Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edns-client-ip-00.txt

"Roy Arends" <roy@nominet.org.uk> Fri, 29 January 2010 13:10 UTC

To: Wilmer van der Gaast <wilmer@google.com>
Cc: namedroppers@ops.ietf.org
Message-ID: <OF675CC47F.6FE1B342-ON802576BA.00453090-C12576BA.0047E04C@nominet.org.uk>

Wilmer van der Gaast wrote on 01/28/2010 12:56:45 AM:

> Hello everyone,
> 
> I spoke to Olafur about this idea in Hiroshima last year. I'm afraid
> the deadline for Anaheim already passed, but we hope we can discuss it
> on-line in the meantime and decide if it should become a WG item in
> Maastricht later this year.
> 
> To summarize the I-D: It specifies an EDNS0 option that carries IP
> address information (by default only the first 24 bits to preserve
> privacy) of the user that triggered a DNS resolution. This should
> allow authoritative nameservers that give geo-targeted responses to be
> more accurate, even in cases where the resolver and its users aren't
> close to each other. To preserve the ability to cache such responses
> efficiently, the option in the response can indicate which exact
> subnet it should be cached for.
> 
> Comments are more than welcome.

I haven't read the whole thread, so maybe this has been proposed before:
Why not encode the client IP address (32 bits) plus the netmask in CIDR
form (6 bits) in base32 and prefix it to the query?

So, 10.0.0.2/8 would translate to B8AAAQ=I, and the query would then 
simply be: B8AAAQ=I.localized.google.com 

No stub implementation or resolver implementation has to be changed. 
Transient through resolvers as opposed to EDNS. Example works for IPv6 as 
well.

This can simply be done through a redirect on the server side, plus some 
cookie to keep state: 

Client connects to www.google.com over http.
Webserver now knows the client's IP address (10.0.0.2), issues a redirect
to B8AAAQ.localized.google.com
Client resolves B8AAAQ.localized.google.com
Auth server responds with B8AAAQ.localized.google.com A 10.90.9.73 

There is no netmask in the above example. Instead of the above method, the 
application can set the query prefix to B8AAAQ=I.

The whole discussion about client privacy is a bit over the top, as
obviously, Google can in theory already harvest client IP addresses by
looking at what connects to their webserver. With the above trick, it could
even correlate which IP address uses which resolver.

Roy
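A worked version of the label scheme proposed in the reply above, added here as an example and not code from the reply or from the draft: it packs the address bits and the CIDR prefix length into one base32 label and decodes it again on the authoritative side. The reply does not specify its alphabet, so this assumes RFC 4648 base32 with padding stripped and lowercased (hostname-safe), and widens the prefix field to 7 bits so an IPv6 /128 fits; the `truncate` flag and the zone name are assumptions. With `truncate` off the label carries the full client address, which is the privacy trade-off the I-D avoids by sending only the first 24 bits.

```python
import base64
import ipaddress

PREFIX_BITS = 7  # assumption: 7 bits so that prefix lengths up to 128 fit (the reply says 6)
LABEL_LENGTHS = {8: 4, 28: 6}  # 32+7 bits -> 8 chars (IPv4), 128+7 bits -> 28 chars (IPv6)


def encode_client_label(addr: str, prefix_len: int, truncate: bool = True) -> str:
    """Encode address + prefix length as one base32 DNS label (RFC 4648 alphabet, no padding)."""
    ip = ipaddress.ip_address(addr)
    width = ip.max_prefixlen  # 32 or 128
    if not 0 <= prefix_len <= width:
        raise ValueError("prefix length out of range")
    value = int(ip)
    if truncate:  # zero the host bits so only the announced subnet leaves the client
        value &= ((1 << prefix_len) - 1) << (width - prefix_len)
    bits = format(value, f"0{width}b") + format(prefix_len, f"0{PREFIX_BITS}b")
    bits += "0" * (-len(bits) % 8)  # pad to a whole number of bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    label = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    if len(label) > 63:  # DNS label limit; never exceeded here, kept as a guard
        raise ValueError("label too long")
    return label


def decode_client_label(label: str):
    """Reverse of encode_client_label: returns (address, prefix_len) or raises ValueError."""
    family = LABEL_LENGTHS.get(len(label))
    if family is None:
        raise ValueError("not a client-subnet label")
    try:
        raw = base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    except Exception as exc:  # binascii.Error on characters outside the alphabet
        raise ValueError("undecodable label") from exc
    width = 32 if family == 4 else 128
    bits = format(int.from_bytes(raw, "big"), f"0{len(raw) * 8}b")
    value = int(bits[:width], 2)
    prefix_len = int(bits[width:width + PREFIX_BITS], 2)
    if prefix_len > width or "1" in bits[width + PREFIX_BITS:]:
        raise ValueError("bad prefix length or non-zero padding")
    address = ipaddress.IPv4Address(value) if family == 4 else ipaddress.IPv6Address(value)
    return address, prefix_len


def localized_qname(addr: str, prefix_len: int, zone: str = "localized.example.net") -> str:
    """Build the query name the web server would redirect to (zone is a constructed placeholder)."""
    return f"{encode_client_label(addr, prefix_len)}.{zone}"


if __name__ == "__main__":
    for label in (encode_client_label("10.0.0.2", 8, truncate=False), encode_client_label("10.0.0.2", 8)):
        print(label, decode_client_label(label))
    print(localized_qname("2001:db8::1", 48))
```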