Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
"Rob Wilton (rwilton)" <rwilton@cisco.com> Thu, 09 February 2023 10:04 UTC
Return-Path: <rwilton@cisco.com>
X-Original-To: expand-draft-ietf-opsawg-add-encrypted-dns.all@virtual.ietf.org
Delivered-To: dhcwg@ietfa.amsl.com
Received: by ietfa.amsl.com (Postfix, from userid 65534) id 9F96BC14EB18; Thu, 9 Feb 2023 02:04:35 -0800 (PST)
X-Original-To: xfilter-draft-ietf-opsawg-add-encrypted-dns.all@ietfa.amsl.com
Delivered-To: xfilter-draft-ietf-opsawg-add-encrypted-dns.all@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D8C2C1575CB; Thu, 9 Feb 2023 02:04:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.898
X-Spam-Level:
X-Spam-Status: No, score=-11.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="AEwXz2HU"; dkim=pass (1024-bit key) header.d=cisco.com header.b="P/2ni70K"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LwtW5ArBOkBi; Thu, 9 Feb 2023 02:04:31 -0800 (PST)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D71EAC14EB18; Thu, 9 Feb 2023 02:04:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10063; q=dns/txt; s=iport; t=1675937070; x=1677146670; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=nOvjDcEB9uiOGz7ny12mXnnGOPa6cztnFyvAibWPUsY=; b=AEwXz2HULi8fpjxuy0f8OTj3+z+UrA3BGnsieinirL+8lt7Qd43zQDFY VOcRIbwrSu5SUblRh/HcB/iC0yVt0ByRqVlujDT2wbf5+X5yQi0uMtyJ8 5OX6uho5ZF2CI/kagqErX/zfvfa2PwI2Rg5m2RevQINjPSf4k4H56gvcH Q=;
X-IPAS-Result: A0ADAAAAxORjmIkNJK1aGgEBAQEBAQEBAQEDAQEBARIBAQEBAgIBAQEBQIE7BQEBAQELAYFaUoEHWzpGiB4DhFBfiCEDnBWBLIEcAwYDVg8BAQENAQFEBAEBgVoBgzIChScCJTQJDgECBAEBAQEDAgMBAQEBAQEDAQEFAQEBAgEHBBQBAQEBAQEBAR4ZBQ4QJ4U7AQUnDYZVAQEBAQMSLgEBJRIBCwQCAQgRBAEBAS4yHQgBAQQBDQUIGoJcgyMDAaBtAYE/AoofeIE0gQGCCAEBBgQEnx8JgUABhDuIJIRHCB8cgUlEgRVDgmc+gmICAoE1ARAahA+CLpVICoE2doEkDoFEgQsCCQIRc4EZCGyBBDcDRB1AAws7Oj8UIQYFCyUFBD8BBQIPHzYGAwkDAiFKdyUkBQMLFSpHBAg2BQYcNBECCA8SDwYmQw5CNzQTBlwBKQsOEQNPgUkEL0SBHAIEASkmmTABPSYEQzIrAQEkCB1TGw0gBwMLklBTj1iMK5QJCoN1oQ4Wg3mMYpd2XpdSIKINhUECBAIEBQIOAQEGgWI6gVtwFTuCZ1IZD4M8hhyESAkQCYNQkk51AjkCBwEKAQEDCYlSASeCMQEB
IronPort-PHdr: A9a23:Ig+oMxZN0fo8QtxkoyrzYu//LTAphN3EVzX9orIriLNLJ6Kk+Zmqf EnS/u5kg1KBW4LHo+lFhOzbv+GFOyQA7J+NvWpEfMlKUBkI2skTlhYrVciCD0CzJfX2bis8S cJFUlIt/3yyPUVPXsjkYFiHqXyp5jlUERL6ZmJI
IronPort-Data: A9a23:6oF0QayRXQ8gPCMlXKd6t+fXxirEfRIJ4+MujC+fZmUNrF6WrkUPy zMXUGmHPPnYM2egLY1+YN619UIHvZXSytI2HFM9pVhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJloCCea/H9BC5C5xZVG/fngqoHUVaiVZUideSc+EH160Ug7yrZg6mJVqYHR7z2l6 IuaT/L3YDdJ6xYsWo7Dw/vewP/HlK2aVAIw5jTSV9gS1LPtvyV94KYkGE2EByCQrr+4sQKNb 72rILmRpgs19vq2Yz+vuu6TnkYiGtY+MeUS45Zbc/DKv/RMmsA9+qd8CvsCc3VssS+ikvJzz vBd6YOqRxh8a8UgmMxFO/VZOyh6OasD87jdLD3j98eS1EbBNXDrxp2CDmlvYtZeobgxWDoIr KdHQNwORkjra+ae2q26TvVrgOwoLdLgO8UUvXQIITTxUKh9G8maGP2iCdlw1wVsuucRGPDlN ukrNgQ0Ywr4JDpONQJCYH45tL742iagG9FCk3qSvbE+/Gf7zQFt3v7qKtW9UtCQTMtJ20eVu myD+HziCw4VcdWTxX+I9Hm2l/fTkC++VIQJUrS88tZrjUGdgGsJB3U+XF+yp/WRhkOmX9VOK kob4CMirLUpskesS7HVWhq4qXuJslgWXMdbGuEz6RulzbDd5QmUQGMDS1Z8hMcOvcsyQ3kh0 UWE2o+vDj10u7rTQnWYnluJkd+sESlSE24cfx0/dxEu7vvhpqQj0g3VQMk2RcZZkebJMT33x jmLqg03iLMSkdMH2s2HEbbv3m7ESn/hE1Jd2+nHYo62xlgjOtD9NuRE/XCevKkYd9rDJrWUl CVcw6CjAPYy4YZhfcBnaMoXFbelr86fOTzGgFMH83IJqGn1piTLkWy9HFhDyKpBO8IAf3riZ 1Xe/F8X755IN3zsZqhyC25QNyjI5fW4fTgGfqmLBjarXnSXXFTclM2JTRXMt10BaGB2zckC1 W6zKK5A90oyB6V91yaRTOwAy7ItzS1W7TqNGs2rn03/jePDOy79pVI53L2mM75RAESs/Vu9z jqjH5DiJ+h3CbenOXCHreb/03hbdiFT6W/KRzx/L77ffVUO9JAJAP7KyrRpYJ1+g6lQjY/1E oKVBCdlJK7ErSSfc22iMyk7AJu2BMoXhSxgZ0QEYw33s0XPlK7yts/zgbNtI+l+nAGipNYpJ 8Q4lzKoW6QeFmWYq2tBMfEQbuVKLXyWuO5HBAL9CBBXQnKqb1WhFgPMFuc3yBQzMw==
IronPort-HdrOrdr: A9a23:/WvSL699lM97oiQojuhuk+Fzdb1zdoMgy1knxilNoENuHPBwxv rAoB1E73PJYW4qKQ0dcdDpAtjlfZquz+8L3WB3B8bsYOCGghrlEGgG1+rfKlLbalXDH4JmpM Vdmu1FeaDN5DtB/IjHCWuDYq0dKbC8mcjC74q/vhRQpENRGttdBmxCe2Gm+zhNNXB77O0CZf yhD6R81l+dUEVSSv7+KmgOXuDFqdGOvonhewQ6Cxku7xTLpS+06ZbheiLonys2Yndq+/MP4G LFmwv26uGIqPeg0CLR0GfV8tB/hMbh8N1eH8aB4/JlagkEyzzYJ7iJaYfy+Qzdk9vfrGrCV+ O85CvICv4DqU85uFvF5ycFlTOQiQrGoEWSt2NwyUGT0PARAghKU/aoQeliA0HkA41KhqAm7E sD5RPri3JaYCmw7BjV9pzGUQpnmVGzpmdnmekPj2ZHWY9bc7NJq5cDlXklW6voMRiKobzPKt MeRP309bJTaxeXfnrZtm5gzJilWWkyBA6PRgwHttaO2zZbkXhlxw9ArfZv00so5dY4Ud1J9u 7EOqNnmPVHSdIXd7t0AKMETdGsAmLATBrQOCaZIEjhFqsAJ3XRwqSHqokd9aWvYtgF3ZEykJ POXBdRsnMzYVvnDYmU0JhC4nn2MROAtPTWu7ZjDrRCy8nBreDQQF++oXgV4r6dn8k=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.97,283,1669075200"; d="scan'208";a="56321130"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 09 Feb 2023 10:04:29 +0000
Received: from mail.cisco.com (xfe-rtp-004.cisco.com [64.101.210.234]) by alln-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 319A4TtZ025743 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Thu, 9 Feb 2023 10:04:29 GMT
Received: from xfe-rcd-001.cisco.com (173.37.227.249) by xfe-rtp-004.cisco.com (64.101.210.234) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.9; Thu, 9 Feb 2023 05:04:28 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-001.cisco.com (173.37.227.249) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.9 via Frontend Transport; Thu, 9 Feb 2023 04:04:28 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OTiQ1y9F1O+HPEKe39MjVK+TcKgqqUc6a/mMCOn4BYdg2rmM/rdxwObwy6JdUqprZ0vajY885ooGq/xOZmHEAkFXzGiLh7kxB58PuJEEgD8b9Y8PCC5w4PuhaPNoeC8VglU/aJtGOW4h1fbMeiQ2l1CCFkaL63A2C5Ugeqwy7XG3ogoWFv3ZaWIZb9S3sz3s0ZLsc5+RcQ75ZbaNH97pYumItAmtLafyfYxAPSst/tftLvrKUm2v1RhcLQl80YKcow5e+L34DyRxCOyqD/3L8/uZKihpureQbS+P2CNZaRhkY5rHgjHt1gwupLCEm13vUYCgIuHverSy/4nZO/Jkuw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+VgoCthRRrehP04IHWvAKgzInFB8OJ/xVEwUyFlM8kw=; b=FD30P9qFvAJ/2Fahi1WZVo4xK8NI7SprlSWSzHrjwh/2QkTz5vWJVQsUoEHkNjPGiqtw1rkgtbIKxbuIA60HLlbDD97AnhZOpPFIzodhnEEranfLEfJ72sCEGZc8Kd7tXIaJh4ret4lgm5RfcRxUJ3tRoBmQF7xLesUUw0K7RKJF7ppOBiCADdyY3RZqbxfTTi9Fq8U/LwnngJ9GcqgUPzGo9lCtNetQbv0Toyf9/NTIsZoJYubkmxkwsPMZTeGcZp8BnwsK5X8PaXiNgZNFQl5fOImcflB+ZmjP4kFuNAY2OouGXpcIJsOSFDX/McM3G+Skq1jLOaFUBmyNefHPcQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+VgoCthRRrehP04IHWvAKgzInFB8OJ/xVEwUyFlM8kw=; b=P/2ni70K5k3AVjpseV11LVZWduhkbr7/228kLZjbag9uvdZe2QSZaU7oC0gqbnM8wxcKS8QNpzEWqbVn4JPwN4st3djsx8xcC9eOeii+fTUrY/ihjBM3+yq/iajbKGsRedyfTxestuHUV+BJC2GXy6e8b8tYzeclujgtfPGuzTE=
Received: from BY5PR11MB4196.namprd11.prod.outlook.com (2603:10b6:a03:1ce::13) by SN7PR11MB7440.namprd11.prod.outlook.com (2603:10b6:806:340::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6086.17; Thu, 9 Feb 2023 10:04:21 +0000
Received: from BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::d500:e34:daa8:6946]) by BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::d500:e34:daa8:6946%7]) with mapi id 15.20.6086.017; Thu, 9 Feb 2023 10:04:21 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Alan DeKok <aland@deployingradius.com>
CC: "draft-ietf-opsawg-add-encrypted-dns.all@ietf.org" <draft-ietf-opsawg-add-encrypted-dns.all@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
Thread-Index: AdkTyYf4WW79bmtwQoGOi227i49tLgAA5RyACgBS4TAAJNutAAABISNg
Date: Thu, 09 Feb 2023 10:04:20 +0000
Message-ID: <BY5PR11MB4196E25F3A53AC4B4BE7E3E2B5D99@BY5PR11MB4196.namprd11.prod.outlook.com>
References: <BY5PR11MB4196E89DEC6393A84923CC17B5E59@BY5PR11MB4196.namprd11.prod.outlook.com> <EDA5C486-7261-4668-ABF0-83871D9E1E2B@deployingradius.com> <BY5PR11MB4196BB5D2805639398D344B5B5D89@BY5PR11MB4196.namprd11.prod.outlook.com> <9291_1675933339_63E4B69B_9291_403_1_66463ab113c04cc88d3446194c92971c@orange.com>
In-Reply-To: <9291_1675933339_63E4B69B_9291_403_1_66463ab113c04cc88d3446194c92971c@orange.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2023-02-09T08:38:15Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=6ef5d0c6-0fe1-42ca-8bc0-6da73f4eb1ea; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BY5PR11MB4196:EE_|SN7PR11MB7440:EE_
x-ms-office365-filtering-correlation-id: bd015bd0-2efd-4413-925e-08db0a85033f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hZlUeUBER7naTL7PAty/0p8dG9Soan70egqENNyguWw/Kknj2JdWBsNCJCPjnF6GCvvt2DTymZiiwLrd3BCoq2uDaJfBvI7trtXgTE7toU/PmHixwt2f7GqBRUccdVJ+o+NcklXfFwjLrQWxHohKH9W+o34QJjPHQB79W4IT/3h86A9hvQS50GOok/MAQqs9E2RBluAdLQ+ri4S/GyBXPvbpWLsUlthxkgiSoCVp1vRH70VJpJgnFyDuqGlsZVjtEfaVVLUEHMu9+x+esIGSXT6sjTn4aDvWS6fnk5MNcAqanhdGvUMH2POibIWcUDkwFY4gYm5kM2gEJPHWj9STjQbO/+rxYZXJeQesCPJAFSOhYOo4U+gIXEKBHy8an/c7TYZKZTYONMzDxsxLf0ZDKCuD7dqZjmclVmVl+e/ZkwLYFTp1qn1zKW3ojATKrSZXha8GUAinm6jpwxMgu99t7PVzRAM0YO1tg/1aZyw94bLQwJoBhgMI2lyiXyiTNS4DcUgQi7PA7wAPM6wBnq7sLQCMhnIMHLu00E39CpH5jw0sMeo9zX0M3runR9aIzpcQKOK4OO98/Y8Uz/vt6wuGkLWLqTSL5l7DwZn8P1mHS4bXzsFON9LxgVcY3nIule4MERwTGVlwvATfwc2hrZM2qXJDSfK4iHvw7vND+img1dKgtTh6mC4p4ghYGh95z19n6c0qj63eh8qWFxy3jfy3JA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4196.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(346002)(396003)(39860400002)(366004)(136003)(376002)(451199018)(2906002)(86362001)(38100700002)(122000001)(71200400001)(66574015)(7696005)(186003)(26005)(76116006)(6506007)(53546011)(110136005)(9686003)(33656002)(38070700005)(55016003)(64756008)(54906003)(83380400001)(66476007)(316002)(66446008)(66946007)(66556008)(4326008)(478600001)(41300700001)(52536014)(8676002)(5660300002)(8936002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: tOEZGHT5iDk6W+3EClO6faJzecmasoFj5jUwiSFvA02rfWWah27tX9+dZb/Fbu38tktq1m7VdQ+CQ9nFz0ZsUtq0/Z00+Io5tUG4BeZEQeHWE/LFbaPCt1SoxQSK9QfXUx8uWvimQzIJRS/s81F3SwA4Tfp6oQMrCpzmz2a0bGAmAg+ctR8c1TRrw9iYptf5dExi7rcqg6DbHQc49usE/IqLxPzPMGjiA0JO+j2JAl8Wnb88SARMQhr+0mr6Oqvnq9nN1kNjBlIEqPC+qtLJ4U1feXnyx/6dzI6Fxh32jiZfkbYrj8kz+oiwlzpAPu61CEJhFr0uM+NkC82HlpBlXcU7lkJuFHRLpLiJKNC/EU0RXRJrdccfscRr6p58xNPd1R5G3a+f+f4+hiubUBBox6GLnBIDOTNnTRfAWC+atze+/O2II3orq6vrGcUFZvuNuY37kfL4RFPwT96E/yHu4ffL6CWbewVKc8q/O6E0931wMIYxXq4bTAUyhQD4rnZWK8f3FFIlNj3u47h7TOPpCRdBKNDEfi6xsCK/dDLw91H1mdX9Yj9+RrXLX4b5GP/jb36R7nCFJ9BhIsMfkRbkZ3h14+BnbumlTUxaI/nXBrXXFx4XjjoMsEChrPYp5rEiCBKftp5PaezUEgDRpr41whbs0A3B6r4DBi1bjMvgKh+GamvRLX5aE1aPc5gL3NqvW6pheU9EEuWAykEnz9WxxhiNGS13FzIRbhOGdlh6n81das0PQhBYwtMBCSfGgDylGT7cD/wNTecK6IuDYwxP+0dE5R0nxvN8/aW7iT2jq4o+55vy0iraullSZ5Cfa3rvWR9YXe0vdQFM5RtGZYiBHXEeA8i3pSduBffG9oSoSqCAzgtSerM8QntAUTVKpcYOSzGXaXqK8RWL+1TRgmiN50DkLWyVTxfBByGodR9n7zBgQPB2Rfb9pwb/+gPfr02h60G6j4S2hPwov44vx4ibP5r1eKygd/8gZYTGmUGm0tDerDNJmvBR3/92doDBCxuTdcVo/8t/5InBzDlrcuX2bLwGLnDAAhih/3zpFoJGFRFLrOyeWuSiPe2tMuvMNxkkBG/hIfC0PpemHzd7Oop9lKdR1TdiarJWJWq5xvN22wW/d4DQ8iQZVpMcLE+Iq/lmhgWTnb7ft4EcZWi6CRlX2ykLfweliuKeZ2nRgYO4N28+ZkhFuYP5kV9igIbx4eaUHaNKEX0E04N/hDFbMtXh5UMTqmfMJ/n/Lae89/Uc4zA0ph7xw5ffXY2nedZoaBfGEoHGBNLVqv8c0Xj67jbF6B9Mb/bckZDxOD0fdeaqv0L80Mrq11J8+FoJHEs3wZLxab5jHUn0A31oRGQhoSsSVByENBnWRnj1CvrAWBQRJME0RaHd/ZZf3vost2Hpo4RYdef6TBiPSwDaTP8SmFz1De+RiSVQfvMBurQB52tj0EkfQgsI5di3vI8k7GEYX5WXJzZRRTAh9YfnoiJDD2ttqoh5C7wA4wUyACwLmkL56xrRjFm3IPj5IMBGv1H0utu2ACF3Cni4a84acMz8iXCkgLGmJli1JC579jVhuUYmCr/DYaeLclsrpU8fF6Tq0k+I
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4196.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bd015bd0-2efd-4413-925e-08db0a85033f
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Feb 2023 10:04:20.3858 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vajM5JlkrS2i6CiPulMh75Jpg2y0oCbdYhiaAdjX39JqTTjV0gVyG8fUfCDDMBDodOFjB61PWjQQbKZx5CFHPg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR11MB7440
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 64.101.210.234, xfe-rtp-004.cisco.com
X-Outbound-Node: alln-core-4.cisco.com
Resent-From: alias-bounces@ietf.org
Resent-To: jclarke@cisco.com, henk.birkholz@sit.fraunhofer.de, zhoutianran@huawei.com, rwilton@cisco.com, warren@kumari.net, mohamed.boucadair@orange.com, kondtir@gmail.com, aland@freeradius.org, bevolz@gmail.com, dhcwg@ietf.org
Resent-Message-Id: <20230209100435.9F96BC14EB18@ietfa.amsl.com>
Resent-Date: Thu, 09 Feb 2023 02:04:35 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/CemMXpksyBaxFS-1CF2NmUo5qT0>
Subject: Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2023 10:04:35 -0000
Hi Med, Alan, > -----Original Message----- > From: mohamed.boucadair@orange.com > <mohamed.boucadair@orange.com> > Sent: 09 February 2023 09:02 > To: Rob Wilton (rwilton) <rwilton@cisco.com>; Alan DeKok > <aland@deployingradius.com> > Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org; opsawg@ietf.org > Subject: RE: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07 > > Hi Rob, all, > > Please see inline. > > Cheers, > Med > > > -----Message d'origine----- > > De : Rob Wilton (rwilton) <rwilton@cisco.com> > > Envoyé : mercredi 8 février 2023 20:39 > > À : Alan DeKok <aland@deployingradius.com> > > Cc : draft-ietf-opsawg-add-encrypted-dns.all@ietf.org; > > opsawg@ietf.org > > Objet : RE: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted- > > dns-07 > > > > Hi Alan, > > > > Sorry for the delay. Please see inline ... > > > > > -----Original Message----- > > > From: Alan DeKok <aland@deployingradius.com> > > > Sent: 19 December 2022 17:13 > > > To: Rob Wilton (rwilton) <rwilton@cisco.com> > > > Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org; > > opsawg@ietf.org > > > Subject: Re: [OPSAWG] AD review of > > > draft-ietf-opsawg-add-encrypted-dns-07 > > > > > > On Dec 19, 2022, at 11:53 AM, Rob Wilton (rwilton) > > > <rwilton=40cisco.com@dmarc.ietf.org> wrote: > > > > It isn't really clear to me why some of the registries are > > needed, > > > > specifically > > > the ones in 8.4.1 and 8.4.2. Why not allow any v4 or v6 DHCP > > > attribute to be carried within the DHCPv6-Options or DHCPv4- > > Options field? > > > > > > The original intent of the document was to define a limited > > set of > > > DHCP options which could be carried in RADIUS. i.e. option X > > would > > > map to RADIUS attribute Y. After some discussion, this was > > deemed to > > > be unworkable, and changed to the current method. > > > > > > The previous limitations were still kept, however. > > > > > > While it is useful, I could see issues with allowing any DHCP > > option > > > to be transported in RADIUS. I'll have to dig deeper to get > > into details. > > [Rob Wilton (rwilton)] > > > > Okay. > > > > > > > > > > > > > (2) p 4, sec 3. DHCP Options RADIUS Attributes > > > > > > > > Absent any explicit configuration on the DHCP server, RADIUS > > supplied > > > > data by means of DHCP*-Options Attributes take precedence > > over any > > > > local configuration. > > > > > > > > This point may be worth discussing. Naturally, I would > > explicit > > > > configuration > > > to a network device to generally take precedent over implicitly > > > learned configuration from the network. > > > > > > I'm not sure which options are "implicitly learned" from the > > network. > > > One set is configured in the device, and another is configured > > on a > > > per-user / per- session basis. This allows for sane defaults, > > with > > > specific over-rides where those are needed. > > > > > > If the options configured on the device always take precedence > > over > > > the per- session options (via RADIUS), then there isn't much > > point in > > > sending per-session options. > > [Rob Wilton (rwilton)] > > To give a regular configuration example, if you were to enable the > > Ethernet auto-negotiation protocol but also explicitly configure > > an 10/100/1000 Ethernet interface to run at 100 Mb/s then I would > > expect the explicit client provided configuration to take > > precedence over negotiating the speed value. > > > > It sounds like, in what you describe, the configuration is > > effectively hierarchical. I.e., it is really because the RADIUS > > supplied configuration is more-specific that it takes precedence > > over the local configuration. If so, that is expected, but I > > think that it would be helpful to clarify the description to make > > that clear. > > > > [Med] OK. We can make this change: > > OLD: > Absent any explicit configuration on the DHCP server, RADIUS > supplied data by means of DHCP*-Options Attributes take precedence > over any local configuration. > > NEW: > RADIUS supplied data is specific configuration data that is > returned as a function of authentication and authorization checks. > As such, absent any explicit configuration on the DHCP server, RADIUS > supplied data by means of DHCP*-Options Attributes take precedence > over any local configuration. [Rob Wilton (rwilton)] This is okay, but would probably prefer a slight tweak to the last sentence to: RADIUS supplied data is specific configuration data that is returned as a function of authentication and authorization checks. As such, absent any explicit configuration on the DHCP server, RADIUS supplied data by means of DHCP*-Options Attributes take precedence over any less specific or default local configuration. But I'll leave this to the authors to decide. > > > > > > > > > > (3) p 6, sec 3.2. DHCPv4-Options Attribute > > > > > > > > Permitted DHCPv4 options in the DHCPv4-Options Attribute > > are > > > > maintained by IANA in the registry created in Section > > 8.4.2. > > > > > > > > Comparing this text to the description for v6, this > > description is > > > > silent on > > > whether multiple instances of the same DHCPv4 option MAY be > > included. > > > Should that be specified here? > > > > > > Likely, yes. The RADIUS attributes are simply carrying DHCP > > > options, as if they were in a DHCP packet. So all of the DHCP > > rules > > > about option handling should apply here. > > [Rob Wilton (rwilton)] > > Okay. > > > > > > > > > > > > > (4) p 10, sec 7. Table of Attributes > > > > > > > > The following table provides a guide as what type of RADIUS > > packets > > > > that may contain these attributes, and in what quantity. > > > > > > > > Am I right that this is just a duplication of what is > > described in > > > > section 3? If > > > so, perhaps change "guide" to "informative guide" and include > > text to > > > refer back to the canonical definition in section 3. > > > > > > Sure. This table is traditional in RADIUS RFCs, so the text > > here > > > mirrors previous RADIUS RFCs. > > [Rob Wilton (rwilton)] > > Okay. > > > > > > > > > > > (8) p 3, sec 3. DHCP Options RADIUS Attributes > > > > > > > > These attributes use the "Long Extended Type" format in > > order to > > > > permit the transport of attributes encapsulating more than > > 253 octets > > > > of data. DHCP options that can be included in the DHCP*- > > Options > > > > RADIUS attributes are limited by the maximum packet size of > > 4096 > > > > bytes. In order to accommodate deployments with large > > options, > > > > implementations are RECOMMENDED to support a packet size up > > to 65535 > > > > bytes. > > > > > > > > I didn't find this text clear. E.g., limit is 4k but should > > support up to 64K. > > > Which implementations should support larger packet sizes? Is > > this RADIUS > > > implementations? > > > > > > It's a limitation of RADIUS. Everything RADIUS has to support > > 4K packets. > > > Later RFCs allow for 64K packets. > > [Rob Wilton (rwilton)] > > > > Okay. If this will be obvious to everyone implementing/deploying > > RADIUS then fine, otherwise it might be worth including an > > informative reference to the RFC that increases the limit to 64K. > > > > > > [Med] We do already have the following: > > Note: The 4096 bytes size limit was relaxed by other RFCs, e.g., > [RFC7499] and [RFC7930]. > > Do we need to say more? Thanks. [Rob Wilton (rwilton)] Nope. I missed that you already state that. > > > > > > > > > > > > > > (9) p 5, sec 3.1. DHCPv6-Options Attribute > > > > > > > > This field contains a list of DHCPv6 options. Multiple > > instances > > > > of the same DHCPv6 option MAY be included. Consistent > > with > > > > Section 17 of [RFC7227], this document does not impose > > any option > > > > order when multiple options are present. > > > > > > > > Is there any requirement to merge multiple instances of > > options together, > > > presumably they are logically just concatenated today. > > > > > > The rules for DHCP options processing should apply. > > [Rob Wilton (rwilton)] > > > > Okay. Should that be stated here, or at least made consistent > > with the v4 description that has been updated to: > > > > | This field contains a list of DHCPv4 options. Multiple > > instances > > | of the same DHCPv4 option MAY be included, especially for > > | concatenation-requiring options that exceed the maximum > > DHCPv4 > > | option size of 255 octets. The mechanism specified in > > [RFC3396] > > | MUST be used for splitting and concatenating the instances > > of a > > | concatenation-requiring option. > > > > [Med] We can echo the relevant part from 8415 here: > > OLD: > This field contains a list of DHCPv6 options. Multiple instances > of the same DHCPv6 option MAY be included. Consistent with > Section 17 of [RFC7227], this document does not impose any option > order when multiple options are present. > > NEW: > This field contains a list of DHCPv6 options (Section 21 of > [RFC8415]). Multiple instances of the same DHCPv6 option MAY be > included. If an option appears multiple times, each instance is > considered separate and the data areas of the options MUST NOT be > concatenated or otherwise combined. Consistent with Section 17 of > [RFC7227], this document does not impose any option order when > multiple options are present. [Rob Wilton (rwilton)] Looks good. Let me know when you have posted an updated draft. Thanks, Rob
- [dhcwg] AD review of draft-ietf-opsawg-add-encryp… Rob Wilton (rwilton)
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… Alan DeKok
- Re: [dhcwg] AD review of draft-ietf-opsawg-add-en… mohamed.boucadair
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… Rob Wilton (rwilton)
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… Alan DeKok
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… mohamed.boucadair
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… Rob Wilton (rwilton)
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… mohamed.boucadair
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… Rob Wilton (rwilton)