IETF Logo Mail Archive

Re: [Add] I-D Action: draft-ietf-add-dnr-01.txt

mohamed.boucadair@orange.com Wed, 05 May 2021 05:50 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83A793A0E52 for <add@ietfa.amsl.com>; Tue, 4 May 2021 22:50:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.116
X-Spam-Level:
X-Spam-Status: No, score=-2.116 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LL4S91gkhAGN for <add@ietfa.amsl.com>; Tue, 4 May 2021 22:50:54 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A3913A0E50 for <add@ietf.org>; Tue, 4 May 2021 22:50:54 -0700 (PDT)
Received: from opfedar00.francetelecom.fr (unknown [xx.xx.xx.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfedar21.francetelecom.fr (ESMTP service) with ESMTPS id 4FZm6336fJz7tvB; Wed, 5 May 2021 07:50:51 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1620193851; bh=3FwtGzEVw0nsh4xtFfvso4qPEpg2MDhssoZD8gR4RCk=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=tsdvngpFDjdrAq4BDlyuZl1BoZGV/wEwR8DRcbU7nJ884ua45y+q3lchm97jUxdMj cjKTwZFmbL7+Mx+bad/50xwDWinaQ+6hceYRlNgjbK6kyQRJZ970B6JF0cJVLnKfqx 3PBg6SQK8jeu5E2aJZiuQ/yOvN37hkXIHp7M2pKj+gAFcMzkkVUJDAUhJhCSusPjw2 vmMblgZFaHl+EAHmyAvlEWDi8G7BnKJp25zJoOpImY9o/P8KVIoJGYS6SSzEoYybPM ghcdSvBaVukvZAguQRF3nRE/bTbK1IreD68VUz+gsVB/gI8CFQNUmljVWqkkVx1rp9 2P/30h0kYiF8w==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by opfedar00.francetelecom.fr (ESMTP service) with ESMTPS id 4FZm632BJgzCqkN; Wed, 5 May 2021 07:50:51 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Ben Schwartz <bemasc@google.com>
CC: "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] I-D Action: draft-ietf-add-dnr-01.txt
Thread-Index: AQHXQTrOjz6UO8JlxE6tmjzXSLQrcqrUVuKw
Date: Wed, 05 May 2021 05:50:50 +0000
Message-ID: <13298_1620193851_6092323B_13298_83_1_787AE7BB302AE849A7480A190F8B933035376BA3@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <162013212867.27298.8042102801502765376@ietfa.amsl.com> <31475_1620133405_6091461D_31475_9_1_787AE7BB302AE849A7480A190F8B93303537667E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAHbrMsC1O6LA-MLL6XX2H2_0SZ6B-x1=A2yCLWxuLge-4xLJ6Q@mail.gmail.com>
In-Reply-To: <CAHbrMsC1O6LA-MLL6XX2H2_0SZ6B-x1=A2yCLWxuLge-4xLJ6Q@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B933035376BA3OPEXCAUBMA2corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/5UInLn5guFvMVCXZhXtNbfFsOmg>
Subject: Re: [Add] I-D Action: draft-ietf-add-dnr-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 May 2021 05:51:00 -0000

Hi Ben,

Thank you for the comments.

Please see inline.

Cheers,
Med

De : Ben Schwartz [mailto:bemasc@google.com]
Envoyé : mercredi 5 mai 2021 01:11
À : BOUCADAIR Mohamed TGI/OLN <mohamed.boucadair@orange.com>
Cc : add@ietf.org
Objet : Re: [Add] I-D Action: draft-ietf-add-dnr-01.txt

Thanks for this update.  I think this is a good design.

Some notes:

Sections 4-6:
The ADN is self-delimiting, so the ADN length field is redundant in both encodings.  (It's also unnecessarily wide in the IPv6 encodings, since domain names are limited to 255 octets.)  I would suggest getting rid of the ADN length field.  For precedent, see the DNSSL option (RFC 8106 Section 5.2).

I wonder if anyone else would prefer an Addr Count instead of Addr Length?  That would allow us to have a consistent 1-byte field for v4 and v6, and avoid the divisibility requirements.  Better to multiply than divide!
[Med] I confirm that we first considered “Addr Count” but changed it. This was one of the discussion points I had with Bernie and which triggered this thread in dhc WG: https://mailarchive.ietf.org/arch/msg/dhcwg/baHgUt99kHmqSB5pmhPm6YyN4O4/. For the your two points above, we will be following the guidelines from the dhc wg.

I think the draft should probably have a one-sentence warning like "Senders SHOULD NOT include ipv4hint or ipv6hint SvcParams, which would be superseded by the included addresses."
[Med] I went for a more strict wording:

“The service parameters MUST NOT include "ipv4hint" or "ipv6hint" SvcParams as they are superseded by the included IP addresses.”

Section 7 and Appendices A+B:

I think these sections should move to a separate draft (where they can be full-fledged body text, and not merely appendices).  This guidance is not specific to DNR (it also applies to DDR), and applies to very particular deployment scenarios.  I also think that this operational guidance is much more speculative than the format itself, and I'd like them to be able to make progress independently.
[Med] I’m not sure if all applies to DDR, but it is fair to ask for separating the options design vs. deployment considerations. Let’s see what others think about this.

Section 8:

I would like this section to take a different approach.  Rather than simply enumerating attacks, I think we should be discussing the security properties that this process provides.  In particular, we need to be clear that DNR can guarantee that the resolver is the one selected by the DHCP sender, but it cannot provide any information about who that sender is.
[Med] This is more valid on the LAN side, not the WAN side.

One particular note: The draft says "Also, an attacker can use a public IP address and get an 'IP address'-validated public certificate from a CA to host an Encrypted DNS server.".  This is currently not supported: DNR requires an Authentication Domain Name, which cannot be an IP address.  (That's OK with me; I just think the text should be consistent.)
[Med] This one is left on purpose as the current spec does not preclude returning an “ADN Length” set to 0. In such case the IP address will be used as the authentication reference identifier. We don’t have an explicit text for it but this is a point we would like to have more feedback from the WG.

On Tue, May 4, 2021 at 6:03 AM <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>> wrote:
Hi all,

This version takes into account the inputs received during the last IETF meeting: that is, leverage SVCB. One single option is thus defined to carry the authentication domain name, IP address(es), and service parameters. The service parameters are encoded as SvcParams specified in the SVCB I-D. We added text to explain the rationale of reusing that encoding + why one single option is defined.

We also updated the structure of section 3 to take into account some of the comments from Michael.

The DHCP part was reviewed by Bernie (co-chair of dhc wg). All seems good.

Cheers,
Med

> -----Message d'origine-----
> De : Add [mailto:add-bounces@ietf.org<mailto:add-bounces@ietf.org>] De la part de internet-
> drafts@ietf.org<mailto:drafts@ietf.org>
> Envoyé : mardi 4 mai 2021 14:42
> À : i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>
> Cc : add@ietf.org<mailto:add@ietf.org>
> Objet : [Add] I-D Action: draft-ietf-add-dnr-01.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Adaptive DNS Discovery WG of the
> IETF.
>
>         Title           : DHCP and Router Advertisement Options for
> the Discovery of Network-designated Resolvers (DNR)
>         Authors         : Mohamed Boucadair
>                           Tirumaleswar Reddy
>                           Dan Wing
>                           Neil Cook
>                           Tommy Jensen
>       Filename        : draft-ietf-add-dnr-01.txt
>       Pages           : 30
>       Date            : 2021-05-04
>
> Abstract:
>    The document specifies new DHCP and IPv6 Router Advertisement
> options
>    to discover encrypted DNS servers (e.g., DNS-over-HTTPS, DNS-over-
>    TLS, DNS-over-QUIC).  Particularly, it allows to learn an
>    authentication domain name together with a list of IP addresses
> and a
>    set of service parameters to reach such encrypted DNS servers.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-add-dnr/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-add-dnr-01
> https://datatracker.ietf.org/doc/html/draft-ietf-add-dnr-01
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-add-dnr-01
>
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org<http://tools.ietf.org>.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> --
> Add mailing list
> Add@ietf.org<mailto:Add@ietf.org>
> https://www.ietf.org/mailman/listinfo/add

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email