IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: New Version Notification for draft-pauly-add-resolver-discovery-01.txt

Mohit Sethi M <mohit.m.sethi@ericsson.com> Fri, 31 July 2020 08:13 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFD833A108E for <add@ietfa.amsl.com>; Fri, 31 Jul 2020 01:13:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jDN-mfSqnlIB for <add@ietfa.amsl.com>; Fri, 31 Jul 2020 01:13:46 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-eopbgr140051.outbound.protection.outlook.com [40.107.14.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3BFF3A1087 for <add@ietf.org>; Fri, 31 Jul 2020 01:13:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gKEbMDGNfHcFhtWyYAnsH46BnzSswHQi35XcZqn8zWByXR1GSDWfZ8zvtvs925UUFngjKCrtwXof30i9X3MHq7bBAgtDsG8kFt3rVt3XhxbwUnvO6txSy2HBXZ7/EB4uUKPZd+fOvPF46j44WkfQ0+kdlwfNiNxEozg7lMIcRtwdo5zaWvYv7rlC/ToUB3IglP4hMKC4eTEHFZFrdW9xvdRoGhhGD+sydGsJ/0meFxOqjFO8uZd/a6xIyw1R14WE4SSZtrc3ic9Yjih1yZOLe/sjsz4zOpI6AtRFRFf4QWSzBR7hXoVeh6Cxl6SqlMDob65SVz5VsYrLaOij/6t/lw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1z3hSWvTnJLQJp4M7YlNMraueXW4fAGh7wS2lAbGhSc=; b=PBn/aQVrzJmXAaHwXpbPgUsOmLlLdSeU1sF3pc7efeeZF3k1lRmwki/V7jNE50lnMW/YlQlwav9Z0mHptGdC4Q1X+f3HDK3G6/yltOzPusvuEKruhUgxZd0liXCA3+UMkUl3x8GACvAlz1fEqGqRnzwTgmCh0P0OaIglceCn0mcY+PYBUwz53L0mCKGFeHp90FO6kja2ZxA1LEFQ3ABp+irY7BIprBxu68FvfvG4Q5nkumiQM/mc/4BpnoqHjvqXB7fQc7ef/qfc9y2Cfpay/E8cKgUHdAuG6mhgjK1Nh25SPiVsI52HLhSQJBADfv0a5SPpoShu/nh4h2OsPnxoVw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1z3hSWvTnJLQJp4M7YlNMraueXW4fAGh7wS2lAbGhSc=; b=jSzZ9LCQOEm7pmgEaF6jH5qhLIIbvg5fWXKvFMePZ1S0NFLgLmrGjlKty7v2H+M94Rvr7W4zgZv4tp2WcOvbTMS3SR9weyRgrTO+SWWQgr08ZMcQGt5QK4bl3E34HbWAkVoSgMKcYt97YjQliCJybyOIKc8czDadHIu56yHHgGM=
Received: from HE1PR07MB3386.eurprd07.prod.outlook.com (2603:10a6:7:2d::25) by HE1PR07MB4155.eurprd07.prod.outlook.com (2603:10a6:7:98::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.9; Fri, 31 Jul 2020 08:13:35 +0000
Received: from HE1PR07MB3386.eurprd07.prod.outlook.com ([fe80::e01c:9809:43db:67d3]) by HE1PR07MB3386.eurprd07.prod.outlook.com ([fe80::e01c:9809:43db:67d3%6]) with mapi id 15.20.3239.020; Fri, 31 Jul 2020 08:13:35 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: tirumal reddy <kondtir@gmail.com>, "Chris Box (BT)" <chris.box.ietf@gmail.com>, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>, Andrew Campling <andrew.campling@419.consulting>, ADD Mailing list <add@ietf.org>, Ted Lemon <mellon@fugue.com>, Rob Sayre <sayrer@gmail.com>, Steffen Nurpmeso <steffen@sdaoden.eu>
Thread-Topic: [Add] [EXTERNAL] Re: New Version Notification for draft-pauly-add-resolver-discovery-01.txt
Thread-Index: AQHWZxJ8SVhzWvLyv0ioNm43LMOPEg==
Date: Fri, 31 Jul 2020 08:13:35 +0000
Message-ID: <0587c41a-2b3d-b453-387a-abb8e867875e@ericsson.com>
References: <3954080.qUnaP1aulD@linux-9daj> <CACJ6M15WSivqf33-UNAORJV9SRWVbYi66CA-rX4=y3A0meOB2g@mail.gmail.com> <CAChr6Sz6uWWniuKpwW2cUV0oCW7HKxCK1cnQxTpr44ksBCiCtA@mail.gmail.com> <6CDFB1BB-9AEB-411B-B338-CCBC1BA54C03@fugue.com> <CAChr6SwvAaLjDUjJfBt-H9=97mLJcM1264p63ZHVoPUfnef1OA@mail.gmail.com> <EB22CB7C-B69C-44E7-AC42-448C32514E23@fugue.com> <CAFpG3gd6yBQqMWV50tMY-Q5y+zHEJ=+b+VCzc4ae2FKArNBogA@mail.gmail.com> <CAChr6Sx6=teqbtHW4+swjc14zjwSJti0b7m7u3LvwN0K0JOU=w@mail.gmail.com> <CAFpG3gfgTjiM0bmru-hKEMLZDw+VVd=KYP+KohwwpwghsUih1g@mail.gmail.com> <CAChr6Sy4+NkzDHBb0AE+gqjFcPA_Yj9hM8i+GzyjsojvoWfwhA@mail.gmail.com> <CAFpG3gf8P61ViKzKqpusthTZf4z+RzQVJUOtOwA5_zJkxWm8Kw@mail.gmail.com> <CACJ6M1529TnShk81S-Wdeqhoo6Mc5medktSB5DYWVhuWAqt0tQ@mail.gmail.com> <CAFpG3gftnqAFtBpqZuNddEKJdB1EDCEPANLKqDex9yZ2ZM0EcQ@mail.gmail.com> <20200730132857.6MGkL%steffen@sdaoden.eu> <CAFpG3gehFJ8muZOFp7RrWA_9tNv43+9zWjA_P8On3c_M_o5SMg@mail.gmail.com>
In-Reply-To: <CAFpG3gehFJ8muZOFp7RrWA_9tNv43+9zWjA_P8On3c_M_o5SMg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:14bb:150:b8c:83de:5051:e943:c8b1]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bc73e879-c8f3-43d6-bb79-08d835299f86
x-ms-traffictypediagnostic: HE1PR07MB4155:
x-microsoft-antispam-prvs: <HE1PR07MB415597726B81DD1AB6B07F3BD04E0@HE1PR07MB4155.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6430;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: aegsvi3RxXP/9JfiWAXapQY7hNPxLZhTYujhuq9RZcp0j/GeOH1yYjRku9OQnRqp7+LUxTKpSgXs5lKPQK4jHeMWCD+Y+HYFhxhWmoz/nDNsyogzhav5138AmeqHu+Tg7rwjF39GWwPyjP75z2Tyw5ol/l6+rpSHNwaifJ38GftWwEqrac0i8zyUnx/C6HqM42CXvV+IeQvBQDB/Tc6hIuqG57cV4rl0PPTBuD6RmNs0sgvY3KrMLzUk55n6qTaR82QZk/JZwJoPCh7kckwhesvwFd+g+KZASDyIFs4QgimDD9oHodqCi3qu4ly2vER7q8gFUquPn0mN00k4AScwTZSBuZEcqwNroHho/c9GJP1o2V+GzG58bAome6vQ213wQyU+52VgQrOV6QF9Fjq2A7OpN9iyyiHe+kA9XLDGwTBUWjg+vnljSQeNnGooRjhYQsZ5BNsWcFDNjO7yt82XNg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3386.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(39860400002)(396003)(346002)(366004)(136003)(15650500001)(316002)(2906002)(110136005)(36756003)(6486002)(6512007)(8936002)(8676002)(53546011)(6506007)(31686004)(186003)(966005)(66946007)(5660300002)(64756008)(76116006)(478600001)(66476007)(66556008)(66574015)(2616005)(66446008)(83380400001)(166002)(71200400001)(31696002)(86362001)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: YDC3WeKAFAOLYf99FhQDifoyB9rAbAZWr0h43WeVf8mlWZSv0SuTvUXwL3oc15geZuGpfZPCOox6vUPy5W7WwwewRv+5EAptn/fHuVl7IsymmDDm7qnpWgPQQC6b7ecNolNR5gKtYWPG9VbigrzUVAwOW+UUNXrSk9XrlOG2Zx/s91jZW6DfBQg1PfJXbuGl9TGZ2t7MMiqkE1xrdm9xqQartE1usxGTB6HsaU4u9d2NawscjJNjAArI5TaktMFb77NYlQD+DMXzAJUkk6c2VcniNUkz8680MhfHtPLBBqU/p1sg8gz33mojrWUWojoBxaCCmfkDsfItX/9L6clXKW8dvHk6s7QryHeGxupWxABkHU72ybgIW/Unw3eLbk+6rwxrEecY4Aa3Y9wE0/stX/G9+ql5ig2OPxDnHXZbFW07nXy2bdd4YBHTT0tVWpb+I5I8G6SPATYkAfqQSZyePvFvlv696PK1sqFo2C86i9uMQ0z8KhEVlqbdHAVwh6h4IoOxx8fnLlMuMsMsoJHaTITzcbdm+/Sw40lGNe8lE1ijIGwdpFu2Dssmy3HwmY9QWto8QBWdDJuTZzKuYUmxtN3/qpeyqIQJvZBm1os0dehFi5Y4JWe+jHotd1TarJlixG1L8ifiMONj+oIDofB4XmnTEJf30YJyRW9VOFd33QaFFZw3CwqQk3voAs3oxtYlKo4t9iJBo+yFnVlfVHNUxA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_0587c41a2b3db453387aabb8e867875eericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB3386.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bc73e879-c8f3-43d6-bb79-08d835299f86
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Jul 2020 08:13:35.8074 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sgW8MwD9HdDqMV7vHIlGvrIkFbGYHYEtX3FHC5Pguv8MTHH49c37xODK2bd6VP1KlFAKG/jNUrN5v3w9Rxk3hTefztpNPoEhKuIy6QmrF1A=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4155
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/J_1EAW1ZpFYL6QGyDuL-jHb3f1A>
Subject: Re: [Add] [EXTERNAL] Re: New Version Notification for draft-pauly-add-resolver-discovery-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 08:13:49 -0000

Hi Tiru,

https://tools.ietf.org/html/draft-sarikaya-t2trg-sbootstrapping-08 isn't adopted by T2TRG yet. Of course (as an author) it would be nice. It probably requires a couple of iterations and reviews before it can be considered for adoption.

I would also add EAP-NOOB to the list (https://tools.ietf.org/html/draft-ietf-emu-eap-noob-01).

--Mohit

On 7/31/20 9:20 AM, tirumal reddy wrote:
On Thu, 30 Jul 2020 at 13:28, Steffen Nurpmeso <steffen@sdaoden.eu<mailto:steffen@sdaoden.eu>> wrote:
tirumal reddy wrote in
 <CAFpG3gftnqAFtBpqZuNddEKJdB1EDCEPANLKqDex9yZ2ZM0EcQ@mail.gmail.com<mailto:CAFpG3gftnqAFtBpqZuNddEKJdB1EDCEPANLKqDex9yZ2ZM0EcQ@mail.gmail.com>>:
 |Hi Chris,
 |
 |Good points, please see inline
 |
 |On Thu, 30 Jul 2020 at 06:00, Chris Box (BT) <chris.box.ietf@gmail.com<mailto:chris.box.ietf@gmail.com>>
 |wrote:
 |
 |> Rob you appear to be saying you don’t need such features to secure a home
 |> network, but I would certainly appreciate having Tiru’s (a) to (e) \
 |> deployed
 |> in my house. I don’t want the smart TV equipped with microphone and \
 |> webcam
 |> to be remotely compromised, nor any other device. Without such
 |> network-level control, enabled by standards, my only defence is to
 |> physically unplug the TV from the network when not in use.
 |>
 |
 |> Following Eva’s talk in HRPC, I’ll put myself in the shoes of a dissident
 |> in a hostile regime. In such a case I would feel even greater need \
 |> for such
 |> security. Of course I would choose my security supplier carefully, \
 |> and not
 |> one aligned to the regime. I then need one or two devices that route
 |> through Tor.
 |>
 |> I fully agree the challenge is to distinguish legitimate network signals
 |> from those of an attacker. Robustly identifying who they came from is
 |> non-trivial, but hopefully not impossible?
 |>
 |
 |Yes, identifying the trustworthiness of the peer is discussed in RATS WG
 |(see https://datatracker.ietf.org/wg/rats/about/). Remote attestation
 |procedures (RATS) enable relying parties to establish a level of confidence
 |in the trustworthiness of remote system components through the creation of
 |attestation evidence by remote system components and a processing
 |chain towards the relying party. A relying party can then decide whether
 |to consider a remote system component trustworthy or not.
 |
 |The claims used as evidence and attestation for DNS server is discussed in
 |https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-04.

I personally do not get what yet another line of authorities
transported via JSON encoded structures fetched via another DNS
record that just exposes that JSON structure gives the world anew.

RATS allows the attestation to be represented in JSON or CBOR (see https://tools.ietf.org/html/draft-ietf-rats-eat-03#section-1.1).  The PAT object is retrieved using RESINFO RRtype (https://tools.ietf.org/html/draft-pp-add-resinfo-01) and it uses JSON to return the resolver information.


Indirection may make everything possible, but, i mean, to me the
key point of RFC 8572 for example is the

  3.3 Ownership Voucher
  [this] artifact is used to securely identify a device's owner,
  as it is known to the manufacturer.  The ownership voucher is
  signed by the device's manufacturer.

_If_ i can find my way home i can securely update myself, where
securely means manufacturer here.  Great that standard CMS is
used.

https://tools.ietf.org/html/rfc8572 is specific to zero-touch provisioning of networking devices and IoT devices in Enterprise networks. The owner certificate can be used to validate the PAT signature (see the last paragraph https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-04#section-10).



  Even if DNSSEC [RFC6698] is used to authenticate the various DNS
  resource records [.] the device cannot be sure that the domain
  returned to it, e.g., from a DHCP server, belongs to its
  rightful owner.

It then refers back to RFC 6763, DNS-based service discovery.
Which has really nice, easy to parse content, and does not use
JSON only to represent key/value pairs.  (Why not a fixed CBOR
thing instead, they are talking maps at the moment, for example.
And can easily be converted back and forth to JSON while still
being parsed directly, as it is binary.)  What is so wrong with
this service discovery thing, i think it could very well serve
additional things.  But especially so if another registry is
introduced for the concept.  RFC 8572 also says

  Using a DHCP server may be a compelling option for deployments
  having existing DHCP infrastructure, as it enables a touchless
  bootstrapping option that does not entail utilizing an
  Internet-based resource hosted by a third party.

  A DHCP server is an untrusted source of bootstrapping data.
  Thus, the information stored on the DHCP server either MUST be
  signed or MUST be information that can be processed
  provisionally (e.g., unsigned redirect information).

I do not know (people can agree here), but if that could improve.
Also being x-rayed yesterday (untreated bike accident last
November) my pictures are now at healthdataspace.org<http://healthdataspace.org> even without
me agreeing with that, they have a German data security seal of
approval, but then it is just a QR-code and/or an access code
(alphanumeric and length of 10 or 12, iirc).

It is not an option for a light bulb, but that thing surely
belongs behind a household router, and easy usable routers with
why not ample-style use cases would be great, imho.  With a short
fingerprint printed on a device that shows up on that router, just
like for Bluetooth pairing.  I could imagine people could get used
to that.  (Especially with some kind of those terrible apps on
their smart phones which are linked to the "router" of the
household, then, so they get informed of that event.  I think DHCP
even allows ident strings to be emitted from DHCP client to
server.)

There are several mechanisms to securely bootstrap IoT devices, you may want to look into the recently adopted draft https://tools.ietf.org/html/draft-sarikaya-t2trg-sbootstrapping-08 by T2TRG and
within the scope of IETF is BRSKI and SZTP.

Cheers,
-Tiru

Sorry, i do not seem to understand.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

v2.23.0 | Report a Bug | By Email