Re: [Add] [EXTERNAL] My single use case
Daniel Migault <mglt.ietf@gmail.com> Mon, 14 September 2020 15:54 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 638E73A0C2E for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 08:54:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0OvzqRsx7RXz for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 08:54:55 -0700 (PDT)
Received: from mail-ua1-x932.google.com (mail-ua1-x932.google.com [IPv6:2607:f8b0:4864:20::932]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F367D3A0C26 for <add@ietf.org>; Mon, 14 Sep 2020 08:54:54 -0700 (PDT)
Received: by mail-ua1-x932.google.com with SMTP id e41so3733uad.6 for <add@ietf.org>; Mon, 14 Sep 2020 08:54:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=H3+LQAU7Y1tl+UtdetZCRiVufRwZxuEJ0CY8VL3vXEs=; b=E6BUDO2CCQPgiv2jWjupdiTgkBzDL9LOkwAW0Pum9xrbMT9YGFSvUhqyrnLyTSdtVG itVDrTfxVsyiveO1ZoWvt54z+21HnKiPXfKzrCNg0mLRU3rpb4gO8oVaNhYL0gid/z3m oUSoBo0zWQjH17eV/p0/99lYEIRHbqlhozWKxy88PFILx8RjuXZyEutgyrtMdD0v6b76 ZFMA+kYZ+y5zcVAtf1EtnMltZSCn768wd0Qa+sYQsbroBQxYNbTDLVJ26xtpUWkHRc1/ K7sK7GtF0riUBPrZkOXVO1jh7UjwSZJzXBwyQWkFIsvN4b+yaxA63bB1MYRgPQvx2yIx ICww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=H3+LQAU7Y1tl+UtdetZCRiVufRwZxuEJ0CY8VL3vXEs=; b=oba5B1ulop1PWHNoGfBZhlfQuJ5R+rfCcXsd04jBKBqWGc+LNhjwEEGHIIfGeNHAIu s9tN9dttmKP9s3H1K8xvmWEJDi87XLMEE8xXVQlxef+dM7Piwt2x3O6SC6qRnHz9vt9W ZlslffU2HDJL5cO0kL3t66zNTbzc4Adrz3OYC5/rYypVDdS4+2Qq11NrRFk0PtZ7hHSi dUFeQ+6nbl/RJk6beWna9exIcNqssqY4KvgqM1B/kDpwgjg+r226hGI+OXxDPFRehewi w4RHlvRYpUEuSxypQQJ2umSo8DHPY6zQaatpStmYIuSLbxB3w9bY16PBN6NFvSTDsG+J ByZQ==
X-Gm-Message-State: AOAM531QW32cT21NP/rUfPK1qWjKQaJ63eib6zTCd7XYGl3h0aveWfeW U4a2+t7FyCxILFNQ4Y7nVIiEGsHX7E+FZesVWYQ=
X-Google-Smtp-Source: ABdhPJx92ABg0S6P1BiJEVebNEIcHd46Hxtin3nniBtU3Jsngiugbwla9nnwFV5Kkqp5JrPpjSRAmO+eEp8VtIF81Zk=
X-Received: by 2002:ab0:3885:: with SMTP id z5mr6995084uav.114.1600098893824; Mon, 14 Sep 2020 08:54:53 -0700 (PDT)
MIME-Version: 1.0
References: <d4bd287a-d2ce-40cd-b635-4f74efbc77f6@www.fastmail.com> <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com> <CAHbrMsBduVj7fzutp9x7rYpXo6wLUK7-Pe4VvDHaF45dj==PYQ@mail.gmail.com>
In-Reply-To: <CAHbrMsBduVj7fzutp9x7rYpXo6wLUK7-Pe4VvDHaF45dj==PYQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 14 Sep 2020 11:54:42 -0400
Message-ID: <CADZyTkmeYXNiL1yt1FUdKRS=mAmde4gkbu7wkn+HBFEPcdV-4g@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>, "add@ietf.org" <add@ietf.org>, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="0000000000002c07f505af480eee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/tTFm3bgY6KuuGQZy17fDD_TT_7M>
Subject: Re: [Add] [EXTERNAL] My single use case
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2020 15:54:57 -0000
On Thu, Sep 10, 2020 at 4:48 PM Ben Schwartz <bemasc= 40google.com@dmarc.ietf.org> wrote: > > > On Thu, Sep 10, 2020 at 11:31 AM Tommy Jensen <Jensen.Thomas= > 40microsoft.com@dmarc.ietf.org> wrote: > >> > As a new device or application, when I join a network that I have no >> prior relationship with or configuration for, I want to discover the DoT or >> DoH resolver that corresponds to the Do53 resolver offered by that network >> >> My issue with this scenario is I see "discover a DoT/DoH" server >> differently from "discover a DoT/DoH server that corresponds to the Do53 >> resolver". The former doesn't require authentication to meet security >> parity with Do53 server use today. The latter is a novel concept I would >> prefer to be authenticated. This means for existing TLS infra would only be >> possible for publicly routable IP addresses, a subset of the >> network-offered servers out there. >> > > I think of this as a distinction about how the correspondence is > validated. In one scenario, the client validates the correspondence > topologically. That could be the IP network topology (e.g. using the same > IP for both Do53 and encrypted DNS) or the DNS lookup topology (in-band > upgrade, with or without forwarder bypass). > > In the other scenario, correspondence is validated using a PKI with its > own validation rules. > > <mglt> You could also validate (cryptographically) the correspondence between the encrypted DNS and the Do53, but in essence the confidence of the authentication will remain with a similar level of the Do53. The discovery could also provide some proofs that the resolver is associated to your ISP or the entity providing you the connectivity with a reasonable level of confidence. </mglt> Which of these is appropriate depends on the intended user experience (does > the user see this IP address?) and also threat modeling questions (what > does it mean to own an IP address?). This seems like a good example of how > even this seemingly narrow use case has a wide variety of potential > variations and complexities. Here are some more potential complications: > > * Increased query linkability, if multiple users' queries would otherwise > be mixed together by a NAT or a DNS forwarder. > * When should the client validate the certificate chain, and to which > trust anchor? > * Enabling a DNS-poisoning attacker to capture all DNS traffic > * Enabling a transient attacker to become persistent > * Defending against a passive+drop attacker who is trying to prevent > upgrade > * Defending against a late-arriving attacker who is trying to trigger a > downgrade > > All of these apply to the narrow use case that Martin highlighted. When > we talk about requirements, these are the kinds of questions I'd like to > see the group considering. On some points, I think we will find consensus; > on others, I think we will need to leave options open for implementers. > Which properties we can provide will depend on the details of our protocol > design. > > For developing requirements, I agree that we should focus on this use > case, which deserves its own requirements draft. When it's time to adopt > solutions, I'd prefer to consider the bigger picture, and try to find a > solution that extends naturally to other use cases as well. > <mglt> I think that is important we do not exclusively work in a single use case when it comes to designing a solution and that we do have a global picture of the use cases and requirements. More specifically, I do not think that discovery is limited to the discovery of the network provided resolvers. </mglt> > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add > -- Daniel Migault Ericsson
- [Add] My single use case Martin Thomson
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen
- Re: [Add] My single use case Chris Box (BT)
- Re: [Add] [EXTERNAL] My single use case Jim Reid
- Re: [Add] [EXTERNAL] My single use case Robert Mortimer
- [Add] Zone ownership in DNS server discovery Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Ben Schwartz
- Re: [Add] Zone ownership in DNS server discovery Vinny Parla (vparla)
- Re: [Add] Zone ownership in DNS server discovery Tommy Jensen
- Re: [Add] Zone ownership in DNS server discovery Vinny Parla (vparla)
- Re: [Add] [EXTERNAL] My single use case Martin Thomson
- Re: [Add] My single use case Martin Thomson
- Re: [Add] My single use case tirumal reddy
- Re: [Add] Zone ownership in DNS server discovery tirumal reddy
- Re: [Add] Zone ownership in DNS server discovery Vittorio Bertola
- Re: [Add] Zone ownership in DNS server discovery Joe Abley
- Re: [Add] My single use case Eric Rescorla
- Re: [Add] My single use case tirumal reddy
- Re: [Add] My single use case Eric Rescorla
- Re: [Add] [Ext] My single use case Paul Hoffman
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [Ext] My single use case Eric Rescorla
- Re: [Add] [EXTERNAL] Re: [Ext] My single use case Geist, Dan (CCI-Atlanta)
- Re: [Add] [EXTERNAL] Re: Zone ownership in DNS se… Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Martin Thomson
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [EXTERNAL] My single use case tirumal reddy
- Re: [Add] [Ext] My single use case Eric Rescorla
- Re: [Add] [EXTERNAL] My single use case Daniel Migault
- Re: [Add] My single use case Daniel Migault
- Re: [Add] [EXTERNAL] My single use case Vittorio Bertola
- Re: [Add] [EXTERNAL] My single use case Andrew Campling
- Re: [Add] My single use case Steffen Nurpmeso
- Re: [Add] [EXTERNAL] My single use case Daniel Migault
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen