Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
Ted Hardie <ted.ietf@gmail.com> Wed, 17 July 2019 18:56 UTC
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Neil Cook <neil.cook@open-xchange.com>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, add@ietf.org, Rob Sayre <sayrer@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/oEvRa-HXFEumKIzuXzocEuhEN_o>
List-Id: Applications Doing DNS <add.ietf.org>

On Wed, Jul 17, 2019 at 11:40 AM Brian Dickson <brian.peter.dickson@gmail.com> wrote:

> The root of the problem is visible in "if they chose not to". The nature
> of DoH is that the network operator (regardless of who they are) is unable
> to either detect or prevent guests (or users or BYOD or whoever) from not
> complying with your network policy.

I disagree. It forces the existence of the network policy to be visible, but it is entirely possible to deny network access to a system which is non-compliant. It is not as simple as blocking or intercepting all port 53 traffic, but that method never addressed the reality that cleartext traffic on that port was available to an observer.

To get both confidentiality and policy enforcement via this means, practice will need to change. It will need to be visible to the system consuming the DNS (be it a browser, an OS, or some other application), and the enforcement mechanism will have to be better integrated into reachability mechanics. That is definitely new code for most people, but it is not impossible.

regards,

Ted Hardie