IETF Logo Mail Archive

Re: [Add] New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt

Tommy Pauly <tpauly@apple.com> Fri, 12 March 2021 23:50 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5292C3A0ADF for <add@ietfa.amsl.com>; Fri, 12 Mar 2021 15:50:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.349
X-Spam-Level:
X-Spam-Status: No, score=-2.349 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2QcM4nyfGjwH for <add@ietfa.amsl.com>; Fri, 12 Mar 2021 15:50:15 -0800 (PST)
Received: from ma1-aaemail-dr-lapp02.apple.com (ma1-aaemail-dr-lapp02.apple.com [17.171.2.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C972C3A0AD6 for <add@ietf.org>; Fri, 12 Mar 2021 15:50:14 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp02.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp02.apple.com (8.16.0.42/8.16.0.42) with SMTP id 12CNn9OO024664; Fri, 12 Mar 2021 15:50:10 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=L56AfIzFYELE7uK4fLXY/nAR4Lqj8LD4EMK/+/Qvuis=; b=jsSTKK1+5zj3SdXeW+Bj0hOHQcBGNjHFPwGL5nEhhgJ/bgc3wlwNsObteV9pS6ltthXI LSMfAcgzxq8uEXZ9ms8450w8VAblL4LBWcYKjA61VbmsNtJNg+NeBuZtPNEOLh+sXlSo uLiCmiK3HSp1ZsTmkVQQdmH1m93PIZpagjd7k6TWZFqjsAA58Rb2RIXFAY9AUVm8PUE0 XA0WOG03UfYL5peR5VjmY9W897VvcOAyRniOKdg6xVzK9kRm4hnkqOfsTyU+aV+j695c XEVLrfcPPhDnoNQGKwk1Xra9clH96adIGCrExG4jubzr0uk2Fu7qK8w3xG6+GHRq15K9 fg==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by ma1-aaemail-dr-lapp02.apple.com with ESMTP id 37479xxtyx-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 12 Mar 2021 15:50:10 -0800
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPS id <0QPV00QOQRJLAA00@rn-mailsvcp-mta-lapp03.rno.apple.com>; Fri, 12 Mar 2021 15:50:09 -0800 (PST)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) id <0QPV00W00RJF0V00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Fri, 12 Mar 2021 15:50:09 -0800 (PST)
X-V-A:
X-V-T-CD: aa7babf35d3d7eb1b25ba2986d67a26a
X-V-E-CD: 833231a848c0302c1b0cb6d23edb536e
X-V-R-CD: 14f198413e362f13d7ac09b053dc6d36
X-V-CD: 0
X-V-ID: 06cf6955-f021-47a4-9a2e-dcb7cb72fcb6
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-12_13:2021-03-12, 2021-03-12 signatures=0
Received: from smtpclient.apple (unknown [17.11.11.171]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPSA id <0QPV00O6ERJKVO00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Fri, 12 Mar 2021 15:50:09 -0800 (PST)
Content-type: text/plain; charset="utf-8"
MIME-version: 1.0 (Mac OS X Mail 15.0 \(3668.0.5\))
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <20210312191835.rhsyikec46uzmnk4@family.redbarn.org>
Date: Fri, 12 Mar 2021 15:50:08 -0800
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>, tirumal reddy <kondtir@gmail.com>
Content-transfer-encoding: quoted-printable
Message-id: <C778A810-CF36-4893-8AC9-49C1C3A651C8@apple.com>
References: <161544385340.18570.13061001177806683345@ietfa.amsl.com> <CAFpG3geAq9oTEJp+uFQ_vHdATgT9Faza-tJURciO=RheLgLDug@mail.gmail.com> <CAHbrMsCK5BUNzF+8nd722R-BR612mM+3oA6x9RzoT_osHWWRzg@mail.gmail.com> <BFF52DBA-5A64-46E5-B51A-9012EF9E09BD@apple.com> <20210312191835.rhsyikec46uzmnk4@family.redbarn.org>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3668.0.5)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-12_13:2021-03-12, 2021-03-12 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/twsnrNE8aP4CmAHiv7VEQsV_R7c>
Subject: Re: [Add] New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2021 23:50:16 -0000


> On Mar 12, 2021, at 11:18 AM, Paul Vixie <paul@redbarn.org> wrote:
> 
> On Fri, Mar 12, 2021 at 11:00:11AM -0800, Tommy Pauly wrote:
>>> This is clearly a policy prescription, and is out of scope.  ...
>> 
>> Agreed. I think the main issue is that this ends up being an "evil bit".
>> There's no reason for a client to trust or respect this value, unless they
>> already have a strong MDM-style relationship, in which case this wouldn't
>> be needed.
> 
> i understand why someone working at microsoft or google would confidently
> assert the above positions, but the rest of the world doesn't work that way.
> 
> it's not an evil bit. it's a policy expression. as someone who operates and
> secures managed private networks, the ability to detect noncompliance is
> vital to _everything else_. therefore the state of compliance must be easily
> expressed. there are also some non-security benefits, such as configuration
> management to tell BYOD (who won't be participating in MDM) how to get reliable
> service. but it's the work flows leading to anomaly detection which provide
> the strongest motive for being able to express this policy.

I think this leans towards a bit that says that the network will try to block DNS to other entities. That might make sense, but it’s different from a bit that says “please voluntarily disable your device security policy”.
> 
>> I am in favor of letting the network prove authority for private domains, or
>> even present an identity for itself as the network operator. It's up to the
>> client to use those or ignore those.
> 
> a mobile device on a public network probably needs that kind of signaling. any
> device on a managed private network probably needs different signaling. can we
> come up with a unified proposal that serves both situations?
> 
>> The one thing the network could do that might be useful is provide a flag
>> that it will be actively hostile to any DNS traffic it detects that does not
>> go to itself, with some reason text. The (minimal) value there is to allow a
>> client to present a reason for things being broken if the user of the client
>> device also has a strict policy to not trust this network.
> 
> not all networks are public, and not all on-path actors are authoritarian
> governments or surveillance capitalists, and not all devices have users. i'd
> like to see this discussion move to a broader use case that isn't smartphone
> centric or web-centric or coffee-shop-wifi centric.

To be clear, for the private or home network case, I don’t think this needs to be a problem.

If you are using a device on a network that you control, and you want you network to see all of the details, great! That should be possible to configure for sure. Set up your devices the way you want to. In an enterprise, there are also many solutions for this.

I think the reason that any of this discovery or signaling matters is when you have devices joining networks where the devices and the networks are owned and managed by different entities. Yes, that’s sometimes a mobile phone user in a cafe; but it could also be someone visiting your house, or when you first put a new device onto an enterprise network before settings things up.

The point is, if a device has a configuration that makes it think it needs a certain privacy stance, and the network wants to enforce an incompatible policy, the best thing we can do is to make that conflict easy to identify and understand. The options to resolve depend on the situation:

- The device didn’t intend to join a network with those policies, so it leaves 
- This is a device that is in fact owned by the same entity, or intended to be used in this way on this network, so it saves some local policy
- A user is presented with a choice
- …etc

Tommy

> 
> -- 
> Paul Vixie
> 
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email