Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

Rob Sayre <sayrer@gmail.com> Wed, 01 July 2020 03:31 UTC

References: <39AB91D2-02F7-4618-8C5E-D3ED062A8286@nbcuni.com> <CABcZeBNge-daZqnKZQveCQ8kzant_cpRtKXNRq4Yo3KTJb7g5g@mail.gmail.com>
In-Reply-To: <CABcZeBNge-daZqnKZQveCQ8kzant_cpRtKXNRq4Yo3KTJb7g5g@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 30 Jun 2020 20:31:00 -0700
Message-ID: <CAChr6SyTv7Oc3XX19b5T2uVn2MGATneVfaoKfDRpxVpYc19u1w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>, ADD Mailing list <add@ietf.org>, Paul Vixie <paul@redbarn.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/wH88BiHbv5lUKSVsSsEHv2l6fy8>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

On Tue, Jun 30, 2020 at 5:52 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
> On Tue, Jun 30, 2020 at 4:25 PM Deen, Glenn (NBCUniversal) <Glenn.Deen@nbcuni.com> wrote:
>
>> This all comes back to the three slices of access types that had been
>> discussed some months ago:
>>
>>    1. Trusted & known networks – this is your enterprise, your home.
>>    You have a relationship with them.
>>    2. Unknown networks – This is the café, school, hotel - you choose
>>    them because they are available, but you know very little to nothing about
>>    them.
>>    3. Hostile networks – you may not have any choice in network and must
>>    use this if you want any Internet access at all.  However, not only do you
>>    not trust them, you know they are actively acting in ways you do not want.
>>
>> Another slice around threat levels would be: Green, Yellow, Red networks
>>
>> Certainly in terms of policy and security concerns one size does not fit
>> all 3.  The question is can we fashion a discovery means that works in all
>> 3, but perhaps mitigates the policy and security concerns in each?
>>
>> DHCP may be a perfectly fine choice in a green network, but in a yellow
>> network there is a need for validation and assurance of the choice, while
>> in a red network – can you trust anything at all, even things you
>> explicitly specified such as IP address of resolvers without some
>> additional validation ?
>
> This is a great taxonomy. Thanks.
>
> I think the question I would ask is: in a green network, how much benefit
> do you get from Do[HT]? We can probably divide this up into the local
> network environment (e.g., the wireless network) and the access link from
> the ISP.
>

There are lots of attacks that create compromised "Green" networks. For
example:

https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack

I might categorize an "enterprise" network as something managed well enough
to do an investigation in the event of a security breach. Most business and
home networks do not fit this definition, so they are category 2
("Yellow"), because people set them up and forget them.

thanks,
Rob
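
One way to turn the green / yellow / red split discussed above into a concrete resolver-selection check, as an added example that is not code from the draft or from anyone in this thread: a DHCP-advertised DoH resolver is taken as-is on a green network, must match a pin the user recorded earlier on a yellow network, and is ignored entirely on a red network. The host names, the `Resolver`, `spki_pin` and `select_resolver` helpers and the SPKI byte strings are all assumptions constructed for the example; the pin format follows RFC 7469 (base64 of the SHA-256 of the DER SubjectPublicKeyInfo). The example also covers Rob's point that a "green" label can be wrong: a pin that exists for the advertised host and does not match is treated as evidence of a compromised network, and the client falls back to its configured resolver.

```python
"""Resolver selection across the green / yellow / red network classes.

Added illustration, not code from the draft or the thread.  Host names,
pins and SPKI byte strings are constructed stand-ins.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass(frozen=True)
class Resolver:
    host: str        # DoH server name as advertised, or as set by the user
    spki_der: bytes  # SubjectPublicKeyInfo seen in the server's TLS certificate
    source: str      # "dhcp" for a network-learned candidate, "config" for user-set


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 style pin: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(candidate: Resolver, pins: Dict[str, str]) -> Optional[bool]:
    """None if the local pin store knows nothing about this host, otherwise
    whether the key observed in the handshake is the one pinned earlier."""
    expected = pins.get(candidate.host)
    if expected is None:
        return None
    return spki_pin(candidate.spki_der) == expected


def select_resolver(network_class: str, candidate: Optional[Resolver],
                    pins: Dict[str, str],
                    configured: Optional[Resolver]) -> Optional[Resolver]:
    """Pick the resolver to use.  `pins` is local state recorded while on a
    trusted network; it is the only thing allowed to vouch for a candidate
    learned from the current network."""
    if network_class == RED:
        # Nothing learned from a hostile network is usable; configuration only.
        # With no configured resolver this returns None (fail closed).
        return configured
    if candidate is None:
        return configured
    verdict = pin_matches(candidate, pins)
    if network_class == GREEN:
        # DHCP is acceptable on a trusted network, but a pin that exists and
        # does not match means the "green" network is not what it claims to be
        # (e.g. a router pushing a rogue resolver), so fall back to config.
        return configured if verdict is False else candidate
    if network_class == YELLOW:
        # An unknown network must prove the resolver is one we already trust.
        return candidate if verdict is True else configured
    raise ValueError(f"unknown network class {network_class!r}")


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
HOME_SPKI = b"\x30\x82\x01\x22" + b"home-resolver-public-key".ljust(32, b"\x00")
ROGUE_SPKI = b"\x30\x82\x01\x22" + b"rogue-resolver-public-key".ljust(32, b"\x00")
CONFIGURED_SPKI = b"\x30\x82\x01\x22" + b"configured-resolver-key".ljust(32, b"\x00")

# Pin recorded earlier for the home resolver (constructed).
PINS = {"doh.home.example": spki_pin(HOME_SPKI)}
CONFIGURED = Resolver("doh.configured.example", CONFIGURED_SPKI, "config")

if __name__ == "__main__":
    home = Resolver("doh.home.example", HOME_SPKI, "dhcp")
    rogue = Resolver("doh.home.example", ROGUE_SPKI, "dhcp")  # same name, other key
    cafe = Resolver("doh.cafe.example", ROGUE_SPKI, "dhcp")   # never pinned
    for label, cls, cand in [("green/home", GREEN, home), ("green/rogue", GREEN, rogue),
                             ("yellow/home", YELLOW, home), ("yellow/cafe", YELLOW, cafe),
                             ("red/home", RED, home)]:
        chosen = select_resolver(cls, cand, PINS, CONFIGURED)
        print(f"{label:12s} -> {chosen.host} ({chosen.source})")
```

The design point is that the pin store is local state, never something learned from the network being evaluated; resolving the DoH server's name through the very resolver under test would make the check circular. Returning `None` on a red network with no configured resolver is deliberate: no DNS at all is preferred over a resolver the hostile network chose.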