IETF Logo Mail Archive

Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07

"Rob Wilton (rwilton)" <rwilton@cisco.com> Thu, 09 February 2023 10:04 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: expand-draft-ietf-opsawg-add-encrypted-dns.all@virtual.ietf.org
Delivered-To: dhcwg@ietfa.amsl.com
Received: by ietfa.amsl.com (Postfix, from userid 65534) id 9F96BC14EB18; Thu, 9 Feb 2023 02:04:35 -0800 (PST)
X-Original-To: xfilter-draft-ietf-opsawg-add-encrypted-dns.all@ietfa.amsl.com
Delivered-To: xfilter-draft-ietf-opsawg-add-encrypted-dns.all@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D8C2C1575CB; Thu, 9 Feb 2023 02:04:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.898
X-Spam-Level:
X-Spam-Status: No, score=-11.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="AEwXz2HU"; dkim=pass (1024-bit key) header.d=cisco.com header.b="P/2ni70K"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LwtW5ArBOkBi; Thu, 9 Feb 2023 02:04:31 -0800 (PST)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D71EAC14EB18; Thu, 9 Feb 2023 02:04:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10063; q=dns/txt; s=iport; t=1675937070; x=1677146670; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=nOvjDcEB9uiOGz7ny12mXnnGOPa6cztnFyvAibWPUsY=; b=AEwXz2HULi8fpjxuy0f8OTj3+z+UrA3BGnsieinirL+8lt7Qd43zQDFY VOcRIbwrSu5SUblRh/HcB/iC0yVt0ByRqVlujDT2wbf5+X5yQi0uMtyJ8 5OX6uho5ZF2CI/kagqErX/zfvfa2PwI2Rg5m2RevQINjPSf4k4H56gvcH Q=;
X-IPAS-Result: A0ADAAAAxORjmIkNJK1aGgEBAQEBAQEBAQEDAQEBARIBAQEBAgIBAQEBQIE7BQEBAQELAYFaUoEHWzpGiB4DhFBfiCEDnBWBLIEcAwYDVg8BAQENAQFEBAEBgVoBgzIChScCJTQJDgECBAEBAQEDAgMBAQEBAQEDAQEFAQEBAgEHBBQBAQEBAQEBAR4ZBQ4QJ4U7AQUnDYZVAQEBAQMSLgEBJRIBCwQCAQgRBAEBAS4yHQgBAQQBDQUIGoJcgyMDAaBtAYE/AoofeIE0gQGCCAEBBgQEnx8JgUABhDuIJIRHCB8cgUlEgRVDgmc+gmICAoE1ARAahA+CLpVICoE2doEkDoFEgQsCCQIRc4EZCGyBBDcDRB1AAws7Oj8UIQYFCyUFBD8BBQIPHzYGAwkDAiFKdyUkBQMLFSpHBAg2BQYcNBECCA8SDwYmQw5CNzQTBlwBKQsOEQNPgUkEL0SBHAIEASkmmTABPSYEQzIrAQEkCB1TGw0gBwMLklBTj1iMK5QJCoN1oQ4Wg3mMYpd2XpdSIKINhUECBAIEBQIOAQEGgWI6gVtwFTuCZ1IZD4M8hhyESAkQCYNQkk51AjkCBwEKAQEDCYlSASeCMQEB
IronPort-PHdr: A9a23:Ig+oMxZN0fo8QtxkoyrzYu//LTAphN3EVzX9orIriLNLJ6Kk+Zmqf EnS/u5kg1KBW4LHo+lFhOzbv+GFOyQA7J+NvWpEfMlKUBkI2skTlhYrVciCD0CzJfX2bis8S cJFUlIt/3yyPUVPXsjkYFiHqXyp5jlUERL6ZmJI
IronPort-Data: A9a23:6oF0QayRXQ8gPCMlXKd6t+fXxirEfRIJ4+MujC+fZmUNrF6WrkUPy zMXUGmHPPnYM2egLY1+YN619UIHvZXSytI2HFM9pVhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJloCCea/H9BC5C5xZVG/fngqoHUVaiVZUideSc+EH160Ug7yrZg6mJVqYHR7z2l6 IuaT/L3YDdJ6xYsWo7Dw/vewP/HlK2aVAIw5jTSV9gS1LPtvyV94KYkGE2EByCQrr+4sQKNb 72rILmRpgs19vq2Yz+vuu6TnkYiGtY+MeUS45Zbc/DKv/RMmsA9+qd8CvsCc3VssS+ikvJzz vBd6YOqRxh8a8UgmMxFO/VZOyh6OasD87jdLD3j98eS1EbBNXDrxp2CDmlvYtZeobgxWDoIr KdHQNwORkjra+ae2q26TvVrgOwoLdLgO8UUvXQIITTxUKh9G8maGP2iCdlw1wVsuucRGPDlN ukrNgQ0Ywr4JDpONQJCYH45tL742iagG9FCk3qSvbE+/Gf7zQFt3v7qKtW9UtCQTMtJ20eVu myD+HziCw4VcdWTxX+I9Hm2l/fTkC++VIQJUrS88tZrjUGdgGsJB3U+XF+yp/WRhkOmX9VOK kob4CMirLUpskesS7HVWhq4qXuJslgWXMdbGuEz6RulzbDd5QmUQGMDS1Z8hMcOvcsyQ3kh0 UWE2o+vDj10u7rTQnWYnluJkd+sESlSE24cfx0/dxEu7vvhpqQj0g3VQMk2RcZZkebJMT33x jmLqg03iLMSkdMH2s2HEbbv3m7ESn/hE1Jd2+nHYo62xlgjOtD9NuRE/XCevKkYd9rDJrWUl CVcw6CjAPYy4YZhfcBnaMoXFbelr86fOTzGgFMH83IJqGn1piTLkWy9HFhDyKpBO8IAf3riZ 1Xe/F8X755IN3zsZqhyC25QNyjI5fW4fTgGfqmLBjarXnSXXFTclM2JTRXMt10BaGB2zckC1 W6zKK5A90oyB6V91yaRTOwAy7ItzS1W7TqNGs2rn03/jePDOy79pVI53L2mM75RAESs/Vu9z jqjH5DiJ+h3CbenOXCHreb/03hbdiFT6W/KRzx/L77ffVUO9JAJAP7KyrRpYJ1+g6lQjY/1E oKVBCdlJK7ErSSfc22iMyk7AJu2BMoXhSxgZ0QEYw33s0XPlK7yts/zgbNtI+l+nAGipNYpJ 8Q4lzKoW6QeFmWYq2tBMfEQbuVKLXyWuO5HBAL9CBBXQnKqb1WhFgPMFuc3yBQzMw==
IronPort-HdrOrdr: A9a23:/WvSL699lM97oiQojuhuk+Fzdb1zdoMgy1knxilNoENuHPBwxv rAoB1E73PJYW4qKQ0dcdDpAtjlfZquz+8L3WB3B8bsYOCGghrlEGgG1+rfKlLbalXDH4JmpM Vdmu1FeaDN5DtB/IjHCWuDYq0dKbC8mcjC74q/vhRQpENRGttdBmxCe2Gm+zhNNXB77O0CZf yhD6R81l+dUEVSSv7+KmgOXuDFqdGOvonhewQ6Cxku7xTLpS+06ZbheiLonys2Yndq+/MP4G LFmwv26uGIqPeg0CLR0GfV8tB/hMbh8N1eH8aB4/JlagkEyzzYJ7iJaYfy+Qzdk9vfrGrCV+ O85CvICv4DqU85uFvF5ycFlTOQiQrGoEWSt2NwyUGT0PARAghKU/aoQeliA0HkA41KhqAm7E sD5RPri3JaYCmw7BjV9pzGUQpnmVGzpmdnmekPj2ZHWY9bc7NJq5cDlXklW6voMRiKobzPKt MeRP309bJTaxeXfnrZtm5gzJilWWkyBA6PRgwHttaO2zZbkXhlxw9ArfZv00so5dY4Ud1J9u 7EOqNnmPVHSdIXd7t0AKMETdGsAmLATBrQOCaZIEjhFqsAJ3XRwqSHqokd9aWvYtgF3ZEykJ POXBdRsnMzYVvnDYmU0JhC4nn2MROAtPTWu7ZjDrRCy8nBreDQQF++oXgV4r6dn8k=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.97,283,1669075200"; d="scan'208";a="56321130"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 09 Feb 2023 10:04:29 +0000
Received: from mail.cisco.com (xfe-rtp-004.cisco.com [64.101.210.234]) by alln-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 319A4TtZ025743 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Thu, 9 Feb 2023 10:04:29 GMT
Received: from xfe-rcd-001.cisco.com (173.37.227.249) by xfe-rtp-004.cisco.com (64.101.210.234) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.9; Thu, 9 Feb 2023 05:04:28 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-001.cisco.com (173.37.227.249) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.9 via Frontend Transport; Thu, 9 Feb 2023 04:04:28 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OTiQ1y9F1O+HPEKe39MjVK+TcKgqqUc6a/mMCOn4BYdg2rmM/rdxwObwy6JdUqprZ0vajY885ooGq/xOZmHEAkFXzGiLh7kxB58PuJEEgD8b9Y8PCC5w4PuhaPNoeC8VglU/aJtGOW4h1fbMeiQ2l1CCFkaL63A2C5Ugeqwy7XG3ogoWFv3ZaWIZb9S3sz3s0ZLsc5+RcQ75ZbaNH97pYumItAmtLafyfYxAPSst/tftLvrKUm2v1RhcLQl80YKcow5e+L34DyRxCOyqD/3L8/uZKihpureQbS+P2CNZaRhkY5rHgjHt1gwupLCEm13vUYCgIuHverSy/4nZO/Jkuw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+VgoCthRRrehP04IHWvAKgzInFB8OJ/xVEwUyFlM8kw=; b=FD30P9qFvAJ/2Fahi1WZVo4xK8NI7SprlSWSzHrjwh/2QkTz5vWJVQsUoEHkNjPGiqtw1rkgtbIKxbuIA60HLlbDD97AnhZOpPFIzodhnEEranfLEfJ72sCEGZc8Kd7tXIaJh4ret4lgm5RfcRxUJ3tRoBmQF7xLesUUw0K7RKJF7ppOBiCADdyY3RZqbxfTTi9Fq8U/LwnngJ9GcqgUPzGo9lCtNetQbv0Toyf9/NTIsZoJYubkmxkwsPMZTeGcZp8BnwsK5X8PaXiNgZNFQl5fOImcflB+ZmjP4kFuNAY2OouGXpcIJsOSFDX/McM3G+Skq1jLOaFUBmyNefHPcQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+VgoCthRRrehP04IHWvAKgzInFB8OJ/xVEwUyFlM8kw=; b=P/2ni70K5k3AVjpseV11LVZWduhkbr7/228kLZjbag9uvdZe2QSZaU7oC0gqbnM8wxcKS8QNpzEWqbVn4JPwN4st3djsx8xcC9eOeii+fTUrY/ihjBM3+yq/iajbKGsRedyfTxestuHUV+BJC2GXy6e8b8tYzeclujgtfPGuzTE=
Received: from BY5PR11MB4196.namprd11.prod.outlook.com (2603:10b6:a03:1ce::13) by SN7PR11MB7440.namprd11.prod.outlook.com (2603:10b6:806:340::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6086.17; Thu, 9 Feb 2023 10:04:21 +0000
Received: from BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::d500:e34:daa8:6946]) by BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::d500:e34:daa8:6946%7]) with mapi id 15.20.6086.017; Thu, 9 Feb 2023 10:04:21 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Alan DeKok <aland@deployingradius.com>
CC: "draft-ietf-opsawg-add-encrypted-dns.all@ietf.org" <draft-ietf-opsawg-add-encrypted-dns.all@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
Thread-Index: AdkTyYf4WW79bmtwQoGOi227i49tLgAA5RyACgBS4TAAJNutAAABISNg
Date: Thu, 09 Feb 2023 10:04:20 +0000
Message-ID: <BY5PR11MB4196E25F3A53AC4B4BE7E3E2B5D99@BY5PR11MB4196.namprd11.prod.outlook.com>
References: <BY5PR11MB4196E89DEC6393A84923CC17B5E59@BY5PR11MB4196.namprd11.prod.outlook.com> <EDA5C486-7261-4668-ABF0-83871D9E1E2B@deployingradius.com> <BY5PR11MB4196BB5D2805639398D344B5B5D89@BY5PR11MB4196.namprd11.prod.outlook.com> <9291_1675933339_63E4B69B_9291_403_1_66463ab113c04cc88d3446194c92971c@orange.com>
In-Reply-To: <9291_1675933339_63E4B69B_9291_403_1_66463ab113c04cc88d3446194c92971c@orange.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2023-02-09T08:38:15Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=6ef5d0c6-0fe1-42ca-8bc0-6da73f4eb1ea; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BY5PR11MB4196:EE_|SN7PR11MB7440:EE_
x-ms-office365-filtering-correlation-id: bd015bd0-2efd-4413-925e-08db0a85033f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hZlUeUBER7naTL7PAty/0p8dG9Soan70egqENNyguWw/Kknj2JdWBsNCJCPjnF6GCvvt2DTymZiiwLrd3BCoq2uDaJfBvI7trtXgTE7toU/PmHixwt2f7GqBRUccdVJ+o+NcklXfFwjLrQWxHohKH9W+o34QJjPHQB79W4IT/3h86A9hvQS50GOok/MAQqs9E2RBluAdLQ+ri4S/GyBXPvbpWLsUlthxkgiSoCVp1vRH70VJpJgnFyDuqGlsZVjtEfaVVLUEHMu9+x+esIGSXT6sjTn4aDvWS6fnk5MNcAqanhdGvUMH2POibIWcUDkwFY4gYm5kM2gEJPHWj9STjQbO/+rxYZXJeQesCPJAFSOhYOo4U+gIXEKBHy8an/c7TYZKZTYONMzDxsxLf0ZDKCuD7dqZjmclVmVl+e/ZkwLYFTp1qn1zKW3ojATKrSZXha8GUAinm6jpwxMgu99t7PVzRAM0YO1tg/1aZyw94bLQwJoBhgMI2lyiXyiTNS4DcUgQi7PA7wAPM6wBnq7sLQCMhnIMHLu00E39CpH5jw0sMeo9zX0M3runR9aIzpcQKOK4OO98/Y8Uz/vt6wuGkLWLqTSL5l7DwZn8P1mHS4bXzsFON9LxgVcY3nIule4MERwTGVlwvATfwc2hrZM2qXJDSfK4iHvw7vND+img1dKgtTh6mC4p4ghYGh95z19n6c0qj63eh8qWFxy3jfy3JA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4196.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(346002)(396003)(39860400002)(366004)(136003)(376002)(451199018)(2906002)(86362001)(38100700002)(122000001)(71200400001)(66574015)(7696005)(186003)(26005)(76116006)(6506007)(53546011)(110136005)(9686003)(33656002)(38070700005)(55016003)(64756008)(54906003)(83380400001)(66476007)(316002)(66446008)(66946007)(66556008)(4326008)(478600001)(41300700001)(52536014)(8676002)(5660300002)(8936002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: tOEZGHT5iDk6W+3EClO6faJzecmasoFj5jUwiSFvA02rfWWah27tX9+dZb/Fbu38tktq1m7VdQ+CQ9nFz0ZsUtq0/Z00+Io5tUG4BeZEQeHWE/LFbaPCt1SoxQSK9QfXUx8uWvimQzIJRS/s81F3SwA4Tfp6oQMrCpzmz2a0bGAmAg+ctR8c1TRrw9iYptf5dExi7rcqg6DbHQc49usE/IqLxPzPMGjiA0JO+j2JAl8Wnb88SARMQhr+0mr6Oqvnq9nN1kNjBlIEqPC+qtLJ4U1feXnyx/6dzI6Fxh32jiZfkbYrj8kz+oiwlzpAPu61CEJhFr0uM+NkC82HlpBlXcU7lkJuFHRLpLiJKNC/EU0RXRJrdccfscRr6p58xNPd1R5G3a+f+f4+hiubUBBox6GLnBIDOTNnTRfAWC+atze+/O2II3orq6vrGcUFZvuNuY37kfL4RFPwT96E/yHu4ffL6CWbewVKc8q/O6E0931wMIYxXq4bTAUyhQD4rnZWK8f3FFIlNj3u47h7TOPpCRdBKNDEfi6xsCK/dDLw91H1mdX9Yj9+RrXLX4b5GP/jb36R7nCFJ9BhIsMfkRbkZ3h14+BnbumlTUxaI/nXBrXXFx4XjjoMsEChrPYp5rEiCBKftp5PaezUEgDRpr41whbs0A3B6r4DBi1bjMvgKh+GamvRLX5aE1aPc5gL3NqvW6pheU9EEuWAykEnz9WxxhiNGS13FzIRbhOGdlh6n81das0PQhBYwtMBCSfGgDylGT7cD/wNTecK6IuDYwxP+0dE5R0nxvN8/aW7iT2jq4o+55vy0iraullSZ5Cfa3rvWR9YXe0vdQFM5RtGZYiBHXEeA8i3pSduBffG9oSoSqCAzgtSerM8QntAUTVKpcYOSzGXaXqK8RWL+1TRgmiN50DkLWyVTxfBByGodR9n7zBgQPB2Rfb9pwb/+gPfr02h60G6j4S2hPwov44vx4ibP5r1eKygd/8gZYTGmUGm0tDerDNJmvBR3/92doDBCxuTdcVo/8t/5InBzDlrcuX2bLwGLnDAAhih/3zpFoJGFRFLrOyeWuSiPe2tMuvMNxkkBG/hIfC0PpemHzd7Oop9lKdR1TdiarJWJWq5xvN22wW/d4DQ8iQZVpMcLE+Iq/lmhgWTnb7ft4EcZWi6CRlX2ykLfweliuKeZ2nRgYO4N28+ZkhFuYP5kV9igIbx4eaUHaNKEX0E04N/hDFbMtXh5UMTqmfMJ/n/Lae89/Uc4zA0ph7xw5ffXY2nedZoaBfGEoHGBNLVqv8c0Xj67jbF6B9Mb/bckZDxOD0fdeaqv0L80Mrq11J8+FoJHEs3wZLxab5jHUn0A31oRGQhoSsSVByENBnWRnj1CvrAWBQRJME0RaHd/ZZf3vost2Hpo4RYdef6TBiPSwDaTP8SmFz1De+RiSVQfvMBurQB52tj0EkfQgsI5di3vI8k7GEYX5WXJzZRRTAh9YfnoiJDD2ttqoh5C7wA4wUyACwLmkL56xrRjFm3IPj5IMBGv1H0utu2ACF3Cni4a84acMz8iXCkgLGmJli1JC579jVhuUYmCr/DYaeLclsrpU8fF6Tq0k+I
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4196.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bd015bd0-2efd-4413-925e-08db0a85033f
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Feb 2023 10:04:20.3858 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vajM5JlkrS2i6CiPulMh75Jpg2y0oCbdYhiaAdjX39JqTTjV0gVyG8fUfCDDMBDodOFjB61PWjQQbKZx5CFHPg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR11MB7440
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 64.101.210.234, xfe-rtp-004.cisco.com
X-Outbound-Node: alln-core-4.cisco.com
Resent-From: alias-bounces@ietf.org
Resent-To: jclarke@cisco.com, henk.birkholz@sit.fraunhofer.de, zhoutianran@huawei.com, rwilton@cisco.com, warren@kumari.net, mohamed.boucadair@orange.com, kondtir@gmail.com, aland@freeradius.org, bevolz@gmail.com, dhcwg@ietf.org
Resent-Message-Id: <20230209100435.9F96BC14EB18@ietfa.amsl.com>
Resent-Date: Thu, 09 Feb 2023 02:04:35 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/CemMXpksyBaxFS-1CF2NmUo5qT0>
Subject: Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2023 10:04:35 -0000

Hi Med, Alan,

> -----Original Message-----
> From: mohamed.boucadair@orange.com
> <mohamed.boucadair@orange.com>
> Sent: 09 February 2023 09:02
> To: Rob Wilton (rwilton) <rwilton@cisco.com>; Alan DeKok
> <aland@deployingradius.com>
> Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org; opsawg@ietf.org
> Subject: RE: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
> 
> Hi Rob, all,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Rob Wilton (rwilton) <rwilton@cisco.com>
> > Envoyé : mercredi 8 février 2023 20:39
> > À : Alan DeKok <aland@deployingradius.com>
> > Cc : draft-ietf-opsawg-add-encrypted-dns.all@ietf.org;
> > opsawg@ietf.org
> > Objet : RE: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-
> > dns-07
> >
> > Hi Alan,
> >
> > Sorry for the delay.  Please see inline ...
> >
> > > -----Original Message-----
> > > From: Alan DeKok <aland@deployingradius.com>
> > > Sent: 19 December 2022 17:13
> > > To: Rob Wilton (rwilton) <rwilton@cisco.com>
> > > Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org;
> > opsawg@ietf.org
> > > Subject: Re: [OPSAWG] AD review of
> > > draft-ietf-opsawg-add-encrypted-dns-07
> > >
> > > On Dec 19, 2022, at 11:53 AM, Rob Wilton (rwilton)
> > > <rwilton=40cisco.com@dmarc.ietf.org> wrote:
> > > > It isn't really clear to me why some of the registries are
> > needed,
> > > > specifically
> > > the ones in 8.4.1 and 8.4.2.  Why not allow any v4 or v6 DHCP
> > > attribute to be carried within the DHCPv6-Options or DHCPv4-
> > Options field?
> > >
> > >   The original intent of the document was to define a limited
> > set of
> > > DHCP options which could be carried in RADIUS.  i.e. option X
> > would
> > > map to RADIUS attribute Y.  After some discussion, this was
> > deemed to
> > > be unworkable, and changed to the current method.
> > >
> > >   The previous limitations were still kept, however.
> > >
> > >   While it is useful, I could see issues with allowing any DHCP
> > option
> > > to be transported in RADIUS.  I'll have to dig deeper to get
> > into details.
> > [Rob Wilton (rwilton)]
> >
> > Okay.
> >
> > >
> > > >
> > > > (2) p 4, sec 3.  DHCP Options RADIUS Attributes
> > > >
> > > >   Absent any explicit configuration on the DHCP server, RADIUS
> > supplied
> > > >   data by means of DHCP*-Options Attributes take precedence
> > over any
> > > >   local configuration.
> > > >
> > > > This point may be worth discussing.  Naturally, I would
> > explicit
> > > > configuration
> > > to a network device to generally take precedent over implicitly
> > > learned configuration from the network.
> > >
> > >  I'm not sure which options are "implicitly learned" from the
> > network.
> > > One set is configured in the device, and another is configured
> > on a
> > > per-user / per- session basis.  This allows for sane defaults,
> > with
> > > specific over-rides where those are needed.
> > >
> > >   If the options configured on the device always take precedence
> > over
> > > the per- session options (via RADIUS), then there isn't much
> > point in
> > > sending per-session options.
> > [Rob Wilton (rwilton)]
> > To give a regular configuration example, if you were to enable the
> > Ethernet auto-negotiation protocol but also explicitly configure
> > an 10/100/1000 Ethernet interface to run at 100 Mb/s then I would
> > expect the explicit client provided configuration to take
> > precedence over negotiating the speed value.
> >
> > It sounds like, in what you describe, the configuration is
> > effectively hierarchical.  I.e., it is really because the RADIUS
> > supplied configuration is more-specific that it takes precedence
> > over the local configuration.  If so, that is expected, but I
> > think that it would be helpful to clarify the description to make
> > that clear.
> >
> 
> [Med] OK. We can make this change:
> 
> OLD:
>    Absent any explicit configuration on the DHCP server, RADIUS
>    supplied data by means of DHCP*-Options Attributes take precedence
>    over any local configuration.
> 
> NEW:
>    RADIUS supplied data is specific configuration data that is
>    returned as a function of authentication and authorization checks.
>    As such, absent any explicit configuration on the DHCP server, RADIUS
>    supplied data by means of DHCP*-Options Attributes take precedence
>    over any local configuration.
[Rob Wilton (rwilton)] 

This is okay, but would probably prefer a slight tweak to the last sentence to:

   RADIUS supplied data is specific configuration data that is
   returned as a function of authentication and authorization checks.
   As such, absent any explicit configuration on the DHCP server, RADIUS
   supplied data by means of DHCP*-Options Attributes take precedence
   over any less specific or default local configuration.

But I'll leave this to the authors to decide.


> 
> >
> > >
> > > > (3) p 6, sec 3.2.  DHCPv4-Options Attribute
> > > >
> > > >      Permitted DHCPv4 options in the DHCPv4-Options Attribute
> > are
> > > >      maintained by IANA in the registry created in Section
> > 8.4.2.
> > > >
> > > > Comparing this text to the description for v6, this
> > description is
> > > > silent on
> > > whether multiple instances of the same DHCPv4 option MAY be
> > included.
> > > Should that be specified here?
> > >
> > >   Likely, yes.  The RADIUS attributes are simply carrying DHCP
> > > options, as if they were in a DHCP packet.  So all of the DHCP
> > rules
> > > about option handling should apply here.
> > [Rob Wilton (rwilton)]
> > Okay.
> >
> > >
> > > >
> > > > (4) p 10, sec 7.  Table of Attributes
> > > >
> > > >   The following table provides a guide as what type of RADIUS
> > packets
> > > >   that may contain these attributes, and in what quantity.
> > > >
> > > > Am I right that this is just a duplication of what is
> > described in
> > > > section 3?  If
> > > so, perhaps change "guide" to "informative guide" and include
> > text to
> > > refer back to the  canonical definition in section 3.
> > >
> > >   Sure.  This table is traditional in RADIUS RFCs, so the text
> > here
> > > mirrors previous RADIUS RFCs.
> > [Rob Wilton (rwilton)]
> > Okay.
> >
> >
> > >
> > > > (8) p 3, sec 3.  DHCP Options RADIUS Attributes
> > > >
> > > >   These attributes use the "Long Extended Type" format in
> > order to
> > > >   permit the transport of attributes encapsulating more than
> > 253 octets
> > > >   of data.  DHCP options that can be included in the DHCP*-
> > Options
> > > >   RADIUS attributes are limited by the maximum packet size of
> > 4096
> > > >   bytes.  In order to accommodate deployments with large
> > options,
> > > >   implementations are RECOMMENDED to support a packet size up
> > to 65535
> > > >   bytes.
> > > >
> > > > I didn't find this text clear.  E.g., limit is 4k but should
> > support up to 64K.
> > > Which implementations should support larger packet sizes?  Is
> > this RADIUS
> > > implementations?
> > >
> > >   It's a limitation of RADIUS.  Everything RADIUS has to support
> > 4K packets.
> > > Later RFCs allow for 64K packets.
> > [Rob Wilton (rwilton)]
> >
> > Okay.  If this will be obvious to everyone implementing/deploying
> > RADIUS then fine, otherwise it might be worth including an
> > informative reference to the RFC that increases the limit to 64K.
> >
> >
> 
> [Med] We do already have the following:
> 
>    Note:  The 4096 bytes size limit was relaxed by other RFCs, e.g.,
>       [RFC7499] and [RFC7930].
> 
> Do we need to say more? Thanks.
[Rob Wilton (rwilton)] 

Nope.  I missed that you already state that.

> 
> >
> > >
> > > >
> > > > (9) p 5, sec 3.1.  DHCPv6-Options Attribute
> > > >
> > > >      This field contains a list of DHCPv6 options.  Multiple
> > instances
> > > >      of the same DHCPv6 option MAY be included.  Consistent
> > with
> > > >      Section 17 of [RFC7227], this document does not impose
> > any option
> > > >      order when multiple options are present.
> > > >
> > > > Is there any requirement to merge multiple instances of
> > options together,
> > > presumably they are logically just concatenated today.
> > >
> > >   The rules for DHCP options processing should apply.
> > [Rob Wilton (rwilton)]
> >
> > Okay.  Should that be stated here, or at least made consistent
> > with the v4 description that has been updated to:
> >
> > |      This field contains a list of DHCPv4 options.  Multiple
> > instances
> > |      of the same DHCPv4 option MAY be included, especially for
> > |      concatenation-requiring options that exceed the maximum
> > DHCPv4
> > |      option size of 255 octets.  The mechanism specified in
> > [RFC3396]
> > |      MUST be used for splitting and concatenating the instances
> > of a
> > |      concatenation-requiring option.
> >
> 
> [Med] We can echo the relevant part from 8415 here:
> 
> OLD:
>       This field contains a list of DHCPv6 options.  Multiple instances
>       of the same DHCPv6 option MAY be included.  Consistent with
>       Section 17 of [RFC7227], this document does not impose any option
>       order when multiple options are present.
> 
> NEW:
>       This field contains a list of DHCPv6 options (Section 21 of
>       [RFC8415]).  Multiple instances of the same DHCPv6 option MAY be
>       included.  If an option appears multiple times, each instance is
>       considered separate and the data areas of the options MUST NOT be
>       concatenated or otherwise combined.  Consistent with Section 17 of
>       [RFC7227], this document does not impose any option order when
>       multiple options are present.
[Rob Wilton (rwilton)] 

Looks good.

Let me know when you have posted an updated draft.

Thanks,
Rob

v2.23.0 | Report a Bug | By Email