Re: [Add] [EXTERNAL] My single use case
tirumal reddy <kondtir@gmail.com> Mon, 14 September 2020 09:33 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C3C93A0D71 for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 02:33:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMjyEYpkOp3z for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 02:33:36 -0700 (PDT)
Received: from mail-il1-x136.google.com (mail-il1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE8A83A0D7B for <add@ietf.org>; Mon, 14 Sep 2020 02:33:36 -0700 (PDT)
Received: by mail-il1-x136.google.com with SMTP id f82so11374538ilh.8 for <add@ietf.org>; Mon, 14 Sep 2020 02:33:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zc7/JbTKfJpz1OoMQX76VA2OhW7aFoWB+ELW/Yti0qk=; b=G0nhH8oNouDDWftxsCS67u3s0HbM+fhr17Xr54JM4MSuis49sz4BYhmr4JRqCtk1x+ L3ItF3/yTgaR2jcyz/zDWGo2q/Lrp0IXu9ZK1D3tu7GTqTedcLzQT+7Yh55L57bc0jKg h02ajKRjnOhapdjM0W9RE25X9SR0yITaOxjKarwAE81GV8HIWs0IsTN51X+LnU4uov2t dtuHdHUfSuor8pEPmfYLZ/KyqK9FyYY6Y/KD84TtCkiTafpm3BzsYgAG2Xzoj2LJABv0 JZoz9HAPmfDwB4pGlZeQoRW3ZnHK+inFx7f5Flob/J7k8IpO16vRZIKmZo/bHWy2+Mmk K9Aw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zc7/JbTKfJpz1OoMQX76VA2OhW7aFoWB+ELW/Yti0qk=; b=J3U3dyqJT/s73eySRPBJne7QH7VCLE9ykzm5U/0SnCvanVRxVajQuCiuYvMH8eruYN OPDdaeyGvsbN4Ir0WeMgaUeuaqnYmxP4E+1jIja8/Xg5tonFJJxwtDAE64cIl2T1fJyD gDano2YZpmh7EPve+zOIe7Nloh0+etc51A6gCq/QyP1PAYSjHi+rzj894GA3bZFb5s1A hR2I5craPPztuaVHm+lRFgUDVxPP8LMvKuLzvUEv/ohtWPdxZjNhk3OqwkRxEVRXzzgR F8OKbXoB4k/N+fJuJ95PDLgqFU3RO4IJpl6QKkmq/VcEYMLz1hNI7Zjiu0lz8iXd8Eo2 21UA==
X-Gm-Message-State: AOAM533K364yS6bOgFesJNbh1ZXd0xspMt9Ajo4z1vBUyuEELpX50OWN 41kexMf9iCKvbTrkkicGldZQNpKwYSd0RU/prr+ITfl7lsvfqg==
X-Google-Smtp-Source: ABdhPJy0vjj9ayR/Eju0ZcQymACPe7vy/a3Xmf1XcwbSN2yzbGhbNuJRuBP5VdWWAMLYAaTOpSP1IteO6HEDFVKCMlE=
X-Received: by 2002:a92:d792:: with SMTP id d18mr11016542iln.195.1600076016006; Mon, 14 Sep 2020 02:33:36 -0700 (PDT)
MIME-Version: 1.0
References: <d4bd287a-d2ce-40cd-b635-4f74efbc77f6@www.fastmail.com> <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com> <f60fdeb1-a1cc-4636-8e6e-2c497051bed3@www.fastmail.com> <BY5PR00MB077332F0EDAAE11B5CBA4CE3FA241@BY5PR00MB0773.namprd00.prod.outlook.com> <97d64ef8-756e-44c3-89a4-aa263993e7c0@www.fastmail.com>
In-Reply-To: <97d64ef8-756e-44c3-89a4-aa263993e7c0@www.fastmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 14 Sep 2020 15:03:24 +0530
Message-ID: <CAFpG3gc+7CgZA1kXq0sgFYHn=JtfC-Ya=PEX7mzzQmmBzfyn-A@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008c3d3f05af42bada"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/fkCOZykRYxG1A6_fQX_UXjDeQQ4>
Subject: Re: [Add] [EXTERNAL] My single use case
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2020 09:33:38 -0000
On Mon, 14 Sep 2020 at 04:30, Martin Thomson <mt@lowentropy.net> wrote: > On Sat, Sep 12, 2020, at 06:34, Tommy Jensen wrote: > > My concern is 2) encompasses more use cases than 1). 1) is limited to > > the use case of joining a network and needing a recommendation. 2) > > includes other channels of address acquisition such as offline endpoint > > configuration. I can accept feature parity for 1) which is no > > authentication. I can possibly accept lower security for 2) when the > > address came from network advertisement such as DHCP which isn't secure > > today, but not when it came from endpoint configuration which may be > > secured. > > This is a good summary of this situation. I share those reservations > also, but would add that even in cases where the discovery is not > cryptographically authenticated, that doesn't mean it isn't protected > somehow, so the second case (talk to the resolver or something akin to > that) increases exposure to attacks even when configuration isn't > authenticated sometimes. So you have: > > 2a) unsecured discovery/configuration > 2b) discovery/configuration secured by means that is not apparent (e.g., > at layers 1 or 2) > 2c) discovery/configuration secured cryptographically (and thus known to > the endpoint) > > The former two are indistinguishable to the client; the latter two are > cases you might want a different policy for. > > In the end, this is a subjective decision that might be made in client > policy, so our responsibility is to identity the scenario and document the > consequences, not necessarily decide it. The reason I think that this > remains in scope is the forwarder case. This is so common a deployment > topology. And, as those devices are a mix of hard to upgrade or > unmaintained, finding some way to route around them seems to be important. > Growing number of home routers today support easy update of config and software, for example routers run RDK software (https://rdkcentral.com/) to ease config/software update, support LxC container environment to run network security services. They can update configs & software on devices with fine-grained control (controlled release, A/B test, roll fwd/back, etc.) and with whatever frequency of update is necessary. In short, both types of router exist in the field. -Tiru > > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add >
- [Add] My single use case Martin Thomson
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen
- Re: [Add] My single use case Chris Box (BT)
- Re: [Add] [EXTERNAL] My single use case Jim Reid
- Re: [Add] [EXTERNAL] My single use case Robert Mortimer
- [Add] Zone ownership in DNS server discovery Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Ben Schwartz
- Re: [Add] Zone ownership in DNS server discovery Vinny Parla (vparla)
- Re: [Add] Zone ownership in DNS server discovery Tommy Jensen
- Re: [Add] Zone ownership in DNS server discovery Vinny Parla (vparla)
- Re: [Add] [EXTERNAL] My single use case Martin Thomson
- Re: [Add] My single use case Martin Thomson
- Re: [Add] My single use case tirumal reddy
- Re: [Add] Zone ownership in DNS server discovery tirumal reddy
- Re: [Add] Zone ownership in DNS server discovery Vittorio Bertola
- Re: [Add] Zone ownership in DNS server discovery Joe Abley
- Re: [Add] My single use case Eric Rescorla
- Re: [Add] My single use case tirumal reddy
- Re: [Add] My single use case Eric Rescorla
- Re: [Add] [Ext] My single use case Paul Hoffman
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [Ext] My single use case Eric Rescorla
- Re: [Add] [EXTERNAL] Re: [Ext] My single use case Geist, Dan (CCI-Atlanta)
- Re: [Add] [EXTERNAL] Re: Zone ownership in DNS se… Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Martin Thomson
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [EXTERNAL] My single use case tirumal reddy
- Re: [Add] [Ext] My single use case Eric Rescorla
- Re: [Add] [EXTERNAL] My single use case Daniel Migault
- Re: [Add] My single use case Daniel Migault
- Re: [Add] [EXTERNAL] My single use case Vittorio Bertola
- Re: [Add] [EXTERNAL] My single use case Andrew Campling
- Re: [Add] My single use case Steffen Nurpmeso
- Re: [Add] [EXTERNAL] My single use case Daniel Migault
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen