Re: [Add] [EXTERNAL] Re: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt

Paul Wouters <paul@nohats.ca> Fri, 02 April 2021 01:11 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 727B43A2AFB for <add@ietfa.amsl.com>; Thu, 1 Apr 2021 18:11:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XP4ktWz2h1pM for <add@ietfa.amsl.com>; Thu, 1 Apr 2021 18:11:42 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A235E3A2AFC for <add@ietf.org>; Thu, 1 Apr 2021 18:11:42 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4FBMT70Rs0zvk; Fri, 2 Apr 2021 03:11:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1617325899; bh=2vJtyuZLlTGxsSfk2IzNBWbiAtymfF8EGpPlQH1Lgt0=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=tdf2cdfKEXOEThr/MMPLx5WbgbisG8Ix0LdaHlE9Kq+nxce3KHL+3qLe/YLZrLWCU HHa8XCX7iSX80669TaW0mhdVUeHS8nruhMSfdqRZQNOvHvD28E+E5qxAW6ywEsEzGS 0uWl/SwmoQ9gK8/vgT1NVuOT/8W3fblyFUgWnHQI=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 3UTNx-6yikYX; Fri, 2 Apr 2021 03:11:37 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 2 Apr 2021 03:11:37 +0200 (CEST)
Received: from [193.110.157.220] (unknown [193.110.157.220]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id 64776602989B; Thu, 1 Apr 2021 21:11:36 -0400 (EDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-A6DF098A-D1AC-4286-A86B-61ECAFA7B7C1"
Content-Transfer-Encoding: 7bit
From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Thu, 01 Apr 2021 21:11:35 -0400
Message-Id: <55ED5E7F-2595-4E6D-BBE2-36F38C9A99E1@nohats.ca>
References: <E54C6029-946B-4094-A753-5DD5A881C901@nbcuni.com>
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, ADD Mailing list <add@ietf.org>
In-Reply-To: <E54C6029-946B-4094-A753-5DD5A881C901@nbcuni.com>
To: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
X-Mailer: iPhone Mail (18D70)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/BU1jgs9zCwvrUe2yvrLkhTjh978>
Subject: Re: [Add] [EXTERNAL] Re: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Apr 2021 01:11:47 -0000

On Apr 1, 2021, at 18:44, Deen, Glenn (NBCUniversal) <Glenn.Deen@nbcuni.com> wrote:
> 
> 
> Let’s keep in mind the context of this discussion – It’s about Enterprise Split DNS – and not just connecting to a simple network.

My coffeeshop uses Enterprise WPA. What if they start using Enterprise Split DNS? What is the expected UI for me to accept / decline this as an enterprise network? What if they announce Gmail.com is their enterprise domain?

If the trust comes from enterprise MDM, why can’t the provisioning issue the domain list in a verified, authenticated way, instead of ad hoc untrusted network broadcasts?

The document deems this problem solved by adding

   The scope of this document is restricted to unmanaged BYOD devices
   without a configuration profile.  The unmanaged BYOD devices use the
   credentials (user name and password) provided by the IT admin to
   mutually authenticate to the Enterprise WLAN Access Point

And this is exactly the scenario where a coffeeshop that provides a user/password is indistinguishable from a presumed trusted IT admin pre-arrangement with credentials.

Paul