IETF Logo Mail Archive

Re: [Add] Fwd: New Version Notification for draft-btw-add-home-09.txt

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 26 September 2020 21:20 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 215003A0B25 for <add@ietfa.amsl.com>; Sat, 26 Sep 2020 14:20:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6CHGqfgkA7ks for <add@ietfa.amsl.com>; Sat, 26 Sep 2020 14:20:33 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59E473A0B20 for <add@ietf.org>; Sat, 26 Sep 2020 14:20:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 95D25389A3; Sat, 26 Sep 2020 16:59:05 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id RhH7u-QHj1Y9; Sat, 26 Sep 2020 16:59:01 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 4F40E389A2; Sat, 26 Sep 2020 16:59:01 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id E3CFC75; Sat, 26 Sep 2020 17:20:26 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: tirumal reddy <kondtir@gmail.com>, add@ietf.org
cc: Mohamed Boucadair <mohamed.boucadair@orange.com>
In-Reply-To: <CAFpG3ges4D_X=_YO6kpLb0SE-ZciZ3X_CwV1-wrOk6YyyTEo_g@mail.gmail.com>
References: <160070133695.29542.17938288314819681829@ietfa.amsl.com> <4877_1600701839_5F68C58F_4877_262_3_787AE7BB302AE849A7480A190F8B9330315439B7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <17447_1600766250_5F69C12A_17447_63_24_787AE7BB302AE849A7480A190F8B933031544085@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAFpG3ges4D_X=_YO6kpLb0SE-ZciZ3X_CwV1-wrOk6YyyTEo_g@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 26 Sep 2020 17:20:26 -0400
Message-ID: <4625.1601155226@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/2Iax1l3ajk1HBJCVzynjGvxHXSE>
Subject: Re: [Add] Fwd: New Version Notification for draft-btw-add-home-09.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Sep 2020 21:20:36 -0000

Tiru and authors, I read through draft-btw-add-home-09.

First, I found the CLOUD-ish icon for the "LAN" confusing.
It looks like it is the "H" is inside the CPE.

                      ,--,--,--.
                   ,-'   +--+  `-.
                  ( LAN  |H |    CPE-
                   `-.   +--+   ,-'
                      `--'|-'--'


My eyes see a BOX, with an ISP facing interface labelled "CPE"
and a LAN facing interface labelled "LAN", and then I am
confused by the H inside, and thought it was the CPE acting
as a Host.  Only after a few figures did I understand that
this was a LAN "cloud"

I suggest:

    +-+
    |H|
    +-+         .-------.
     |  LAN     | CPE   +--- .. ISP-cloud
     +----------+       |
                '-------'

There is a tool written in perl called "asciio" which is fabulous for making
these kinds of ascii-art diagrams.  Highly recommended, but alas, it has no
cmd-line options, so integrating it into Makefile is a PITA.

section 3.1:

As I-D.ietf-v6ops-rfc7084-bis has not been worked on in awhile,
can you say what section deals with IPv4 service continuity, maybe
it is worth quoting the relevant text.

I would rather have four section (3.1.1/3.1.2/3.1.3/3.1.4) rather than just
four figures.

3.2: Unmanaged CPEs.

Well, I they are unmanaged by the ISP.
In may small offices, they are managed by a third service.
While some home owners neglect the devices, I wouldn't call them unmanaged.
They are home-owner managed.

As for:
   (assuming the CPE is
   compliant with the network access technical specification that is
   usually published by ISPs)

There is an EU guidelines that suggests that be required.  Some countries
have this as a regulation. Perhaps one of our european correspondants could
provide a useful reference.
They key point is, I think, that the device has no (private) trust anchors
pointing at the ISP, so the device can not validate ISP provided DoH/DoT/DoQ if the
ISP isn't using a public anchor.
There is no TR69 by which to configure the ADN.

the point starting at: Customers may also decide to deploy internal home
                       routers

is really a third kind of "CPE", which could appear in both managed and
unmanaged situations, and it's really this third situation that really
motivates getting this DHCP/RA option right.

section 4.1. DHCPv6 DNS Option.
I suggest you call it "Enc DNS Flags" rather than "Type", since it is split
up in bits.  I suggest you leave the comment about Unassigned Bits to the
IANA Considerations section.
I don't think that there is any reason to leave three bytes unassigned.
I don't think the ADN needs to be 32-bit aligned, since it is interpreted
as a sequence of bytes.

It seems to me that if we have the ADN, then the encrypted DNS service can
be reached at any IP address, including RFC1918, IPv6-LL, ULA, as long as
the service's certificate can be validated using the ADN.

For instance, a CPE device could advertise an IPv6-LL address for DNS, and
then form Circuit Proxy (aka Forward Proxy) to the ISP's service, without
necessarily requiring routing/forwarding to be active.  Any device on the LAN
could provide such service, actually.
It is worth remembering that openwrt's swiss-army-knife DNS/DHCP server
"dnsmasq" started life doing exactly that.

I suggest section 4.2, "DHCPv4 Encrypted DNS Option"

Can the OPTION_V4_ENC_DNS, Encrypted DNS Address Option, OPTION_V6_ENC_ADD
be ommitted (sending just the ADN), in which case the existing DNS address
options are assumed to work for Encrypted DNS at the "normal" port numbers?

Section 5:

"DoH clients re-iterates"   -> _re-iterates_ reads wrong.  "repeats" is
probably what you want.

section 7.1.1
please split the second paragraph into a new section.
Clearly, if the CPE is relaying the encrypted DNS server info, then it
doesn't need a ACME certificate.  That's exactly the case where the CPE is
not hosting encrypted DNS.  Maybe that's section 7.0

section 7.1.2:
        mention of sub-domains... and
        *left-most* label of the pre-configured ADN

I think the entire label has to match the certificate.
I think that it's that the ADN is a sub-domain of the pre-configured domain.
("blessed" might be the better term, channelling Perl more than D&D/Rogue),

Hate the diagram.  Here the DoH/DoT client is not inside the LAN cloud :-)

I think that section 7.2 should be split up into three sections:
1) the CPE will pass the ISP information on.
2) the CPE will provide reference to third-party service.
3) the CPE will be provide encrypted DNS itself thanks to the "security
   service provider" (possible, a person)

section 9.1 is great, and reflects the consensus about DHCP trust from the
virtual interim meeting.  I would reword:

   Because DHCP/RA messages are not encrypted or protected against
   modification within the LAN, their content can be spoofed or modified
   by active attackers (e.g., compromised devices within the home
   network).

to:

   DHCP/RA messages are not encrypted or protected against
   modification within the LAN.  Unless mitigated (described below),
   the content of DHCP and RA messages can be spoofed or modified by active
   attackers, such as compromised devices within the home network.

rework:
   Encrypted DNS sessions with rogue servers spoofing the IP address of
   a DNS server will fail because the DNS client will fail to
   authenticate that rogue server based upon PKIX authentication
   [RFC6125], particularly the authentication domain name in the
   Encrypted DNS Option.

too many embedded noun-phrases for non-native speakers :-)

9.4:
   This results in the
   key being shared to attackers resulting in security breach.
   Man-in-the-middle attacks are possible within home networks because WLAN
   authentication lacks peer entity authentication.

-> The shared key is available to all nodes, including attackers, so
   it is possible to mount an active on-path attack.

section 10, IANA lacks a repeat of the consideration for the Unassigned bits.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email