Re: [alto] Benjamin Kaduk's and Eric Rescorla's Discusses on draft-ietf-alto-xdom-disc-04

Benjamin Kaduk <kaduk@mit.edu> Thu, 31 January 2019 03:59 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: alto@ietfa.amsl.com
Delivered-To: alto@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E04AF130E25; Wed, 30 Jan 2019 19:59:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F11q7Kit1dI1; Wed, 30 Jan 2019 19:59:38 -0800 (PST)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680125.outbound.protection.outlook.com [40.107.68.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB1CB126C7E; Wed, 30 Jan 2019 19:59:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EFI8h/WjI/l3CRyp8DE2dtU5hOi+ukAiJf7PCAvFJh4=; b=cYw1QoMpSEvigfIzmeZBTHEcnjTVfJdR+djz0ZtK//SicT5gFKhJhbmeT2PfLr+/JNrHpMU7Qx3IMrFmjp7Zwu3q15lcZVGhpN48XYwWhmXA5/p8UAn66JXomIYXX5RSDSvFs3zwlJJ17CPcp10wcsx4lHsVceOyRkGBRMocppY=
Received: from MWHPR01CA0043.prod.exchangelabs.com (2603:10b6:300:101::29) by BYAPR01MB4485.prod.exchangelabs.com (2603:10b6:a03:98::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1580.16; Thu, 31 Jan 2019 03:59:34 +0000
Received: from DM3NAM03FT027.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e49::208) by MWHPR01CA0043.outlook.office365.com (2603:10b6:300:101::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1558.17 via Frontend Transport; Thu, 31 Jan 2019 03:59:34 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; kuehlewind.net; dkim=none (message not signed) header.d=none;kuehlewind.net; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by DM3NAM03FT027.mail.protection.outlook.com (10.152.82.190) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1580.10 via Frontend Transport; Thu, 31 Jan 2019 03:59:32 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x0V3xSCe002995 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 30 Jan 2019 22:59:30 -0500
Date: Wed, 30 Jan 2019 21:59:27 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Sebastian Kiesel <ietf-alto@skiesel.de>
CC: Eric Rescorla <ekr@rtfm.com>, <iesg@ietf.org>, <alto-chairs@ietf.org>, <draft-ietf-alto-xdom-disc@ietf.org>, <alto@ietf.org>, <jan.seedorf@hft-stuttgart.de>, <ietf@kuehlewind.net>
Message-ID: <20190131035927.GL49072@kduck.mit.edu>
References: <20190128212820.mgodgtjallw46b2n@gw01.ehlo.wurstkaes.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20190128212820.mgodgtjallw46b2n@gw01.ehlo.wurstkaes.de>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(136003)(39860400002)(346002)(396003)(376002)(2980300002)(199004)(189003)(14444005)(33656002)(561944003)(8936002)(4326008)(53416004)(8676002)(246002)(6246003)(305945005)(46406003)(104016004)(97756001)(23726003)(86362001)(508600001)(55016002)(229853002)(47776003)(26826003)(7696005)(75432002)(16586007)(54906003)(316002)(786003)(426003)(50466002)(186003)(106002)(58126008)(76176011)(106466001)(336012)(356004)(6916009)(88552002)(2906002)(446003)(956004)(6666004)(486006)(126002)(36906005)(476003)(1076003)(11346002)(26005)(18370500001)(60764002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR01MB4485; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; A:1; MX:1;
X-Microsoft-Exchange-Diagnostics: 1; DM3NAM03FT027; 1:onkttPK6WlcczBALWvqKzoAc7iBrVrl3rgm9EqpRPUIQu+9GTNqvokuM+dUcsQur59mL2KHh/ufvL+EpFXrukFFSx6QiZDhhlNAwbmPbbjkPZpwqyc1B66/XLmQ9A+h6AkdbBPwnmnu9CjWBBiyHjw==
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: e0e53475-f481-4754-10c4-08d687308263
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(4608076)(4709027)(2017052603328)(7153060); SRVR:BYAPR01MB4485;
X-Microsoft-Exchange-Diagnostics: 1; BYAPR01MB4485; 3:rtPUfzlGZPptqGxKHZTLDrRq+Uw8s+Qj8cDj6spgVf0vL5GQB9u6Q/NPkpOjVN61ZWFzrcHq847/XTr0mZS33U04wrgevNrU7kss4tRFvID+t188SQDvqoCcIG1C+m0AdCTBsnQCkr9BYcV8kH9x5QXg7gqT8ZWC93Cnm74Ml6u3Be+fc0uoAapY7QNCnP2FSy4tb6jwiWAHmkkpoKsvvamFTKizxpkIJ/N+Pf7KnJnxuqKfteRAiykFmQzGxn1v41I0RDrwiYPDyHQZUsK04Wg6UUYEyZ6+TWCxsu42cLJzwVCJughUnqax1N1S0pGLGX9KFFnVm9S4w2U9PYdM3p5sgl8W/uzW+MYW0Hot6N9gyltzYxPivZK0OFf8JI3n; 25:C7nKE/yhqXua6kNdyNDNUFp7OpdeUeRiysX4ZM4zggnQgnILAZfDzG1SOtk4+bI+75nt8IlMraUGdVQY0ZDSwUM147K42BEkSfR7L3JOUT2bAAb+O0z7MD6oOP4AFaz6JPIDbRXSaHf2kBi2Dcr/TzKJrcF5TXtc0ensRTpaOcdAaxgwBryTedYKQ7QxxPbDMiM0zNPsWNcX0Qt8alShEuMg321Cxrcxu1iyZ798JcZa3AsEgR5lDHa5p36W987+BVdKGG8rTI5HA+ixIEsv3eDaziIqYmuyyOuzMFrjDMulbtmADnyBh6KgSb7TzD+s25usfsHAT+sd2mU1Myp23w==
X-MS-TrafficTypeDiagnostic: BYAPR01MB4485:
X-Microsoft-Exchange-Diagnostics: 1; BYAPR01MB4485; 31:XyJYniwRuW6GuiFHz4p5NiLP+r7En1Daegt53N5TWqGtHKoH5Ihw2j0cqAnCCbS/whURwFkmV3UKkB3HIn1yf3OGp905rL9aiGCoDedxI9EyUL9YERmfChfWuJl4cy4atORO7VpeJwO4UUkulBogpTpboMHk8fBf7mRd0igzfEBfGq7AuIm2zbjgiG2erfhVlBxCc8I59koPaDaDWPM7p/pGfvaTSLRZpv7aLPPQ+gg=; 20:D96kiK1c0C9Sou3qP3PFLBzz5Rj+Qy5JqgDIKwb146Wf4+NsnLeSo6p3GFYrYmMHqBjNqzBzdMV+nBb6rX45ItPGjw6GxFutYlJlsQfSD7tIgJXjoxwZLhh66G/IZ0Uxn4EOlF5DQiF6N84pcaGDvilt4wDP6IevAgJDiDkIUNszZ2JuY76VPg1Yme53CyQ6oR4B7v+P28UYslgNEuKRTcEPDOhTAATcJIi1a2JwkYUtH1/LY3waC0HmFahOhQkmXT1CwJC6uT1HCXSZWcksVG7gU8XmvDqonsZ2qMA92ekJUrq+DDWFIYWhysJhH/hoXcEqD83V4zuxoFPoziXU34i7K1srcRXdJIh9P+FPv7vYLRV1nOSNbm+SBohuwrFSdM3reZO6eBDgpQt5OU5jfnX3yjw50oQRM5vz+EQ18I0y9y1xc3lNcBGq3TtDIOIMDpsLpP4mZ47yG3uZtThDwB0DcX7dzoKTC60eucBGZn3LbfQ1UDeLpdOZdim7IVhUzqWetUqVsOiM75oMxOSN4OxwQQxzynGxHwAbj7VEQ6bVsJdEUd/hu1k4OdPA5MWi+TKCchhBq2/bnTLtPrOXS58QlZHrIjhbqk7JAoabHj8=
X-Microsoft-Antispam-PRVS: <BYAPR01MB44850BD864FDEA9C49820DAEA0910@BYAPR01MB4485.prod.exchangelabs.com>
X-Microsoft-Exchange-Diagnostics: 1; BYAPR01MB4485; 4:6p2t/DXwIebOQq5aUzs4EAei5Pzo/CseLPlAdbZ9vw6Wf4FN2Pzi7yv970bAaOSDIyBd2xLr7Sfya/Cos0vidWdcox5a5l4Yt72e9dMBkn3Tt1d+X+VFN4oRsGap4O4NM6vYr/YZVbo2/NugXKB8hdcIAHqZOrPFs1H+7W21VbSBZ4U+ZP8bVE3Lk/TmjR6wVaze+JwEqA/uGkd9khjfTDC9QRVzfwGDjPtTk/Ac588UZWuD7wTAdrT9ueMRoNK5S/7jVcS9HZRUHUfxpWWC4IhAA5Y6Gu2I1Twu8VExp+ddR8h1bfFxvfa7opa8ZPDJ
X-Forefront-PRVS: 09347618C4
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BYAPR01MB4485; 23:uteZj9KdF+5Rkybs2/wFQd6mi3YOHsmUwGEoZ01+d?= =?us-ascii?Q?GNX6Trmw4DKEAa2qlsTRikVx9z8DJDnG28OR2ACLIu5ZKXntO9XqPrN8R3vw?= =?us-ascii?Q?Itwg/Bsu+n8cB9lQ0FQSYmAJq11TC3K+L2LZSVzLOYk2TCPTC13Ve3VaasWe?= =?us-ascii?Q?lrJiayZNZxqE3nhO39wsGVRp7HWB5HjVoOM0XhEGosb7FkFUYokCM5TzIr8q?= =?us-ascii?Q?hzmgjwlU+KpSQMVZBNBb+FG2dZGoaDQ0xO0FcUW4rB7nO5nIR9yl7WCIcjVg?= =?us-ascii?Q?xLpiyoN3I9OVl1lYh+z+eZlgPTKoUQhFbDBVZEuGgzExdTftXUHOFMzoovNl?= =?us-ascii?Q?rf/WPHl15aU+BZs8ABT/IeuvzsTO/u0yUA32d/G2rvOrsTV6ZkYQDvXLMlBF?= =?us-ascii?Q?ny+VYTo3uL3lEioTxqS/3FWCkcfiRJawcoBPLaJjOzI7eIHox7hePbczWuE7?= =?us-ascii?Q?4uyL448Q+qKPNlZMRv55CiqJu69IfLwUpZcn53Vv6MluBAhCeAodf6xmfzXX?= =?us-ascii?Q?4BFaWNRUX6dA9JyeTnq/6DyhPoNT9aqgdBgCNgbnKhA99GgLOOoFi9lVcM0U?= =?us-ascii?Q?0KMLnmWOfm1hwVxT1/Ja6ZjRsn/Ps4Ko58T1FTrgMK0qfjxTicy2uFQNDH/R?= =?us-ascii?Q?2SE9tnq1xdZiLFphHU7tVWPyXapJ5lrdi4+mCg8au5PU/q7VCq4zJ8KA9+7Y?= =?us-ascii?Q?IzhLfI/4JPR9XVWmaR1ApXBS2VR+cEs4SUapyTnz12O7evWwBq07uwsFlPLC?= =?us-ascii?Q?H09nx5N2EI5hCbXoiS7KWaXkcaxLMwVMdvjk3IVwag8WcqY9pVPQJS9MY3Mq?= =?us-ascii?Q?SbSa9t0ZjqNMF+fPmAwQ7TyjwgKOp8lXO4voqQZa6datoSBjc3qGYaSjFDLR?= =?us-ascii?Q?V5fb9JKlyZbmGvU8MXp6vC711jCrEnOXs2rFIbl3kQF9H61iGUMpL2TlS74W?= =?us-ascii?Q?z9VwBVBsOY86vtiKDlcP0NLHdlu3RgGdPwMUh50fbouroPqa3bRoQ4fV9vf+?= =?us-ascii?Q?oXBku9S8jbIef54yR5SxdrH8DLuR+ePkY6EIgRWsPPibSYr87+ojLX3fD75g?= =?us-ascii?Q?o5tfs6MAJQyNDEJv1vvAr7kYk5JZJt1MPZUl+3HEgJIpCwjLgCCFdIwuh+qB?= =?us-ascii?Q?sdk0cOMGYkMAZXmyXOphD32UZqtS2FzO9my2ebEsfJQeStIzP17JbdLosp2v?= =?us-ascii?Q?9YMjtrLUpcfT6CuCLeTbOUtGlEY2fsx63G0exHWfQ1lpLcKYGol8GvbvGxjV?= =?us-ascii?Q?UTuIupiQy2Z7xo159fchqBv8z8uLMIVFRIsBHHr?=
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: P0yxv4lvuZVeqkjtdybud9MPdSwDUOq/Ogg6sAbavkYu2VA5E/e9/NgjCLjGgiF65sBbMCCPHb60uEEE1VNR8fBJhx0dUWkpLP+0jzQ3gOmVWSLgNZfbw3nF3gxpU76agjZ4WmjxtvppaTIz64GMF7tTZ9lQlbol/qzhTQdzsCGxSVdNXP1BiSP7dksgyHEvfXvgGGrH/jUhgUukvAwh9EqnTo084Lf/5xN7UVTmAwJN7nxKvRZqj+TvMQvtBF03Ps17ulxILwDIL0QPvHW/tp2wDSuvAow+MnZ0mNd1jhO/uLYtIz3zIYL2kw5wTTrC3THrs2OpgRGnT3V9DcV45QtkF81LW6MzM5iheRo7K/FFP983k5PXTaz1LzAv0XxI4YA6Ya/f1Psim1Pzu6F6mUXt4MviL2qQpszS49PILSw=
X-Microsoft-Exchange-Diagnostics: 1; BYAPR01MB4485; 6:eprtD4Bfu34MyGUbl+2/KVD6Y7E/wFandm52jOD/FmRv2nial1bMGzG700BkkOxY3Zyhnf5wJLH1i+yIWERIKJbHl1R0/269jWwKvd9cAgVUT7K3HL2GZVThKS6skkYeLGLk7zxP7XR4iE3rFuBuo9u2ki7wDtWHzhBp1kK4aEh+yDQ/Rr0ra2T9ul7Y/EsxzyFiU6sJ3vbMY7cSIFA0toXiH6o6Mli1tGAuggIF0e7TFfmP5FXyYhB0gTr0AWq9MOz5Ik6GC92aVnx2VA5DXZHR0Ud0Eg6S7cEJxtslNrW/M+C8YQNQkHKTg+wM+w4U/errn+chLtvNxOMPTCMG1cAhTTvAKez5M3LGSurdA67h7QR7zKIS3f1xrU+EYTbvdRyI4YW/qQ/w9XqrYE0N6Pc/BPjU1102s0wWgzASAQCoqMyFO1LiEneLZPNlQkxRTmjOXZA+ww+Dje9KBrsiWw==; 5:4ji4WP59TbIt28fOHaqeGqOAr+ysIhPe/78sHyCfg9P2x3EbRX+QAmmadMBbh5RkToY5hvhG2aPnkrt/NJYu2Q+MhzqVuCIalyMOHeM8xGSCl7OnvyNXpZzwViAib5gAuotUWJ7kD1oV2CjgHyCszIr1jYgW43ohj677dVyW2jTwz07jSZhMCCoxKMcRhGvZRi5SLHSLUids+FIhU4Tn1w==; 7:bHi2tmvIG+5o8VxYZA9ToLZYEMOBxfk323MkrHPJhZ2MKkL/AzmYbduWwMBQRqyAzHd1YAU6+VRPJcnEzrqz78EP+uksAsPGevip73TSYLA72Ha2iGwmWabXd2z/J0TuMV8LfT5Q4nTYxeYsa0HmWQ==
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Jan 2019 03:59:32.9249 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e0e53475-f481-4754-10c4-08d687308263
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR01MB4485
Archived-At: <https://mailarchive.ietf.org/arch/msg/alto/9pyX46WqneY-IKiqdatks5RDXDM>
Subject: Re: [alto] Benjamin Kaduk's and Eric Rescorla's Discusses on draft-ietf-alto-xdom-disc-04
X-BeenThere: alto@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Application-Layer Traffic Optimization \(alto\) WG mailing list" <alto.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/alto>, <mailto:alto-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/alto/>
List-Post: <mailto:alto@ietf.org>
List-Help: <mailto:alto-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/alto>, <mailto:alto-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jan 2019 03:59:41 -0000

Hi Sebastian,

On Mon, Jan 28, 2019 at 10:28:20PM +0100, Sebastian Kiesel wrote:
> Hi Benjamin and Eric,
> 
> both of you have entered a Discuss on draft-ietf-alto-xdom-disc-04,
> because the current version of the document does not make usage of
> DNSSEC mandatory (and because of further issues, which we will address
> in separate mails, respectively).  However, we (the authors) believe
> that the two positions are not completely aligned.  After internal
> discussion and consultations with our AD we propose the following change
> regarding the use of DNSSEC (for a complete new version of sec. 6.1
> please see at the end of this mail):
> 
> 
>     All implementations of the cross-
>     domain ALTO server discovery procedure MUST support DNSSEC or be
>     able to use of such functionality in the underlying operating
>     system.  Network operators that publish U-NAPTR resource records
>     to be used for the cross-domain ALTO server discovery procedure
>     SHOULD use DNSSEC to protect their subdomains of in-addr.arpa.
>     and/or ip6.arpa., respectively.

While that is sound advice, and we cannot realistically make stronger
mandates to use DNSSEC, I don't think it fully captures the extent of at
least my DISCUSS.  (Perhaps this falls into the "further issues" that will
be addressed separately?  Let me know if that's the case.)

In particular, I want to be sure that DNSSEC is available as a realistic
option in all possible ALTO deployments.  There are two prongs to this --
availability of DNSSEC in the reverse zone for private-use addresses (my
final DISCUSS point), and reliance on third parties for DNSSEC in the
reverse zone (my penultimate point).

To illustrate the latter with an example, at home, my residential ISP gives
me an IP address via DHCP.  My ISP does not give me an interface to adjust
the entries for my address in its reverse zone, and while my particular ISP
does appear to sign the reverse zone, can we guarantee that all such ISPs
will do so?  I do not have leverage against my ISP to make them offer me a
way to create NAPTR records for my assigned IP address (e.g., since I have
to use DHCP and am not contracted for a fixed IP allocation), so ALTO
cross-domain discovery would not be usable for me at home if I was running
a service that would merit it (which would, of course, be forbidden by my
terms of service anyway).  By publishing this document, we are in effect
making a claim that the availability both of DNSSEC for the reverse zone by
transit providers, and the availability of interfaces to allow insertion of
(NAPTR) records into the reverse zone by those same transit providers, is
sufficently well advanced that it will be usable for a large fraction of
the ALTO target audience.  It's not clear to me what grounds we have to
support such a claim, and that's what I'm trying to get at with my
penultimate DISCUSS point.  Part of this will depend on what exactly the
ALTO target audience is, of course, and consequently the ISPs they are
likely to be using.

Does that help clarify my thinking?

Thanks,

Benjamin

> 
> Would that proposal address your concerns adequately?
> 
> Thanks
> Sebastian
> 
> 
> 
> ----- Begin proposal for new section 6.1 -----
> 
> 6.1.  Integrity of the ALTO Server's URI
> 
>    Scenario Description
>       An attacker could compromise the ALTO server discovery procedure
>       or the underlying infrastructure in a way that ALTO clients would
>       discover a "wrong" ALTO server URI.
> 
>    Threat Discussion
>       The cross-domain ALTO server discovery procedure relies on a
>       series of DNS lookups, in order to produce one or more URI(s).  If
>       an attacker was able to modify or spoof any of the DNS records,
>       the resulting URI(s) could be replaced by forged URI(s).  This is
>       probably the most serious security concern related to ALTO server
>       discovery.  The discovered "wrong" ALTO server might not be able
>       to give guidance to a given ALTO client at all, or it might give
>       suboptimal or forged information.  In the latter case, an attacker
>       could try to use ALTO to affect the traffic distribution in the
>       network or the performance of applications (see also Section 15.1.
>       of [RFC7285]).  Furthermore, a hostile ALTO server could threaten
>       user privacy (see also Section 5.2.1, case (5a) in [RFC6708]).
> 
>    Protection Strategies and Mechanisms
>       The application of DNS security (DNSSEC) [RFC4033] provides a
>       means to detect and avert attacks that rely on modification of the
>       DNS records while in transit.  All implementations of the cross-
>       domain ALTO server discovery procedure MUST support DNSSEC or be
>       able to use of such functionality in the underlying operating
>       system.  Network operators that publish U-NAPTR resource records
>       to be used for the cross-domain ALTO server discovery procedure
>       SHOULD use DNSSEC to protect their subdomains of in-addr.arpa.
>       and/or ip6.arpa., respectively.  Additional operational
>       precautions for safely operating the DNS infrastructure are
>       required in order to ensure that name servers do not sign forged
>       (or otherwise "wrong") resource records.  Security considerations
>       specific to U-NAPTR are described in more detail in [RFC4848].
> 
>       In addition to active protection mechanisms, users and network
>       operators can monitor application performance and network traffic
>       patterns for poor performance or abnormalities.  If it turns out
>       that relying on the guidance of a specific ALTO server does not
>       result in better-than-random results, the usage of the ALTO server
>       may be discontinued (see also Section 15.2 of [RFC7285]).
> 
>    Note
>       The cross-domain ALTO server discovery procedure finishes
>       successfully when it has discovered one or more URI(s).  Once an
>       ALTO server's URI has been discovered and the communication
>       between the ALTO client and the ALTO server starts, the security
>       threats and protection mechanisms discussed in the ALTO protocol
>       specification [RFC7285] apply.
> 
>       A threat related to the one considered above is the impersonation
>       of an ALTO server after its correct URI has been discovered.  This
>       threat and protection strategies are discussed in Section 15.1 of
>       [RFC7285].  The ALTO protocol's primary mechanism for protecting
>       integrity (and confidentiality) is the use of HTTPS-based
>       transport, i.e., HTTP over TLS [RFC2818].  Typically, when the
>       URI's host component is a host name, a further DNS lookup is
>       needed to map it to an IP address, before the communication with
>       the server can begin.  This last DNS lookup (for A or AAAA
>       resource records) does not necessarily have to be protected by
>       DNSSEC, as the server identity checks specified in [RFC2818] are
>       able to detect DNS spoofing or similar attacks, after the
>       connection to the (possibly wrong) host has been established.
>       However, this validation based on the server certificate can only
>       protect the steps that occur after the server URI has been
>       discovered.  It cannot detect attacks against the authenticity of
>       the U-NAPTR lookups needed for the cross-domain ALTO server
>       discovery procedure, and therefore, these resource records have to
>       be secured using DNSSEC.
> 
> ----- End proposal for new section 6.1 -----