Re: [dns-privacy] [Doh] [DNSOP] New: draft-bertola-bcp-doh-clients
Eric Rescorla <ekr@rtfm.com> Mon, 11 March 2019 21:44 UTC
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 11 Mar 2019 14:44:06 -0700
To: Paul Vixie <paul@redbarn.org>
Cc: nalini elkins <nalini.elkins@e-dco.com>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, "doh@ietf.org" <doh@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "Ackermann, Michael" <mackermann@bcbsm.com>, Christian Huitema <huitema@huitema.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/cRQnPwJiJE9LMYqaZ3YOJ1uHYSg>

On Mon, Mar 11, 2019 at 11:13 AM Paul Vixie <paul@redbarn.org> wrote:

>
> nalini elkins wrote on 2019-03-11 10:26:
> > Tiru,
> >
> > Thanks for your comments.
> >
> >  > Enterprise networks are already able to block DoH services,
> i wonder if everyone here knows that TLS 1.3 and encrypted headers is
> going to push a SOCKS agenda onto enterprises that had not previously
> needed one,

I'm pretty familiar with TLS 1.3, but I don't know what this means. TLS 1.3
doesn't generally encrypt headers any more than TLS 1.2 did, except for the
content type byte, which isn't that useful for inspection anyway. Are you
perchance referring to encrypted SNI? Something else?

-Ekr

> and that simply blocking every external endpoint known or
> tested to support DoH will be the cheaper alternative, even if that
> makes millions of other endpoints at google, cloudflare, cisco, and ibm
> unreachable as a side effect?
>
> CF has so far only supported DoH on 1.1.1.0/24 and 1.0.1.0/24, which i
> blocked already (before DoH) so that's not a problem. but if google
> decides to support DoH on the same IP addresses and port numbers that
> are used for some API or web service i depend on, that web service is
> going to be either blocked, or forced to go through SOCKS. this will add
> considerable cost to my network policy. (by design.)
>
> --
> P Vixie
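
Added example, not part of the original message: a sketch of the "content type byte" difference mentioned in the reply above, showing what an on-path observer reads from the cleartext record headers of TLS 1.2 versus TLS 1.3 traffic after the handshake. The function names are this example's own, and the record bodies are constructed placeholder bytes standing in for ciphertext (no real encryption is performed).

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def record(ctype, body, version=0x0303):
    """Build one TLS record: type(1) | legacy version(2) | length(2) | body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def visible_headers(stream):
    """What a passive observer can read: each record's cleartext 5-byte header."""
    seen, off = [], 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if off + 5 + length > len(stream):
            raise ValueError("truncated record")
        seen.append((CONTENT_TYPES.get(ctype, f"unknown({ctype})"), length))
        off += 5 + length
    if off != len(stream):
        raise ValueError("trailing bytes shorter than a record header")
    return seen

def tls13_inner_plaintext(content, real_type, padding=0):
    """TLS 1.3 TLSInnerPlaintext (RFC 8446, 5.2): content | real type | zero padding."""
    return content + bytes([real_type]) + b"\x00" * padding

def tls13_real_type(inner):
    """After decryption, the real type is the last non-zero byte."""
    stripped = inner.rstrip(b"\x00")
    if not stripped:
        raise ValueError("no content type in inner plaintext")
    return CONTENT_TYPES.get(stripped[-1], f"unknown({stripped[-1]})")

# Constructed TLS 1.2 flow: the outer type distinguishes an encrypted
# handshake message, application data and an alert.
TLS12_FLOW = (record(22, b"\xaa" * 40) + record(23, b"\xbb" * 120)
              + record(21, b"\xcc" * 26))

# Constructed TLS 1.3 flow: the same three kinds of message, but the real
# type travels inside the encrypted payload and the outer type is always 23.
INNER13 = [tls13_inner_plaintext(b"F" * 36, 22),
           tls13_inner_plaintext(b"D" * 100, 23, padding=4),
           tls13_inner_plaintext(b"\x01\x00", 21)]  # close_notify alert body
# +16 models the AEAD tag; the bytes are placeholders, not real ciphertext.
TLS13_FLOW = b"".join(record(23, b"\xee" * (len(p) + 16)) for p in INNER13)

if __name__ == "__main__":
    print("TLS 1.2 observer view:", visible_headers(TLS12_FLOW))
    print("TLS 1.3 observer view:", visible_headers(TLS13_FLOW))
    print("TLS 1.3 endpoint view:", [tls13_real_type(p) for p in INNER13])
```

Record lengths remain visible in both versions; only the per-record type is hidden in TLS 1.3.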