Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?
Petr Špaček <petr.spacek@nic.cz> Thu, 29 November 2018 08:11 UTC
To: dnsop@ietf.org
References: <CAHw9_iL6CpLf6h_ysWEjvNjzaU2TPk-SyVGzLs_J9Yk_5A4OmA@mail.gmail.com> <46B41554-ABC0-4939-99E3-703E1FD998D5@hopcount.ca> <alpine.DEB.2.20.1811261658250.3596@grey.csi.cam.ac.uk> <23550.37961.117514.513410@fireball.acr.fi> <CAHw9_iJ0XFzErwbUci_WmN1pzZHbapj2JNu4j2YbMFbBt-m+aw@mail.gmail.com> <7DE4235C-A00F-493A-A5A0-96FCF9C32621@nohats.ca>
From: Petr Špaček <petr.spacek@nic.cz>
Organization: CZ.NIC
Message-ID: <209bcfb6-0bed-a6e1-616e-e2a4749f2dfd@nic.cz>
Date: Thu, 29 Nov 2018 09:10:54 +0100
On 29. 11. 18 1:47, Paul Wouters wrote:
> On Nov 29, 2018, at 04:53, Warren Kumari <warren@kumari.net> wrote:
>> helps mitigate this -- as Tero says above, the user would have to jump
>> through many stupid hoops in order to make themselves vulnerable.
>
> That's what we came up with when we talked to ekr.
>
>> I think that if the text around "that can be updated out of band"
>> were strengthened (the current wording sounds like being updated out
>> of band is one option, but e.g. being updated in-band and "approved" by
>> the user is another), and it were made a bit clearer how the whitelist
>> might be managed, I'd be (grudgingly) willing to remove my DISCUSS.
>
> I have no problem making that text stronger / clearer.
>
>> Again, I don't love this, but I think that the mitigations can be made
>> to work, and it *does* solve a real world problem.
>
> Yes, if we want enterprises to deploy DNSSEC, we need this. The
> internal/external views are almost always administrated by a different
> party, so the likelihood of sharing the private key is extremely low
> (plus we would be telling them how to run their infrastructure).
>
>> Can anyone *not* live with this?
>> W
>
> I'm fine with the phrasing changes you are requesting.
>
> Paul

I'm wondering if we could add a mandatory NXDOMAIN check and accept
INTERNAL_DNSSEC_TA only if the "external DNS server" resolves the given
name to NXDOMAIN. It seems to me that it would eliminate most problematic
cases like the com. hijack etc. The only problem I can see is cases where
the "external view" actually serves non-NXDOMAIN answers; I have no idea
how common that is.

What do you think?

Petr Špaček @ CZ.NIC

>> On Wed, Nov 28, 2018 at 8:12 AM Tero Kivinen <kivinen@iki.fi> wrote:
>>
>> Tony Finch writes:
>> > Joe Abley <jabley@hopcount.ca> wrote:
>> > >
>> > > It seems to me that the intended use-case is access to corporate-like
>> > > network environments where intranet.corporate-like.com might exist on
>> > > the inside but not on the outside.
>> >
>> > More likely cases like corporate-like.local or corporate-like.int or
>> > like.corp etc. usw. :-(
>>
>> Yes, this is the more common practice to use. I.e., several companies
>> quite often have (multiple) internal domains they use. Because those
>> are internal domains they cannot get real certificates for them.
>> Because they cannot use real certificates they use self signed
>> certificates, thus users have to click on "trust this web site having
>> invalid certificate yes/no". The idea is that with TLSA we could get
>> some kind of security for those internal sites.
>>
>> More competent companies might also run their own CA and use that to
>> sign internal web sites, but unfortunately those more competent
>> companies usually then also have heavy IT processes that require all
>> kinds of complicated stuff to get things signed by the corporate CA, and
>> then developers setting up intranet / chat system / testing setup etc.
>> revert to self signed certificates, because it is easy. On the other
>> hand getting DNS names added to the internal DNS is usually something
>> that happens often, and is not too hard to do; getting a TLSA record
>> along with the name should also be quite easy.
>>
>> Now when browsers start to make it harder and harder to allow access
>> to self signed certificates, users are seeing more and more problems
>> with that.
>>
>> > Private DNSSEC trust anchors should be distributed in the same way
>> > that you would distribute corporate X.509 trust anchors.
>>
>> This is exactly what is proposed by the draft, except that it is split
>> in two parts, i.e., the names for which TAs can be given are
>> distributed in the same way as X.509 trust anchors, the actual contents
>> for the TA for that whitelisted name is distributed inside IKE.
>>
>> The draft requires the whitelist to be pre-configured before starting up
>> the VPN connection. It also does require implementations to ignore all
>> those settings unless the user has explicitly configured split-tunnel on
>> for that connection.
>>
>> I.e., in the example the VPNs-R-Us would not be able to set those
>> configuration settings, nor would it be able to provide a dialog asking
>> that.
>>
>> VPN-R-Us would need to provide instructions on how to configure your VPN
>> client to do that, i.e., it would need to ask users to do the following:
>>
>> - In your IPsec VPN configuration dialog click "Add" to add a new
>> VPN.
>> - Type in VPNs-R-Us for the name, and the IP of f00::BA5 as the IP-address.
>> - Click advanced
>> - In Advanced settings go to the enterprise VPN tab
>> - In there click the Enable Split-tunnel setup check box.
>> - Answer YES to the question verifying that you really want to configure
>> this manually, and do not want to use the management profile
>> provided by the enterprise (normally enterprise VPN setups are
>> managed automatically by profiles provided by the company, normal
>> users usually do not even have the option to change anything).
>> - After that click "Add items to DNSSEC whitelist".
>> - Type in "farfetch.com", and click OK.
>> - (the vpn client would probably forbid adding .com to the list, or if
>> it is added it would be ignored), so VPN-R-Us is smart and asks the
>> following:
>> - Type in "paypal.com" and click OK.
>> - Click OK a few times and get the VPN configuration set up.
>> - Then fire up the VPN client.
>>
>> More likely VPN-R-Us would say if you do not want to do that, just
>> download this easy binary exe that will do all that configuration for
>> you (and some others they do not mention).
>>
>> I.e., that whitelist needs to be modified out of band. Usually it is
>> done by the management system taking care of the enterprise profiles,
>> i.e., the same program that installs X.509 roots for the company CA,
>> and mandates that virus checkers are up to date before allowing
>> connection to the corporate network, and which also configures the VPN
>> connection too.
>>
>> If you are running that kind of program you have already given all
>> control to whoever provided you that program (VPN-R-Us, or the
>> enterprise).
>>
>> In the enterprise case, you usually do not have the option not to, as that
>> software comes pre-installed and you cannot uninstall or not use
>> it. On the other hand, do not use your work laptop to go to paypal,
>> if you do not trust your company...
>>
>> And yes, the enterprise (or VPN-R-Us) management.exe could also
>> install those TAs directly for global system use without any
>> problems. This would not be a problem for VPN-R-Us (they would be
>> happy to have a fake TA in your system even when you are not using their
>> VPN), but an enterprise might not want to have its TA there when you are
>> not connected to its network, just to limit the exposure, and they
>> might want to update the TA contents, even when the whitelisted domain
>> name stays the same.
>>
>> I.e., if the TAs cannot be transmitted and agreed to be taken into use
>> (after comparing them to the whitelist) inside IKE, then enterprises
>> will most likely just install them by the management system for
>> general use (or not use DNSSEC). I think that would weaken security
>> more than what is proposed in this draft.
>> --
>> kivinen@iki.fi
>>
>>
>>
>> --
>> I don't think the execution is relevant when it was obviously a bad
>> idea in the first place.
>> This is like putting rabid weasels in your pants, and later expressing
>> regret at having chosen those particular rabid weasels and that pair
>> of pants..
>> ---maf
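As an added illustration (not text from the draft and not code from any VPN client), here is the acceptance decision for a name carried in INTERNAL_DNSSEC_TA as the thread describes it: the attribute is ignored unless split-tunnel was explicitly enabled, the name must be covered by the pre-configured out-of-band whitelist, bare TLDs such as "com" never qualify, and on top of that Petr's proposed rule that the external view must answer NXDOMAIN. The rcode strings, the stub resolver and the domain names are assumptions; the last case shows the caveat Petr raises, where a whitelisted apex that also exists publicly gets refused.

```python
# Added illustration, not the draft's text nor any implementation's code.
# Decide whether to honour an INTERNAL_DNSSEC_TA for ta_domain, combining the
# rules from the thread with Petr's proposed "external view says NXDOMAIN" check.
# Assumptions: rcodes are strings ("NXDOMAIN", "NOERROR"); lookups are stubbed.

def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()

def usable_whitelist(whitelist):
    """Drop entries a sane client refuses, e.g. a bare TLD like 'com' or '.'."""
    return [w for w in map(_norm, whitelist) if w and "." in w]

def whitelist_covers(whitelist, ta_domain) -> bool:
    """True when ta_domain equals a usable whitelist entry or sits under one."""
    d = _norm(ta_domain)
    return any(d == w or d.endswith("." + w) for w in usable_whitelist(whitelist))

def evaluate_internal_dnssec_ta(*, split_tunnel_enabled, whitelist, ta_domain, external_lookup):
    """Return (accept, reason). external_lookup(name) -> rcode from the non-VPN
    resolver; this is the extra check Petr proposes on top of the whitelist."""
    if not split_tunnel_enabled:
        return False, "split-tunnel not explicitly enabled; INTERNAL_DNSSEC_TA ignored"
    if not whitelist_covers(whitelist, ta_domain):
        return False, f"{ta_domain} is not covered by the pre-configured whitelist"
    rcode = external_lookup(ta_domain)
    if rcode != "NXDOMAIN":
        return False, f"external view answers {rcode} for {ta_domain}; refusing TA"
    return True, f"TA for {ta_domain} accepted for this VPN session only"

# Constructed stand-in for the external resolver: what a public view answers.
EXTERNAL_VIEW = {
    "com": "NOERROR",
    "paypal.com": "NOERROR",
    "corporate-like.com": "NOERROR",            # public apex exists outside
    "intranet.corporate-like.com": "NXDOMAIN",  # internal-only name
    "corporate-like.local": "NXDOMAIN",
}

def stub_external_lookup(name: str) -> str:
    return EXTERNAL_VIEW.get(_norm(name), "NXDOMAIN")

if __name__ == "__main__":
    wl = ["corporate-like.com", "corporate-like.local", "com"]
    for name in ("intranet.corporate-like.com", "corporate-like.com", "paypal.com"):
        print(name, evaluate_internal_dnssec_ta(split_tunnel_enabled=True, whitelist=wl,
                                                ta_domain=name, external_lookup=stub_external_lookup))
```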