Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dnsodtls.
"Christian Huitema" <huitema@huitema.net> Fri, 19 August 2016 18:49 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECCBA12DB31 for <dns-privacy@ietfa.amsl.com>; Fri, 19 Aug 2016 11:49:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9YPGuQ3JdRL7 for <dns-privacy@ietfa.amsl.com>; Fri, 19 Aug 2016 11:49:05 -0700 (PDT)
Received: from xsmtp04.mail2web.com (xsmtp24.mail2web.com [168.144.250.190]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EFC012DAFC for <dns-privacy@ietf.org>; Fri, 19 Aug 2016 11:48:58 -0700 (PDT)
Received: from [10.5.2.16] (helo=xmail06.myhosting.com) by xsmtp04.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1baoqb-0002hl-2Z for dns-privacy@ietf.org; Fri, 19 Aug 2016 14:48:57 -0400
Received: (qmail 8111 invoked from network); 19 Aug 2016 18:48:52 -0000
Received: from unknown (HELO huitema2) (Authenticated-user:_huitema@huitema.net@[131.107.160.201]) (envelope-sender <huitema@huitema.net>) by xmail06.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dns-privacy@ietf.org>; 19 Aug 2016 18:48:52 -0000
From: Christian Huitema <huitema@huitema.net>
To: "'Tirumaleswar Reddy (tireddy)'" <tireddy@cisco.com>, 'Bob Harold' <rharolde@umich.edu>
References: <CAHw9_iLWW-e_de9ieq_oe_eR=RBWg9swG7EiAPTp93825Vm=pw@mail.gmail.com> <CA+nkc8AQHF1vD5V9rMd=WHHNERt8zKa5s+XKmNAbHWshXuzL-Q@mail.gmail.com> <e1354ea4f0f946399237a561de2c3818@XCH-RCD-017.cisco.com> <CA+nkc8B6yV9K5n_5_HFCLvqiHfb5_RMq6V-W4U_QhdYgM5c+KA@mail.gmail.com> <6df901a79a9142969e4b31808e1ff60a@XCH-RCD-017.cisco.com>
In-Reply-To: <6df901a79a9142969e4b31808e1ff60a@XCH-RCD-017.cisco.com>
Date: Fri, 19 Aug 2016 11:48:50 -0700
Message-ID: <022101d1fa4a$54909360$fdb1ba20$@huitema.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0222_01D1FA0F.A8345370"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGo0Z9JJ7Jb5yEeZz5Ft1Aq/2qQ7wEtCp6LAKD3HZgCLVrm5QJAtd9coHEKOrA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/NKmdz1kbTbsUFr8XGbjE5U9SVVQ>
Cc: 'Warren Kumari' <warren@kumari.net>, dns-privacy@ietf.org, DPRIVE-chairs@tools.ietf.org, draft-ietf-dprive-dnsodtls@ietf.org
Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dnsodtls.
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2016 18:49:09 -0000
I reviewed the latest iteration of the DNS over DTLS draft (draft-ietf-dprive-dnsodtls-10). It is fine. I just have a couple of editorial nits: In the beginning of section 3.1, there are two paragraphs repeating the same convoluted description of which port to use. It could probably be refactored to be a bit simpler to read. Something like one paragraph explaining which port to use, then a reference to “the selected port” in the other paragraphs. The text in section 3.2 refers to the HelloVerifyRequest message of DTLS. This brings a general problem with the document, which replicates a lot of text from RFC 6347, such as the flow diagram in section 3.3. On one hand, that makes the document easy to read, but on the other hand it makes the document unnecessarily dependent on the details of DTLS implementation. The “HelloVerifyRequest” is necessary when the IP address of the client has not been verified, but the DTLS module may well be using some caching strategy to remember the required cookies, and the server may well in these cases respond immediately with a ServerHello message. We may also see clients and servers resuming old session, as actually documented in section 4. And we may well see the DTLS implementation evolve when TLS 1.3 becomes available. It would be simpler to just refer to RFC 6347 with text like “if the DTLS handshake succeeds according to [RFC6347]”, rather than replicate content. That way, we would require only minimal changes to DNS over DTLS when the DTLS spec evolves. -- Christian Huitema From: dns-privacy [mailto:dns-privacy-bounces@ietf.org] On Behalf Of Tirumaleswar Reddy (tireddy) Sent: Thursday, August 18, 2016 7:18 AM To: Bob Harold <rharolde@umich.edu> Cc: DPRIVE-chairs@tools.ietf.org; dns-privacy@ietf.org; Warren Kumari <warren@kumari.net>; draft-ietf-dprive-dnsodtls@ietf.org Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dnsodtls. From: Bob Harold [mailto:rharolde@umich.edu] Sent: Thursday, August 18, 2016 6:56 PM To: Tirumaleswar Reddy (tireddy) <tireddy@cisco.com <mailto:tireddy@cisco.com> > Cc: Warren Kumari <warren@kumari.net <mailto:warren@kumari.net> >; dns-privacy@ietf.org <mailto:dns-privacy@ietf.org> ; DPRIVE-chairs@tools.ietf.org <mailto:DPRIVE-chairs@tools.ietf.org> ; draft-ietf-dprive-dnsodtls@ietf.org <mailto:draft-ietf-dprive-dnsodtls@ietf.org> Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dnsodtls. On Thu, Aug 18, 2016 at 1:14 AM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com <mailto:tireddy@cisco.com> > wrote: From: Bob Harold [mailto:rharolde@umich.edu <mailto:rharolde@umich.edu> ] Sent: Wednesday, August 17, 2016 9:13 PM To: Warren Kumari <warren@kumari.net <mailto:warren@kumari.net> > Cc: dns-privacy@ietf.org <mailto:dns-privacy@ietf.org> ; draft-ietf-dprive-dnsodtls@ietf.org <mailto:draft-ietf-dprive-dnsodtls@ietf.org> ; DPRIVE-chairs@tools.ietf.org <mailto:DPRIVE-chairs@tools.ietf.org> Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dnsodtls. On Tue, Aug 16, 2016 at 1:05 PM, Warren Kumari <warren@kumari.net <mailto:warren@kumari.net> > wrote: Dear DPRIVE WG, The authors of draft-ietf-dprive-dnsodtls have indicated that they believe that the document is ready, and have asked for Working Group Last Call. The draft is available here: https://datatracker.ietf.org/doc/draft-ietf-dprive-dnsodtls/ Please review this draft to see if you think it is ready for publication and send comments to the list, clearly stating your view. This WGLC ends Tue 30-Aug-2016. In addition, to satisfy RFC 6702 ("Promoting Compliance with Intellectual Property Rights (IPR)"): Are you personally aware of any IPR that applies to draft-ietf-dprive-dnsodtls? If so, has this IPR been disclosed in compliance with IETF IPR rules? (See RFCs 3979, 4879, 3669, and 5378 for more details.) Thanks, Warren Kumari Looks good to me. A couple grammatical concerns: Section "3.1. Session Initiation" The last sentance might sound better by adding "therefore" in the middle: "There are significant security issues in mixing protected and unprotected data, therefore UDP connections on a port designated by a given server for DNS-over- DTLS are reserved purely for encrypted communications." [TR] Updated in my local copy. Section "4. Performance Considerations" This sentence does not read well to me: "TLS False Start] which reduces round-trips by allowing the TLS second flight of messages (ChangeCipherSpec) to also contain the (encrypted) DNS query. " [TR] How about the following line ? TLS False Start [I-D.ietf-tls-falsestart] can reduce the round-trips in certain situations. [BH] That would work.. I was think just change "which reduces" to "can reduce": "TLS False Start] can reduce round-trips by allowing the TLS second flight of messages (ChangeCipherSpec) to also contain the (encrypted) DNS query. " [TR] Thanks, updated. -Tiru -Tiru -- Bob Harold
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Christian Huitema
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Bob Harold
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Bob Harold
- [dns-privacy] Start of WGLC for draft-ietf-dprive… Warren Kumari
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Warren Kumari
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Stephane Bortzmeyer
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Allison Mankin
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Warren Kumari
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Allison Mankin
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tim Wicinski
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)