Re: [Add] [EXTERNAL] Re: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
tirumal reddy <kondtir@gmail.com> Wed, 07 April 2021 13:00 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4FF73A44A2 for <add@ietfa.amsl.com>; Wed, 7 Apr 2021 06:00:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N7usGBVqslpg for <add@ietfa.amsl.com>; Wed, 7 Apr 2021 06:00:46 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8EF83A449E for <add@ietf.org>; Wed, 7 Apr 2021 06:00:45 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id j18so4562525lfg.5 for <add@ietf.org>; Wed, 07 Apr 2021 06:00:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rFUGJPoFmndTF6TcsAhMkTuXs69HPpVqrtvgkUfwYXc=; b=D5RWTcqNeQOr+ubcYMgPJFfkqRuUL1Hrbgm7r2v6K4qlT2g+8NGBI9vtHKzfoRzSRr Oa4we9WRkQrIlwYNn76eZkF7rZRZU9tvtBlkcHT22oa6E3iUEFlm8cBwaAm3YKCj5V/H 4fsxD8P1ly0ERxEXa4+QnWp+NGJiY7gRlMFrAo6jKYnzEo8qFNfaFB7nktNHHjCE/Ro+ 1rl1VxhA2NC/bHmdOAg7iGP7lc0lyDmqUpy850/x/tSFvGA0yiFb1ho2UtJj7swAhefn FsHCU+2FGenq/60HdfnEFcoSPvN2uEFOqZu0aR6tHJKCySDS6idRp8s/RtJwI04hEXe4 yuug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rFUGJPoFmndTF6TcsAhMkTuXs69HPpVqrtvgkUfwYXc=; b=X3ctdWQvXtaY1de/wEgql/EhQuQZyZDCuBtFyaTkvpx5zWu5g9YmCM9omBrPHRntda r7r2qLpb3WvIAVTOeMQN0OG+iV0+NxzyxeTq70boG5dCJgZPnBQFnSV/BJAIB+nEfLjZ dI114ssLjAg7i9ngxN39lPhOVR6JyF+qSPINmNad5zIf73Aw6gw8gNcbb3sy97nv5fzt TAOc+K6xbxW5vwd2kXrUFe/N1dF+3BZ+Z97yM6x17TGy3tcHBhTX+7+TIFa6EKf86wEh nI4k1bXUIRPv7/RdR5yICV9JzxzPB/K320Zd0m3SAV5QyB+RCZz4cQq6NyAqHW+oEuhd 8vYg==
X-Gm-Message-State: AOAM531Up/FTf3ct1EPbGEBBqnwBvLrCKhdHYZhiUVUFu/KuRqCantej qEK+MgWE+zMFOZOqzQqi7OB0UlcLA9iPMzl1ZDs=
X-Google-Smtp-Source: ABdhPJydC47+7/Xykif/O+jFsde3BWHUQ+i/Lnvp5DBrh56WHX+IlI3mEhomXl0UrQxCIQXq74krEWXOzWShP/z69Es=
X-Received: by 2002:ac2:454d:: with SMTP id j13mr2416365lfm.129.1617800442139; Wed, 07 Apr 2021 06:00:42 -0700 (PDT)
MIME-Version: 1.0
References: <E54C6029-946B-4094-A753-5DD5A881C901@nbcuni.com> <55ED5E7F-2595-4E6D-BBE2-36F38C9A99E1@nohats.ca> <CAFpG3gc4bHMGMmvTxH_PNqEgPjDHH4ESp-vFunq7Ek0MPdUBCw@mail.gmail.com> <2e2a54d-5470-eca6-2beb-181cd0df60ae@nohats.ca>
In-Reply-To: <2e2a54d-5470-eca6-2beb-181cd0df60ae@nohats.ca>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 07 Apr 2021 18:30:29 +0530
Message-ID: <CAFpG3gdymuFySozkbBUCj-0izqDrViVSsM=vejb6NY4x2OTqHw@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000abd81105bf6184a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/_1JtvbNydYjoxnPWVWPEjaStq-8>
Subject: Re: [Add] [EXTERNAL] Re: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Apr 2021 13:00:51 -0000
On Mon, 5 Apr 2021 at 21:56, Paul Wouters <paul@nohats.ca> wrote: > On Mon, 5 Apr 2021, tirumal reddy wrote: > > > My coffeeshop uses Enterprise WPA. What if they start using Enterprise > Split DNS ? What is the expected UI for me to accept / decline this as > enterprise network ? What if they announce Gmail.com is > > their enterprise domain ? > > > > > > If a network lies about the ownership of a domain, it can be detected > using the mechanism discussed in > https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-02#section-10 > . > > note, it is very strange for the Security Considerations to define part > of the protocol designed. That part does not belong in the Security > Considerations section. It's not a consideration, it is part of the > protocol! > Yes, we plan to fix it in the next revision. > > It states: > > To comply with [RFC2826] the split-horizon DNS zone must either not > exist in the global DNS hierarchy or must be authoritatively > delegated to the split-horizon DNS server to answer. > > This raises a few problems. > > - The client needs to resolve the VPN internal domain externally to > prove it is NXDOMAIN or not delegated. No, 02 version of the draft does not rely on NXDOMAIN or NSEC3 response. > That means any network can > trigger the client into doing those kind of lookups to malicious > target domains, eg for tracking purposes The DNS client only performs a NS lookup to check the authority over the domains. Further, the endpoint does not automatically resolve the domains and download the content. Most importantly, the user may or may not visit the domains in the DnsZones. I don't see a privacy leakage problem or security issue because of malicious domains. > - It assumes DNSSEC for the proof, meaning there is no solution for > domains without DNSSEC. It's completely spoofable. > If the client uses an encrypted DNS connection to a pre-configured public resolver, DNSSEC is not mandatory. DNSSEC is only required when the network-designated resolver is used to detect spoofed responses. > - Most truly split corporate domains setup dummy placesholders for > their internal zones. Or just create different views for their 2LD > (eg different example.com internally and externally) and so in that > case there is a public delegation and this scheme won't work. > No, it works for both private domains and global domains but with a different version on its internal network. Please explain why the proposed mechanism does not work for global domains ? > > > Any unknown or untrusted network can use Enterprise WPA but the scope is > restricted to explicitly trusted networks by the user (see > > > https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-02#section-3 > ). > > > > > > If the trust comes from enterprise MDM, why can’t the provisioning issue > the domain list in a verified authenticated way, instead of adhoc untrusted > network broadcasts ? > > > > MDM is not a possible option in several enterprise deployments. > > sure, but that is just re-stating my observation. > > > The document deems this problem solved by adding > > > > The scope of this document is restricted to unmanaged BYOD devices > > without a configuration profile. The unmanaged BYOD devices use the > > credentials (user name and password) provided by the IT admin to > > mutually authenticate to the Enterprise WLAN Access Point > > > > And this is exactly the scenario where a coffeeshop that provides > user/password is the distinguishable from a presumed trusted IT admin > pre-arrangement with credentials. > > > > > > No, the scope of the document is restricted to explicitly trusted > networks. > > > > <snip> > > > > The scope of this document is restricted to unmanaged BYOD devices > > without a configuration profile and split DNS configuration on > > explicitly trusted networks. In this use case, the user has > > authorized the client to override local DNS settings for a specific > > network. > > As I explained, the coffeeshops will require that trust. Your protocol > will be used as something to coerce the enduser who has no choice but > to "trust" the network if they want access. It is just not going to work > in the real world to make this artificial distinction. > Some Enterprise networks already block access to public resolvers (e.g., DNS servers performing filtering can categorize DoH servers in the “Proxy / Anonymizer” content category, see https://umbrella.cisco.com/blog/doh-dns-over-https-to-block-or-not-to-block) and can possibly use a captive portal to notify the user to use the network-designated resolver. If a coffee shop wants to force the endpoint not to use public resolvers, it can use a DNS filtering server to block the “Proxy / Anonymizer” category or if destination IP addresses of flows from the endpoint are not in the DNS cache, it can block those flows. The draft currently says the following: The SplitDNSAllowed key value set to false is an internal security policy expression by the operator of the network but is not a policy prescription to the endpoints to disable use of DNS servers not provided by the network. If SplitDNSAllowed is set to false, the client MUST NOT trust the SplitDNSAllowed key in case of connecting to unknown or untrusted networks (e.g., coffee shops or hotel networks). Most importantly, the endpoint can choose to use an alternate network to resolve the global domain names. > > Note, as this can only be confirmed by the client when DNSSEC is enabled > on the public parent domain, presumbly there needs to be an internal > DNSSEC trust anchor too. How will this trust anchor be conveyed? We > went through a number of rounds with RFC 8598 for IPsec to prevent > VPN providers from installing (malicious) DNSSEC trust anchors that > could lead to TLSA records and other sensitive public key record types > in DNS from being redefined or taken over. The outcome was that > basically that list gets provisioned by the IPsec client setup. > In this scenario, I don't see the need to override the trusted certificates for TLS or install Enterprise CA certificates. > > As written, I just cannot support this document. It circles around all > security issues by stating the client trusts the server/network. > No, clients do not blindly trust explicitly trusted networks. If a network lies about the ownership of a domain, it can reject the network entirely (because the network lied about its authority over a domain). -Tiru > > Paul >
- [Add] Fwd: New Version Notification for draft-red… tirumal reddy
- Re: [Add] Fwd: New Version Notification for draft… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… Paul Vixie
- Re: [Add] New Version Notification for draft-redd… Tommy Pauly
- Re: [Add] New Version Notification for draft-redd… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] New Version Notification for draft-redd… Tommy Pauly
- Re: [Add] [EXTERNAL] Re: New Version Notification… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Andrew Campling
- Re: [Add] [EXTERNAL] Re: New Version Notification… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: New Version Notification… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… Eliot Lear
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Victor Kuarsingh
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] New Version Notification for draft-redd… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Bill Woodcock
- Re: [Add] [EXTERNAL] Re: New Version Notification… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… tirumal reddy
- Re: [Add] New Version Notification for draft-redd… tirumal reddy
- Re: [Add] New Version Notification for draft-redd… Ben Schwartz
- Re: [Add] New Version Notification for draft-redd… Vittorio Bertola
- Re: [Add] New Version Notification for draft-redd… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXT] Re: New Version Notification for … Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] [EXTERNAL] Re: New Version Notification… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] New Version Notification for draft-redd… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] New Version Notification for draft-redd… Andrew Campling
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy