Re: [Add] Private IPs, DDR, and PR#11

Andrew Campling <andrew.campling@419.consulting> Thu, 08 July 2021 12:48 UTC


On Wed, Jul 8, 2021 at 04:11 Eric Rescorla <ekr@rtfm.com> wrote:

On Wed, Jul 7, 2021 at 8:01 AM Ben Schwartz <bemasc@google.com> wrote:

On Thu, Jul 1, 2021 at 6:18 PM Eric Rescorla <ekr@rtfm.com> wrote:

Can we get this documented before we start designing mechanisms?

I'm not sure what you mean.  Section 5 of the requirements draft [1] says

    +-------------+---------------------------------------------------+
    | R4.1        | If the local network resolver is a forwarder that |
    |             | does not offer encrypted DNS service, an upstream |
    |             | encrypted resolver SHOULD be retrievable via      |
    |             | queries sent to that forwarder.                   |
    +-------------+---------------------------------------------------+
    | R4.2        | Achieving requirement 4.1 SHOULD NOT require any  |
    |             | changes to DNS forwarders hosted on non-          |
    |             | upgradable legacy network devices.                |
    +-------------+---------------------------------------------------+
    | R5.1        | Discovery MUST NOT worsen a client's security or  |
    |             | privacy posture.                                  |
    +-------------+---------------------------------------------------+
    | R5.2        | Threat modelling MUST assume that there is a      |
    |             | passive eavesdropping attacker on the local       |
    |             | network.                                          |
    +-------------+---------------------------------------------------+
    | R5.3        | Threat modelling MUST assume that an attacker can |
    |             | actively attack from outside the local network.   |
    +-------------+---------------------------------------------------+
    | R5.4        | Attackers MUST NOT be able to redirect encrypted  |
    |             | DNS traffic to themselves when they would not     |
    |             | otherwise handle DNS traffic.                     |
    +-------------+---------------------------------------------------+

I think these requirements (except perhaps R5.3) represent the goal of PR #11.

Just reflecting on R5.1, if a user has currently opted for an unencrypted resolver with filtering of malicious content, moving them to an encrypted resolver with unfiltered content would present an interesting case given the increased exposure that this implies.  I know that some are not fans of DNS filtering, however it is used widely (possibly not in the USA?).  Taking into account the additional protection that such filtering offers when determining appropriate options via discovery seems to be a reasonable expectation from a user perspective, particularly a non-expert user.

Andrew
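As an added illustration of the R5.1 posture check Andrew raises (example code written for this archive page, not part of the thread, the requirements draft, or any DDR implementation), assuming a constructed model in which a resolver's posture is simply the set of protections it offers:

```python
from dataclasses import dataclass

# Constructed labels for the two protections discussed in the thread.
ENCRYPTION = "encryption"        # encrypted transport to the resolver
FILTERING = "malware-filtering"  # resolver-side blocking of known-malicious names


@dataclass(frozen=True)
class Resolver:
    name: str
    protections: frozenset


def posture_delta(current: Resolver, candidate: Resolver):
    """Protections the client would lose and gain by switching resolvers."""
    return (current.protections - candidate.protections,
            candidate.protections - current.protections)


def discovery_decision(current: Resolver, candidate: Resolver) -> dict:
    """R5.1 reading: discovery must not worsen posture, so a discovered
    resolver is adopted automatically only when it drops nothing the current
    resolver offers. A candidate that trades one protection for another
    (the encrypted-but-unfiltered case) is surfaced for an explicit user
    choice rather than applied silently; a strict downgrade is rejected."""
    lost, gained = posture_delta(current, candidate)
    if lost and gained:
        action = "ask-user"
    elif lost:
        action = "reject"
    elif gained:
        action = "upgrade"
    else:
        action = "no-change"
    return {"action": action, "lost": sorted(lost), "gained": sorted(gained)}


# Constructed sample resolvers matching the scenario in the message above.
CURRENT = Resolver("local forwarder, unencrypted, filtered", frozenset({FILTERING}))
UNFILTERED_ENC = Resolver("upstream encrypted, unfiltered", frozenset({ENCRYPTION}))
FILTERED_ENC = Resolver("upstream encrypted, filtered", frozenset({ENCRYPTION, FILTERING}))

if __name__ == "__main__":
    for cand in (UNFILTERED_ENC, FILTERED_ENC):
        print(cand.name, "->", discovery_decision(CURRENT, cand))
```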