Re: [Add] [EXT] Re: meeting hum: should the IETF take up this work?
Joe Abley <jabley@hopcount.ca> Thu, 01 August 2019 18:32 UTC
Return-Path: <jabley@hopcount.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59AA31201D0 for <add@ietfa.amsl.com>; Thu, 1 Aug 2019 11:32:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n5ij2wsQhaGu for <add@ietfa.amsl.com>; Thu, 1 Aug 2019 11:32:02 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8DA1120168 for <add@ietf.org>; Thu, 1 Aug 2019 11:32:02 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id k20so146506543ios.10 for <add@ietf.org>; Thu, 01 Aug 2019 11:32:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=7ooFq5/NwPZuREDmFpyZW4LRge1hBz3za8oPpbAV+gI=; b=j7W4jLCE5iMNYlaYWTp/NTNvj8za7e5KsHZdLwMAeIwmm6Be7LvXPkw2O56l6AwhMK eAvujr553kVds5ac9spUU45nVx+9ttC+dn2STsZ2hTSJhASb40WVmtwbPm2WXOEOXNlL sCsJt82tMcRaZdelLPZrBV8/PnJdP+mnjkLSI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=7ooFq5/NwPZuREDmFpyZW4LRge1hBz3za8oPpbAV+gI=; b=s0KyBR6oez1LVefWEUXxdSya+A43igbXgm9zGMfe9fOBiNK3BFcFq97+4WSvtE7cAh 20EBTcP497Go96pcCb+12mGLe8VLwyRcf+jK573pJBKeX2ybRPzZZ5ptrpylydrbSgZD rh+Z9NihLGCkmiGwCGZjDK93DU/lSFwo6MjcYChFwvFENjIGfZ0roIBo4DkmFJJB7C+w ZKVSK15eGWY0F4emJpK8qQyITZYkxhA4/JVD9NXZrCSeOyxDOi9G8RjQubjnWPfkY/3d cmnrbITyLT35Li0LBBwZT+HxQ6W0Mcm8bxgP7GQ8xZwuqksQWgQCA4gRHK9nOf0yKFTY hdsQ==
X-Gm-Message-State: APjAAAXd1T3nXTh7vvkQ/nBe1sv66cSwK/bMtpxeNH7DHWwnH0eSJin+ 6SCXQlAUui81cOarN3cSC9Q=
X-Google-Smtp-Source: APXvYqzD8i3MSjQ8Akjo+avvlYYyYYQinY1B7YRoUlITqVF1rRoeFPtzz5af2pNxNooSZupKxChoiQ==
X-Received: by 2002:a02:bca:: with SMTP id 193mr94779057jad.46.1564684321737; Thu, 01 Aug 2019 11:32:01 -0700 (PDT)
Received: from [192.168.1.50] (24-246-23-138.cable.teksavvy.com. [24.246.23.138]) by smtp.gmail.com with ESMTPSA id i3sm59798774ion.9.2019.08.01.11.32.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Aug 2019 11:32:00 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
Message-Id: <15B6E0CE-0047-4F2A-A63B-E9A8B8910412@hopcount.ca>
Content-Type: multipart/signed; boundary="Apple-Mail=_985CCC0F-8FB4-4FEF-BB02-861A18C2E04B"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 01 Aug 2019 14:31:58 -0400
In-Reply-To: <a956c801f12745fb839f3a5394247002@cira.ca>
Cc: Ólafur Guðmundsson <olafur=40cloudflare.com@dmarc.ietf.org>, "Livingood, Jason" <Jason_Livingood@comcast.com>, "add@ietf.org" <add@ietf.org>, Adam Roach <adam@nostrum.com>
To: Jacques Latour <Jacques.Latour@cira.ca>
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <AAEA003A-58DB-4FEE-81B2-BBFE9BBB2A37@rfc1035.com> <CAChr6SwA+HM4u5-xpUxQXPH8G8k7sfm6AETJJ019HE=bsq+OXA@mail.gmail.com> <8F094057-DFBC-4732-9DA4-BE46E7914C8A@rfc1035.com> <20190724165951.GB29051@laperouse.bortzmeyer.org> <821B448B-F7EA-46A5-837D-DA0E8C60643A@open-xchange.com> <d653d422-4a71-9fab-fd2e-b8ddaa476f91@nostrum.com> <488E2CE0-73D5-4B9E-A5AD-28FDCB95ED2A@cable.comcast.com> <CAN6NTqyAzZY5TG8Y7ks0zEMdVuE=+m1JC0n3Dn5_1c6EKgBwwA@mail.gmail.com> <a956c801f12745fb839f3a5394247002@cira.ca>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Bc1iu6BxT1aG8N2f0ZXDXwfkwqI>
Subject: Re: [Add] [EXT] Re: meeting hum: should the IETF take up this work?
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2019 18:32:05 -0000
Hi Jacques! > On 1 Aug 2019, at 13:59, Jacques Latour <Jacques.Latour@cira.ca> wrote: > > From the department of this-could-be-a-bad-idea and the department of omg-this-goes-against-everything-we’re-trying-do, but here it goes: a DoH operator should have a policy to blacklist IP address as requested by the network operator, since we can’t effectively block DoH at the edge of the enterprise network, We can though, right? Depending on what you mean by "effective". It's just more expensive than blocking DoT and Do53 if all you care about is blocking the well-known ports. We can even do this without affecting end-user privacy in some (many? most?) cases since in some (many? most?) corporate networks there's no expectation of end-user privacy in the first place. There are certainly some corporate networks that were stripping TLS using privately-issued trust anchors for client devices in order to police content long before DoH had been specified. Given that the number of end-users who inhabit enterprise networks is a rounding error compared to the total number of users of the Internet globally, I continue to be surprised at the amount of focus the enterprise deployment case gets in these discussions. > an enterprise network should have the ability to request the well behaved DoH recursive operators to block requests coming from their network IP address. Perhaps have some sort of trusted clearing house of IP addresses that the well behaved DoH recursive operators should blacklist from. Enterprises can block non well behaving DoH recursive operators. > > Since the major problems of DoH is for all to understand the multidimensional matrix of deployment models vs. value proposition vs. user (vantage) point of view, it’s almost impossible to assess the value proposition of the above example against all the currently possible/available scenarios. But we know that DoH has a negative value proposition for Enterprises. If we know that, I don't know how we know. Is there a potential benefit in some enterprise security architectures to having DNS resolution not being visible across the network, perhaps? Perhaps not being complicit in enabling DNS resolution for particular clients and particular content is a benefit in arguing for a lack of liability in some legal framework? In the case where an enterprise is deliberately using external recursive services (e.g. the ones that CIRA and OpenDNS sell) perhaps there's a benefit to having that DNS traffic protected by TLS? Are we conflating DoH as a protocol with the specific case of a client on an enterprise network using a non-blessed third-party DoH service when we talk about DoH and the enterprise, or an application on a client device that is acting contrary to the device's system-wide configuration? Is that helpful? I like the questions you're asking about risk analysis for the enterprise (although it still feels a bit like a corner case) but I think there are a lot more questions to ask about the implications of DoH before we can assume that there's no benefit. Joe
- [Add] meeting hum: should the IETF take up this w… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Jim Reid
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Michael Sinatra
- Re: [Add] meeting hum: should the IETF take up th… Tommy Jensen
- Re: [Add] meeting hum: should the IETF take up th… Jim Reid
- Re: [Add] meeting hum: should the IETF take up th… STARK, BARBARA H
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Michael Richardson
- Re: [Add] meeting hum: should the IETF take up th… Reed, Jon
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] meeting hum: should the IETF take up th… Bret Jordan
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Bret Jordan
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Tommy Jensen
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Tommy Jensen
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Tommy Jensen
- Re: [Add] fixing coffee shop brokenness with DoH Bret Jordan
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Alec Muffett
- Re: [Add] fixing coffee shop brokenness with DoH sthaug
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Brett Carr
- Re: [Add] fixing coffee shop brokenness with DoH Joseph Lorenzo Hall
- Re: [Add] fixing coffee shop brokenness with DoH Lars Eggert
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Diego R. Lopez
- Re: [Add] fixing coffee shop brokenness with DoH Bret Jordan
- Re: [Add] fixing coffee shop brokenness with DoH Joseph Lorenzo Hall
- Re: [Add] fixing coffee shop brokenness with DoH Bret Jordan
- Re: [Add] fixing coffee shop brokenness with DoH Joseph Lorenzo Hall
- Re: [Add] fixing coffee shop brokenness with DoH chris.box
- Re: [Add] fixing coffee shop brokenness with DoH Vittorio Bertola
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Vittorio Bertola
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Joseph Lorenzo Hall
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Diego R. Lopez
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Tony Finch
- [Add] Trust and control on the Internet (was Re: … Vittorio Bertola
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] Trust and control on the Internet (was … Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] meeting hum: should the IETF take up th… Stephane Bortzmeyer
- Re: [Add] meeting hum: should the IETF take up th… Stephane Bortzmeyer
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Stephane Bortzmeyer
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] Trust and control on the Internet (was … Andrew Campling
- Re: [Add] Trust and control on the Internet (was … Andrew Campling
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Michael Richardson
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Michael Richardson
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Stephane Bortzmeyer
- Re: [Add] fixing coffee shop brokenness with DoH Stephane Bortzmeyer
- Re: [Add] fixing coffee shop brokenness with DoH Stephane Bortzmeyer
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH chris.box
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Petr Špaček
- Re: [Add] meeting hum: should the IETF take up th… Neil Cook
- Re: [Add] fixing coffee shop brokenness with DoH Normen Kowalewski
- Re: [Add] fixing coffee shop brokenness with DoH Joe Abley
- Re: [Add] fixing coffee shop brokenness with DoH Normen Kowalewski
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Paul Ebersman
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Petr Špaček
- Re: [Add] meeting hum: should the IETF take up th… Adam Roach
- Re: [Add] meeting hum: should the IETF take up th… Neil Cook
- Re: [Add] fixing coffee shop brokenness with DoH Paul Ebersman
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Paul Ebersman
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Vittorio Bertola
- Re: [Add] fixing coffee shop brokenness with DoH Paul Wouters
- Re: [Add] fixing coffee shop brokenness with DoH Michael Richardson
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Andrew Campling
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Adam Roach
- Re: [Add] meeting hum: should the IETF take up th… Stephen Farrell
- Re: [Add] meeting hum: should the IETF take up th… Adam Roach
- Re: [Add] fixing coffee shop brokenness with DoH Andrew Campling
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Andrew Campling
- Re: [Add] meeting hum: should the IETF take up th… Vittorio Bertola
- Re: [Add] meeting hum: should the IETF take up th… Michael Richardson
- Re: [Add] meeting hum: should the IETF take up th… Ben Schwartz
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Michael Richardson
- Re: [Add] meeting hum: should the IETF take up th… Michael Richardson
- Re: [Add] meeting hum: should the IETF take up th… Stephen Farrell
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Stephen Farrell
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Michael Richardson
- Re: [Add] meeting hum: should the IETF take up th… Vittorio Bertola
- Re: [Add] meeting hum: should the IETF take up th… Valentin Gosu
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Livingood, Jason
- Re: [Add] meeting hum: should the IETF take up th… Paul Ebersman
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Diego R. Lopez
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Eric Orth
- Re: [Add] meeting hum: should the IETF take up th… Diego R. Lopez
- Re: [Add] meeting hum: should the IETF take up th… Thomas Peterson
- Re: [Add] meeting hum: should the IETF take up th… Jim Reid
- Re: [Add] meeting hum: should the IETF take up th… Livingood, Jason
- Re: [Add] meeting hum: should the IETF take up th… Tommy Jensen
- Re: [Add] meeting hum: should the IETF take up th… Ólafur Guðmundsson
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Jacques Latour
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Joe Abley
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Ralf Weber
- [Add] point of deploying DoH in access network (R… 神明達哉
- Re: [Add] point of deploying DoH in access networ… Joe Abley
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Eric Orth
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Christian Huitema
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Mikael Abrahamsson
- Re: [Add] point of deploying DoH in access networ… Tony Finch
- Re: [Add] point of deploying DoH in access networ… Robert Mortimer
- Re: [Add] point of deploying DoH in access networ… Alec Muffett
- Re: [Add] point of deploying DoH in access networ… Ted Lemon
- Re: [Add] point of deploying DoH in access networ… Simon Hicks
- Re: [Add] point of deploying DoH in access networ… Vladimír Čunát