[Add] Relaxed validation and delegated IPv6 prefixes (Was: New Version Notification for draft-schwartz-add-ddr-forwarders-00.txt)

"STARK, BARBARA H" <bs7652@att.com> Thu, 07 October 2021 20:48 UTC

From: "STARK, BARBARA H" <bs7652@att.com>
To: 'Ben Schwartz' <bemasc=40google.com@dmarc.ietf.org>
CC: 'ADD Mailing list' <add@ietf.org>
Date: Thu, 07 Oct 2021 20:48:40 +0000
Message-ID: <DM6PR02MB6924A3C8D43C001C78994B01C3B19@DM6PR02MB6924.namprd02.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/OUryQAjz_NivMNdGPkdoSldBBJo>

Hi Ben,
Thanks for the draft updates. I think they're an improvement.
I just wanted to explore the topic of IPv6 delegated prefixes a little more. Comments in-line with <bhs>, with just the relevant parts of the previous email. Apologies upfront for my stream-of-consciousness expressions.
Thx,
Barbara

Note that an IPv4 subnet and IPv6 on-link prefix could be comprised of globally routable addresses - so not necessarily "non-public" as some people might understand that word.
But since we're all trying to head for IPv6, I think it's good to recognize that the IPv6 address being advertised for DNS proxies tends to be from the delegated prefix and not ULAs. And it might be good if we could support this case.

This document is focused on the case where the DNS server is only known by a private IP address.  In this case "opportunistic security" is the best we can do, because cryptographic identity validation is not possible.  This draft is about exploring subtleties within the space of opportunistic security.

If the DNS forwarder is identified by a public address (IPv4 or IPv6), then it could get a TLS certificate for that IP address.  A client policy that doesn't require authentication in this case, even though authentication is possible, would be a much bigger departure from baseline DDR.  I would prefer not to describe that behavior in this draft.

<bhs> When you say "[the DNS forwarder] could get a TLS certificate for that IP address", are you saying it would be possible for a gateway to get a PKI CA-signed certificate every time it gets delegated an IPv6 prefix (and subsequent renewal)? Would this certificate need to have an expiry (valid date) consistent with the DHCPv6 IA_PD expiry (24 hours to a week)? AFAIK, the process for getting such a certificate doesn't exist (yet?). Is there some CA that offers such a thing? But, even if it did, this would require an upgrade to the gateway to somehow request and receive this certificate from the CA (with every lease renewal). I don't think we'd want a system where the CA couldn't verify that the gateway it was providing the certificate to was in possession of the IPv6 address. And this is all to support upgrade over gateways that aren't being updated. So a certificate is probably unrealistic? So if a client is provided a private IPv4 DNS server address and a public (GUA) IPv6 DNS server address (and, BTW, both reply with identical resolver.arpa info), will the relaxed-validation client prefer IPv6 and not upgrade because the IPv6 address is a GUA? Or will the relaxed-validation client try the private IPv4 address (also?) and do the DoH upgrade? I'm ok not worrying about people with static public IPv4 address assignments (assuming the same argument that a certificate isn't realistic). That's a small population. But is it really not possible to explore allowing "same IPv4 subnet" or "on-link IPv6 prefix"?
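The question at the end of the message (whether a relaxed-validation client could treat "same IPv4 subnet" or "on-link IPv6 prefix" the way it treats private IPv4) is easier to reason about with the address classes written out. The script below is an added illustration, not code from draft-schwartz-add-ddr-forwarders or from any client implementation: it classifies a candidate forwarder address against a hypothetical snapshot of what the client learned on its link, and compares two candidate policies, a narrow "scope-only" one (only never-publicly-routable addresses skip certificate validation) and a "link-aware" one that also admits same-subnet IPv4 and on-link IPv6. The `LinkConfig`, `classify`, `upgrade_candidates` and `make_link` names and the policy table are assumptions made for the example, and every address is a constructed documentation-range sample (the IPv6 resolver sits in a /64 carved from a delegated `2001:db8:1234::/48`, so it is a GUA).

```python
"""Added example: classify DNS forwarder addresses for a DDR relaxed-validation
policy.  Not code from the draft or any implementation; names, policy table
and sample addresses are assumptions constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Explicit ranges, so the result does not depend on the running Python
# version's notion of ipaddress.is_private (which also covers test nets).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")


@dataclass
class LinkConfig:
    """Hypothetical snapshot of the client's own link configuration."""
    ipv4_interface: Optional[ipaddress.IPv4Interface] = None
    # On-link IPv6 prefixes (what RA Prefix Information Options would carry).
    ipv6_onlink_prefixes: List[ipaddress.IPv6Network] = field(default_factory=list)


def make_link(ipv4_cidr: Optional[str], *v6_prefixes: str) -> LinkConfig:
    """Convenience constructor from CIDR strings."""
    return LinkConfig(
        ipv4_interface=ipaddress.ip_interface(ipv4_cidr) if ipv4_cidr else None,
        ipv6_onlink_prefixes=[ipaddress.ip_network(p) for p in v6_prefixes],
    )


def classify(addr_text: str, link: LinkConfig) -> str:
    """Return the address class the policy decision is made on."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        if any(addr in n for n in RFC1918):
            return "private-ipv4"
        if link.ipv4_interface is not None and addr in link.ipv4_interface.network:
            return "same-ipv4-subnet"      # public address, but on our own subnet
        return "global"
    if addr in LINK_LOCAL_V6:
        return "link-local-ipv6"
    if addr in ULA:
        return "ula"
    if any(addr in p for p in link.ipv6_onlink_prefixes):
        return "on-link-ipv6"             # typically a GUA from the delegated prefix
    return "global"


# Two candidate policies from the discussion (assumed, not from the draft).
POLICIES = {
    "scope-only": {"private-ipv4", "ula", "link-local-ipv6"},
    "link-aware": {"private-ipv4", "ula", "link-local-ipv6",
                   "same-ipv4-subnet", "on-link-ipv6"},
}


def upgrade_candidates(addrs: List[str], link: LinkConfig, policy: str) -> List[str]:
    """Candidates a client following `policy` may probe with opportunistic
    (unauthenticated) DoT/DoH; anything else would need a verifiable cert."""
    allowed = POLICIES[policy]
    return [a for a in addrs if classify(a, link) in allowed]


# Constructed dual-stack home link: private IPv4 plus a /64 from the delegated
# IPv6 prefix.  The gateway advertises one resolver per family.
SAMPLE_LINK = make_link("192.168.1.77/24", "2001:db8:1234:1::/64")
SAMPLE_RESOLVERS = ["192.168.1.1", "2001:db8:1234:1::1"]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, "->", upgrade_candidates(SAMPLE_RESOLVERS, SAMPLE_LINK, policy))
```

Under "scope-only" the client is left with only the IPv4 resolver as an upgrade candidate, which is exactly the IPv6-preferring-client problem raised above; under "link-aware" the delegated-prefix GUA qualifies as well. The on-link check is only as trustworthy as the RA the prefix came from, which is the same trust the client already places in the link when it accepts an unauthenticated private-IPv4 forwarder.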