IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

Neil Cook <neil.cook@open-xchange.com> Wed, 17 July 2019 15:38 UTC

Return-Path: <neil.cook@open-xchange.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2449120105 for <add@ietfa.amsl.com>; Wed, 17 Jul 2019 08:38:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.298
X-Spam-Level:
X-Spam-Status: No, score=-4.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RWrHeXTwlDPg for <add@ietfa.amsl.com>; Wed, 17 Jul 2019 08:38:51 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B73B12008A for <add@ietf.org>; Wed, 17 Jul 2019 08:38:51 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id E8C886A3B4; Wed, 17 Jul 2019 17:38:48 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1563377928; bh=qaIsKN3aocgVJiVTTwpFkywsg10NwBvFDa0cAdG+qe4=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=vIRElPLbz+vj/t8kNPJrHZ+z9xyzedguojsk+EgjWrUZgxJ+bcao/JaLk4gY48V9S RXXBb9ldhPol5wTMf42JV4IIPnPHOJaInqH6bDOPxyqRslDbraLO4a17uiPklkJwWJ 1DoJ213vlYC+F4F4O/8gXh6KRk/SEsgLiNxDRgwYMxYxfVnBjq7dKyIrcqtFirs2rr Q+R94xjMn6PQtElrEBGCwBN5imB9iDT1HrRUQpiUit0aOUiR67biUodXfentAg6cCd NVdyEPcYk7NhdRH5q95QUEUjYxGtcHw3wYCIP6t07qvIwYU/FgWqGdVyC6Y6CTpGuJ Qkf3FP8E9Gvuw==
Received: from [10.242.2.29] (unknown [10.242.2.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 4BAFC3C0101; Wed, 17 Jul 2019 17:38:48 +0200 (CEST)
From: Neil Cook <neil.cook@open-xchange.com>
Message-Id: <ABBFB472-DC7C-48E2-999E-C364BFD3260E@open-xchange.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B06E432F-C5A5-4491-8708-014353C1D1C3"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 17 Jul 2019 16:38:46 +0100
In-Reply-To: <CA+9kkMAdGF_U-syxtFVz-MfBfv-GF_CFouvuUhqcSH96-=Hkjg@mail.gmail.com>
Cc: Vittorio Bertola <vittorio.bertola@open-xchange.com>, add@ietf.org, Rob Sayre <sayrer@gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <CAFWeb9LNdT=EYVKTsYDxcBCQKoQFNShKotYtWujt4U9GA-V1mg@mail.gmail.com> <CAFWeb9+eWKSKY9O2JLn9-0+Zq7hrD48F-y+Y4T-iRaaF0vtdOA@mail.gmail.com> <A45F4F74-D6C1-435A-A52F-C2DEA82E2999@sky.uk> <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com> <CABcZeBMY9q9vKGse1svzbvXF_dSHA+9q06j4ugDVCZP9VT1koQ@mail.gmail.com> <CAChr6Sz5Rfz=UxOYuPguSvVK2HCX2ZoA1-FytW7+EOUxN8y46Q@mail.gmail.com> <CABcZeBNB7ASu2U3ZMBZ+OOxEhbSnhDXwFN3Lsex1uzVSDv3R=Q@mail.gmail.com> <CAChr6SwEwRRX7BA6ZCeBuC93hFxbfi3d7G_3G3VA7Lm09yuneg@mail.gmail.com> <CABcZeBNa97Vb6Fw-fMhoZnMezGtm3nJODENN4=XXsz7GWxf2Cg@mail.gmail.com> <CAChr6Sxm__NroZ92v4HL_6iCa62fwYgNw9r8ZDAxCdzVwNoDGw@mail.gmail.com> <20190716190219.5DEF4156CDF0@fafnir.remote.dragon.net> <CAChr6SzSkVU5xbh0sZCCEgd7BUdr-dMorNq=5iMkWp66k8PVow@mail.gmail.com> <15205609-8203-4C6F-9DE7-14D492873C51@rfc1035.com> <CAChr6Syf_=3__jcv6D7b1JokGFYpFuy9y9419V0nCAx=MMh24A@mail.gmail.com> <1513817825.9983.1563350802523@appsuite-gw1.open-xchange.com> <CA+9kkMAdGF_U-syxtFVz-MfBfv-GF_CFouvuUhqcSH96-=Hkjg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/NdWXXvZdNzSf2H5zY2wUFqU0vh4>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 15:38:55 -0000

Hi Ted,

> But, and this is the crux of the matter, that integration requires the cooperation of the endpoint or its control by an organization's system administrators.  If you do not have their cooperation or the right to manage them by tools like those Eric mentions, it is difficult for the endpoint to distinguish a network-level interception by a mandated policy engine and by an attacker.  
> 
> Rather than falling back to the state where the endpoint simple accepts that its traffic is visible to all and possibly intercepted, this new work is an effort to make it easier for you to gain the cooperation required.  I hope you can see that this is in both the interest of policy enforcement bodies and the end users.

So I use DNS filtering in my own house (along with millions of other people as already stated on this thread), provided by my network operator (but it doesn’t have to be - I used to use OpenDNS for example, and I have the capability to run my own resolver if I so desired). I have malware filtering as well as parental controls enabled. I am the de-facto network administrator in my house,  but I don’t have the tools or software that enterprises use so I won’t benefit from the work being done to help enterprises control this. I also have other people coming into my house and using my network, and I also like to control what they can access when they are in my home. All of this works very well for me today. It doesn’t work for me when applications/endpoints start deciding that my network is an attacker because it does filtering, and bypassing that filtering "in the interest of end-users".

> I hope you can see that this is in both the interest of policy enforcement bodies and the end users.

I’d like to ask, ask an end-user, how is this in my interests?

Neil

> On 17 Jul 2019, at 16:25, Ted Hardie <ted.ietf@gmail.com> wrote:
> 
> Hi Vittorio,
> 
> On Wed, Jul 17, 2019 at 1:06 AM Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org <mailto:40open-xchange.com@dmarc.ietf.org>> wrote:
> 
>> Il 17 luglio 2019 07:01 Rob Sayre <sayrer@gmail.com <mailto:sayrer@gmail.com>> ha scritto:
>> 
>> 
>> On Tue, Jul 16, 2019 at 12:30 PM Jim Reid < jim@rfc1035.com <mailto:jim@rfc1035.com>> wrote: 
>> 
>> Whether or not these tools/services work well is another issue entirely. And IMO not something to discuss at the IETF. 
>> 
>> Hi Jim, 
>> 
>> I thought about this email a lot today. 
>> 
>> I think the problem with its sentiment is that whether or not tools/services work on the Internet might be fairly called "engineering", and this is the Internet Engineering Task Force, right?
> But if you have tools that work well enough that millions of people rely on them and that they are encouraged or even mandated in many countries, and you decide to develop and implement technologies to prevent them from working
> 
> The IETF builds building blocks that meet specific needs.  In building DNS over TLS, DNS over DTLS, and DNS over HTTPS, it was adding the protocol functionality to make DNS queries confidential from inspection by network observers.  The energy for that work was the reaction to pervasive surveillance, but it is clear that other attackers had been gathering data for some time.  The IETF was not building these protocols to stop the use of the DNS as a policy enforcement mechanism and it is entirely possible to integrate them into a system which does this by offering the policy enforcing resolver over one of these confidential protocols.  
> 
> But, and this is the crux of the matter, that integration requires the cooperation of the endpoint or its control by an organization's system administrators.  If you do not have their cooperation or the right to manage them by tools like those Eric mentions, it is difficult for the endpoint to distinguish a network-level interception by a mandated policy engine and by an attacker.  
> 
> Rather than falling back to the state where the endpoint simple accepts that its traffic is visible to all and possibly intercepted, this new work is an effort to make it easier for you to gain the cooperation required.  I hope you can see that this is in both the interest of policy enforcement bodies and the end users.
> 
> best regards,
> 
> Ted
> 
> 
> -- 
> Add mailing list
> Add@ietf.org <mailto:Add@ietf.org>
> https://www.ietf.org/mailman/listinfo/add <https://www.ietf.org/mailman/listinfo/add>

Neil Cook
neil.cook@open-xchange.com

-------------------------------------------------------------------------------------
Open-Xchange AG, Rollnerstr. 14, 90408 Nuremberg, District Court Nuremberg HRB 24738
Managing Board: Rafael Laguna de la Vera, Carsten Dirks, Michael Knapstein, Stephan Martin 
Chairman of the Board: Richard Seibt

European Office: 
Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718 
Managing Director: Frank Hoberg

US Office: 
Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA 
-------------------------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email