Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
Neil Cook <neil.cook@open-xchange.com> Wed, 17 July 2019 16:10 UTC
From: Neil Cook <neil.cook@open-xchange.com>
Date: Wed, 17 Jul 2019 17:10:27 +0100
Cc: Vittorio Bertola <vittorio.bertola@open-xchange.com>, add@ietf.org, Rob Sayre <sayrer@gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/04c3frTjDXzDp78-jIqUaSWXb-4>
List-Id: Applications Doing DNS <add.ietf.org>

Hi Ted,

Thanks, I guess I misunderstood what you were trying to say regarding the draft.

Neil

> On 17 Jul 2019, at 16:57, Ted Hardie <ted.ietf@gmail.com> wrote:
>
> Hi Neil,
>
> I am sorry if I was not clear. The point of the draft is to enable the network operator to signal this:
> If the user agent can check for the presence of a policy, this could be
> used as a signal that the network operator wishes its resolver to be
> used as a condition of using the network, and that DoH or DoT should
> be disabled.
> That permits your guests to know of your network policy and to abide by it if they choose; presumably you would not provide network access if they chose not to.
>
> regards,
>
> Ted Hardie
>
> Neil
>
>> On 17 Jul 2019, at 16:25, Ted Hardie <ted.ietf@gmail.com> wrote:
>>
>> Hi Vittorio,
>>
>> On Wed, Jul 17, 2019 at 1:06 AM Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org> wrote:
>>
>>> On 17 July 2019 07:01, Rob Sayre <sayrer@gmail.com> wrote:
>>>
>>>
>>> On Tue, Jul 16, 2019 at 12:30 PM Jim Reid <jim@rfc1035.com> wrote:
>>>
>>> Whether or not these tools/services work well is another issue entirely. And IMO not something to discuss at the IETF.
>>>
>>> Hi Jim,
>>>
>>> I thought about this email a lot today.
>>>
>>> I think the problem with its sentiment is that whether or not tools/services work on the Internet might be fairly called "engineering", and this is the Internet Engineering Task Force, right?
>> But if you have tools that work well enough that millions of people rely on them and that they are encouraged or even mandated in many countries, and you decide to develop and implement technologies to prevent them from working
>>
>> The IETF builds building blocks that meet specific needs. In building DNS over TLS, DNS over DTLS, and DNS over HTTPS, it was adding the protocol functionality to make DNS queries confidential from inspection by network observers. The energy for that work was the reaction to pervasive surveillance, but it is clear that other attackers had been gathering data for some time. The IETF was not building these protocols to stop the use of the DNS as a policy enforcement mechanism and it is entirely possible to integrate them into a system which does this by offering the policy enforcing resolver over one of these confidential protocols.
>>
>> But, and this is the crux of the matter, that integration requires the cooperation of the endpoint or its control by an organization's system administrators. If you do not have their cooperation or the right to manage them by tools like those Eric mentions, it is difficult for the endpoint to distinguish a network-level interception by a mandated policy engine and by an attacker.
>>
>> Rather than falling back to the state where the endpoint simply accepts that its traffic is visible to all and possibly intercepted, this new work is an effort to make it easier for you to gain the cooperation required. I hope you can see that this is in both the interest of policy enforcement bodies and the end users.
>>
>> best regards,
>>
>> Ted
>>
>>
>> --
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
>
> Neil Cook
> neil.cook@open-xchange.com
>
> -------------------------------------------------------------------------------------
> Open-Xchange AG, Rollnerstr. 14, 90408 Nuremberg, District Court Nuremberg HRB 24738
> Managing Board: Rafael Laguna de la Vera, Carsten Dirks, Michael Knapstein, Stephan Martin
> Chairman of the Board: Richard Seibt
>
> European Office:
> Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718
> Managing Director: Frank Hoberg
>
> US Office:
> Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA
> -------------------------------------------------------------------------------------

Neil Cook
neil.cook@open-xchange.com