Re: [DNSOP] New Version Notification for draft-bellis-dnsop-xpf-00.txt

Ray Bellis <ray@bellis.me.uk> Fri, 10 February 2017 13:12 UTC

To: dnsop@ietf.org
References: <148371232017.17418.17291340320637379369.idtracker@ietfa.amsl.com> <dab36e0b-81a5-e9cc-0a07-416061ce9b74@isc.org> <54C32FCA-8248-441A-9D44-9EEFEB1F00E5@verisign.com> <af8e10d1-1b39-dd86-a131-198bfde80076@bellis.me.uk> <A719BB79-A018-4C15-B9DD-F0E032D11123@powerdns.com>
From: Ray Bellis <ray@bellis.me.uk>
Message-ID: <3a687531-932a-c88b-8f9c-2d8ca4df0433@bellis.me.uk>
Date: Fri, 10 Feb 2017 13:12:45 +0000
In-Reply-To: <A719BB79-A018-4C15-B9DD-F0E032D11123@powerdns.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LfJMqdoYo4lVflK7quXGgYZNrFs>


On 10/02/2017 12:52, Peter van Dijk wrote:

> However, both in ECS, and now in XPF, we do not get the client's port
> number. With increasing CGNAT deployment, this makes it impossible to
> distinguish clients once a request has passed through a proxy, like
> dnsdist or a TLS frontend.
> 
> Can you please consider adding a port number field?

I see where you're coming from, but I'm not inclined to add it (yet) for
a couple of reasons:

1.  CGNAT is evil ;-)

2.  If I add this, then folks will want other transport related fields
   (indeed I already had at least one other person suggest this).

Are the server-side ACLs etc. that need to be able to identify the client
so fine-grained that they'd really give different treatment to different
clients arriving from the same CGN IP address?

This is probably something that the WG should consider if (or hopefully
when) this becomes a WG item.

kind regards,

Ray