------------------------------------------------------
Open-Xchange AG, Rollnerstr. 14, 90408 Nuremberg, District Court Nuremberg HRB 24738
Managing Board: Rafael Laguna de la Vera, Carsten Dirks, Michael Knapstein, Stephan Martin 
Chairman of the Board: Richard Seibt

European Office: 
Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718 
Managing Director: Frank Hoberg

US Office: 
Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA 
-------------------------------------------------------------------------------------