Re: [Add] [EXTERNAL] Re: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt

"Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com> Sat, 13 March 2021 00:19 UTC

From: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Paul Vixie <paul@redbarn.org>
CC: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>, tirumal reddy <kondtir@gmail.com>, "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
Date: Sat, 13 Mar 2021 00:19:51 +0000
Message-ID: <7759A818-8E63-42D4-B37B-759067AEF64F@nbcuni.com>
References: <161544385340.18570.13061001177806683345@ietfa.amsl.com> <CAFpG3geAq9oTEJp+uFQ_vHdATgT9Faza-tJURciO=RheLgLDug@mail.gmail.com> <CAHbrMsCK5BUNzF+8nd722R-BR612mM+3oA6x9RzoT_osHWWRzg@mail.gmail.com> <BFF52DBA-5A64-46E5-B51A-9012EF9E09BD@apple.com> <20210312191835.rhsyikec46uzmnk4@family.redbarn.org> <C778A810-CF36-4893-8AC9-49C1C3A651C8@apple.com>
In-Reply-To: <C778A810-CF36-4893-8AC9-49C1C3A651C8@apple.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/x52pVZhFvkMndlCaFqoAeWRVKTY>
Subject: Re: [Add] [EXTERNAL] Re: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
List-Id: Applications Doing DNS <add.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>

- No hat -

One Q inline.

On 3/12/21, 3:50 PM, "Add on behalf of Tommy Pauly" <add-bounces@ietf.org on behalf of tpauly=40apple.com@dmarc.ietf.org> wrote:



    > On Mar 12, 2021, at 11:18 AM, Paul Vixie <paul@redbarn.org> wrote:
    > 
    > On Fri, Mar 12, 2021 at 11:00:11AM -0800, Tommy Pauly wrote:
    >>> This is clearly a policy prescription, and is out of scope.  ...
    >> 
    >> Agreed. I think the main issue is that this ends up being an "evil bit".
    >> There's no reason for a client to trust or respect this value, unless they
    >> already have a strong MDM-style relationship, in which case this wouldn't
    >> be needed.
    > 
    > i understand why someone working at microsoft or google would confidently
    > assert the above positions, but the rest of the world doesn't work that way.
    > 
    > it's not an evil bit. it's a policy expression. as someone who operates and
    > secures managed private networks, the ability to detect noncompliance is
    > vital to _everything else_. therefore the state of compliance must be easily
    > expressed. there are also some non-security benefits, such as configuration
    > management to tell BYOD (who won't be participating in MDM) how to get reliable
    > service. but it's the work flows leading to anomaly detection which provide
    > the strongest motive for being able to express this policy.

    I think this leans towards a bit that says that the network will try to block DNS to other entities. That might make sense, but it’s different from a bit that says “please voluntarily disable your device security policy”.

[Glenn] Who is setting this bit? And where in the interaction is it set? What I mean here is there is the VPN client on the device - is it setting this bit, or is it the VPN itself that is setting this bit? If it's the VPN client, wouldn't an on-device communication be both better and more trustworthy, as it isn't being touched by anything on the wire?

[Glenn] Perhaps I'm not understanding the split between the VPN client on the device and the perspective of the "network".

-glenn