Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

Ted Hardie <ted.ietf@gmail.com> Wed, 17 July 2019 18:56 UTC

In-Reply-To: <CAH1iCiqsSWRm7hbwcaoRYUaoLf-DCDXw8cZy7abaYbOAMjJBPw@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Wed, 17 Jul 2019 11:56:02 -0700
Message-ID: <CA+9kkMBjL5VqiH+vjxgTFq2d76O0yoyeJdQF6HhKvO_pOdzDgA@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Neil Cook <neil.cook@open-xchange.com>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, add@ietf.org, Rob Sayre <sayrer@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/oEvRa-HXFEumKIzuXzocEuhEN_o>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
List-Id: Applications Doing DNS <add.ietf.org>

On Wed, Jul 17, 2019 at 11:40 AM Brian Dickson <brian.peter.dickson@gmail.com> wrote:

>
> The root of the problem is visible in "if they chose not to". The nature
> of DoH is that the network operator (regardless of who they are) is unable
> either to detect or to prevent guests (or users or BYOD or whoever) from not
> complying with your network policy.
>
I disagree.  It forces the existence of the network policy to be visible,
but it is entirely possible to deny network access to a system which is
non-compliant.  It is not as simple as blocking or intercepting all port 53
traffic, but that method never addressed the reality that cleartext traffic
on that port was available to an observer.  To get both confidentiality and
policy enforcement via this means, practice will need to change.  It will
need to be visible to the system consuming the DNS (be it a browser, an OS,
or some other application), and the enforcement mechanism will have to be
better integrated into reachability mechanics.  That is definitely new code
for most people, but it is not impossible.

regards,

Ted Hardie