IETF Logo Mail Archive

Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

Neil Cook <neil.cook@noware.co.uk> Tue, 12 March 2019 11:43 UTC

Return-Path: <neil.cook@noware.co.uk>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE7D8130F25; Tue, 12 Mar 2019 04:43:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.106
X-Spam-Level:
X-Spam-Status: No, score=-1.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TCRDU9jzXJDR; Tue, 12 Mar 2019 04:43:35 -0700 (PDT)
Received: from mail.noware.co.uk (unknown [IPv6:2604:a880:0:1010::add:2001]) by ietfa.amsl.com (Postfix) with ESMTP id B8ED2126C01; Tue, 12 Mar 2019 04:43:34 -0700 (PDT)
Received: from [10.20.120.143] (unknown [86.107.204.117]) by mail.noware.co.uk (Postfix) with ESMTPSA id 071CB1C0206; Tue, 12 Mar 2019 11:40:15 +0000 (UTC)
From: Neil Cook <neil.cook@noware.co.uk>
Message-Id: <2508EF3D-F82D-4BA5-A2FC-6287A76724BA@noware.co.uk>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4C0A1DF0-6BF5-480C-B9BC-52CC38D68A19"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Date: Tue, 12 Mar 2019 12:43:31 +0100
In-Reply-To: <BYAPR16MB27902B449F94D0332AAED8E8EA490@BYAPR16MB2790.namprd16.prod.outlook.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Paul Vixie <paul@redbarn.org>, "doh@ietf.org" <doh@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Christian Huitema <huitema@huitema.net>, nalini elkins <nalini.elkins@e-dco.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "Ackermann, Michael" <mackermann@bcbsm.com>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com> <e62efaf3-4a35-4a52-5ed4-dee2e7fafe72@huitema.net> <69f989ba-0939-b917-b586-9e3af3fb8b74@redbarn.org> <CAPsNn2XNCzgAdfJtxBVboAe+d6sbCiV2fZv9185wm+HN+3zRdg@mail.gmail.com> <BYAPR16MB279065EE519680E7FC9A637CEA480@BYAPR16MB2790.namprd16.prod.outlook.com> <CAPsNn2Up1AtJJCdmu_9NC4jfzc-8dtE+QjUzRxMBUwaN44gvOg@mail.gmail.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org> <CAPsNn2VAgLDW++kb=Csfczp4oydqa4sY-dKWw7P7qTwj=MfxdQ@mail.gmail.com> <b405fbdd-dc36-5df1-b5bc-9ff2dcb149a2@cs.tcd.ie> <BYAPR16MB27902B449F94D0332AAED8E8EA490@BYAPR16MB2790.namprd16.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.101.1)
X-VADE-SPAMSTATE: clean
X-VADE-SPAMSCORE: -100
X-VADE-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedutddrgeekgdefvdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfpgffknfevqffqmfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhephffktgggufffjgfvfhfosegrtdhmrehhtddvnecuhfhrohhmpefpvghilhcuvehoohhkuceonhgvihhlrdgtohhokhesnhhofigrrhgvrdgtohdruhhkqeenucffohhmrghinhepihgvthhfrdhorhhgpdgvgigrmhhplhgvrdgtohhmnecukfhppeekiedruddtjedrvddtgedruddujeenucfrrghrrghmpehinhgvthepkeeirddutdejrddvtdegrdduudejpdhhvghloheplgdutddrvddtrdduvddtrddugeefngdpmhgrihhlfhhrohhmpefpvghilhcuvehoohhkuceonhgvihhlrdgtohhokhesnhhofigrrhgvrdgtohdruhhkqedprhgtphhtthhopefvihhruhhmrghlvghsfigrrhftvgguugihpgfmohhnuggrsefotgetfhgvvgdrtghomhdprhgtphhtthhopehsthgvphhhvghnrdhfrghrrhgvlhhlsegtshdrthgtugdrihgvpdhrtghpthhtohepphgruhhlsehrvggusggrrhhnrdhorhhgpdhrtghpthhtohepughohhesihgvthhfrdhorhhgpdhrtghpthhtohepughnshhophesihgvthhfrdhorhhgpdhrtghpthhtohephhhuihhtvghmrgeshhhuihhtvghmrgdrnhgvthdprhgtphhtthhopehnrghlihhnihdrvghlkhhinhhssegvqdgutghordgt ohhmpdhrtghpthhtohepughnshdqphhrihhvrggthiesihgvthhfrdhorhhgpdhrtghpthhtohepmhgrtghkvghrmhgrnhhnsegstggsshhmrdgtohhmpdhrtghpthhtohepvhhithhtohhrihhordgsvghrthholhgrpeegtdhophgvnhdqgigthhgrnhhgvgdrtghomhesughmrghrtgdrihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptd
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/2lOnigYjCWMjLeIh0koTRF2w1zE>
X-Mailman-Approved-At: Tue, 12 Mar 2019 06:16:47 -0700
Subject: Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2019 11:43:37 -0000

>> ISTM that it is quite possible that enterprises that deploy their own DoH
>> services could potentially reduce such leakage and gain overall. (I'm
>> assuming here that sensible browser-makers will end up providing
>> something that works for browsers running in networks with split-horizon
>> setups before those browsers turn on DoH as a default at scale.)
> 
> If Enterprise network provides a DoT/DoH server, browser should be able to discover and use the Enterprise DoT/DoH server.

Well until now there has been no discovery mechanism for DoH servers. There is now draft adopted by the DoH WG that proposes a discovery mechanism. However whether browsers actually use it is another question. Hence the draft by VIttorio.

Neil

> On 12 Mar 2019, at 06:14, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> wrote:
> 
>> -----Original Message-----
>> From: Stephen Farrell <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>>
>> Sent: Tuesday, March 12, 2019 5:30 AM
>> To: Paul Vixie <paul@redbarn.org <mailto:paul@redbarn.org>>; doh@ietf.org <mailto:doh@ietf.org>
>> Cc: nalini elkins <nalini.elkins@e-dco.com <mailto:nalini.elkins@e-dco.com>>; Konda, Tirumaleswar Reddy
>> <TirumaleswarReddy_Konda@McAfee.com <mailto:TirumaleswarReddy_Konda@McAfee.com>>; dnsop@ietf.org <mailto:dnsop@ietf.org>; Ackermann,
>> Michael <mackermann@bcbsm.com <mailto:mackermann@bcbsm.com>>; Christian Huitema
>> <huitema@huitema.net <mailto:huitema@huitema.net>>; dns-privacy@ietf.org <mailto:dns-privacy@ietf.org>; Vittorio Bertola
>> <vittorio.bertola=40open-xchange.com@dmarc.ietf.org <mailto:vittorio.bertola=40open-xchange.com@dmarc.ietf.org>>
>> Subject: Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients
>> 
>> 
>> (This distribution list is too scattered and diverse. Be great if some AD or
>> someone just picked one list for this.
>> In the meantime...)
>> 
>> On 11/03/2019 20:43, nalini elkins wrote:
>>> impact assessment that certain changes such as DoH and TLS1.3 will
>>> have on enterprises,
>> 
>> TLS1.3 will, I expect, noticeably improve security for an awful lot of
>> enterprises in time.
>> 
>> As for DoH, I wonder has anyone done studies on how split-horizon names
>> and access patterns leak today?
>> 
>> I don't recall having read that kind of study. I can imagine many ways in
>> which that kind of stuff would leak. I'd be very surprised if it never happens.
>> I don't know how often it does.
>> 
>> For names, leaking once is kinda fatal. For access patterns, I guess one leak
>> exposes an IP address that's interested in a name (e.g. secret-
>> project.example.com) but more would be needed for broader access
>> patterns to be exposed to "foreign"
>> recursives and/or in-band networks.
>> 
>> ISTM that it is quite possible that enterprises that deploy their own DoH
>> services could potentially reduce such leakage and gain overall. (I'm
>> assuming here that sensible browser-makers will end up providing
>> something that works for browsers running in networks with split-horizon
>> setups before those browsers turn on DoH as a default at scale.)
> 
> If Enterprise network provides a DoT/DoH server, browser should be able to discover and use the Enterprise DoT/DoH server.
> 
> -Tiru
> 
>> 
>> Cheers,
>> S.
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
> https://www.ietf.org/mailman/listinfo/dnsop <https://www.ietf.org/mailman/listinfo/dnsop>

v2.23.0 | Report a Bug | By Email