Re: [Add] New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
Paul Vixie <paul@redbarn.org> Sat, 20 March 2021 04:32 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79AC33A19CD for <add@ietfa.amsl.com>; Fri, 19 Mar 2021 21:32:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nl1421q6b2QY for <add@ietfa.amsl.com>; Fri, 19 Mar 2021 21:32:43 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D01673A19CB for <add@ietf.org>; Fri, 19 Mar 2021 21:32:43 -0700 (PDT)
Received: from [IPv6:2001:559:8000:c9:1c0b:d988:3630:9c71] (unknown [IPv6:2001:559:8000:c9:1c0b:d988:3630:9c71]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id ADA717599A; Sat, 20 Mar 2021 04:32:43 +0000 (UTC)
To: Tommy Pauly <tpauly@apple.com>
Cc: ADD Mailing list <add@ietf.org>
References: <161544385340.18570.13061001177806683345@ietfa.amsl.com> <CAFpG3geAq9oTEJp+uFQ_vHdATgT9Faza-tJURciO=RheLgLDug@mail.gmail.com> <CAHbrMsCK5BUNzF+8nd722R-BR612mM+3oA6x9RzoT_osHWWRzg@mail.gmail.com> <BFF52DBA-5A64-46E5-B51A-9012EF9E09BD@apple.com> <20210312191835.rhsyikec46uzmnk4@family.redbarn.org> <C778A810-CF36-4893-8AC9-49C1C3A651C8@apple.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <5084fc39-326e-a7a4-2bbd-fb5ef9c983e7@redbarn.org>
Date: Fri, 19 Mar 2021 21:32:41 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/7.0.47
MIME-Version: 1.0
In-Reply-To: <C778A810-CF36-4893-8AC9-49C1C3A651C8@apple.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/BqMqSFLnktMys2hUJrecmurxKtQ>
Subject: Re: [Add] New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Mar 2021 04:32:47 -0000
Tommy Pauly wrote on 2021-03-12 15:50: >> On Mar 12, 2021, at 11:18 AM, Paul Vixie <paul@redbarn.org> wrote: >> >> not all networks are public, and not all on-path actors are >> authoritarian governments or surveillance capitalists, and not all >> devices have users. i'd like to see this discussion move to a >> broader use case that isn't smartphone centric or web-centric or >> coffee-shop-wifi centric. > > To be clear, for the private or home network case, I don’t think this > needs to be a problem. i hope you're right, and i'm glad we're discussing it. > If you are using a device on a network that you control, and you want > you network to see all of the details, great! That should be possible > to configure for sure. Set up your devices the way you want to. In an > enterprise, there are also many solutions for this. there are important and common instances in which this guidance is inapplicable, because DoH is deliberately an extreme-entropy encoding, designed not to be subject to interference by an on-path actor such as my firewall. therefore my tools for detecting noncompliance with policy have been limited for me. examples of noncompliance include: 1. misconfigurations which i would once have been able to detect with tcpdump or netflow or PF are now invisible. 2. intruders, supply chain poisoners, and malware that wish to operate without oversight by the local network operator are free to do so. 3. IoT devices that will never be profitable from their manufacture or sale will not require my permission to reach their motherships. the enterprise (MDM) solution you refer to is unavailable to me at home. i don't think a fully viral internet where data paths can be established without the knowledge or consent of the vast majority of network operators and one's only choice is to plug something in or not will be seen as beneficial. i can choose not to use or permit browsers who set their own RDNS policy without first gaining informed consent from the humans around them -- and i have done so. i cannot as easily choose not to have misconfigurations, intruders, poisoned supply chains, malware, or surveillance capitalist IoT devices. therefore i'm asking for a choice i can make, which is to express a policy, so that anything witnessed to not follow that policy ("detected") can be hunted (and possibly killed). > ..., if a device has a configuration that makes it think it > needs a certain privacy stance, and the network wants to enforce an > incompatible policy, the best thing we can do is to make that > conflict easy to identify and understand. The options to resolve > depend on the situation: > > - The device didn’t intend to join a network with those policies, so > it leaves> - This is a device that is in fact owned by the same > entity, or intended to be used in this way on this network, so it > saves some local policy - A user is presented with a choice - …etc i support your described model, except that "enforce an incompatible policy" is not as obvious after RFC 8484, since such enforcement was exactly what it desires to prevent, and this is the only salient difference from RFC 7858 a few years earlier. "to enforce" must now be interpreted as "detect, hunt, and kill". it's not just a firewall setting any more. vixie
- [Add] Fwd: New Version Notification for draft-red… tirumal reddy
- Re: [Add] Fwd: New Version Notification for draft… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… Paul Vixie
- Re: [Add] New Version Notification for draft-redd… Tommy Pauly
- Re: [Add] New Version Notification for draft-redd… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] New Version Notification for draft-redd… Tommy Pauly
- Re: [Add] [EXTERNAL] Re: New Version Notification… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Andrew Campling
- Re: [Add] [EXTERNAL] Re: New Version Notification… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: New Version Notification… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… Eliot Lear
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Victor Kuarsingh
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] New Version Notification for draft-redd… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Bill Woodcock
- Re: [Add] [EXTERNAL] Re: New Version Notification… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… tirumal reddy
- Re: [Add] New Version Notification for draft-redd… tirumal reddy
- Re: [Add] New Version Notification for draft-redd… Ben Schwartz
- Re: [Add] New Version Notification for draft-redd… Vittorio Bertola
- Re: [Add] New Version Notification for draft-redd… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXT] Re: New Version Notification for … Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] [EXTERNAL] Re: New Version Notification… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] New Version Notification for draft-redd… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] New Version Notification for draft-redd… Andrew Campling
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy