Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 17 July 2019 18:40 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56BDD12085E for <add@ietfa.amsl.com>; Wed, 17 Jul 2019 11:40:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oh74fX2aiPA1 for <add@ietfa.amsl.com>; Wed, 17 Jul 2019 11:40:47 -0700 (PDT)
Received: from mail-vk1-xa30.google.com (mail-vk1-xa30.google.com [IPv6:2607:f8b0:4864:20::a30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13D261201DC for <add@ietf.org>; Wed, 17 Jul 2019 11:40:47 -0700 (PDT)
Received: by mail-vk1-xa30.google.com with SMTP id v68so1479912vkd.1 for <add@ietf.org>; Wed, 17 Jul 2019 11:40:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rJKljxFIvy+FwBlAZW/5ybOG/wFquIiNCyS4TPDYSjA=; b=dw8CK15qkFdffr5Lj71gU4o04jZOlRJt1HFYmH9DTg7TmkkK9vdshKK2RFJj1/nt36 +m26osAH79f080PtmDL92e6vDLzYPLTmY+Hswhle4d5VZDNHBKOLz8qxVQ7xrR2gPk7a wL96gwttUf7L5opItqlYqyYh+oqXjPH9QHfzh4cMbdLuuYMj9/ZyCxYOaOeqoeAX5jvU m2njQ9hqFyVCZQ4lLleShzQGfo+PUS2BhY2VLl29HXuAcDl46all+VD91LK3b9JN05XK Gx3bNjzkQKY2B2AXTZ/0DqNNFMK/MVbHPNC62PG3t5HBlJt+E8jozwo5mTa0dN6viaCI Lrpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rJKljxFIvy+FwBlAZW/5ybOG/wFquIiNCyS4TPDYSjA=; b=lAXV8Xe1YBvgfq8zu/557MAt4DvMk1gnpPcvzhssraeVlSxe2BQg7svYL2lgelVrym 5vxguJ+Fv/IVYVf9tfebw0g02S3NhMHKY28p9qbBgnxAaMQ0EgCy4SD9cMa2KhT1WIyZ 40FaIyZCsvVV6kcAZmbOwL+etnSWVoTnIXBGA39BVpsMW+mZ8bS7+0BmpIrNVgiU17tv pmhtbcvIs82qhBPlpnv41BJ7wno9ae5TLT7EZXedp6c9tLGDBDFS0klGHqYTCc+W64XG VrvkBTvXfnjNINTeq2wIZkogukeN5ckH54QaidAn5s8FLzxRxbHI5wqq9dwKSn5f+bJD Ixtg==
X-Gm-Message-State: APjAAAW+toLU9ZGgKVqRWdKC68xFYe/gWMxXYfgunHjbnHibtARUzNP+ zDKSGVQ5uitjDXUnKYQf0GTPEj3hv3fngtfmJQo=
X-Google-Smtp-Source: APXvYqzt9rwDY3dWil6dF+ZSoHJCtVvW1LCCyrAjAyqbQrOINn+JJuD6ZvDv6G6TZOOcZFuvbOXWWpG6Hoz9Y08ODKE=
X-Received: by 2002:a1f:9ecc:: with SMTP id h195mr9804043vke.72.1563388846045; Wed, 17 Jul 2019 11:40:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <CAFWeb9LNdT=EYVKTsYDxcBCQKoQFNShKotYtWujt4U9GA-V1mg@mail.gmail.com> <CAFWeb9+eWKSKY9O2JLn9-0+Zq7hrD48F-y+Y4T-iRaaF0vtdOA@mail.gmail.com> <A45F4F74-D6C1-435A-A52F-C2DEA82E2999@sky.uk> <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com> <CABcZeBMY9q9vKGse1svzbvXF_dSHA+9q06j4ugDVCZP9VT1koQ@mail.gmail.com> <CAChr6Sz5Rfz=UxOYuPguSvVK2HCX2ZoA1-FytW7+EOUxN8y46Q@mail.gmail.com> <CABcZeBNB7ASu2U3ZMBZ+OOxEhbSnhDXwFN3Lsex1uzVSDv3R=Q@mail.gmail.com> <CAChr6SwEwRRX7BA6ZCeBuC93hFxbfi3d7G_3G3VA7Lm09yuneg@mail.gmail.com> <CABcZeBNa97Vb6Fw-fMhoZnMezGtm3nJODENN4=XXsz7GWxf2Cg@mail.gmail.com> <CAChr6Sxm__NroZ92v4HL_6iCa62fwYgNw9r8ZDAxCdzVwNoDGw@mail.gmail.com> <20190716190219.5DEF4156CDF0@fafnir.remote.dragon.net> <CAChr6SzSkVU5xbh0sZCCEgd7BUdr-dMorNq=5iMkWp66k8PVow@mail.gmail.com> <15205609-8203-4C6F-9DE7-14D492873C51@rfc1035.com> <CAChr6Syf_=3__jcv6D7b1JokGFYpFuy9y9419V0nCAx=MMh24A@mail.gmail.com> <1513817825.9983.1563350802523@appsuite-gw1.open-xchange.com> <CA+9kkMAdGF_U-syxtFVz-MfBfv-GF_CFouvuUhqcSH96-=Hkjg@mail.gmail.com> <ABBFB472-DC7C-48E2-999E-C364BFD3260E@open-xchange.com> <CA+9kkMBO3LAhVmC+PzBoO7V5vzrfeYyrEPdq6s5nRBrYniqaNA@mail.gmail.com>
In-Reply-To: <CA+9kkMBO3LAhVmC+PzBoO7V5vzrfeYyrEPdq6s5nRBrYniqaNA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 17 Jul 2019 11:40:34 -0700
Message-ID: <CAH1iCiqsSWRm7hbwcaoRYUaoLf-DCDXw8cZy7abaYbOAMjJBPw@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Neil Cook <neil.cook@open-xchange.com>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, add@ietf.org, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000d07d86058de4d4a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/9bWRXtgVCsAsPkuILlIJKoXYNew>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 18:40:50 -0000
On Wed, Jul 17, 2019 at 8:58 AM Ted Hardie <ted.ietf@gmail.com> wrote: > Hi Neil, > > On Wed, Jul 17, 2019 at 8:38 AM Neil Cook <neil.cook@open-xchange.com> > wrote: > >> Hi Ted, >> >> But, and this is the crux of the matter, that integration requires the >> cooperation of the endpoint or its control by an organization's system >> administrators. If you do not have their cooperation or the right to >> manage them by tools like those Eric mentions, it is difficult for the >> endpoint to distinguish a network-level interception by a mandated policy >> engine and by an attacker. >> >> Rather than falling back to the state where the endpoint simple accepts >> that its traffic is visible to all and possibly intercepted, this new work >> is an effort to make it easier for you to gain the cooperation required. I >> hope you can see that this is in both the interest of policy enforcement >> bodies and the end users. >> >> >> > So I use DNS filtering in my own house (along with millions of other >> people as already stated on this thread), provided by my network operator >> (but it doesn’t have to be - I used to use OpenDNS for example, and I have >> the capability to run my own resolver if I so desired).. I have malware >> filtering as well as parental controls enabled. I am the de-facto network >> administrator in my house, but I don’t have the tools or software that >> enterprises use so I won’t benefit from the work being done to help >> enterprises control this. I also have other people coming into my house and >> using my network, and I also like to control what they can access when they >> are in my home. All of this works very well for me today. It doesn’t work >> for me when applications/endpoints start deciding that my network is an >> attacker because it does filtering, and bypassing that filtering "in the >> interest of end-users". >> >> I hope you can see that this is in both the interest of policy >> enforcement bodies and the end users. >> >> >> I’d like to ask, ask an end-user, how is this in my interests? >> >> > I am sorry if I was not clear, The point of the draft is to enable the > network operator to signal this: > > If the user agent can check for the presence of a policy, this could be > used as a signal that the network operator wishes its resolver to be > used as a condition of using the network, and that DoH or DoT should > be disabled. > > That permits your guests to know of your network policy and to abide by it > if they choose; presumably you would not provide network access if they > chose not to. > > So, as far as I can tell, there are some minor problems with the DoH deployment scheme proposed by various vendors (on the client in an "applications doing DNS" manner), which this draft is fundamentally unable to overcome. This draft would probably work just as well, with a bit of work, and without those fundamental issues, for DoT. The root of the problem is visible in "if they chose not to". The nature of DoH, is that the network operator (regardless of who they are) is unable either detect or prevent guests (or users or BYOD or whoever) from not complying with your network policy. In the current unencrypted DNS world, in some specific environments (enterprise, etc), non-compliance is enforced at a port/protocol level (ACLs denying port 53). A similar model that enabled both discovery and enforcement, and if appropriate bypass of enforcements, would look roughly like: client -> obtain policy -> (comply with visibility into compliance by network, e.g. via DoT port/protocol) | (no-comply with visibility and blocking -> obtain explicit information about risks and informed consent from user -> violate/bypass e.g. via DoH) When only DoH is used, if there is no informed consent, this short circuits completely to client-> obtain policy -> comply or no-comply. This breaks all of the existing detection and enforcement for network-level tools applicable to DNS-based systems. Given that DoT provides everything that DoH provides, from a privacy perspective, so long as DoT isn't blocked and/or so long as any existing DNS resolver(s) have an upgrade to DoT, and so long as relevant clients (system or application) have the corresponding upgrade for DoT, I don't understand the non-use of DoT. Reminder: DoT clients have to build wire-format DNS queries, and then send them over TLS sessions. DoH clients haveh to build wire-format DNS queries, encode them, add HTTP headers, and send them over TLS sessions. DoH ALREADY, by definition, has all the necessary code paths to build the wire-format DNS queries required by DoT. Adding DoT to a resolver involves duplicating the DoH bits, and then removing the HTTP-handling bits, i.e. almost entirely removing code. I think the fundamental asymmetry, where the guest can know the network's policy but the network cannot detect or enforce its own policy, is easy to see and understand. And, I think the issue where this asymmetry is fundamental to DoH, but is not an attribute of DoT, is also clear to anyone who looks. This is why many of us are advocating for replacing DoH with DoT. The harm that DoH does in an intractable fashion, far outweighs (by many orders of magnitude) the benefits to an admittedly important set of users and use cases. I may have said it before, but I think it bears repeating: the DoH bypassing of network policy, SHOULD be restricted via several important safeguards (in widely distributed software systems): Disable DoH by default; restrict enabling DoH to admin-level accounts; restrict DoH usage to certain modes (e.g. incognito or equivalent); restrict DoH usage to the lifespan of a browser tab; restrict DoH usage/enabling via "informed consent" that may be very complex to implement, but which is nonetheless needed to ensure users are informed about their specific, concrete, literal risks (e.g. company policy violations, geopolitical environments, operator terms/conditions, etc.). Brian
- [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Andy Grover
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Eric Rescorla
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Eric Rescorla
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Vittorio Bertola
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Jim Reid
- [Add] Firefox DoH behaviour Jim Reid
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] Firefox DoH behaviour Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Richardson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Barry Greene
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Jim Reid
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Erik Kline
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Erik Kline
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… tirumal reddy
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Evan Hunt
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ralf Weber
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Livingood, Jason