Re: [Add] [EXTERNAL] My single use case

Martin Thomson <mt@lowentropy.net> Fri, 11 September 2020 02:00 UTC

Message-Id: <f60fdeb1-a1cc-4636-8e6e-2c497051bed3@www.fastmail.com>
In-Reply-To: <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com>
References: <d4bd287a-d2ce-40cd-b635-4f74efbc77f6@www.fastmail.com> <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com>
Date: Fri, 11 Sep 2020 12:00:27 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Tommy Jensen <Jensen.Thomas@microsoft.com>, "add@ietf.org" <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/AkWESSpmYKgJ9ONgS6-yjOZJ_Eo>
Subject: Re: [Add] [EXTERNAL] My single use case

On Fri, Sep 11, 2020, at 01:27, Tommy Jensen wrote:
> > As a new device or application, when I join a network that I have no prior relationship with or configuration for, I want to discover the DoT or DoH resolver that corresponds to the Do53 resolver offered by that network
> 
> My issue with this scenario is I see "discover a DoT/DoH server" 
> differently from "discover a DoT/DoH server that corresponds to the 
> Do53 resolver". The former doesn't require authentication to meet 
> security parity with Do53 server use today. The latter is a novel 
> concept I would prefer to be authenticated. This means that, with 
> existing TLS infra, this would only be possible for publicly routable 
> IP addresses, a subset of the network-offered servers out there.
> 
> Is the difference important to you? Would you be fine with the network 
> offering the DoT/DoH server in the first place? If not, I just want to 
> better understand why not.

Thanks Tommy, that's a good question.

I worded it this way intentionally to allow for both of the interpretations you refer to:

1. What does the network claim is equivalent (DoT/DoH DHCP/RA discovery for example)
2. What does the provided Do53 resolver claim is equivalent (resinfo for example, or maybe just the opportunistic encryption stuff)

As you point out, the latter introduces an extra hop, which might then lead to difficult questions about authentication and what it means to achieve parity.  That's why this is a non-trivial use case to resolve.

I think that the difference is important and we will have to work through both paths, if only because the prevalence of forwarders might mean we need two sets of solutions.  However, it might be that people choose to adopt policies under these different circumstances once we document the properties of the end solutions.

I don't think that this necessarily depends on the creation of new infrastructure for authentication of servers that don't have IP addresses in the public address space, but it might make the results less usable for you.  It all depends on your tolerance for using unauthenticated information.

For instance, Mozilla's TRR program means that we can be more tolerant of failures in discovery, though that requires that we also be tolerant of attacks that aim to make split horizon unavailable, for example.
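The two discovery paths and the "tolerance for unauthenticated information" question above can be made concrete as a small client policy. The following is an added illustration, not code from the ADD working group or from either poster; the `Candidate` structure, the `"strict"`/`"opportunistic"` policy names, the list of non-routable ranges, and the sample addresses are all constructed for the example. It treats candidates from both paths (the network's DHCP/RA claim and the Do53 resolver's own claim) alike and asks only what can be verified: a candidate with a name on a publicly routable address can be authenticated with existing TLS infrastructure, while an unauthenticated upgrade is accepted only when the encrypted endpoint is the same host that would otherwise receive cleartext queries, which is parity with Do53 rather than a new trust decision.

```python
"""Constructed model of DoT/DoH resolver discovery policy (illustration only;
not the working group's or any implementation's code)."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    source: str           # "network": claimed via DHCP/RA; "resolver": claimed by the Do53 resolver
    transport: str        # "dot" or "doh"
    ip: str               # address of the encrypted resolver
    name: Optional[str]   # hostname a TLS certificate could be issued for, or None


# Hypothetical list of ranges for which no public CA will issue a certificate.
# A real client should use ipaddress.ip_address(ip).is_global instead; it is not
# used here only because it also rejects the documentation addresses (203.0.113.0/24)
# that the constructed sample below relies on.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",   # loopback, link-local, shared CGNAT space
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 loopback, link-local, ULA
)]


def is_publicly_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Membership tests across IPv4/IPv6 versions are False, so mixing is safe.
    return not any(addr in net for net in NON_ROUTABLE)


def can_authenticate(c: Candidate) -> bool:
    # With existing TLS infrastructure a candidate is authenticatable only when it
    # presents a name and sits on a publicly routable address.
    return c.name is not None and is_publicly_routable(c.ip)


def choose(candidates: List[Candidate], do53_ip: str,
           policy: str) -> Tuple[Optional[Candidate], Optional[str]]:
    """Pick an encrypted resolver, or (None, None) to stay on Do53.

    Returns (candidate, basis) with basis "authenticated" or "opportunistic".
    policy is "strict" (authenticated upgrades only) or "opportunistic".
    """
    if policy not in ("strict", "opportunistic"):
        raise ValueError(f"unknown policy {policy!r}")
    # Both discovery paths feed the same list; only what can be verified matters.
    for c in candidates:
        if can_authenticate(c):
            return c, "authenticated"
    if policy == "strict":
        return None, None
    # Unauthenticated upgrade is accepted only when the encrypted endpoint is the
    # very host that would otherwise receive cleartext queries: parity with Do53,
    # not a change in who is trusted.
    for c in candidates:
        if ipaddress.ip_address(c.ip) == ipaddress.ip_address(do53_ip):
            return c, "opportunistic"
    return None, None


# Constructed sample: a home network whose private Do53 resolver also advertises
# DoH on itself (path 1), plus a resolver-asserted public DoT endpoint (path 2).
SAMPLE_DO53 = "192.168.1.1"
SAMPLE_CANDIDATES = [
    Candidate("network", "doh", "192.168.1.1", None),
    Candidate("resolver", "dot", "203.0.113.53", "dot.example.net"),
]


def demo() -> dict:
    """Decisions for the sample under each policy, with and without the public candidate."""
    private_only = SAMPLE_CANDIDATES[:1]
    return {
        "strict_all": choose(SAMPLE_CANDIDATES, SAMPLE_DO53, "strict")[1],
        "strict_private_only": choose(private_only, SAMPLE_DO53, "strict")[1],
        "opportunistic_private_only": choose(private_only, SAMPLE_DO53, "opportunistic")[1],
    }


if __name__ == "__main__":
    for label, basis in demo().items():
        print(label, basis)
```

Running `demo()` shows the split Tommy describes: the public, named candidate is usable under either policy, while the private network-offered one is only ever usable opportunistically, and then only because it is the same host the client already sends Do53 to. A client that wants the discovery to be forwarder-tolerant, as the thread notes, needs the opportunistic branch; a client that wants authenticated correspondence gets nothing on most home networks.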