IETF Logo Mail Archive

Re: [Add] Draft "ABCD" WG Charter

Tommy Pauly <tpauly@apple.com> Mon, 23 December 2019 16:30 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 904DC12098A for <add@ietfa.amsl.com>; Mon, 23 Dec 2019 08:30:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zNGRNHqkRH8q for <add@ietfa.amsl.com>; Mon, 23 Dec 2019 08:30:57 -0800 (PST)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E72AE12098E for <add@ietf.org>; Mon, 23 Dec 2019 08:30:56 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.27/8.16.0.27) with SMTP id xBNGMCih001159; Mon, 23 Dec 2019 08:30:45 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=aibbQtgxWdaBjXwmfCu/y3AIB5QasRlF78jsLhq+1eE=; b=nm8wooxqlsjpGv9UDvUg9yWpzTuWL/m5D11H2QOgNyzbuhuNDtrfQ0GuiNCB3rc7IVlv cEmJ/g9bZRK4N60KAWEKGLgAGcxpTPFSZC3WCFMHqgjgWOiN9ZtJjLzNrMOz1Kekn0lV bTdyXuzPcRYbT4MOBgH1sFsFlhn6tvHS6ck3oI/P9P2gu7EA4NYZzgB8P5ZebJbEwbbw mFadaHSBEK0af2BalEXzuyZWFwoimWWfMzOYbLsWZn4T5GDVHYMb38hiCVayGnylP4hn dSFoG0D1k4NMo1tebCJi8/igkXW7RwmPok/VGxpz0oduZzJFCUG/I5Vl3yvQVXJFwr9i bg==
Received: from ma1-mtap-s01.corp.apple.com (ma1-mtap-s01.corp.apple.com [17.40.76.5]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 2x1k8y736k-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 23 Dec 2019 08:30:45 -0800
Received: from nwk-mmpp-sz12.apple.com (nwk-mmpp-sz12.apple.com [17.128.115.204]) by ma1-mtap-s01.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0Q2Z00JI24J8QG30@ma1-mtap-s01.corp.apple.com>; Mon, 23 Dec 2019 08:30:45 -0800 (PST)
Received: from process_milters-daemon.nwk-mmpp-sz12.apple.com by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0Q2Z008004I5F900@nwk-mmpp-sz12.apple.com>; Mon, 23 Dec 2019 08:30:44 -0800 (PST)
X-Va-A:
X-Va-T-CD: b885964abc53914bb4dc9f6410fd4b52
X-Va-E-CD: ba16466e1dc1051acc73ae86f79e134b
X-Va-R-CD: 3e4c0cc65ca4c974f92734817aa7470f
X-Va-CD: 0
X-Va-ID: b8b8b2a4-fd10-4383-b8e0-cf7f9ba2fe5d
X-V-A:
X-V-T-CD: b885964abc53914bb4dc9f6410fd4b52
X-V-E-CD: ba16466e1dc1051acc73ae86f79e134b
X-V-R-CD: 3e4c0cc65ca4c974f92734817aa7470f
X-V-CD: 0
X-V-ID: 2ca844bf-75fa-4df6-a9df-219441293a3b
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-12-23_07:,, signatures=0
Received: from [17.234.8.9] by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0Q2Z0029T4J6BJ00@nwk-mmpp-sz12.apple.com>; Mon, 23 Dec 2019 08:30:43 -0800 (PST)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <92EF155B-52D1-4BCB-B035-F98C6190C4E9@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_C0990C95-BFD0-4587-B7F3-091A864E6165"
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.17\))
Date: Mon, 23 Dec 2019 08:30:39 -0800
In-reply-to: <80e0c557-99af-57f6-8eab-eff973137fb5@cs.tcd.ie>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, "add@ietf.org" <add@ietf.org>, Andrew Campling <andrew.campling@419.consulting>, Alissa Cooper <alissa@cooperw.in>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <LO2P265MB0573A6E93A79F178666947A3C25B0@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <848A030E-3E15-4951-9F18-E496DE3C140C@cooperw.in> <5B01A964-5CFF-4389-BFA2-9B9452B59A54@apple.com> <80e0c557-99af-57f6-8eab-eff973137fb5@cs.tcd.ie>
X-Mailer: Apple Mail (2.3594.4.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-12-23_07:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/D9fgk9qZlyht3iUxSw1lmJOVbBU>
Subject: Re: [Add] Draft "ABCD" WG Charter
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Dec 2019 16:30:59 -0000

Hi Stephen,

Thanks for the comments! Responses inline.

Best,
Tommy

> On Dec 20, 2019, at 4:42 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hiya,
> 
> I'm supportive of progressing [1], but I'm not sure if a
> WG as envisaged by this is the right vehicle for doing
> that. (It may be, I'm honestly not sure.)
> 
> If this text were to be the starting point for a WG
> charter then I have some comments below. I think some of
> those would really need to be fixed or a WG could end up
> ratholing in a couple of ways.
> 
> Cheers,
> S.
> 
> [1]
> https://datatracker.ietf.org/doc/draft-pauly-dprive-adaptive-dns-privacy/ <https://datatracker.ietf.org/doc/draft-pauly-dprive-adaptive-dns-privacy/>
> 
> On 20/12/2019 00:13, Tommy Pauly wrote:
>> Hello ADD,
>> 
>> I wanted to share a charter proposal for the ADD/ABCD work to get 
>> this discussion underway. Based on the discussion at the BoF in 
>> Singapore, there was a desire to have more clearly scoped 
>> deliverables. We had presented our draft on Adaptive DNS Privacy, 
>> which described a few mechanisms that help clients discover and 
>> interact with local networks. Several people indicated at the mic 
>> that they would be interested in seeing a version of a charter based
>> around the mechanisms we had presented.
>> 
>> Note that this is just one direction we can take, and I expect that 
>> the authors of the original charter will share another revision soon
>> as well. Hopefully, this provides a useful input for the
>> discussion!
>> 
>> Any comments or thoughts are welcome.
>> 
>> Best, Tommy
>> 
>> 
>> 
>> Adaptive DNS Discovery (ADD) ==================================== 
>> Proposed Working Group Charter
>> 
>> Sending DNS messages over encrypted transports, as defined in DNS 
>> over TLS (DoT) [RFC 7858] and DNS over HTTPS (DoH) [RFC 8484], 
>> provides benefits to the security and privacy of DNS data. Clients, 
>> such as applications and host operating systems, have started 
>> adopting these protocols to provide these user benefits. Depending on
>> the situation and use case, this can involve selecting a DNS server
>> other than one provisioned by a local network.
>> 
>> Clients that want to adopt encrypted DNS protocols need to determine 
>> which DNS servers support encrypted transports,
> 
> That bit seems wrong in two ways. The first is easy;-)
> 
> - DNS servers can be authoritatives, I don't think you
> want to include that discovery problem in scope as it's
> being tackled in dprive already. (The same issue crops up
> elsewhere, so an editing pass to clarify that you're only
> talking about stub/recursive interactions would be good,
> assuming that's the case.)
> 
> - A client does not "need to determine" the set of all DNS
> recursives on the Internet that support DoH/DoT etc. I
> think getting this bit right is tricky though, as it goes
> to the heart of what discovery problem the putative WG is
> to address. (I was trying to come up with suggested text
> that's better, but none of the options I came up with
> really worked, sorry;-)

Right, I agree with your clarifications here. Clients certainly don't need to discover *all*
resolvers that support encrypted transports. Rather, they need to discover which among
the resolvers they normally deal with support encryption; as well as any other external
resolvers that may be appropriate if the client wants to use an encrypted transport.

In some ways, it's similar to marking ALT-SVC for moving TLS/TCP connections to QUIC:
there needs to be a way to indicate, "this resolver may not support the protocol you want,
but you can get that service at this other resolver".

> 
>> and which server to use in which context if multiple servers are 
>> available. These decisions can vary based on the network
>> environment, and also based on the content and purpose of the client
>> queries.
> 
> I don't think the decisions vary. It's the right answers
> that vary.

Indeed. A good fix.

> 
> 
>> For instance, the use of DNS servers associated with a particular 
>> content or domain when accessing that content or domain may be 
>> beneficial from a privacy perspective.
>> 
>> Network operators that start offering DNS encryption on their
>> servers need a way to indicate this support to clients.
> 
> Why say "start" there? Do you envisage something different
> happening when DoT/DoH is first turned on?

No, we can remove "start". That was just indicating that this is a relatively
new development without a lot of deployment experience yet.

> 
>> Beyond support for encrypted DNS, local networks may also have
>> policy about the use of DNS to non-local DNS servers. Communicating
>> such network policy to clients would allow clients to make more
>> informed decisions about which DNS servers to use.
> 
> "Communicating such network policy" is such a potential can
> of worms (with a history of failure!) that I think it'd be
> way better to leave this out *or* to be much more specific
> about how this is limited and what it's for.

I think we can clarify this. I can imagine something similar to how we
are working on specifying the captive portal behavior, which is a similarly
complicated effort, but one where we can hopefully add value.

> 
>> 
>> The Adaptive DNS Discovery (ADD) working group will define mechanisms
>> and protocols to:
>> 
>> - allow clients to discover encrypted DNS resolvers, such as DoH 
>> servers, that are available publicly or on local networks;
> 
> Why call out DoH like that? If there's no reason then I'd
> leave it out.

I called it out here to ensure that any mechanism was sufficient to support discovering
the DoH URI (which requires a bit more than what you need for DoT, etc).

> 
>> 
>> - allow network providers to communicate DNS policy to clients, 
>> including information about locally-accessible names;
> 
> See above - "communicate DNS policy" is a potential giant
> rathole. If it were limited to describing the scope of
> locally-resolved names then that might well be useful and
> make sense. (But would that not be more of a dnsop spec I
> wonder?)

Agreed that clarifying the scope here would help. At first pass, I would see this include:
- Locally managed names/zones
- If this network allows external access at all (for captive/walled-garden networks)

> 
>> 
>> - inform clients about how to select appropriate encrypted and 
>> unencrypted resolvers for DNS queries in various network
>> environments and use cases.
> 
> I don't know what that means. If the client has code for
> picking between recursives then it knows "how to select"
> already. Unless you're sending down JS or something then
> a server can provide input only.

I think this ought to be more about specifying the client behavior algorithm for managing
its split-DNS environment of local and external resolvers.

> 
>> 
>> The mechanisms defined by this working group will consider several 
>> deployment scenarios, including public networks, home and mobile 
>> networks, enterprise networks, captive networks, and school 
>> networks.
> 
> I don't think it's our business to develop protocols to
> support the censorship common in some countries' school
> (or prison) networks. I do understand that's a real problem
> but I don't think we have consensus that it's the IETF's
> problem. I'd say best to just omit that.

While we can certainly leave "school networks" off of the charter text,
and we don't need to explicitly provide mechanisms for that case, defining
graceful behavior for networks that may aggressively block any connections
that looks like encrypted DNS might need to be considered.

> 
>> 
>> Any mechanisms that specify interactions between clients and servers
>> must provide the security properties expected of IETF protocols, 
>> e.g., confidentiality protection, integrity protection, and 
>> authentication with strong work factor.
> 
> So no DHCP then?
> 
> I'm also unsure what you mean by confidentiality here - to
> do discovery we have to expose information or we end up in
> a loop. That's probably just a wording thing though?

This was mainly lifted from some boiler-plate security text for charters, so happy to
see it modified. =)
> 
>> 
>> This working group will coordinate with dnsop, doh, and dprive for 
>> any changes required in DNS protocols. It will also work with capport
>> to ensure that solutions are applicable to captive networks.
>> 
>> The starting point for the group's work is Adaptive DNS 
>> (draft-pauly-dprive-adaptive-dns-privacy), subject to the working 
>> group's design choices.
> 
> I do like that draft. But I think it's complex enough that
> it ought be progressed as an experimental RFC. That's not a
> huge deal but I do think it's appropriate in this case.
> There are so many moving parts that may change during the
> development of the RFC, and after people start deploying,
> that I think experimental is the right category and sends
> the right signal.

Sure, that's fine! With regards to how it fits into these efforts, I can certainly
see it being broken up into multiple documents with individual mechanisms
that progress as we have experience deploying things.
> 
> Cheers,
> S.
> 
>> 
>> 
>>> On Dec 19, 2019, at 6:30 AM, Alissa Cooper <alissa@cooperw.in <mailto:alissa@cooperw.in>> 
>>> wrote:
>>> 
>>> There are charter-drafting efforts underway so I suspect updates 
>>> will be sent to the list shortly.
>>> 
>>> Best, Alissa
>>> 
>>> 
>>>> On Dec 10, 2019, at 5:02 PM, Andrew Campling 
>>>> <andrew.campling@419.consulting <mailto:andrew.campling@419.consulting> 
>>>> <mailto:andrew.campling@419.consulting <mailto:andrew.campling@419.consulting>>> wrote:
>>>> 
>>>> Message to ADs Any update on the draft WG Charter?  We seemed to
>>>> get to consensus in the BoF that a WG was needed, just timed out
>>>> on getting to agreement on the content.  It would be good to get
>>>> the draft charter out to the list for comment so this can be 
>>>> finalised and the group up and running well in advance of IETF 
>>>> 107 if possible.
>>>> 
>>>> Andrew
>>>> 
>>>> 
>>>> Regards
>>>> 
>>>> Andrew Campling  MBA  MSc  DipM  FRSA  MCIM  MIoD  Liveryman 
>>>> Director | 419 Consulting Ltd | Tel: +44 (0) 7710 303010 | E: 
>>>> Andrew.Campling@419.Consulting <mailto:Andrew.Campling@419.Consulting> <mailto:Andrew.Campling@BT.Com <mailto:Andrew.Campling@BT.Com>>| 
>>>> t: @Andrew_Campling
>>>> 
>>>> This email contains information from 419 Consulting Ltd that 
>>>> might be privileged or confidential. And it's only meant for the
>>>> person above. If that's not you, we're sorry - we must have sent
>>>> it to you by mistake. Please email us to let us know, and don't
>>>> copy or forward it to anyone else. Thanks.
>>>> 
>>>> We monitor our email systems and may record all our emails. 419 
>>>> Consulting Ltd Registered in England: No 11944258
>>>> 
>>>> <Picture (Device Independent Bitmap) 1.jpg>
>>>> 
>>>> 
>>>> 
>>>> -- Add mailing list Add@ietf.org <mailto:Add@ietf.org> <mailto:Add@ietf.org <mailto:Add@ietf.org>> 
>>>> https://www.ietf.org/mailman/listinfo/add <https://www.ietf.org/mailman/listinfo/add> 
>>>> <https://www.ietf.org/mailman/listinfo/add <https://www.ietf.org/mailman/listinfo/add>>
>>> -- Add mailing list Add@ietf.org <mailto:Add@ietf.org> 
>>> https://www.ietf.org/mailman/listinfo/add <https://www.ietf.org/mailman/listinfo/add>
>> 
>> 
>> 
> <0x5AB2FAF17B172BEA.asc>-- 
> Add mailing list
> Add@ietf.org <mailto:Add@ietf.org>
> https://www.ietf.org/mailman/listinfo/add <https://www.ietf.org/mailman/listinfo/add>

v2.23.0 | Report a Bug | By Email