IETF Logo Mail Archive

Re: [Add] [EXT] Re: meeting hum: should the IETF take up this work?

Joe Abley <jabley@hopcount.ca> Thu, 01 August 2019 18:32 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59AA31201D0 for <add@ietfa.amsl.com>; Thu, 1 Aug 2019 11:32:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n5ij2wsQhaGu for <add@ietfa.amsl.com>; Thu, 1 Aug 2019 11:32:02 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8DA1120168 for <add@ietf.org>; Thu, 1 Aug 2019 11:32:02 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id k20so146506543ios.10 for <add@ietf.org>; Thu, 01 Aug 2019 11:32:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=7ooFq5/NwPZuREDmFpyZW4LRge1hBz3za8oPpbAV+gI=; b=j7W4jLCE5iMNYlaYWTp/NTNvj8za7e5KsHZdLwMAeIwmm6Be7LvXPkw2O56l6AwhMK eAvujr553kVds5ac9spUU45nVx+9ttC+dn2STsZ2hTSJhASb40WVmtwbPm2WXOEOXNlL sCsJt82tMcRaZdelLPZrBV8/PnJdP+mnjkLSI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=7ooFq5/NwPZuREDmFpyZW4LRge1hBz3za8oPpbAV+gI=; b=s0KyBR6oez1LVefWEUXxdSya+A43igbXgm9zGMfe9fOBiNK3BFcFq97+4WSvtE7cAh 20EBTcP497Go96pcCb+12mGLe8VLwyRcf+jK573pJBKeX2ybRPzZZ5ptrpylydrbSgZD rh+Z9NihLGCkmiGwCGZjDK93DU/lSFwo6MjcYChFwvFENjIGfZ0roIBo4DkmFJJB7C+w ZKVSK15eGWY0F4emJpK8qQyITZYkxhA4/JVD9NXZrCSeOyxDOi9G8RjQubjnWPfkY/3d cmnrbITyLT35Li0LBBwZT+HxQ6W0Mcm8bxgP7GQ8xZwuqksQWgQCA4gRHK9nOf0yKFTY hdsQ==
X-Gm-Message-State: APjAAAXd1T3nXTh7vvkQ/nBe1sv66cSwK/bMtpxeNH7DHWwnH0eSJin+ 6SCXQlAUui81cOarN3cSC9Q=
X-Google-Smtp-Source: APXvYqzD8i3MSjQ8Akjo+avvlYYyYYQinY1B7YRoUlITqVF1rRoeFPtzz5af2pNxNooSZupKxChoiQ==
X-Received: by 2002:a02:bca:: with SMTP id 193mr94779057jad.46.1564684321737; Thu, 01 Aug 2019 11:32:01 -0700 (PDT)
Received: from [192.168.1.50] (24-246-23-138.cable.teksavvy.com. [24.246.23.138]) by smtp.gmail.com with ESMTPSA id i3sm59798774ion.9.2019.08.01.11.32.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Aug 2019 11:32:00 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
Message-Id: <15B6E0CE-0047-4F2A-A63B-E9A8B8910412@hopcount.ca>
Content-Type: multipart/signed; boundary="Apple-Mail=_985CCC0F-8FB4-4FEF-BB02-861A18C2E04B"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 01 Aug 2019 14:31:58 -0400
In-Reply-To: <a956c801f12745fb839f3a5394247002@cira.ca>
Cc: Ólafur Guðmundsson <olafur=40cloudflare.com@dmarc.ietf.org>, "Livingood, Jason" <Jason_Livingood@comcast.com>, "add@ietf.org" <add@ietf.org>, Adam Roach <adam@nostrum.com>
To: Jacques Latour <Jacques.Latour@cira.ca>
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <AAEA003A-58DB-4FEE-81B2-BBFE9BBB2A37@rfc1035.com> <CAChr6SwA+HM4u5-xpUxQXPH8G8k7sfm6AETJJ019HE=bsq+OXA@mail.gmail.com> <8F094057-DFBC-4732-9DA4-BE46E7914C8A@rfc1035.com> <20190724165951.GB29051@laperouse.bortzmeyer.org> <821B448B-F7EA-46A5-837D-DA0E8C60643A@open-xchange.com> <d653d422-4a71-9fab-fd2e-b8ddaa476f91@nostrum.com> <488E2CE0-73D5-4B9E-A5AD-28FDCB95ED2A@cable.comcast.com> <CAN6NTqyAzZY5TG8Y7ks0zEMdVuE=+m1JC0n3Dn5_1c6EKgBwwA@mail.gmail.com> <a956c801f12745fb839f3a5394247002@cira.ca>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Bc1iu6BxT1aG8N2f0ZXDXwfkwqI>
Subject: Re: [Add] [EXT] Re: meeting hum: should the IETF take up this work?
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2019 18:32:05 -0000

Hi Jacques!

> On 1 Aug 2019, at 13:59, Jacques Latour <Jacques.Latour@cira.ca> wrote:
> 
> From the department of this-could-be-a-bad-idea and the department of omg-this-goes-against-everything-we’re-trying-do, but here it goes: a DoH operator should have a policy to blacklist IP address as requested by the network operator, since we can’t effectively block DoH at the edge of the enterprise network,

We can though, right? Depending on what you mean by "effective". It's just more expensive than blocking DoT and Do53 if all you care about is blocking the well-known ports.

We can even do this without affecting end-user privacy in some (many? most?) cases since in some (many? most?) corporate networks there's no expectation of end-user privacy in the first place. There are certainly some corporate networks that were stripping TLS using privately-issued trust anchors for client devices in order to police content long before DoH had been specified.

Given that the number of end-users who inhabit enterprise networks is a rounding error compared to the total number of users of the Internet globally, I continue to be surprised at the amount of focus the enterprise deployment case gets in these discussions.

> an enterprise network should have the ability to request the well behaved DoH recursive operators to block requests coming from their network IP address. Perhaps have some sort of trusted clearing house of IP addresses that the well behaved DoH recursive operators should blacklist from. Enterprises can block non well behaving DoH recursive operators.
> 
> Since the major problems of DoH is for all to understand the multidimensional matrix of deployment models vs. value proposition vs. user (vantage) point of view, it’s almost impossible to assess the value proposition of the above example against all the currently possible/available scenarios. But we know that DoH has a negative value proposition for Enterprises.

If we know that, I don't know how we know.

Is there a potential benefit in some enterprise security architectures to having DNS resolution not being visible across the network, perhaps?

Perhaps not being complicit in enabling DNS resolution for particular clients and particular content is a benefit in arguing for a lack of liability in some legal framework?

In the case where an enterprise is deliberately using external recursive services (e.g. the ones that CIRA and OpenDNS sell) perhaps there's a benefit to having that DNS traffic protected by TLS?

Are we conflating DoH as a protocol with the specific case of a client on an enterprise network using a non-blessed third-party DoH service when we talk about DoH and the enterprise, or an application on a client device that is acting contrary to the device's system-wide configuration? Is that helpful?

I like the questions you're asking about risk analysis for the enterprise (although it still feels a bit like a corner case) but I think there are a lot more questions to ask about the implications of DoH before we can assume that there's no benefit.


Joe

v2.23.0 | Report a Bug | By Email