IETF Logo Mail Archive

Re: [Add] [EXTERNAL] My single use case

tirumal reddy <kondtir@gmail.com> Mon, 14 September 2020 09:33 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C3C93A0D71 for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 02:33:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMjyEYpkOp3z for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 02:33:36 -0700 (PDT)
Received: from mail-il1-x136.google.com (mail-il1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE8A83A0D7B for <add@ietf.org>; Mon, 14 Sep 2020 02:33:36 -0700 (PDT)
Received: by mail-il1-x136.google.com with SMTP id f82so11374538ilh.8 for <add@ietf.org>; Mon, 14 Sep 2020 02:33:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zc7/JbTKfJpz1OoMQX76VA2OhW7aFoWB+ELW/Yti0qk=; b=G0nhH8oNouDDWftxsCS67u3s0HbM+fhr17Xr54JM4MSuis49sz4BYhmr4JRqCtk1x+ L3ItF3/yTgaR2jcyz/zDWGo2q/Lrp0IXu9ZK1D3tu7GTqTedcLzQT+7Yh55L57bc0jKg h02ajKRjnOhapdjM0W9RE25X9SR0yITaOxjKarwAE81GV8HIWs0IsTN51X+LnU4uov2t dtuHdHUfSuor8pEPmfYLZ/KyqK9FyYY6Y/KD84TtCkiTafpm3BzsYgAG2Xzoj2LJABv0 JZoz9HAPmfDwB4pGlZeQoRW3ZnHK+inFx7f5Flob/J7k8IpO16vRZIKmZo/bHWy2+Mmk K9Aw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zc7/JbTKfJpz1OoMQX76VA2OhW7aFoWB+ELW/Yti0qk=; b=J3U3dyqJT/s73eySRPBJne7QH7VCLE9ykzm5U/0SnCvanVRxVajQuCiuYvMH8eruYN OPDdaeyGvsbN4Ir0WeMgaUeuaqnYmxP4E+1jIja8/Xg5tonFJJxwtDAE64cIl2T1fJyD gDano2YZpmh7EPve+zOIe7Nloh0+etc51A6gCq/QyP1PAYSjHi+rzj894GA3bZFb5s1A hR2I5craPPztuaVHm+lRFgUDVxPP8LMvKuLzvUEv/ohtWPdxZjNhk3OqwkRxEVRXzzgR F8OKbXoB4k/N+fJuJ95PDLgqFU3RO4IJpl6QKkmq/VcEYMLz1hNI7Zjiu0lz8iXd8Eo2 21UA==
X-Gm-Message-State: AOAM533K364yS6bOgFesJNbh1ZXd0xspMt9Ajo4z1vBUyuEELpX50OWN 41kexMf9iCKvbTrkkicGldZQNpKwYSd0RU/prr+ITfl7lsvfqg==
X-Google-Smtp-Source: ABdhPJy0vjj9ayR/Eju0ZcQymACPe7vy/a3Xmf1XcwbSN2yzbGhbNuJRuBP5VdWWAMLYAaTOpSP1IteO6HEDFVKCMlE=
X-Received: by 2002:a92:d792:: with SMTP id d18mr11016542iln.195.1600076016006; Mon, 14 Sep 2020 02:33:36 -0700 (PDT)
MIME-Version: 1.0
References: <d4bd287a-d2ce-40cd-b635-4f74efbc77f6@www.fastmail.com> <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com> <f60fdeb1-a1cc-4636-8e6e-2c497051bed3@www.fastmail.com> <BY5PR00MB077332F0EDAAE11B5CBA4CE3FA241@BY5PR00MB0773.namprd00.prod.outlook.com> <97d64ef8-756e-44c3-89a4-aa263993e7c0@www.fastmail.com>
In-Reply-To: <97d64ef8-756e-44c3-89a4-aa263993e7c0@www.fastmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 14 Sep 2020 15:03:24 +0530
Message-ID: <CAFpG3gc+7CgZA1kXq0sgFYHn=JtfC-Ya=PEX7mzzQmmBzfyn-A@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008c3d3f05af42bada"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/fkCOZykRYxG1A6_fQX_UXjDeQQ4>
Subject: Re: [Add] [EXTERNAL] My single use case
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2020 09:33:38 -0000

On Mon, 14 Sep 2020 at 04:30, Martin Thomson <mt@lowentropy.net> wrote:

> On Sat, Sep 12, 2020, at 06:34, Tommy Jensen wrote:
> > My concern is 2) encompasses more use cases than 1). 1) is limited to
> > the use case of joining a network and needing a recommendation. 2)
> > includes other channels of address acquisition such as offline endpoint
> > configuration. I can accept feature parity for 1) which is no
> > authentication. I can possibly accept lower security for 2) when the
> > address came from network advertisement such as DHCP which isn't secure
> > today, but not when it came from endpoint configuration which may be
> > secured.
>
> This is a good summary of this situation.  I share those reservations
> also, but would add that even in cases where the discovery is not
> cryptographically authenticated, that doesn't mean it isn't protected
> somehow, so the second case (talk to the resolver or something akin to
> that) increases exposure to attacks even when configuration isn't
> authenticated sometimes.  So you have:
>
> 2a) unsecured discovery/configuration
> 2b) discovery/configuration secured by means that is not apparent (e.g.,
> at layers 1 or 2)
> 2c) discovery/configuration secured cryptographically (and thus known to
> the endpoint)
>
> The former two are indistinguishable to the client; the latter two are
> cases you might want a different policy for.
>
> In the end, this is a subjective decision that might be made in client
> policy, so our responsibility is to identity the scenario and document the
> consequences, not necessarily decide it.  The reason I think that this
> remains in scope is the forwarder case.  This is so common a deployment
> topology.  And, as those devices are a mix of hard to upgrade or
> unmaintained, finding some way to route around them seems to be important.
>

Growing number of home routers today support easy update of config and
software, for example routers run RDK software (https://rdkcentral.com/) to
ease config/software update, support LxC container environment to run
network security services.  They can update configs & software on devices
with fine-grained control (controlled release, A/B test, roll fwd/back,
etc.) and with whatever frequency of update is necessary. In short, both
types of router exist in the field.

-Tiru


>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email