[DNSOP] Stephen Farrell's Discuss on draft-ietf-dnsop-5966bis-05: (with DISCUSS)

"Stephen Farrell" <stephen.farrell@cs.tcd.ie> Thu, 07 January 2016 00:09 UTC

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: The IESG <iesg@ietf.org>
Message-ID: <20160107000918.2664.4578.idtracker@ietfa.amsl.com>
Date: Wed, 06 Jan 2016 16:09:18 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/U5iK_8id7-IKIiQCXFCF7ygcIEw>
Cc: tjw.ietf@gmail.com, dnsop@ietf.org, draft-ietf-dnsop-5966bis@ietf.org, dnsop-chairs@ietf.org
Subject: [DNSOP] Stephen Farrell's Discuss on draft-ietf-dnsop-5966bis-05: (with DISCUSS)

Stephen Farrell has entered the following ballot position for
draft-ietf-dnsop-5966bis-05: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-5966bis/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------


Don't we need text warning that TFO is likely problematic
with DNS privacy and that attacks that try to prepend
information (via TFO) to otherwise secured sessions could
occur? While that might sound a bit far-fetched, we have
seen exactly that kind of issue with HTTPS that had
practical impact on WebDAV. (The TLS renego and then
triple handshake attacks.) So while using TFO may not
enable a slam-dunk CVE level 10 attack, I think you do
need to consider and talk about it. (Or maybe you did and
figured out no attack can work, but then I'd guess you'd
be so happy, you'd say that too :-)

I'm not sure how this'd best be resolved, but one thing
might be to talk to the folks thinking about TCPINC as
they have at least hit this as a potential issue for
tcpcrypt and for tcp-use-tls.

Otherwise, this is a fine document on which I'll ballot
yes when the above is sorted.
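The draft under review is the DNS-over-TCP implementation requirements document, and the message framing it specifies is the layer that any TFO or TLS discussion sits on top of. The following is an added example, not code from the draft or from this message: a Python reassembler for the two-octet length-prefixed DNS/TCP byte stream that handles pipelined messages, messages split across segments, and a declared length too short to hold a DNS header (a desynchronised stream). The names `build_query`, `frame` and `DnsTcpFramer` are chosen here, and the query bytes are constructed inline for the example.

```python
import struct

DNS_HEADER_LEN = 12       # fixed DNS header size (RFC 1035)
MAX_DNS_MESSAGE = 65535   # largest value the two-octet length field can carry


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header plus one question).

    Constructed input for this example; qtype 1 is A, class is IN.
    """
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with the two-octet length used on TCP."""
    if len(msg) > MAX_DNS_MESSAGE:
        raise ValueError("message too large for DNS over TCP")
    return struct.pack("!H", len(msg)) + msg


class DnsTcpFramer:
    """Reassemble length-prefixed DNS messages from a TCP byte stream.

    feed() accepts whatever the socket delivered (any number of whole or
    partial messages) and returns the complete messages found so far.
    A declared length shorter than the DNS header means the stream is
    desynchronised; the only safe response is to close the connection,
    so feed() raises rather than trying to resynchronise.
    """

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, data: bytes) -> list:
        self._buf += data
        messages = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack("!H", self._buf[:2])
            if length < DNS_HEADER_LEN:
                raise ValueError(
                    f"DNS/TCP length {length} shorter than header; stream desynchronised"
                )
            if len(self._buf) < 2 + length:
                break  # wait for the rest of this message
            messages.append(self._buf[2:2 + length])
            self._buf = self._buf[2 + length:]
        return messages

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete message."""
        return len(self._buf)


if __name__ == "__main__":
    q1 = build_query("example.com")
    q2 = build_query("example.net", qtype=28)  # AAAA
    stream = frame(q1) + frame(q2)
    framer = DnsTcpFramer()
    # Deliver the stream in awkward chunks, as TCP may.
    print(framer.feed(stream[:7]))        # [] (first message incomplete)
    print(len(framer.feed(stream[7:])))   # 2 (both messages complete)
```

The framer has no way to tell whether its first bytes arrived in a TFO SYN or only after the three-way handshake completed; it sees one byte stream either way. That is why the question raised in the DISCUSS is about where the secured layer sits relative to this framing, and about what a server does with SYN-carried data, rather than about the framing rules themselves.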