Re: [Add] Fwd: New Version Notification for draft-btw-add-home-09.txt
Michael Richardson <mcr+ietf@sandelman.ca> Sat, 26 September 2020 21:20 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 215003A0B25 for <add@ietfa.amsl.com>; Sat, 26 Sep 2020 14:20:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6CHGqfgkA7ks for <add@ietfa.amsl.com>; Sat, 26 Sep 2020 14:20:33 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59E473A0B20 for <add@ietf.org>; Sat, 26 Sep 2020 14:20:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 95D25389A3; Sat, 26 Sep 2020 16:59:05 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id RhH7u-QHj1Y9; Sat, 26 Sep 2020 16:59:01 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 4F40E389A2; Sat, 26 Sep 2020 16:59:01 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id E3CFC75; Sat, 26 Sep 2020 17:20:26 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: tirumal reddy <kondtir@gmail.com>, add@ietf.org
cc: Mohamed Boucadair <mohamed.boucadair@orange.com>
In-Reply-To: <CAFpG3ges4D_X=_YO6kpLb0SE-ZciZ3X_CwV1-wrOk6YyyTEo_g@mail.gmail.com>
References: <160070133695.29542.17938288314819681829@ietfa.amsl.com> <4877_1600701839_5F68C58F_4877_262_3_787AE7BB302AE849A7480A190F8B9330315439B7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <17447_1600766250_5F69C12A_17447_63_24_787AE7BB302AE849A7480A190F8B933031544085@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAFpG3ges4D_X=_YO6kpLb0SE-ZciZ3X_CwV1-wrOk6YyyTEo_g@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 26 Sep 2020 17:20:26 -0400
Message-ID: <4625.1601155226@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/2Iax1l3ajk1HBJCVzynjGvxHXSE>
Subject: Re: [Add] Fwd: New Version Notification for draft-btw-add-home-09.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Sep 2020 21:20:36 -0000
Tiru and authors, I read through draft-btw-add-home-09. First, I found the CLOUD-ish icon for the "LAN" confusing. It looks like it is the "H" is inside the CPE. ,--,--,--. ,-' +--+ `-. ( LAN |H | CPE- `-. +--+ ,-' `--'|-'--' My eyes see a BOX, with an ISP facing interface labelled "CPE" and a LAN facing interface labelled "LAN", and then I am confused by the H inside, and thought it was the CPE acting as a Host. Only after a few figures did I understand that this was a LAN "cloud" I suggest: +-+ |H| +-+ .-------. | LAN | CPE +--- .. ISP-cloud +----------+ | '-------' There is a tool written in perl called "asciio" which is fabulous for making these kinds of ascii-art diagrams. Highly recommended, but alas, it has no cmd-line options, so integrating it into Makefile is a PITA. section 3.1: As I-D.ietf-v6ops-rfc7084-bis has not been worked on in awhile, can you say what section deals with IPv4 service continuity, maybe it is worth quoting the relevant text. I would rather have four section (3.1.1/3.1.2/3.1.3/3.1.4) rather than just four figures. 3.2: Unmanaged CPEs. Well, I they are unmanaged by the ISP. In may small offices, they are managed by a third service. While some home owners neglect the devices, I wouldn't call them unmanaged. They are home-owner managed. As for: (assuming the CPE is compliant with the network access technical specification that is usually published by ISPs) There is an EU guidelines that suggests that be required. Some countries have this as a regulation. Perhaps one of our european correspondants could provide a useful reference. They key point is, I think, that the device has no (private) trust anchors pointing at the ISP, so the device can not validate ISP provided DoH/DoT/DoQ if the ISP isn't using a public anchor. There is no TR69 by which to configure the ADN. the point starting at: Customers may also decide to deploy internal home routers is really a third kind of "CPE", which could appear in both managed and unmanaged situations, and it's really this third situation that really motivates getting this DHCP/RA option right. section 4.1. DHCPv6 DNS Option. I suggest you call it "Enc DNS Flags" rather than "Type", since it is split up in bits. I suggest you leave the comment about Unassigned Bits to the IANA Considerations section. I don't think that there is any reason to leave three bytes unassigned. I don't think the ADN needs to be 32-bit aligned, since it is interpreted as a sequence of bytes. It seems to me that if we have the ADN, then the encrypted DNS service can be reached at any IP address, including RFC1918, IPv6-LL, ULA, as long as the service's certificate can be validated using the ADN. For instance, a CPE device could advertise an IPv6-LL address for DNS, and then form Circuit Proxy (aka Forward Proxy) to the ISP's service, without necessarily requiring routing/forwarding to be active. Any device on the LAN could provide such service, actually. It is worth remembering that openwrt's swiss-army-knife DNS/DHCP server "dnsmasq" started life doing exactly that. I suggest section 4.2, "DHCPv4 Encrypted DNS Option" Can the OPTION_V4_ENC_DNS, Encrypted DNS Address Option, OPTION_V6_ENC_ADD be ommitted (sending just the ADN), in which case the existing DNS address options are assumed to work for Encrypted DNS at the "normal" port numbers? Section 5: "DoH clients re-iterates" -> _re-iterates_ reads wrong. "repeats" is probably what you want. section 7.1.1 please split the second paragraph into a new section. Clearly, if the CPE is relaying the encrypted DNS server info, then it doesn't need a ACME certificate. That's exactly the case where the CPE is not hosting encrypted DNS. Maybe that's section 7.0 section 7.1.2: mention of sub-domains... and *left-most* label of the pre-configured ADN I think the entire label has to match the certificate. I think that it's that the ADN is a sub-domain of the pre-configured domain. ("blessed" might be the better term, channelling Perl more than D&D/Rogue), Hate the diagram. Here the DoH/DoT client is not inside the LAN cloud :-) I think that section 7.2 should be split up into three sections: 1) the CPE will pass the ISP information on. 2) the CPE will provide reference to third-party service. 3) the CPE will be provide encrypted DNS itself thanks to the "security service provider" (possible, a person) section 9.1 is great, and reflects the consensus about DHCP trust from the virtual interim meeting. I would reword: Because DHCP/RA messages are not encrypted or protected against modification within the LAN, their content can be spoofed or modified by active attackers (e.g., compromised devices within the home network). to: DHCP/RA messages are not encrypted or protected against modification within the LAN. Unless mitigated (described below), the content of DHCP and RA messages can be spoofed or modified by active attackers, such as compromised devices within the home network. rework: Encrypted DNS sessions with rogue servers spoofing the IP address of a DNS server will fail because the DNS client will fail to authenticate that rogue server based upon PKIX authentication [RFC6125], particularly the authentication domain name in the Encrypted DNS Option. too many embedded noun-phrases for non-native speakers :-) 9.4: This results in the key being shared to attackers resulting in security breach. Man-in-the-middle attacks are possible within home networks because WLAN authentication lacks peer entity authentication. -> The shared key is available to all nodes, including attackers, so it is possible to mount an active on-path attack. section 10, IANA lacks a repeat of the consideration for the Unassigned bits. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Add] TR: New Version Notification for draft-btw-… mohamed.boucadair
- Re: [Add] New Version Notification for draft-btw-… mohamed.boucadair
- Re: [Add] Fwd: New Version Notification for draft… Michael Richardson
- Re: [Add] Fwd: New Version Notification for draft… mohamed.boucadair
- Re: [Add] Fwd: New Version Notification for draft… mohamed.boucadair
- Re: [Add] Fwd: New Version Notification for draft… Michael Richardson