IETF Logo Mail Archive

Re: [Add] Authentication Sub-topics for Tuesday Interim (homework for Tuesday's meeting)

"Deen, Glenn" <Glenn_Deen@comcast.com> Tue, 15 September 2020 04:02 UTC

Return-Path: <Glenn_Deen@comcast.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 449A93A0B86 for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 21:02:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.018
X-Spam-Level:
X-Spam-Status: No, score=-2.018 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.com header.b=icCrmnen; dkim=pass (2048-bit key) header.d=comcast.com header.b=rcip139s; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=comcastcorp.onmicrosoft.com header.b=BGfzdiDO
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9q0dZz1ICRRY for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 21:02:53 -0700 (PDT)
Received: from mx0b-00143702.pphosted.com (mx0b-00143702.pphosted.com [148.163.141.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A2523A0B8A for <add@ietf.org>; Mon, 14 Sep 2020 21:02:49 -0700 (PDT)
Received: from pps.filterd (m0156894.ppops.net [127.0.0.1]) by mx0b-00143702.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 08F40D2u016779 for <add@ietf.org>; Tue, 15 Sep 2020 00:02:48 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.com; h=from : to : cc : subject : date : message-id : content-type : mime-version; s=20190412; bh=QBNyb1guqahcBC+Pz3E7oVcuZ4Cq/GsH9bIL/24Ey40=; b=icCrmnenE3yZ8UVEUrNJ4yPm2ElXSAGi5j1CPSCcgKUj4FWfDL4zJL3DyfXPbvNUAKlC t0KMkQM7Y3BWNv0CqECDhUPzj4qcebBTpFJMSyTylHqNU2BzcKBqeD/r9d2aSsSBdUq+ r5078Y3tA7UWZh5JS6U/RCp9lJ5slAzSyZc1R7VKBnCR+JpfqLsE9zkhyDReHd98BPhw IYds4/7gQ+ND3VAK58OHLC8pFn2jGyNZWT3ofcDgtUCj0PI1PlcmjveRIu4RN5ixxoGH ICLbmf96rPOdktd5PYAbcU862ZQ4Ffz7eJerjZ40pvnqqlPFcV8q8eTjc8P7yZDfHUIw Qw==
Received: from pacdcmhout02.cable.comcast.com (pacdcmhout02.cable.comcast.com [68.87.96.15]) by mx0b-00143702.pphosted.com with ESMTP id 33gu6t4yk9-76 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <add@ietf.org>; Tue, 15 Sep 2020 00:02:48 -0400
DKIM-Signature: v=1; a=rsa-sha256; d=comcast.com; s=20190412; c=relaxed/simple; q=dns/txt; i=@comcast.com; t=1600142567; x=2464056167; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=QBNyb1guqahcBC+Pz3E7oVcuZ4Cq/GsH9bIL/24Ey40=; b=rcip139sZnLAVW97lEPdTAaLufVjAnP/Z1zW87+N3F3BwDuU3w+2Ecjnz+rLeLh8 TYL/MocNnf+wiwJ76dMJKCWkiQU4QZHokA8emOjcmXHB1obpdYDdUROdberEsil0 dIxLt+OoZCQez/M5PrTZ8syB2HXfT61pirzVXNLsz4qJncRHyXiAMnhOirJjkYsf s5FDvxGreGmyxrfqB+nIdkhyn/RtxWyTw7YXp+f/PF9dAjcsMzNf03woH5HyctCv u9553FlQrhz5MSqFgrmSZMbk/dFDFQPMZLNraFP9St7Kpr3v287o+Lc9Ocno4OTJ WNS+fIUkyzemlu0ML41ZCQ==;
X-AuditID: 4457600f-f27ff70000005543-94-5f603ce741bf
Received: from PACDCEX14.cable.comcast.com (cas-umc02.ndceast.pa.bo.comcast.net [68.87.34.28]) (using TLS with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (Client did not present a certificate) by pacdcmhout02.cable.comcast.com (SMTP Gateway) with SMTP id 7F.05.21827.7EC306F5; Tue, 15 Sep 2020 00:02:47 -0400 (EDT)
Received: from PACDCEX41.cable.comcast.com (24.40.2.140) by PACDCEX14.cable.comcast.com (24.40.1.137) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 15 Sep 2020 00:02:46 -0400
Received: from PACDCEXEDGE01.cable.comcast.com (76.96.78.71) by PACDCEX41.cable.comcast.com (24.40.2.140) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 15 Sep 2020 00:02:46 -0400
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (104.47.58.101) by webmail.comcast.com (76.96.78.71) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 15 Sep 2020 00:02:04 -0400
Received: from BYAPR11MB3111.namprd11.prod.outlook.com (2603:10b6:a03:90::25) by BY5PR11MB4243.namprd11.prod.outlook.com (2603:10b6:a03:1c8::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.16; Tue, 15 Sep 2020 04:02:03 +0000
Received: from BYAPR11MB3111.namprd11.prod.outlook.com ([fe80::8d9c:967e:e40:2000]) by BYAPR11MB3111.namprd11.prod.outlook.com ([fe80::8d9c:967e:e40:2000%6]) with mapi id 15.20.3370.019; Tue, 15 Sep 2020 04:02:03 +0000
From: "Deen, Glenn" <Glenn_Deen@comcast.com>
To: Tommy Pauly <tpauly@apple.com>, Eric Rescorla <ekr@rtfm.com>
CC: ADD Mailing list <add@ietf.org>, "Deen, Glenn" <Glenn_Deen@comcast.com>
Thread-Topic: [Add] Authentication Sub-topics for Tuesday Interim (homework for Tuesday's meeting)
Thread-Index: AQHWixT3l9UPipr2uUSURL7qaplxFQ==
Date: Tue, 15 Sep 2020 04:02:02 +0000
Message-ID: <19632722-0FF7-497B-B836-ACFEF3D998C8@comcast.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: apple.com; dkim=none (message not signed) header.d=none;apple.com; dmarc=none action=none header.from=comcast.com;
x-originating-ip: [2605:e000:141b:121:ec20:4909:1ef:3b32]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d8528b12-89b6-4536-ab7f-08d8592c1a9f
x-ms-traffictypediagnostic: BY5PR11MB4243:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BY5PR11MB42436A6F328359FC25032CB6EA200@BY5PR11MB4243.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: mOGdQ7MlA25O6ioCCICzTXoeanumpEhdK633b2me4ia712wWf0dJGkZ2TiCquKuraNq5uuyQk3K7BglnC7ckf+6uOk//CDGp9d7ofG34I9AZVWgDwwRC7LnQn8HT8ThDNDhXoaWMgaQuMH4KE69XMXshSN/Z2OglAc9d5jQHfZxuxtQI9HRXxtg2YwaZ3GB9YVWv8vEt8pXGuO6I2dLpOevJQfMDtBK21ae3F5/ArYgyXbvSEmMCJQ53xfsH0eJ9Ek2TpTypGfoF+rbEvRx7X2toBHbnZpWMtODjN1kGyujaQoosjTPTDWT0LwqhTHCWtnWfgiuh9LM2XCODoye+BA+AJ59H972lTcXqfdgfYMxj2UJaUkC+M2Vrl0NQGJGNhj4Dypv+stc8ewc249xPyg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR11MB3111.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(396003)(376002)(39860400002)(366004)(346002)(316002)(2906002)(86362001)(66476007)(76116006)(66574015)(71200400001)(66556008)(64756008)(66446008)(66946007)(53546011)(6506007)(966005)(166002)(83380400001)(186003)(110136005)(54906003)(36756003)(4326008)(8936002)(478600001)(33656002)(2616005)(107886003)(8676002)(6486002)(5660300002)(6512007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: QBolWd8vlo988uIfMN5EqYaet/EwGlcp5r1gCWuuJTgArAFsosgfW3H/lxTKv3xt8Maaj6wLlL3a3iJh99LNYkFO71FgtwDWX6deYaulCLrRYS1IaK0m9XWB+HELAEYqgYSBLvhsBdmjh5JPo0Q9bb0h7d630Q6neOMjCi73hWk4iwJZUsi0Cm5eYXJ1Xw13N8bYGbobWjBLCVdegcAqBbBvYYQ1pDgRxeluFQqJt2SJnpE6bZ8OiBOEu725aR4M6tYe9Q4Nnomclq8A4kdHcnOTIgg0OF+K9L+0hbOS/t9byrZcI/3o8s90ofxrrmkGomawUIQKfRdNKLtl5CEzZcTgFdI4RGo9nD+l7jjuQLIfSeqrRXpYWVPG5bGl1GWgHPyT8ertWFsxbEZVlcOQU0LWfjM7td0ujD7fWvkzdAg4d33zRaParJejdB1cTiwRBk6wcHAgHH1u3FCwMzLi1T1S3GaE2y+TCJOdCjXL+75vjylb5viWHg+3M3YFAtuT58wm8M18Cb9F9BAPqOMKCyUtvtjQ/9c5tcJmlIB3nivsy7dTpw1TBH2MXtsSXWftKIjJJFnMiBzo9SmVafMnaZqzXSNmZOtr9whNl/ROph5qTM1f3rWuJ8RMx9xrFR9OxPoWn9FnBxTGlAGKNpfbzPDruuh91ipQhEPUtXsxtSmqsxql+dBK+ls9FHsuJyfsKqtoJKPJpZkfB2EqN0X3VA==
arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FqlL9YRKzuHaZglYYe7yazKafF93HWYPVZUj8BGXOZ9T0q0Q5fNRE9HZl5SURlQn2tmRyvMaf1JRYDpcFp0rXgDxTYwxzQlSaeL9bucda3e+K6Il2SN1Ca3zVy6LCrsdgxkuC/r0okXDwCbtjPxHqd0mKnxRLKG4MyElg0SMyqHUhJI+ulG45EISX/GfIRwcuGzBV6luKU/Oyg83pSr2jl4O97HmtpfrYqkYeplvHSemxa5EPWxuJDt6gYqskOZs7oeh15hvEAEBjmaJQB1mzwjSlVuw+InjIGYR2pxuqGGAcTIjhCBixgx+nd3spaq32+j8W6mOULwh0ecPAtgPyQ==
arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/HAUJYTNWWQgcdDCOrK28VcRRLOaoeCHmMhC0Amvdv0=; b=e2YC8NGRbDKRoBSF52q8JaCer5Ouc5FfDSVvoTsxRm7SSD5JMSlQHo7wYaE7RlMHIP850gMfRAdbtMLUYJcAGgzBKI03++cKkvgn/QaRywhs6vxk8KHTyNwU95cO/Cp6B3h/rizp/OJpQ8lvayYc66xbRdDao+VbLlqBwZwm6elE3eeDMdtuJd2gvFeCuDhw2MUyKH9q5Xa+ks9NamcHKQj9EwBfuiMJ66LeHEIyyOYkq0KQiRJdsW5p3eNLZ1E3e/bEl84Ft+Nd/ShGSKKJXj8Mr5FgOoJIBuCIF4vLIjmAmYNZfaFKrKUk1hTYIjX3w6dG1SzRdxtZ7cPO75Fscg==
arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=comcast.com; dmarc=pass action=none header.from=comcast.com; dkim=pass header.d=comcast.com; arc=none
dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcastcorp.onmicrosoft.com; s=selector1-comcastcorp-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/HAUJYTNWWQgcdDCOrK28VcRRLOaoeCHmMhC0Amvdv0=; b=BGfzdiDOUgtUiARcUYBfEG1fXozRWNEFC+g0tvABzTWqOlovCre1PpECphInlT7dLKiNbyYxIiohNK46nwxjwcbuoapKrzGEAx+zAzqkRvAnnbqf5Cp/6jWh8O/0yUmICNuJhQhe5N8f0BKwIyqGSRhTjT8PjpjNJTj4f2lA8V4=
x-ms-exchange-crosstenant-authas: Internal
x-ms-exchange-crosstenant-authsource: BYAPR11MB3111.namprd11.prod.outlook.com
x-ms-exchange-crosstenant-network-message-id: d8528b12-89b6-4536-ab7f-08d8592c1a9f
x-ms-exchange-crosstenant-originalarrivaltime: 15 Sep 2020 04:02:02.6042 (UTC)
x-ms-exchange-crosstenant-fromentityheader: Hosted
x-ms-exchange-crosstenant-id: 906aefe9-76a7-4f65-b82d-5ec20775d5aa
x-ms-exchange-crosstenant-mailboxtype: HOSTED
x-ms-exchange-crosstenant-userprincipalname: D7OgvHGUFTPl3rhMrXmWSmgMVy4BPeNP/7Ffim7Ix/G+gJqi0LQZV56fTIhXSovCf93HzXEjzxw+7bqUhWhcbg4eD7Anrqqm1P9yh12+10E=
x-ms-exchange-transport-crosstenantheadersstamped: BY5PR11MB4243
x-originatororg: comcast.com
Content-Type: multipart/alternative; boundary="_000_196327220FF7497BB836ACFEF3D998C8comcastcom_"
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-Brightmail-Tracker: H4sIAAAAAAAAA02Se0hTcRTH+e3ezWs5+rVST2pilx4mTt3wsZWv0GgVo0TIEGLe9JaibjYf aSRMUxPN1Aya2ksQU9EUxQcaaVbiI4pMRUtKUXyGEGrNQmvzLvC/z/fwPef8zvkdihDlCuyo GHUSq1UzcbRgBxkcRjuI53wjVB4Gvavs7+Bzgax66b2FrLjvFT+QULT0GwSKysp1nqJkOoc4 T4QH+UazTBSrdWLVkZqoGPVVP/p06DmxTOYlF0toJzUTz/rRF8WhylPik+orGm0kSzulMHHJ xqhGnaBl42l3/4ig6NaBMTJhJIuX+r2+hq9D8xsoD1lSgD3h8WofmYd2UCL8hgfds22IEx0I 6n7fIzgxgmCxOsssehHcWmoxi0oeTC9XCzgxiaCpZswoKEqAXaG1OcDUZC8OhPHxbJ6JCXwW DIWZW7wHR0L76BrBeaJg8WUrn2M36KowWJiYxIdgNKeRbyopxP7Q/ZI0hRG2gV8DdeaStvB5 5gmPmwdD5YsPBMfWsDC9uZVqjd1h8Wuw6ZUI30HwpaRZwHnk0KjPMe9iPww9yTezEgpWhi04 doHVgVLCVAfwQdjsSePCsdBbXmi2H4GsH4/5HDtCbcEUybEDTI61bW0HcCcB7/QLPE7cJeHn 2wmyCEnLts3A8WUYXK4QmFiId0N/6QxZZuxN4KPQ0OHOWQ7A/fwpC46dIfvhIzMroLhoFm33 PEVULdrpLXOT+bjJvd0kXk1o6wojdrWjtw8UPQhTiLYSjvtEqER8JiUxLb4HAUXQe4XdGSqV SBjFpN1gtRqVNjmOTexBXsYvKSbsrCM1xptWJ6kkXnK5j6dMLpFKfDxoW+HBE+EqEb7KJLGx LJvAav/n8ShLOx06nrmvXqmsDpydmaeY1GKYbBtfP0S2rF37Y7/7tJXDpr3N0/mQVsehquHC /NfSb3NZZ/w/+uV26ZRTndePvRJfuNxQV1djZzmZoZtvd+3TVXVKywMSsqMvfUqfmB5K9Qt7 TXYPhMvT8TPysKGXvq3vFOJ6pwMPDRsSqfPNENcVmkyMZiQuhDaR+QcvxW5GmwMAAA==
X-SMG-Enforce: onprem
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-09-15_03:2020-09-14, 2020-09-15 signatures=0
X-Proofpoint-Spam-Reason: safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/xsMSXTzY8hpQoiva9E3Hlf0fT6A>
Subject: Re: [Add] Authentication Sub-topics for Tuesday Interim (homework for Tuesday's meeting)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2020 04:03:01 -0000

Tommy,

There’s a number of interesting points you raise here,

As they say on the Jeopardy gameshow on TV,  Can you please phase these each in the form a question  - or at least a requirement that solutions can be evaluated against?


Regards
Glenn

On 9/14/20, 7:48 PM, "Tommy Pauly" <tpauly@apple.com<mailto:tpauly@apple.com>> wrote:

Hi Ekr,

Some thoughts in response, prior to the meeting (so I don’t forget due to the early hour):

My sense is that we need to look at attackers that are limited to not being able to act as the network provider or router themselves—specifically, assume the attacker is not the one providing DHCP or sending RAs. If we consider such an attacker who can spoof or inject packets to a client, I think there are some security benefits that a discovery can provide.

If what I want to discover is a DoH resolver that is equivalent to the Do53 address I already know (maybe by DHCP, maybe something else), I’d want a mechanism to guarantee that:
a) I’m no worse off sending my queries to the DoH server (I trust it just as much as I did the Do53 resolver, however much that was based on my provisioning mechanism)
b) My queries cannot now be modified or observed by other entities on my network or path

I think this much is doable in some deployment models. For example, using a model like Comcast’s DoH deployment, if the DoH server’s TLS cert includes in its SAN list the address of the Do53 resolver provisioned by the network, I think we’d get the two benefits listed above. (This is what Tommy Jensen proposed in https://www.ietf.org/id/draft-pauly-add-resolver-discovery-01.html#name-discovery-of-doh-capabiliti<https://urldefense.com/v3/__https:/www.ietf.org/id/draft-pauly-add-resolver-discovery-01.html*name-discovery-of-doh-capabiliti__;Iw!!CQl3mcHX2A!Xmr8G5GK6rB29BarFUTf01NwhCe0ncVvDbZruCRLN1yJ5WtI_W7tyyXzLcZqohWf1A$>)

The set of resolvers that are accepted in this manner could also be restricted to a known list or a publicly available list if we want the additional guarantee that a given resolver is “official” and not just some server that managed to get a cert that covered a particular address.

What might not be possible, on the other hand, is to usefully authenticate a deployment model where the resolver or forwarder is some private/local address that’s running on a router itself–unless this is a managed network or managed device that has some out of band mechanism to trust or configure resolvers (at which point we don’t need discovery mechanisms). I think the case of trying to find an equivalent and trusted resolver to the one running on 10.0.0.1 on my router ends up being indistinguishable from an attack scenario. But these scenarios likely aren’t worth solving this way anyhow—if the DoH server isn’t on my router itself, but hosted in the ISP network, the network would do better to provision the address of that ISP server instead of a local address; and if I really have a DoH server running locally, the router would presumably be able to upgrade to be able to provision the DoH information directly in DHCP/RA/PvD.

Best,
Tommy


On Sep 13, 2020, at 4:21 PM, Eric Rescorla <ekr@rtfm.com> wrote:
(1) What capabilities are we going to assume an attacker has in the local discovery model? Do we have *any* candidate design which does anything useful in those circumstances? If so, what does that design do?
(2) Do we have any secure way to tell clients which resolver the network wants them to use?
(3) Assuming that we had a secure way to tell clients which resolver the network wanted them to use, what would we want to say there?

Spoiler alert: I have opinions on the answers to these questions, but that seems like a topic for the interim.

-Ekr



On Fri, Sep 11, 2020 at 11:51 AM Deen, Glenn <Glenn_Deen@comcast.com<mailto:Glenn_Deen@comcast.com>> wrote:
Hi ADD,

Authentication clearly has emerged as a topic important to the group.   It showed up during the ADD Interim on Sept 10th in both comments and in jabber. Prior to that It has shown up in  drafts, list traffic and GitHub issues.      Coming out of the Interim yesterday it was proposed as the starting topic for the next interim on Tuesday Sept 15.

To help focus and facilitate productive conversation the chairs would like to ask for the group’s help in breaking down the topic of authentication into sub-topics for Tuesday’s interim session.

Here’s a small homework assignment for the next couple of days to help set the Interim agenda:  We ask that ADD participants please take a few minutes and post to this list thread authentication sub-topics you’d like to cover.

To get you thinking on the question,  consider that authentication has come up in a variety of ADD discussions:

      (1) Topic:  the question of can DHCP play a role in discovery which has resulted in many saying “No” since it isn’t authenticated;
      (2) Topic:  the question of authentication’s role in resolver discovery and validation;
      (3) Topic:  the question of authentication to enable identification of resolvers that are associated or affiliated with one another or an organization
      ….


This list is by no means complete and is meant to illustrate a few of the places and contexts the topic of “Authentication” has popped up recently.

Please share what authentication topic, scenario, role, need you believe the ADD group should spend time discussing on the Tuesday agenda.

Please limit discussion on this particular thread to only sharing what authentication sub-topic aspect you’d like to see discussed and not expand into a discussion of the sub-topics themselves.   Yes this all interesting stuff, but the thread can quickly become overwhelming for readers to follow.

So limit, for now, responses to what you’d like to discuss – not the actual technical discussion.

Also, this may prompt some responders to feel like now it is a good time to stray into policy discussions.   Please try to self-regulate and not go there.    ADD is limited to technical mechanisms to do discovery and a means to convey information about the discovered resolvers – and the discussion needs to stay withing those boundaries.

Regards
Glenn Deen & David Lawrence – ADD Chairs
--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/add__;!!CQl3mcHX2A!Xmr8G5GK6rB29BarFUTf01NwhCe0ncVvDbZruCRLN1yJ5WtI_W7tyyXzLcan2Y3raA$>
--
Add mailing list
Add@ietf.org
https://www.ietf.org/mailman/listinfo/add<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/add__;!!CQl3mcHX2A!Xmr8G5GK6rB29BarFUTf01NwhCe0ncVvDbZruCRLN1yJ5WtI_W7tyyXzLcan2Y3raA$>

v2.23.0 | Report a Bug | By Email