IETF Logo Mail Archive

Re: [Add] [EXTERNAL] My single use case

Tommy Jensen <Jensen.Thomas@microsoft.com> Fri, 11 September 2020 20:34 UTC

Return-Path: <Jensen.Thomas@microsoft.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D554D3A0969 for <add@ietfa.amsl.com>; Fri, 11 Sep 2020 13:34:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MHpjg80jWerg for <add@ietfa.amsl.com>; Fri, 11 Sep 2020 13:34:49 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650104.outbound.protection.outlook.com [40.107.65.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 950013A0963 for <add@ietf.org>; Fri, 11 Sep 2020 13:34:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WOBSzQvc2UcqB5Oac25VmC0SKZlY94klah2HXJLbgr28hdr6RbZM1878qd3OWzhRuxWan0bNKX21eQ7Sha/z3zlmx30ms0L60s4jGRAZOgsmN9zx4/nivCWqFINejW49zKq/dK5bjWR5KoRjpTSnXQykc+9nC7GY6qzQMJGbioS3h++jbdpDh7fg0FYCnfsYhafc6jM2nxzLEaqqo4oZ5cqnqnvX7nVS7Tqt5yRrM7ab6Upvi6oP6t1ydjda9eeyHjIGJt8ne+qHf9ytuGOnKYtEpdKxpIMcPH8nf1ef4t1FCXtPZ3029AAJea2lUN7qR75nqCjiWm0/dkrxowZkpw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9biLHnkIs02G1lJoaboMyeb6ixx2xD4IAFpRMpSFNhc=; b=SHCJSx/ML0pMUrDdjdLVCSBbnl0FEgKGSmkg16athytwU3C2Hy2sxu5DgSdERLkZIN+Hv0ogG+Tb9uRI1eORRBnz8VKq9IkJt+A2eVrhS2q3BTF9USLOP9MfTeSvqs7qP0Nta+Wv09XJCs7nhiVsoA8Di4TmCuu04CRuZP3oZ2X3qGgc79f2B65fpeqGLS0H6+yBqe7WPdKlD10b/kOOwBRPQ2bA0gAb2VHL5PJZ7S1acAYSlpS8PeTKa5k4iuFqhD1Q7sXjbnAAPsZ0UltFHpo9LgXyqxOymjGB4uYq+bvkQC3l5gVxbkRkhTDfB0tjluwtVfLukGz0bmU4k9qkcA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9biLHnkIs02G1lJoaboMyeb6ixx2xD4IAFpRMpSFNhc=; b=H+NzsgIrjVHyTFJ5jydYNDpHnxUFQ9gaJfI/bhuHNs1rZCPAQ6Wuy/qGyPI/Zjp+2sOuaMHr4uwKvfypF07mChY3oGdigMdGq9Z7PBy7WC7eY/OxlsbuXYfeFFsV9dzeB3AsalGxyRICpbw5ufplYRPx0/m1Gp3NyukWJlss1Jo=
Received: from (52.135.41.215) by BY5PR00MB0708.namprd00.prod.outlook.com (52.135.53.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3416.0; Fri, 11 Sep 2020 20:34:29 +0000
Received: from BY5PR00MB0773.namprd00.prod.outlook.com ([fe80::d4bb:a29b:cc69:d69b]) by BY5PR00MB0773.namprd00.prod.outlook.com ([fe80::d4bb:a29b:cc69:d69b%7]) with mapi id 15.20.3416.000; Fri, 11 Sep 2020 20:34:29 +0000
From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: Martin Thomson <mt@lowentropy.net>, "add@ietf.org" <add@ietf.org>
Thread-Topic: [EXTERNAL] [Add] My single use case
Thread-Index: AQHWh4Qxrp4x8+bIDkaWPrv+5QBA76lh+4sVgAC0D4CAASd4gw==
Date: Fri, 11 Sep 2020 20:34:29 +0000
Message-ID: <BY5PR00MB077332F0EDAAE11B5CBA4CE3FA241@BY5PR00MB0773.namprd00.prod.outlook.com>
References: <d4bd287a-d2ce-40cd-b635-4f74efbc77f6@www.fastmail.com> <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com>, <f60fdeb1-a1cc-4636-8e6e-2c497051bed3@www.fastmail.com>
In-Reply-To: <f60fdeb1-a1cc-4636-8e6e-2c497051bed3@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-09-11T20:34:29.195Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;
authentication-results: lowentropy.net; dkim=none (message not signed) header.d=none;lowentropy.net; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.35.64.46]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 028bf3f8-6dee-4cae-e240-08d856921551
x-ms-traffictypediagnostic: BY5PR00MB0708:
x-microsoft-antispam-prvs: <BY5PR00MB070817EDB4958C90469A8658FA241@BY5PR00MB0708.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: sjpcrUS5VrU2btDanFS7sQsHAEpZaPWZsmSDfbKa2YvZ5KbLYe31felHjpaRgfftCzpR2S5qHVKXNbRyyYBdnLlJxQP8z6ZbUy31MJ3apOBGTsrrw5pH1a6neRgRzbrBfN0/VIB0Iw/G1X6t7gYG8fYZ9qTJ45uqtTHYX60+yq1VJm2WS5bcPABYyoQlyHnAZpTtCNsldTZ7Q2UHRqPJM5tvoD4Y9I9Ow4i1xtSWh7NC41/NNxZRHAu+WQQVrQnoTiIEQR76hNZVoWkhLp8CKYwnJGS6kSOAr0+jTSWe5l6oX/Sy4inaB0g6MstRioT3LustDIIAHbwq/88S/fAd7+dw++vB5bOjZiNmG2/TCY2ILxYjsLdOCTfWmQFFoCxZaPsYDHsCMYZFrd7fmZKsQw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR00MB0773.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(396003)(136003)(366004)(39860400002)(376002)(316002)(7696005)(478600001)(26005)(10290500003)(33656002)(166002)(186003)(66574015)(83380400001)(82950400001)(82960400001)(19627405001)(53546011)(8676002)(66556008)(66446008)(66946007)(52536014)(966005)(8936002)(110136005)(76116006)(86362001)(6506007)(2906002)(55016002)(5660300002)(9686003)(66476007)(71200400001)(91956017)(64756008)(8990500004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: /OTJE5Efz/0ABGaOnmqM1hQngNB0gjnNDXeLN3Ln1cfkBFGFsFa5alXaVa44D0DwKpsdcXCwKNVNOcPIG6GRelfVJsxGg2q94BNBgyN+noLvfWMzPkYT/HbX1I0fE7O4yeg3Jj6lcD4sIPBWhUCcqcm4I+gzgdPp7kDDcccGYpjPhJkZBVbeILuF1a5VELhelZM4GvwWbCuCnSOpSRr5EyoFK12n7ZzKpbpgJjMJrWqerMuJePc5lA0cnwjCLncveAJguZju0x/fj41tEIwG+5A+AgOOQJQISBWofNKA++1YS6xrQGe6mVG+B7/H2I4I0sEnqaOGzZXZeB/QLmpF/NTJT5stZ6eWbytjQgYqaPfheD7yB0SJGYwTb10oc9hil0Ca+JCqCX6oVYxXPD2moKIv0HyWrTp9ynestwaZeE7IyKFG/7NxAAGRse6bjQr0mj81deTLAVUiKrLZpjlMGPCJ2cBGwwQweWOT174olZvv2U7G7hUwW0nKnsVPQWBoJrqKOqhWyWGqpetjJRah6zTgpzdSGK3iokdceYxXASF01PUc2z97Gr5uDw+Y7OeekIMhgydltngyInOmLd290KL/EoQmqebwD1VGVyNxLkgEoOV6oGs/xnrtB/4O6NwbKdzB941ZtNGmcEfuiiym8Q==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BY5PR00MB077332F0EDAAE11B5CBA4CE3FA241BY5PR00MB0773namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR00MB0773.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 028bf3f8-6dee-4cae-e240-08d856921551
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Sep 2020 20:34:29.4990 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: wDwB4wgJOZfdNQuJM+hjPBgvlZggYqfeTTB57i1tQ+7ebkRsiz2DWyZ/r3m8wkBU9Oo8msYrrFGDW1anDlkC3A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR00MB0708
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/ugRFiI-wc-vBRbzuJdyFEQlIpuY>
Subject: Re: [Add] [EXTERNAL] My single use case
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Sep 2020 20:34:52 -0000

> I think that the difference is important and we will have to work through both paths, if only because the prevalence of forwarders might mean we need two sets of solutions.

Agreed. The challenges a use case faces have nothing to do with its validity, even if it results in no adoption.

>  I don't think that this necessarily depends on the creation of new infrastructure for authentication of servers that don't have IP addresses in the public address space, but it might make that results less usable for you.

My concern is 2) encompasses more use cases than 1). 1) is limited to the use case of joining a network and needing a recommendation. 2) includes other channels of address acquisition such as offline endpoint configuration. I can accept feature parity for 1) which is no authentication. I can possibly accept lower security for 2) when the address came from network advertisement such as DHCP which isn't secure today, but not when it came from endpoint configuration which may be secured.

More simply: 1) includes both server identity and server source, but 2) only includes server property without accounting for server source.

I understand that may be an implementation decision, but I do want to call out a mechanism built to solve 2) generically may have limited usefulness for clients like me who need to use both interpretations of 2). For me, 2) splits into 2a) and 2b) and the line along which I see the bar for authentication changing is 1) and 2a) on one side and 2b) on the other.

I'll try and articulate this in response to Glenn's request for authentication homework.

Thanks,
Tommy

================================================

The latest in Windows Internet Protocols:

  Native gRPC support: https://aka.ms/grpcblogpost

  DNS over HTTPS: https://aka.ms/dohblogpost

________________________________
From: Martin Thomson <mt@lowentropy.net>
Sent: Thursday, September 10, 2020 7:00 PM
To: Tommy Jensen <Jensen.Thomas@microsoft.com>; add@ietf.org <add@ietf.org>
Subject: Re: [EXTERNAL] [Add] My single use case

On Fri, Sep 11, 2020, at 01:27, Tommy Jensen wrote:
> > As a new device or application, when I join a network that I have no prior relationship with or configuration for, I want to discover the DoT or DoH resolver that corresponds to the Do53 resolver offered by that network
>
> My issue with this scenario is I see "discover a DoT/DoH" server
> differently from "discover a DoT/DoH server that corresponds to the
> Do53 resolver". The former doesn't require authentication to meet
> security parity with Do53 server use today. The latter is a novel
> concept I would prefer to be authenticated. This means for existing TLS
> infra would only be possible for publicly routable IP addresses, a
> subset of the network-offered servers out there.
>
> Is the difference important to you? Would you be fine with the network
> offering the DoT/DoH server in the first place? If not, I just want to
> better understand why not.

Thanks Tommy, that's a good question.

I worded it this way intentionally to allow for both of the interpretations you refer to:

1. What does the network claim is equivalent (DoT/DoH DHCP/RA discovery for example)
2. What does the provided Do53 resolver claim is equivalent (resinfo for example, or maybe just the opportunistic encryption stuff)

As you point out, the latter introduces an extra hop, which might then lead to difficult questions about authentication and what it means to achieve parity.  That's why this is a non-trivial use case to resolve.

I think that the difference is important and we will have to work through both paths, if only because the prevalence of forwarders might mean we need two sets of solutions.  However, it might be that people choose to adopt policies under these different circumstances once we document the properties of the end solutions.

I don't think that this necessarily depends on the creation of new infrastructure for authentication of servers that don't have IP addresses in the public address space, but it might make that results less usable for you.  It all depends on your tolerance for using unauthenticated information.

For instance, Mozilla's TRR program means that we can be more tolerant of failures in discovery, though that requires that we also be tolerant of attacks that aim to make split horizon unavailable, for example.

v2.23.0 | Report a Bug | By Email