IETF Logo Mail Archive

Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edns-client-ip-00.txt

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Thu, 28 January 2010 21:18 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0FB733A67E1; Thu, 28 Jan 2010 13:18:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y-7zBnve1jTh; Thu, 28 Jan 2010 13:18:57 -0800 (PST)
Received: from psg.com (psg.com [147.28.0.62]) by core3.amsl.com (Postfix) with ESMTP id 9F9143A67B2; Thu, 28 Jan 2010 13:18:57 -0800 (PST)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1Nabgc-000382-2g for namedroppers-data0@psg.com; Thu, 28 Jan 2010 21:13:58 +0000
Received: from [192.150.186.11] (helo=fruitcake.ICSI.Berkeley.EDU) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.71 (FreeBSD)) (envelope-from <nweaver@ICSI.Berkeley.EDU>) id 1NabgZ-00037d-Nx for namedroppers@ops.ietf.org; Thu, 28 Jan 2010 21:13:55 +0000
Received: from [IPv6:::1] (jack.ICSI.Berkeley.EDU [192.150.186.73]) by fruitcake.ICSI.Berkeley.EDU (8.12.11.20060614/8.12.11) with ESMTP id o0SLDc6i001349; Thu, 28 Jan 2010 13:13:38 -0800 (PST)
References: <7c31c8cc1001271556w4918093er6e94e07cb92c4dc4@mail.gmail.com> <6184.1264657589@nsa.vix.com> <4966825a1001280807i768a33ccs98f809366bce33d8@mail.gmail.com> <48894.1264695230@nsa.vix.com> <50A91B20-5AC1-4819-91ED-E5141F068D48@wiggum.com> <52065.1264699087@nsa.vix.com> <FDD5D1103B8EA4D13C4A2C4C@Ximines.local> <EEAAE4BF-BBA9-4141-BECC-A8440715597F@icsi.berkeley.edu> <64E75C1F63E69611DE870231@Ximines.local> <0BA9FFB0-A051-46E6-990D-04F385DA5EF0@ICSI.Berkeley.EDU> <79E447BA4454658934413A0F@nimrod.local>
In-Reply-To: <79E447BA4454658934413A0F@nimrod.local>
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
Message-Id: <8419C7FF-27E8-47AD-924C-BE42AC75E54E@ICSI.Berkeley.EDU>
Content-Transfer-Encoding: quoted-printable
Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, Paul Vixie <vixie@isc.org>, namedroppers@ops.ietf.org
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Subject: Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edns-client-ip-00.txt
Date: Thu, 28 Jan 2010 13:13:38 -0800
To: Alex Bligh <alex@alex.org.uk>
X-Mailer: Apple Mail (2.1077)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

On Jan 28, 2010, at 12:49 PM, Alex Bligh wrote:

> 
> 
> --On 28 January 2010 12:16:57 -0800 Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> wrote:
> 
>> 3:  The third party resolver offers a significant value add, such as
>> programmable blocking, automatic blocking of malicious sites, and far
>> more agressive prefetching of common names and related information to
>> speed up results.
>> 
>> People are NOT using OpenDNS, UltraDNS, or Google's public DNS because
>> their ISP's resolver is broken/evil, they are using it because they offer
>> real perceived benefits.
>> 
>> And this ISNT'T a behavioral change for every caching resolver.  One of
>> the beauties of this scheme is ONLY the third-party resolvers and
>> authorities which desire this behavior will need to implement this at
>> all.  In fact, the Bind developers could say "No way in hell will WE
>> implement this", but a few big recursive resolver providers and CDNs do,
>> and it becomes a success and the problem is solved.
> 
> Hmmm... ok, part of my objection was to lines like (from 4.1)
> "In the reply, the server MUST include an edns-client-ip option."
> On your reading, that MUST only means "where the incoming query
> has the option set AND where the server is using the data in
> some way". It doesn't, however, say that. I think it should be
> clear that a server, whether or not it the software supports
> the draft, and whether or not it is configured to return
> answers with this option for some queries, is always free
> to discard the edns client ip option (i.e. treat it as if
> it isn't there). I don't see a particular problem with it using
> the data silently then not returning a netmask. In which case
> the MUST should simply read "MAY".

Agreed.  Perhaps the best way is something like the following rules:


The authority MUST NOT use an EDNS0 client-ip-option if the request did not include a client-ip-option [1]

The authority MAY specify a broader netmask in the returned value [2]


When the resolver's own address is a publically-routable address, it SHOULD use the request's source IP address as the basis for the client-ip-option value, if no client-ip-option value was specified in the request [3]

If the resolver's own address is a non-routable address, it MUST NOT generate a client-ip-option value, but may pass a client-ip-option value [3]

If the resolver receives a request with a client-ip-option value, it should either REMOVE this value or pass it unchanged, it must not modify this value [4]


The resolver which uses or creates client-ip-option values SHOULD keep track of any authority which ignores or responds with an error for a request containing a client-ip-option but responds properly for the same request without a client-ip-option.  After three such failures, the resolver should remove all client-ip-option values in communication with this authority [5]




[1] Ensures that authority changes will not affect non-compliant resolvers

[2] Ensures that the authority if it cares about load, can specify a broader netmask.

[3] Removes the need for client changes under most conditions.  Prevents the NAT from being an issue.

[4] ALLOWS clients to take advantage of this, but doesn't requires it.

[5] Ensures that resolver changes will not prevent names from resolving.


As a result, you get a system where:

a) Partial deployment works with just changes to the authorities and resolvers which care about this feature.

b) Authorities, resolvers, and clients which don't implement this feature won't see an effect.


As important, the number of servers which would need to implement this feature is low, but the number of USERS which would benefit is substantial.


> But if the idea of this is to institute a signaling mechanism between
> caching resolvers that are non-local to their users (and you
> say these are >= 97% third party resolvers) and certain authoritive
> nameservers, why insist that the IP address passed is the IP
> address of the client, which gets you into all these NAT problems.

Actually, the external address of the request is the right answer for all these NATs, so there is no problem.

> Why not just allow the end user to specify an arbitrary IP address
> which is the IP address he'd like authoritative nameserver to
> treat as the source address for the query (possibly with a netmask
> to indicate which bits are accurate), rather than saying he MUST
> use the local IP address etc. etc.; so I could configure my
> local (behind NAT) resolver with the external IP address.
> And the privacy-paranoid could just pick any IP they know to
> be in the same AS / network locality / whatever. Rather than
> "client-ip-option" it is a sort of "source-hint-option".
> This would also be useful in debugging problems to do with DNS
> 'cleverness' too (e.g. "dig +source-hint=x.x.x.x ....").

Sounds good, and makes sense.  But in absence of a client-specified value, the default value should be derived from the request's SRC address.

v2.23.0 | Report a Bug | By Email