Re: [Add] [EXTERNAL] Re: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt

tirumal reddy <kondtir@gmail.com> Mon, 05 April 2021 07:39 UTC

References: <E54C6029-946B-4094-A753-5DD5A881C901@nbcuni.com> <55ED5E7F-2595-4E6D-BBE2-36F38C9A99E1@nohats.ca>
In-Reply-To: <55ED5E7F-2595-4E6D-BBE2-36F38C9A99E1@nohats.ca>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 05 Apr 2021 13:09:01 +0530
Message-ID: <CAFpG3gc4bHMGMmvTxH_PNqEgPjDHH4ESp-vFunq7Ek0MPdUBCw@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, ADD Mailing list <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/lS2PMhWdEiN4xnb-sOdhWQikEx8>

On Fri, 2 Apr 2021 at 06:41, Paul Wouters <paul@nohats.ca> wrote:

>
> On Apr 1, 2021, at 18:44, Deen, Glenn (NBCUniversal) <
> Glenn.Deen@nbcuni.com> wrote:
>
>    - Let’s keep in mind the context of this discussion – It’s about
>    Enterprise Split DNS – and not just connecting to a simple network.
>
>
> My coffeeshop uses Enterprise WPA. What if they start using Enterprise
> Split DNS? What is the expected UI for me to accept / decline this as an
> enterprise network? What if they announce Gmail.com is their enterprise
> domain?
>

If a network lies about the ownership of a domain, it can be detected using
the mechanism discussed in Section 10 of the draft
(https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-02#section-10).

Any unknown or untrusted network can use Enterprise WPA, but the scope is
restricted to networks explicitly trusted by the user (see
https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-02#section-3).


> If the trust comes from enterprise MDM, why can't the provisioning issue
> the domain list in a verified, authenticated way, instead of ad hoc untrusted
> network broadcasts?
>

MDM is not a possible option in several enterprise deployments.


>
> The document deems this problem solved by adding
>
>    The scope of this document is restricted to unmanaged BYOD devices
>    without a configuration profile.  The unmanaged BYOD devices use the
>    credentials (user name and password) provided by the IT admin to
>    mutually authenticate to the Enterprise WLAN Access Point
>
>
> And this is exactly the scenario where a coffeeshop that provides a
> user/password is indistinguishable from a presumed trusted IT admin
> pre-arrangement with credentials.
>

No, the scope of the document is restricted to explicitly trusted networks.

<snip>

   The scope of this document is restricted to unmanaged BYOD devices
   without a configuration profile and split DNS configuration on
   explicitly trusted networks.  In this use case, the user has
   authorized the client to override local DNS settings for a specific
   network.  It is similar to the way users explicitly disable VPN
   connection in specific networks and VPN connection is enabled by
   default in other networks for privacy.  The unmanaged BYOD devices
   typically use the credentials (username and password) provided by
   the IT admin to mutually authenticate to the Enterprise WLAN Access
   Point (e.g., PEAP-MSCHAPv2 [PEAP]
   <https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-02#ref-PEAP>,
   EAP-pwd [RFC8146] <https://tools.ietf.org/html/rfc8146>, EAP-PSK
   [RFC4764] <https://tools.ietf.org/html/rfc4764>).

</snip>

-Tiru


> Paul