IETF Logo Mail Archive

Re: [Add] Fwd: New Version Notification for draft-btw-add-home-09.txt

mohamed.boucadair@orange.com Mon, 28 September 2020 07:45 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0A693A0EC0 for <add@ietfa.amsl.com>; Mon, 28 Sep 2020 00:45:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1uShVuVFijnN for <add@ietfa.amsl.com>; Mon, 28 Sep 2020 00:45:33 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C44483A0EBE for <add@ietf.org>; Mon, 28 Sep 2020 00:45:32 -0700 (PDT)
Received: from opfednr05.francetelecom.fr (unknown [xx.xx.xx.69]) by opfednr20.francetelecom.fr (ESMTP service) with ESMTP id 4C0F1Q6Xxxz1yTd; Mon, 28 Sep 2020 09:45:30 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1601279130; bh=iJC9h5ZBha37aMYKmLHdoCrUR+9egOg8ACFiDVYhBQg=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=dD0zQHr2xjEMwGjYGQWGcrJ/tsLyZiWzHKHS/CWgmY1CQJ1BkjDJcf1PqxvPA0Xvf 9UHZLxWRnZO0QDKO1/jbCh7Zbse6r3+zK/qFYBSY4BmL4IFmGJa2U+qEY5z8pxHlw+ 4GfoowGl5QoEnQ1V0B4+ye4IgoUBc0bgz2Ymzm3xUQGZDL8nb86rkUPoay84m6EYB6 zB72kDhjPTgAWuSRDJCo72Z5qCYU7NbgjxM+dFgbJiYMfN6fqXC3X7RU/9EKnMtuJ3 A9m/ARCmnfhFTFqRx4ClG2JHNFGr8T3vHvdgdzdcMK5KBxpu03PP7oevSEIL9IpogC 47hT7m1mcoGJg==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.79]) by opfednr05.francetelecom.fr (ESMTP service) with ESMTP id 4C0F1Q5l5lzyQ3; Mon, 28 Sep 2020 09:45:30 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Michael Richardson <mcr+ietf@sandelman.ca>, tirumal reddy <kondtir@gmail.com>, "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] Fwd: New Version Notification for draft-btw-add-home-09.txt
Thread-Index: AQHWlWtW1zt5v/e8aE2Q2a7oktJnjw==
Date: Mon, 28 Sep 2020 07:45:30 +0000
Message-ID: <26930_1601279130_5F71949A_26930_275_7_787AE7BB302AE849A7480A190F8B933031548579@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <160070133695.29542.17938288314819681829@ietfa.amsl.com> <4877_1600701839_5F68C58F_4877_262_3_787AE7BB302AE849A7480A190F8B9330315439B7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <17447_1600766250_5F69C12A_17447_63_24_787AE7BB302AE849A7480A190F8B933031544085@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAFpG3ges4D_X=_YO6kpLb0SE-ZciZ3X_CwV1-wrOk6YyyTEo_g@mail.gmail.com> <4625.1601155226@localhost>
In-Reply-To: <4625.1601155226@localhost>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/3_2U7HFLT1gGF2yHoweVTmJI4tM>
Subject: Re: [Add] Fwd: New Version Notification for draft-btw-add-home-09.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2020 07:45:35 -0000

Hi Michael,

Thank you for the comments. 

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Add [mailto:add-bounces@ietf.org] De la part de Michael
> Richardson
> Envoyé : samedi 26 septembre 2020 23:20
> À : tirumal reddy <kondtir@gmail.com>; add@ietf.org
> Cc : BOUCADAIR Mohamed TGI/OLN <mohamed.boucadair@orange.com>
> Objet : Re: [Add] Fwd: New Version Notification for draft-btw-add-
> home-09.txt
> 
> 
> Tiru and authors, I read through draft-btw-add-home-09.
> 
> First, I found the CLOUD-ish icon for the "LAN" confusing.
> It looks like it is the "H" is inside the CPE.
> 
>                       ,--,--,--.
>                    ,-'   +--+  `-.
>                   ( LAN  |H |    CPE-
>                    `-.   +--+   ,-'
>                       `--'|-'--'
> 
> 
> My eyes see a BOX, with an ISP facing interface labelled "CPE"
> and a LAN facing interface labelled "LAN", and then I am confused by
> the H inside, and thought it was the CPE acting as a Host.  Only
> after a few figures did I understand that this was a LAN "cloud"

[Med] You got it :-)

The intent was to distinguish the case where a host connected ** from within** a LAN and the case where the host is directly connected (mobile networks, for example). 

> 
> I suggest:
> 
>     +-+
>     |H|
>     +-+         .-------.
>      |  LAN     | CPE   +--- .. ISP-cloud
>      +----------+       |
>                 '-------'
> 

[Med] Will see how to make things clearer. Thanks.

> There is a tool written in perl called "asciio" which is fabulous
> for making these kinds of ascii-art diagrams.  Highly recommended,
> but alas, it has no cmd-line options, so integrating it into
> Makefile is a PITA.
> 
> section 3.1:
> 
> As I-D.ietf-v6ops-rfc7084-bis has not been worked on in awhile, can
> you say what section deals with IPv4 service continuity, maybe it is
> worth quoting the relevant text.

[Med] Can add a pointer to 

" 5.4.1.  IPv4 Service Continuity in Customer LANs  . . . . . .  16 "

> 
> I would rather have four section (3.1.1/3.1.2/3.1.3/3.1.4) rather
> than just four figures.
> 
> 3.2: Unmanaged CPEs.
> 
> Well, I they are unmanaged by the ISP.

[Med]  Will add a sentence to state this.  

> In may small offices, they are managed by a third service.
> While some home owners neglect the devices, I wouldn't call them
> unmanaged.
> They are home-owner managed.
> 
> As for:
>    (assuming the CPE is
>    compliant with the network access technical specification that is
>    usually published by ISPs)
> 
> There is an EU guidelines that suggests that be required.  Some
> countries have this as a regulation. Perhaps one of our european
> correspondants could provide a useful reference.
> They key point is, I think, that the device has no (private) trust
> anchors pointing at the ISP, so the device can not validate ISP
> provided DoH/DoT/DoQ if the ISP isn't using a public anchor.
> There is no TR69 by which to configure the ADN.

[Med] If the CPE is compliant with the spec published by an ISP, it can get the ADN using any discovery means in place by the ISP. 

> 
> the point starting at: Customers may also decide to deploy internal
> home
>                        routers
> 
> is really a third kind of "CPE"

[Med] ... but still an unmanaged one.


, which could appear in both managed
> and unmanaged situations, and it's really this third situation that
> really motivates getting this DHCP/RA option right.
> 
> section 4.1. DHCPv6 DNS Option.
> I suggest you call it "Enc DNS Flags" rather than "Type", since it
> is split up in bits.

[Med] "Flags" is too generic an does not reflect that this field is about indicating the encrypted DNS type(s).

  I suggest you leave the comment about
> Unassigned Bits to the IANA Considerations section.

[Med] This depends whether we want to create a registry to track the bits.

> I don't think that there is any reason to leave three bytes
> unassigned.

[Med] Why?  

> I don't think the ADN needs to be 32-bit aligned, since it is
> interpreted as a sequence of bytes.

[Med] Agree. 

> 
> It seems to me that if we have the ADN, then the encrypted DNS
> service can be reached at any IP address, including RFC1918, IPv6-
> LL, ULA, as long as the service's certificate can be validated using
> the ADN.

[Med] Yes. As you can see we don't have any restriction for the IP addresses to be supplied. We do have this text: 

"For example, a home
   router embedding a forwarder has to include one single IP address
   pointing to one of its LAN-facing interfaces."

We can add a statement similar to the one we have for RAs, though. 

> 
> For instance, a CPE device could advertise an IPv6-LL address for
> DNS, and then form Circuit Proxy (aka Forward Proxy) to the ISP's
> service, without necessarily requiring routing/forwarding to be
> active.  Any device on the LAN could provide such service, actually.
> It is worth remembering that openwrt's swiss-army-knife DNS/DHCP
> server "dnsmasq" started life doing exactly that.
> 
> I suggest section 4.2, "DHCPv4 Encrypted DNS Option"

[Med] If we use "DHCPv4" then we need to introduce a new term in the terminology section to basically say that: "DHCPv4 refers to DHCPv4 [RFC2131]" 

> 
> Can the OPTION_V4_ENC_DNS, Encrypted DNS Address Option,
> OPTION_V6_ENC_ADD be ommitted (sending just the ADN), in which case
> the existing DNS address options are assumed to work for Encrypted
> DNS at the "normal" port numbers?

[Med] The current text does not assume this. If only an ADD is supplied, that name will be passed to a resolution library to retrieve the IP address(es). This is done to avoid probing.

> 
> Section 5:
> 
> "DoH clients re-iterates"   -> _re-iterates_ reads wrong.  "repeats"
> is
> probably what you want.

[Med] Fixed. Thanks. 

> 
> section 7.1.1
> please split the second paragraph into a new section.
> Clearly, if the CPE is relaying the encrypted DNS server info, then
> it doesn't need a ACME certificate.  That's exactly the case where
> the CPE is not hosting encrypted DNS.  Maybe that's section 7.0

[Med] Good point. 

> 
> section 7.1.2:
>         mention of sub-domains... and
>         *left-most* label of the pre-configured ADN
> 
> I think the entire label has to match the certificate.

[Med] The certificate will include the CPE's sub-domain while the auto-upgrade is basd on the domain itself.

> I think that it's that the ADN is a sub-domain of the pre-configured
> domain.
> ("blessed" might be the better term, channelling Perl more than
> D&D/Rogue),
> 
> Hate the diagram.  Here the DoH/DoT client is not inside the LAN
> cloud :-)

[Med] :-) 

> 
> I think that section 7.2 should be split up into three sections:
> 1) the CPE will pass the ISP information on.
> 2) the CPE will provide reference to third-party service.
> 3) the CPE will be provide encrypted DNS itself thanks to the
> "security
>    service provider" (possible, a person)

[Med] Thanks for the suggestion. Will consider re-organizing the section. 

> 
> section 9.1 is great, and reflects the consensus about DHCP trust
> from the virtual interim meeting.  I would reword:
> 
>    Because DHCP/RA messages are not encrypted or protected against
>    modification within the LAN, their content can be spoofed or
> modified
>    by active attackers (e.g., compromised devices within the home
>    network).
> 
> to:
> 
>    DHCP/RA messages are not encrypted or protected against
>    modification within the LAN.  Unless mitigated (described below),
>    the content of DHCP and RA messages can be spoofed or modified by
> active
>    attackers, such as compromised devices within the home network.
> 

[Med] I like this. Deal!

> rework:
>    Encrypted DNS sessions with rogue servers spoofing the IP address
> of
>    a DNS server will fail because the DNS client will fail to
>    authenticate that rogue server based upon PKIX authentication
>    [RFC6125], particularly the authentication domain name in the
>    Encrypted DNS Option.
> 
> too many embedded noun-phrases for non-native speakers :-)

[Med] ACK.

> 
> 9.4:
>    This results in the
>    key being shared to attackers resulting in security breach.
>    Man-in-the-middle attacks are possible within home networks
> because WLAN
>    authentication lacks peer entity authentication.
> 
> -> The shared key is available to all nodes, including attackers, so
>    it is possible to mount an active on-path attack.
> 

[Med] That's better. 

> section 10, IANA lacks a repeat of the consideration for the
> Unassigned bits.
> 

[Med] Will be added if the WG want to maintain an IANA registry to track the bits. 


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email