Re: [Add] [EXTERNAL] My single use case
Martin Thomson <mt@lowentropy.net> Sun, 13 September 2020 23:00 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA253A08C0 for <add@ietfa.amsl.com>; Sun, 13 Sep 2020 16:00:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=DXtAkWqK; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=UrIUPw2p
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lvtCqDrdApM7 for <add@ietfa.amsl.com>; Sun, 13 Sep 2020 16:00:24 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50B163A08B9 for <add@ietf.org>; Sun, 13 Sep 2020 16:00:24 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 91F3C5C012A for <add@ietf.org>; Sun, 13 Sep 2020 19:00:23 -0400 (EDT)
Received: from imap10 ([10.202.2.60]) by compute2.internal (MEProxy); Sun, 13 Sep 2020 19:00:23 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=kIhmGH16L8jNQXLiToIJLXCvOoZ7UB6 iymiUCClf6OY=; b=DXtAkWqKiT5o3cBwACQvqC3lIv7nJ2YvMCN2qeKG3gaJfhJ +pgkpqV6qfvLVKnX33rN1xG9MULG5iSnboqEW0Ebv5Ud0BRknZplpNhJCs7wwxIR y5kRLz2frloAiJv8ycoMiqEoQkKQecKCU5qFPpGsXNsrJxHP+T8TjWovgpZc2qef aQljmn/VASd9udSytKTRWizyW55iILq6YwP4+bhVXD3xojm5wm2z7tcJ2YHbyX6L 5eKbDhdlDYG9rnt5W/AhVtJ5f2UAAVSGzLij7GQv6p3PDp/YrYh/nnzfoNyfEA7r sFrzfm2lMSEUOLSnTWSksCpUXlhy9IY3wqNZqXQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=kIhmGH 16L8jNQXLiToIJLXCvOoZ7UB6iymiUCClf6OY=; b=UrIUPw2phhaUvx41jmMuGX RNzBS82+V1vzEPibqygDdU3aB+DwNt/oeG9AvDRX/mj6Rh2dYrzfm9IevBklaMzn uCluR2t4D467dzpu4L8hR3eYbEnCgT2yOO3DESwyyZWIYDgiQ7YHzdJPiMyBd27h tVpMLEKEOQdkP+x0cgaU6OzosBT3c7cbpEEH46pZgVcurVIEHaQqw8rUXoCo21hN dXd6/RTFaBtvr0pwOf7TadRt6ALck0MrF1XAZ/atOCUoW+C1wY27JosOB9C7DudB ToTcW5byBgXfETaXmx9BQPzBVsV1YKuoImftiXFwbQKPtjsehRP/J0IoQgtxiqrA ==
X-ME-Sender: <xms:h6ReX01N1hSzYQ0yAMcSee4Z3SRUuhTnMR3P9n0s57hB3HzRLIFZiw> <xme:h6ReX_EzpLlAp0FUJB-hArqVZPMMBZiRWBndu2P9I4ADwmT1rNAl7GYyTOquGWNTP B_GmLlgQKiaKQWwvXU>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedrudeihedgudehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeekteeuieektdekleefke evhfekffevvdevgfekgfeluefgvdejjeegffeigedtjeenucevlhhushhtvghrufhiiigv pedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvg ht
X-ME-Proxy: <xmx:h6ReX877IGm1cf3tiwHhZ4Lt9jDcffUztH4XkbRAg8N3ZYhIHqo6jQ> <xmx:h6ReX922EXDG9erxhwrkLzpYAxe99HPJyM7WtMgweeGCQXQR6yZ60A> <xmx:h6ReX3Eu1RcvaTxXNdx1I3vCTY3A-LOQKvu12lEnMxKGL-2MITUm1g> <xmx:h6ReX7Q0FFWxiFaf0UQpX4dQLMlR_pAtSGjSIR1xFjwBH4jysNzKgQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 3000020064; Sun, 13 Sep 2020 19:00:23 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-259-g88fbbfa-fm-20200903.003-g88fbbfa3
Mime-Version: 1.0
Message-Id: <97d64ef8-756e-44c3-89a4-aa263993e7c0@www.fastmail.com>
In-Reply-To: <BY5PR00MB077332F0EDAAE11B5CBA4CE3FA241@BY5PR00MB0773.namprd00.prod.outlook.com>
References: <d4bd287a-d2ce-40cd-b635-4f74efbc77f6@www.fastmail.com> <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com> <f60fdeb1-a1cc-4636-8e6e-2c497051bed3@www.fastmail.com> <BY5PR00MB077332F0EDAAE11B5CBA4CE3FA241@BY5PR00MB0773.namprd00.prod.outlook.com>
Date: Mon, 14 Sep 2020 09:00:02 +1000
From: Martin Thomson <mt@lowentropy.net>
To: add@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/RuoA8H22usP-XWZDaV6i5GS7oxo>
Subject: Re: [Add] [EXTERNAL] My single use case
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Sep 2020 23:00:26 -0000
On Sat, Sep 12, 2020, at 06:34, Tommy Jensen wrote: > My concern is 2) encompasses more use cases than 1). 1) is limited to > the use case of joining a network and needing a recommendation. 2) > includes other channels of address acquisition such as offline endpoint > configuration. I can accept feature parity for 1) which is no > authentication. I can possibly accept lower security for 2) when the > address came from network advertisement such as DHCP which isn't secure > today, but not when it came from endpoint configuration which may be > secured. This is a good summary of this situation. I share those reservations also, but would add that even in cases where the discovery is not cryptographically authenticated, that doesn't mean it isn't protected somehow, so the second case (talk to the resolver or something akin to that) increases exposure to attacks even when configuration isn't authenticated sometimes. So you have: 2a) unsecured discovery/configuration 2b) discovery/configuration secured by means that is not apparent (e.g., at layers 1 or 2) 2c) discovery/configuration secured cryptographically (and thus known to the endpoint) The former two are indistinguishable to the client; the latter two are cases you might want a different policy for. In the end, this is a subjective decision that might be made in client policy, so our responsibility is to identity the scenario and document the consequences, not necessarily decide it. The reason I think that this remains in scope is the forwarder case. This is so common a deployment topology. And, as those devices are a mix of hard to upgrade or unmaintained, finding some way to route around them seems to be important.
- [Add] My single use case Martin Thomson
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen
- Re: [Add] My single use case Chris Box (BT)
- Re: [Add] [EXTERNAL] My single use case Jim Reid
- Re: [Add] [EXTERNAL] My single use case Robert Mortimer
- [Add] Zone ownership in DNS server discovery Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Ben Schwartz
- Re: [Add] Zone ownership in DNS server discovery Vinny Parla (vparla)
- Re: [Add] Zone ownership in DNS server discovery Tommy Jensen
- Re: [Add] Zone ownership in DNS server discovery Vinny Parla (vparla)
- Re: [Add] [EXTERNAL] My single use case Martin Thomson
- Re: [Add] My single use case Martin Thomson
- Re: [Add] My single use case tirumal reddy
- Re: [Add] Zone ownership in DNS server discovery tirumal reddy
- Re: [Add] Zone ownership in DNS server discovery Vittorio Bertola
- Re: [Add] Zone ownership in DNS server discovery Joe Abley
- Re: [Add] My single use case Eric Rescorla
- Re: [Add] My single use case tirumal reddy
- Re: [Add] My single use case Eric Rescorla
- Re: [Add] [Ext] My single use case Paul Hoffman
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [Ext] My single use case Eric Rescorla
- Re: [Add] [EXTERNAL] Re: [Ext] My single use case Geist, Dan (CCI-Atlanta)
- Re: [Add] [EXTERNAL] Re: Zone ownership in DNS se… Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Martin Thomson
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [EXTERNAL] My single use case tirumal reddy
- Re: [Add] [Ext] My single use case Eric Rescorla
- Re: [Add] [EXTERNAL] My single use case Daniel Migault
- Re: [Add] My single use case Daniel Migault
- Re: [Add] [EXTERNAL] My single use case Vittorio Bertola
- Re: [Add] [EXTERNAL] My single use case Andrew Campling
- Re: [Add] My single use case Steffen Nurpmeso
- Re: [Add] [EXTERNAL] My single use case Daniel Migault
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen