IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

Ted Hardie <ted.ietf@gmail.com> Wed, 17 July 2019 15:58 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54E6B1203CF for <add@ietfa.amsl.com>; Wed, 17 Jul 2019 08:58:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eCvSzTFUuXIb for <add@ietfa.amsl.com>; Wed, 17 Jul 2019 08:58:09 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E589712019C for <add@ietf.org>; Wed, 17 Jul 2019 08:58:07 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id z3so46598094iog.0 for <add@ietf.org>; Wed, 17 Jul 2019 08:58:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PCUA4mb10vQBx4L8KDewvPFCtNb0WPZXjo6Rwskd4Hw=; b=MK7zVLkWMeZ/t/GPQgMKBZUmaynii42C26+iC+iTygpXlm7ikVZe3MsKRHoHtLwFCn PYqqKY3443bATu81hG34eWuV8Z7PovpXznAiHqgWuZK7y3i93Fe9InMEAf+hohEw1iHz UHHhEx0WSJ2vLbPrz/u/mjdshir5K90/njaKVBOs3nTKFfQSRdTCT62Ma9QgdoKGv/F3 MsNytpjeYzpsQWr+oFBG/p/qxEtxtrrgZKASSzrv/O7dQvhKr0prLcsviWSg9cPudNAf ZfMsDDWTH8l/9R9Es9LX2HtlpYQhl66gRD0wxBnRPuhUQPF8ymLO38k+peyuKDlJeQS9 8QWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PCUA4mb10vQBx4L8KDewvPFCtNb0WPZXjo6Rwskd4Hw=; b=AF1aL7NONxIZimhesHjZbHEKobqhqmFYJSKS6wf1EPCeSNxq5aE9PimnXMYjgyop4n wrlkEg6SVqPhm2HNdxdSQQ5pCiAmkYtfceWL19gz1kdA74d8RR1AZLNv8Qa046esp8hT EfJlpK7ZnuAVw38nNjFzSsCpPPVCFw9gc+mmVgk7TVxAnsMShe0Q7JRZAj1qspums3wg /thReFVJY4Di6jo04jmZ+FgBemDX/4b7s/4URfFFGpvc9b5M7RnHYsXfLITf7cKzqNKC 3yy4rDqdzo+dCKz54HcGJdyDOdqYir6w1kXFOe5PPn1FY5qSFWuyd4WctIxXZleJ5hXo 4CuA==
X-Gm-Message-State: APjAAAVUvxvjOT3RHF06cB1yhIVIdg7DTFiRtP3Z+3rG3qdJKymTc+U9 h9nFtgm0KQzzo+wJ1ahC8glXdqARuKLiVzkkmGU=
X-Google-Smtp-Source: APXvYqzXV5Qmgn0bgXUXxxYGFFpiDOHCJEUZFnOV23r6yGU65e4wz8KqN32qswpQay7irbym0bPUwDMznfUyr4afHN4=
X-Received: by 2002:a6b:7017:: with SMTP id l23mr36162719ioc.159.1563379087047; Wed, 17 Jul 2019 08:58:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <CAFWeb9LNdT=EYVKTsYDxcBCQKoQFNShKotYtWujt4U9GA-V1mg@mail.gmail.com> <CAFWeb9+eWKSKY9O2JLn9-0+Zq7hrD48F-y+Y4T-iRaaF0vtdOA@mail.gmail.com> <A45F4F74-D6C1-435A-A52F-C2DEA82E2999@sky.uk> <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com> <CABcZeBMY9q9vKGse1svzbvXF_dSHA+9q06j4ugDVCZP9VT1koQ@mail.gmail.com> <CAChr6Sz5Rfz=UxOYuPguSvVK2HCX2ZoA1-FytW7+EOUxN8y46Q@mail.gmail.com> <CABcZeBNB7ASu2U3ZMBZ+OOxEhbSnhDXwFN3Lsex1uzVSDv3R=Q@mail.gmail.com> <CAChr6SwEwRRX7BA6ZCeBuC93hFxbfi3d7G_3G3VA7Lm09yuneg@mail.gmail.com> <CABcZeBNa97Vb6Fw-fMhoZnMezGtm3nJODENN4=XXsz7GWxf2Cg@mail.gmail.com> <CAChr6Sxm__NroZ92v4HL_6iCa62fwYgNw9r8ZDAxCdzVwNoDGw@mail.gmail.com> <20190716190219.5DEF4156CDF0@fafnir.remote.dragon.net> <CAChr6SzSkVU5xbh0sZCCEgd7BUdr-dMorNq=5iMkWp66k8PVow@mail.gmail.com> <15205609-8203-4C6F-9DE7-14D492873C51@rfc1035.com> <CAChr6Syf_=3__jcv6D7b1JokGFYpFuy9y9419V0nCAx=MMh24A@mail.gmail.com> <1513817825.9983.1563350802523@appsuite-gw1.open-xchange.com> <CA+9kkMAdGF_U-syxtFVz-MfBfv-GF_CFouvuUhqcSH96-=Hkjg@mail.gmail.com> <ABBFB472-DC7C-48E2-999E-C364BFD3260E@open-xchange.com>
In-Reply-To: <ABBFB472-DC7C-48E2-999E-C364BFD3260E@open-xchange.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Wed, 17 Jul 2019 08:57:39 -0700
Message-ID: <CA+9kkMBO3LAhVmC+PzBoO7V5vzrfeYyrEPdq6s5nRBrYniqaNA@mail.gmail.com>
To: Neil Cook <neil.cook@open-xchange.com>
Cc: Vittorio Bertola <vittorio.bertola@open-xchange.com>, add@ietf.org, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000002206d5058de28f85"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/rf_udZugk-ZrTohm-cS95OxN6CA>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 15:58:12 -0000

Hi Neil,

On Wed, Jul 17, 2019 at 8:38 AM Neil Cook <neil.cook@open-xchange.com>
wrote:

> Hi Ted,
>
> But, and this is the crux of the matter, that integration requires the
> cooperation of the endpoint or its control by an organization's system
> administrators.  If you do not have their cooperation or the right to
> manage them by tools like those Eric mentions, it is difficult for the
> endpoint to distinguish a network-level interception by a mandated policy
> engine and by an attacker.
>
> Rather than falling back to the state where the endpoint simple accepts
> that its traffic is visible to all and possibly intercepted, this new work
> is an effort to make it easier for you to gain the cooperation required.  I
> hope you can see that this is in both the interest of policy enforcement
> bodies and the end users.
>
>
>
So I use DNS filtering in my own house (along with millions of other people
> as already stated on this thread), provided by my network operator (but it
> doesn’t have to be - I used to use OpenDNS for example, and I have the
> capability to run my own resolver if I so desired). I have malware
> filtering as well as parental controls enabled. I am the de-facto network
> administrator in my house,  but I don’t have the tools or software that
> enterprises use so I won’t benefit from the work being done to help
> enterprises control this. I also have other people coming into my house and
> using my network, and I also like to control what they can access when they
> are in my home. All of this works very well for me today. It doesn’t work
> for me when applications/endpoints start deciding that my network is an
> attacker because it does filtering, and bypassing that filtering "in the
> interest of end-users".
>
> I hope you can see that this is in both the interest of policy enforcement
> bodies and the end users.
>
>
> I’d like to ask, ask an end-user, how is this in my interests?
>
>
I am sorry if I was not clear,  The point of the draft is to enable the
network operator to signal this:

   If the user agent can check for the presence of a policy, this could be
   used as a signal that the network operator wishes its resolver to be
   used as a condition of using the network, and that DoH or DoT should
   be disabled.

That permits your guests to know of your network policy and to abide by it
if they choose; presumably you would not provide network access if they
chose not to.

regards,

Ted Hardie

Neil
>
> On 17 Jul 2019, at 16:25, Ted Hardie <ted.ietf@gmail.com> wrote:
>
> Hi Vittorio,
>
> On Wed, Jul 17, 2019 at 1:06 AM Vittorio Bertola <vittorio.bertola=
> 40open-xchange.com@dmarc.ietf.org> wrote:
>
>>
>> Il 17 luglio 2019 07:01 Rob Sayre <sayrer@gmail.com> ha scritto:
>>
>>
>> On Tue, Jul 16, 2019 at 12:30 PM Jim Reid < jim@rfc1035.com> wrote:
>>
>>
>> Whether or not these tools/services work well is another issue entirely.
>> And IMO not something to discuss at the IETF.
>>
>>
>> Hi Jim,
>>
>> I thought about this email a lot today.
>>
>> I think the problem with its sentiment is that whether or not
>> tools/services work on the Internet might be fairly called "engineering",
>> and this is the Internet Engineering Task Force, right?
>>
>> But if you have tools that work well enough that millions of people rely
>> on them and that they are encouraged or even mandated in many countries,
>> and you decide to develop and implement technologies to prevent them from
>> working
>>
>
> The IETF builds building blocks that meet specific needs.  In building DNS
> over TLS, DNS over DTLS, and DNS over HTTPS, it was adding the protocol
> functionality to make DNS queries confidential from inspection by network
> observers.  The energy for that work was the reaction to pervasive
> surveillance, but it is clear that other attackers had been gathering data
> for some time.  The IETF was not building these protocols to stop the use
> of the DNS as a policy enforcement mechanism and it is entirely possible to
> integrate them into a system which does this by offering the policy
> enforcing resolver over one of these confidential protocols.
>
> But, and this is the crux of the matter, that integration requires the
> cooperation of the endpoint or its control by an organization's system
> administrators.  If you do not have their cooperation or the right to
> manage them by tools like those Eric mentions, it is difficult for the
> endpoint to distinguish a network-level interception by a mandated policy
> engine and by an attacker.
>
> Rather than falling back to the state where the endpoint simple accepts
> that its traffic is visible to all and possibly intercepted, this new work
> is an effort to make it easier for you to gain the cooperation required.  I
> hope you can see that this is in both the interest of policy enforcement
> bodies and the end users.
>
> best regards,
>
> Ted
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>
>
>
> Neil Cook
> neil.cook@open-xchange.com
>
>
> -------------------------------------------------------------------------------------
> Open-Xchange AG, Rollnerstr. 14, 90408 Nuremberg, District Court
> Nuremberg HRB 24738
> Managing Board: Rafael Laguna de la Vera, Carsten Dirks, Michael
> Knapstein, Stephan Martin
> Chairman of the Board: Richard Seibt
>
> European Office:
> Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District
> Court Siegen, HRB 8718
> Managing Director: Frank Hoberg
>
> US Office:
> Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA
>
> -------------------------------------------------------------------------------------
>
>

v2.23.0 | Report a Bug | By Email