Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification

["Winfield, Alister" <Alister.Winfield@sky.uk>]

That's an interesting use case, and I think it deserves more exposition.  To me, it raises questions like
* How did the client get configured to use the specified URI template in the first place?

Hopefully some process defined by the working group but right now perhaps it’s from an auto-upgrade list in the client.

* Why should the client use the CPE resolver instead of the central resolver, if they are administered by the same entity?

The idea would be that some process as yet undefined gives the URI template to the client but assuming we want to be able to change the template to support differential services possibly changing with time of day eg (malware filtering, no filtering, security monitored etc) plus…


  1.  First mile latency often accounts for >90% of total latency with many home connections so even with a slow CPE cache its faster than going to a central service.
  2.  DoH creates a large connection count issue which you can throw compute and other hardware at to solve but its far easier to reduce it where possible eg reduce the many clients to 1 connection from each CPE to the DoH service. Far easier to scale. To give an idea there is often >10 devices per network service if each connects once you have a problem if it’s actually ~5 clients per device then we have to handle x50 connections. A reasonable sized ISP might be worried about supporting 100,000,000’s of stateful connections instead of 1,000,000’s of nearly stateless requests. (likely overestimating but it’s not hard to get to huge numbers if lots of people, devices and clients use DoH)
  3.  If the customer wants it, the CPE resolver can chose different settings on a per-device basis at the CPE. Yes you can configure different URLs in the clients but that’s hard to get customers to do right. Especially if you have to do it to each application separately.
  4.  Caching at the CPE reduces upstream resolver load by quite a lot more than you might imagine not actually a big problem but it’s nice to avoid adding compute if there is a cheaper solution trivially available.

* How does the server know which CPE to redirect the client to?

I’m are assuming here that this is an ISP running both elements so knowing how to map the incoming IP to the name its currently using / was told to use is relatively trivial.

* What are the trust properties of a certificate stored on the CPE?

You got me ! This is the one thing that has me staring hard at a sheet of paper full of crossed out ideas. One mistake and you might as well run over an unencrypted connection. Getting a signed certificate is easy. Ensuring no-one connected to the CPE can’t get a certificate for the same name is somewhat of a challenge. Avoiding storing such a cert and key on the flash is possible with some provisioning action at connection time.

Alister.
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD