Re: [dane] IPSECA

"Osterweil, Eric" <eosterweil@verisign.com> Wed, 25 March 2015 15:56 UTC

From: "Osterweil, Eric" <eosterweil@verisign.com>
To: James Cloos <cloos@jhcloos.com>
Date: Wed, 25 Mar 2015 15:55:56 +0000
Message-ID: <467C27BF-19FD-4409-A44E-C9A9652B024C@verisign.com>
References: <9735F7C2-D87A-4A33-9302-49C54A644EDA@verisign.com> <m3pp7xf5lu.fsf@carbon.jhcloos.org>
In-Reply-To: <m3pp7xf5lu.fsf@carbon.jhcloos.org>
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] IPSECA

On Mar 25, 2015, at 10:40 AM, James Cloos <cloos@jhcloos.com> wrote:

> I support the wg adopting this draft.
> 
> It needs a bit of work and discussion; such work is relevant here and
> worth doing.
> 
> In §2.1.2 it has what looks like a copy-paste error, where it labels
> Selector 2 as DANE-TA, whereas in both rfc 6698 and the acronyms draft
> that is unassigned.

Oops... Fixing it.

> The IPSECA record here is identical to a TLSA except only in name.
> If it does not need anything more than TLSA offers, why not just use
> TLSA?  (Even if the answer is that that is the only way to signal ipsec
> vs tls, it needs discussion.)

My 0.02 is that having different record types for different protocols gives us very useful flexibility (both if the RRs may need to evolve, and during DNS resolution).  It is, on the other hand, interesting that the IPSECA looks this way.  It was from wg feedback that we pulled the gateway information out (which the IPSECKEY RR has).  There seemed to be a potential MitM attack vector in there.  Regardless, I think we want to follow the wg’s direction on these issues.

Thanks for the feedback!

Eric
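The record format under discussion, as an added example that is not part of the thread or the draft: a parser for the RFC 6698 presentation format (usage, selector, matching type, association data) that TLSA uses and that IPSECA mirrors, checking each field against its own RFC 6698 registry. The registry tables make the §2.1.2 mix-up concrete: DANE-TA is Certificate Usage 2, while Selector 2 is unassigned. The SPKI bytes in the usage are constructed sample input.

```python
# Added example, not code from the draft or the working group.
# Parses "usage selector mtype hex-data" and validates each field against the
# RFC 6698 registries before the record is used for matching.
import binascii
import hashlib
from dataclasses import dataclass

CERT_USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}          # selector 2 and up: unassigned
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}                # expected data length per matching type


@dataclass(frozen=True)
class CertAssoc:
    usage: int
    selector: int
    mtype: int
    data: bytes

    def labels(self) -> str:
        return f"{CERT_USAGE[self.usage]} {SELECTOR[self.selector]} {MATCHING[self.mtype]}"


def parse_rdata(text: str) -> CertAssoc:
    """Parse e.g. "3 1 1 <hex>" into a validated record; ValueError on bad fields."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("need usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    # Each field has its own registry: a value valid as a usage is not a selector.
    if usage not in CERT_USAGE:
        raise ValueError(f"certificate usage {usage} is unassigned")
    if selector not in SELECTOR:
        raise ValueError(f"selector {selector} is unassigned (DANE-TA is usage 2, not a selector)")
    if mtype not in MATCHING:
        raise ValueError(f"matching type {mtype} is unassigned")
    data = binascii.unhexlify("".join(fields[3:]))   # hex may be split by whitespace
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError(f"matching type {mtype} needs {DIGEST_LEN[mtype]} bytes, got {len(data)}")
    return CertAssoc(usage, selector, mtype, data)


def make_rdata(usage: int, selector: int, mtype: int, selected: bytes) -> str:
    """Build presentation text for the selected cert/SPKI bytes (inverse of parse_rdata)."""
    if mtype == 0:
        data = selected
    else:
        data = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(selected).digest()
    return f"{usage} {selector} {mtype} {data.hex()}"


def matches(rec: CertAssoc, selected: bytes) -> bool:
    """Apply the record's matching type to the selected bytes and compare."""
    if rec.mtype == 0:
        return rec.data == selected
    algo = hashlib.sha256 if rec.mtype == 1 else hashlib.sha512
    return rec.data == algo(selected).digest()
```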