IETF Logo Mail Archive

Re: [Add] Paul Wouters' Discuss on draft-ietf-add-dnr-11: (with DISCUSS)

Eliot Lear <lear@lear.ch> Fri, 15 July 2022 10:00 UTC

Return-Path: <lear@lear.ch>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE9F0C159496; Fri, 15 Jul 2022 03:00:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.896
X-Spam-Level:
X-Spam-Status: No, score=-0.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UsSMIQOQ3Nrr; Fri, 15 Jul 2022 03:00:39 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DB92C1527AF; Fri, 15 Jul 2022 03:00:36 -0700 (PDT)
Received: from [IPV6:2001:bb6:40d1:2558:d1c0:31c6:2070:b8fb] ([IPv6:2001:bb6:40d1:2558:d1c0:31c6:2070:b8fb]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 26FA0Rvu012410 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Fri, 15 Jul 2022 12:00:28 +0200
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1657879229; bh=EX670jcL8TzzT1swxkqcy/4DKCiHPyDoLT7XUJylp98=; h=Date:To:Cc:References:From:Subject:In-Reply-To:From; b=j4w6ICC4z73qT/12ewE/oiE73SezqU8omxrPIxQ1EDlWKVqCzsk+Ucfea5RAL4tc2 /JW2w+H639S8GVSvbJxFaL1OVdPlsXy2FeXYIO2ipDekLiPnkHxEbzgurDPF331PHg 9tenFe9WTJDEMrEEe4OlUGkHXkJisfEgmPLQYfVM=
Message-ID: <00cd169e-8c68-f754-5d0b-8c038d93372d@lear.ch>
Date: Fri, 15 Jul 2022 11:00:17 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: tirumal reddy <kondtir@gmail.com>, Paul Wouters <paul.wouters@aiven.io>
Cc: The IESG <iesg@ietf.org>, draft-ietf-add-dnr@ietf.org, add-chairs@ietf.org, add@ietf.org, Andrew.Campling@419.consulting
References: <165774161599.52839.7342794318640205540@ietfa.amsl.com> <CAFpG3gc=Mpys9D3s8Eze=FUGXUbxHiHEzrQLnVDFST3HEQBYYg@mail.gmail.com>
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <CAFpG3gc=Mpys9D3s8Eze=FUGXUbxHiHEzrQLnVDFST3HEQBYYg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------5mqRZupFWE00mlwWOnsQ09Rp"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/ERH9ovQ69zn8KMTgT3e6VX-JQbY>
Subject: Re: [Add] Paul Wouters' Discuss on draft-ietf-add-dnr-11: (with DISCUSS)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2022 10:00:44 -0000

Hi,

I have one procedural point and several comments below.

My procedural point is that it is not appropriate to preface DISCUSS 
with a treatise about the very nature of the working group and protocol, 
especially when the IESG member could have contributed to that 
discussion as an individual, both during chartering and throughout the 
progression of the work, including at either WGLC or IETF LC.  It is not 
as though this work received no attention from the community, or wasn't 
hashed out in great detail by the working group.  The ADD group is 
trying to lay out some improvements on the current state of affairs, not 
what one AD personally believes Utopia is Utopia.  One can certainly 
outline such beliefs, and I'm sure the ISE would seriously consider 
publishing them (knowing him as well as I do ;-).

Tiru has answered most of your specific issues, which I think are 
appropriate.

Several points below:


>
>     ###
>
>     Encrypted DNS servers need a public FQDN because otherwise you
>     cannot get
>     a certificate for all connecting clients that are not provisioned
>     with a
>     private/enterprise CA. How do home users run their own without
>     having a
>     public domain? And how do I authenticate the encrypted DNS on 10.1.1.1
>     that has no FQDN? (and really, has no verifiable identity at all).
>
>
> The FQDN can be provisioned by the ISP managing the CPE or the 
> security service vendor offering network security service can 
> provision the CPE with a real FQDN (please see section 4 in 
> https://datatracker.ietf.org/doc/html/draft-boucadair-add-deployment-considerations-00 for 
> more details).


If this is a security consideration and you are proposing a remediation, 
then it should be listed as such with a reference to the draft you 
mention.  It is fair game for people to argue whether the remediation 
would be effective.


>  [...]
>
>     One possible method might
>     be to bind it to the ESSID. eg if the ESSID is wifi.nohats.ca
>     <http://wifi.nohats.ca>. one could only allow
>     authentication-domain-name to be a name within nohats.ca
>     <http://nohats.ca>. Some method of reducing the
>     scope of this attack is needed I believe.
>

That's an interesting speculation that it seems to me is worth fleshing 
out in a draft of its own, and possibly liaising to the 802.11 and Wifi 
Alliance folk.  It requires an analysis of the binding of names in 
ESSIDs to domain names, and associated security considerations.  Color 
me skeptical until that work is done.

[...]

>
>     ###
>
>     Multihoming is declared out of scope, but realistically most
>     devices we are
>     talking about here are phones, and those are all multihomed. So I
>     feel pretty
>     strongly that it should not be left out of scope.
>
Let's be specific.  Phones may for a brief time make simultaneous use of 
their cellular and Wifi radios so that handoffs work correctly.  This 
could lead to an inconsistency if two resolvers are returning different 
results.  There may also be different levels of trust between different 
name servers.  Both of these issues lead to policy matters in clients, 
not something I see as relevant to standards.

I don't know of situations where devices are testing different Wifi 
networks on the same radio, and the chipsets I work with don't support 
that.  A second Wifi radio would do the job, but I also don't know of 
phones that have such second radios.  Perhaps you have a reference?

Eliot

v2.23.0 | Report a Bug | By Email