Re: [Add] draft-pauly-dprive-oblivious-doh

Tommy Pauly <tpauly@apple.com> Mon, 01 November 2021 14:37 UTC

From: Tommy Pauly <tpauly@apple.com>
Message-id: <24EA4749-D495-4ED2-8D62-39EE0999DA20@apple.com>
Date: Mon, 01 Nov 2021 07:37:45 -0700
In-reply-to: <CABcZeBNGB05BWJCKCc3C5ta4nvvSvQJSQPBFvBv_yrmo4XVo4Q@mail.gmail.com>
Cc: Eliot Lear <lear@lear.ch>, ADD Mailing list <add@ietf.org>, ISE <rfc-ise@rfc-editor.org>
To: Eric Rescorla <ekr@rtfm.com>
References: <a6de579a-de54-b80d-cff9-a545e37cf9f0@lear.ch> <CABcZeBNGB05BWJCKCc3C5ta4nvvSvQJSQPBFvBv_yrmo4XVo4Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/xSAZuljM4ccPB5dgI1NiTikCbW4>
Subject: Re: [Add] draft-pauly-dprive-oblivious-doh

As Ekr says, Oblivious DoH is about a DoH server choosing to be accessible through a proxied setup so that the DoH server is not exposed to direct client IP addresses. This limits the ability of a public DNS server to collect information about clients, and makes it harder to provide targeted responses that can be used for fingerprinting.

ODoH doesn’t in any way affect the connections that a client will make to a web site, in either how the server or the network views the end-to-end IP connection traffic.

Tommy

> On Nov 1, 2021, at 6:11 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> On Mon, Nov 1, 2021 at 12:53 AM Eliot Lear <lear@lear.ch <mailto:lear@lear.ch>> wrote:
> Just for the record, I think this draft leads to a situation where 
> miscreants can hide their tracks.  Section 10.1 of that document is... 
> weak.  This has the potential to leave web sites unable to determine who 
> is attacking them, and also prevents service providers from backtracing 
> such attacks.
> 
> Huh?  If someone is attacking the Web site, they will need to actually send packets
> to the site, which will either (1) contain their IP or (2) will be proxied. In the former
> case, they can determine who is attacking them and in the latter case, they can
> proxy the DNS requests through the proxy and don't need ODoH, which is primarily
> a performance improvement over generic proxying.
> 
> -Ekr
> 
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
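The split that Tommy and Ekr describe (the proxy sees the client's IP but not the DNS query; the target sees the query but only the proxy's IP) is easiest to see by walking a message through both hops. The following is an added example, not code from the thread, from the draft or from any ODoH implementation. It serialises and parses the ObliviousDoHConfigs and ObliviousDoHMessage structures as the draft defines them (the draft was later published as RFC 9230) and runs a constructed client -> proxy -> target exchange, recording what each hop observes. The HPKE encryption of the DNS payload is not implemented (it is not in the Python standard library), so encrypted_message carries constructed opaque bytes; the IPs, hostname, key identifier and public key are likewise constructed.

```python
"""Added example: ODoH wire framing and the per-hop information split.

ObliviousDoHConfigs / ObliviousDoHMessage layout follows the ODoH spec
(draft-pauly-dprive-oblivious-doh, later RFC 9230).  HPKE is NOT implemented;
encrypted_message is filled with constructed bytes.  All IPs, names, keys and
key identifiers below are constructed sample data.
"""
import struct
from dataclasses import dataclass

ODOH_QUERY, ODOH_RESPONSE = 0x01, 0x02   # ObliviousDoHMessage.message_type
CONFIG_VERSION = 0x0001                   # only version the spec defines


def _enc16(b):
    """opaque field<0..2^16-1>: 2-byte big-endian length prefix."""
    if len(b) > 0xFFFF:
        raise ValueError("opaque field exceeds 2^16-1 bytes")
    return struct.pack("!H", len(b)) + b


def _dec16(buf, off):
    """Parse a length-prefixed opaque field at buf[off:]; return (field, new_off)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated opaque field")
    return buf[off:off + n], off + n


@dataclass(frozen=True)
class ODoHConfigContents:
    kem_id: int        # HPKE ids, e.g. 0x0020 = DHKEM(X25519, HKDF-SHA256)
    kdf_id: int        # 0x0001 = HKDF-SHA256
    aead_id: int       # 0x0001 = AES-128-GCM
    public_key: bytes  # target's HPKE public key


def encode_configs(contents):
    """ObliviousDoHConfigs: outer length prefix over (version, length, contents) entries."""
    body = b""
    for c in contents:
        inner = struct.pack("!HHH", c.kem_id, c.kdf_id, c.aead_id) + _enc16(c.public_key)
        body += struct.pack("!HH", CONFIG_VERSION, len(inner)) + inner
    return _enc16(body)


def decode_configs(buf):
    """Return the usable configs; entries with an unknown version are skipped per the spec."""
    body, end = _dec16(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after ObliviousDoHConfigs")
    out, off = [], 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated config header")
        version, length = struct.unpack_from("!HH", body, off)
        off += 4
        inner = body[off:off + length]
        if len(inner) != length:
            raise ValueError("truncated config contents")
        off += length
        if version != CONFIG_VERSION:
            continue                      # client MUST ignore unsupported versions
        if len(inner) < 6:
            raise ValueError("ObliviousDoHConfigContents too short")
        kem, kdf, aead = struct.unpack_from("!HHH", inner, 0)
        pk, pk_end = _dec16(inner, 6)
        if pk_end != len(inner) or not pk:
            raise ValueError("malformed ObliviousDoHConfigContents")
        out.append(ODoHConfigContents(kem, kdf, aead, pk))
    return out


@dataclass(frozen=True)
class ODoHMessage:
    message_type: int        # 0x01 query, 0x02 response
    key_id: bytes            # identifies the target key used; empty in responses
    encrypted_message: bytes # HPKE ciphertext in the real protocol


def encode_message(m):
    return bytes([m.message_type]) + _enc16(m.key_id) + _enc16(m.encrypted_message)


def decode_message(buf):
    if not buf or buf[0] not in (ODOH_QUERY, ODOH_RESPONSE):
        raise ValueError("bad or missing message_type")
    key_id, off = _dec16(buf, 1)
    enc, off = _dec16(buf, off)
    if off != len(buf) or not enc:     # encrypted_message<1..2^16-1> is non-empty
        raise ValueError("malformed ObliviousDoHMessage")
    return ODoHMessage(buf[0], key_id, enc)


class Proxy:
    """Learns the client IP and the target name; never sees the DNS query."""
    def __init__(self, ip, targets):
        self.ip, self.targets, self.log = ip, targets, []

    def forward(self, client_ip, target_host, body):
        decode_message(body)              # refuse anything that is not ODoH framing
        self.log.append({"client_ip": client_ip, "target": target_host, "len": len(body)})
        return self.targets[target_host].handle(self.ip, body)   # target sees proxy IP


class Target:
    """Learns the (encrypted) query and the proxy's IP; never the client IP."""
    def __init__(self):
        self.log = []

    def handle(self, peer_ip, body):
        m = decode_message(body)
        if m.message_type != ODOH_QUERY:
            raise ValueError("target accepts queries only")
        self.log.append({"peer_ip": peer_ip, "key_id": m.key_id.hex()})
        # Real target: HPKE-decrypt m.encrypted_message, resolve, encrypt the answer.
        return encode_message(ODoHMessage(ODOH_RESPONSE, b"", b"\x00" * 32))  # constructed


def run_exchange():
    """Constructed exchange; returns (proxy log, target log, decoded response)."""
    target = Target()
    proxy = Proxy("198.51.100.7", {"odoh.example": target})
    query = ODoHMessage(ODOH_QUERY, b"\x11" * 32, b"\xaa" * 64)   # constructed ciphertext
    resp = proxy.forward("203.0.113.5", "odoh.example", encode_message(query))
    return proxy.log, target.log, decode_message(resp)
```

Running `run_exchange()` shows the partition the thread is about: the proxy's log holds the client address and the target name but only an opaque byte count for the payload, while the target's log holds the key identifier and the proxy's address with no client address anywhere. Note that nothing in this exchange touches the client's subsequent connection to the web site it resolved, which is the point Tommy makes above.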