Re: [dns-privacy] [Doh] [DNSOP] New: draft-bertola-bcp-doh-clients

Eric Rescorla <ekr@rtfm.com> Mon, 11 March 2019 21:44 UTC

References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com> <e62efaf3-4a35-4a52-5ed4-dee2e7fafe72@huitema.net> <69f989ba-0939-b917-b586-9e3af3fb8b74@redbarn.org> <CAPsNn2XNCzgAdfJtxBVboAe+d6sbCiV2fZv9185wm+HN+3zRdg@mail.gmail.com> <BYAPR16MB279065EE519680E7FC9A637CEA480@BYAPR16MB2790.namprd16.prod.outlook.com> <CAPsNn2Up1AtJJCdmu_9NC4jfzc-8dtE+QjUzRxMBUwaN44gvOg@mail.gmail.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org>
In-Reply-To: <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 11 Mar 2019 14:44:06 -0700
Message-ID: <CABcZeBOWM0Ps-j3V-CK6VPy0LAqeo7-t7odUZy+dk9d-oCSDsg@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: nalini elkins <nalini.elkins@e-dco.com>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, "doh@ietf.org" <doh@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "Ackermann, Michael" <mackermann@bcbsm.com>, Christian Huitema <huitema@huitema.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/cRQnPwJiJE9LMYqaZ3YOJ1uHYSg>
Subject: Re: [dns-privacy] [Doh] [DNSOP] New: draft-bertola-bcp-doh-clients

On Mon, Mar 11, 2019 at 11:13 AM Paul Vixie <paul@redbarn.org> wrote:

>
>
> nalini elkins wrote on 2019-03-11 10:26:
> > Tiru,
> >
> > Thanks for your comments.
> >
> >  > Enterprise networks are already able to block DoH services,
> i wonder if everyone here knows that TLS 1.3 and encrypted headers is
> going to push a SOCKS agenda onto enterprises that had not previously
> needed one,


I'm pretty familiar with TLS 1.3, but I don't know what this means. TLS 1.3
doesn't generally encrypt headers any more than TLS 1.2 did, except for
the content type byte, which isn't that useful for inspection anyway.
Are you perchance referring to encrypted SNI? Something else?

-Ekr

> and that simply blocking every external endpoint known or
> tested to support DoH will be the cheaper alternative, even if that
> makes millions of other endpoints at google, cloudflare, cisco, and ibm
> unreachable as a side effect?
>
> CF has so far only supported DoH on 1.1.1.0/24 and 1.0.1.0/24, which i
> blocked already (before DoH) so that's not a problem. but if google
> decides to support DoH on the same IP addresses and port numbers that
> are used for some API or web service i depend on, that web service is
> going to be either blocked, or forced to go through SOCKS. this will add
> considerable cost to my network policy. (by design.)
>
> --
> P Vixie
>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>
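Ekr's point above, that TLS 1.3 leaves the record header in the clear and only moves the content type inside the encryption, and his follow-up question about SNI, are easiest to see in bytes. The following is an added example and not part of the thread or of any IETF document: it builds a constructed ClientHello and a constructed TLS 1.3 protected record, shows what an on-path observer (an enterprise middlebox, say) can read from each, and shows how the endpoint recovers the real content type from a decrypted TLSInnerPlaintext (RFC 8446 §5.2 and §5.4). No real handshake or AEAD is performed; the protected record body stands in for ciphertext, since only the plaintext header is being examined. All sample values (host name, zeroed random, single cipher suite) are constructed.

```python
"""Added example: what a passive observer reads from TLS records, TLS 1.2 vs 1.3.
The bytes below are constructed for illustration; nothing here talks to a network."""
import struct
from typing import Optional, Tuple

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0


def parse_record_header(record: bytes) -> dict:
    """Observer-side: the fields every TLS record exposes in the clear, in 1.2 and 1.3 alike."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if len(record) - 5 < length:
        raise ValueError("record body shorter than declared length")
    return {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": "0x%04x" % version, "length": length}


def unwrap_inner_plaintext(inner: bytes) -> Tuple[int, bytes]:
    """Endpoint-side: recover (real_type, content) from a decrypted TLSInnerPlaintext,
    laid out as content || type || zero padding.  An all-zero body is a protocol error."""
    end = len(inner)
    while end > 0 and inner[end - 1] == 0:
        end -= 1
    if end == 0:
        raise ValueError("unexpected_message: no content type found after padding")
    return inner[end - 1], inner[:end - 1]


def tls13_protected_record(real_type: int, content: bytes, padding: int = 0) -> bytes:
    """Constructed TLS 1.3 protected record: outer type is always application_data (23),
    the true type hides inside.  On the wire the body would be AEAD ciphertext."""
    inner = content + bytes([real_type]) + b"\x00" * padding
    return struct.pack("!BHH", 23, 0x0303, len(inner)) + inner


def build_client_hello_record(server_name: str) -> bytes:
    """Constructed ClientHello (TLS 1.3 shape) carrying only a server_name extension."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host             # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    body = (struct.pack("!H", 0x0303) + bytes(32)                  # legacy_version, random (zeroed here)
            + b"\x00"                                              # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"                   # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                          # legacy_compression_methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Observer-side: read the host_name from a plaintext ClientHello record.
    Returns None for anything that is not a ClientHello with SNI, including
    every protected record, whose outer type is application_data."""
    if parse_record_header(record)["type"] != "handshake":
        return None
    p = 5
    if record[p] != HANDSHAKE_CLIENT_HELLO:
        return None
    p += 4                                                   # handshake type + 3-byte length
    p += 2 + 32                                              # legacy_version + random
    p += 1 + record[p]                                       # legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]         # cipher_suites
    p += 1 + record[p]                                       # legacy_compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == EXT_SERVER_NAME:
            q = p + 2                                        # skip server_name_list length
            name_type, name_len = struct.unpack("!BH", record[q:q + 3])
            if name_type == 0:
                return record[q + 3:q + 3 + name_len].decode("ascii")
        p += elen
    return None


if __name__ == "__main__":
    hello = build_client_hello_record("example.com")
    print("ClientHello header:", parse_record_header(hello), "SNI:", extract_sni(hello))
    alert = tls13_protected_record(21, b"\x02\x28", padding=5)   # fatal handshake_failure, padded
    print("TLS 1.3 protected alert, observer view:", parse_record_header(alert))
    print("TLS 1.3 protected alert, endpoint view:", unwrap_inner_plaintext(alert[5:]))
```

The observer view of the protected alert reports `application_data` with a length inflated by padding, which is exactly the "content type byte" Ekr describes as the only header information TLS 1.3 newly hides; the SNI, by contrast, comes straight out of the plaintext ClientHello.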