Re: [Add] [EXTERNAL] Re: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
tirumal reddy <kondtir@gmail.com> Mon, 05 April 2021 07:39 UTC
References: <E54C6029-946B-4094-A753-5DD5A881C901@nbcuni.com> <55ED5E7F-2595-4E6D-BBE2-36F38C9A99E1@nohats.ca>
In-Reply-To: <55ED5E7F-2595-4E6D-BBE2-36F38C9A99E1@nohats.ca>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 05 Apr 2021 13:09:01 +0530
Message-ID: <CAFpG3gc4bHMGMmvTxH_PNqEgPjDHH4ESp-vFunq7Ek0MPdUBCw@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, ADD Mailing list <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/lS2PMhWdEiN4xnb-sOdhWQikEx8>
On Fri, 2 Apr 2021 at 06:41, Paul Wouters <paul@nohats.ca> wrote:

> On Apr 1, 2021, at 18:44, Deen, Glenn (NBCUniversal) <Glenn.Deen@nbcuni.com> wrote:
>
> > - Let’s keep in mind the context of this discussion – It’s about Enterprise Split DNS – and not just connecting to a simple network.
>
> My coffeeshop uses Enterprise WPA. What if they start using Enterprise Split DNS? What is the expected UI for me to accept / decline this as enterprise network? What if they announce Gmail.com is their enterprise domain?

If a network lies about the ownership of a domain, it can be detected using the mechanism discussed in https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-02#section-10 . Any unknown or untrusted network can use Enterprise WPA but the scope is restricted to explicitly trusted networks by the user (see https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-02#section-3 ).

> If the trust comes from enterprise MDM, why can’t the provisioning issue the domain list in a verified authenticated way, instead of adhoc untrusted network broadcasts?

MDM is not a possible option in several enterprise deployments.

> The document deems this problem solved by adding
>
>     The scope of this document is restricted to unmanaged BYOD devices
>     without a configuration profile. The unmanaged BYOD devices use the
>     credentials (user name and password) provided by the IT admin to
>     mutually authenticate to the Enterprise WLAN Access Point
>
> And this is exactly the scenario where a coffeeshop that provides user/password is the distinguishable from a presumed trusted IT admin pre-arrangement with credentials.

No, the scope of the document is restricted to explicitly trusted networks.

<snip>
The scope of this document is restricted to unmanaged BYOD devices without a configuration profile and split DNS configuration on explicitly trusted networks. In this use case, the user has authorized the client to override local DNS settings for a specific network. It is similar to the way users explicitly disable VPN connection in specific networks and VPN connection is enabled by default in other networks for privacy. The unmanaged BYOD devices typically use the credentials (username and password) provided by the IT admin to mutually authenticate to the Enterprise WLAN Access Point (e.g., PEAP-MSCHAPv2 [PEAP <https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-02#ref-PEAP>], EAP-pwd [RFC8146 <https://tools.ietf.org/html/rfc8146>], EAP-PSK [RFC4764 <https://tools.ietf.org/html/rfc4764>]).
</snip>

-Tiru

> Paul
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add