Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-server-cookies

Willem Toorop <willem@nlnetlabs.nl> Mon, 12 October 2020 09:47 UTC

To: dnsop@ietf.org
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <3f1fd876-62d7-18db-30a9-0cade4cff7f4@nlnetlabs.nl>
Date: Mon, 12 Oct 2020 11:47:48 +0200
In-Reply-To: <CAH1iCiqMWogWLr1Cw-3LYo_wkem4zV1adqUc0xna5qd+H5x3YA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/W6Z1zPgA8rhiSC682C4ScIT5fxM>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-server-cookies

Thanks Brian,

All but one nit resolved in these commits:

* https://github.com/NLnetLabs/draft-sury-toorop-dns-cookies-algorithms/commit/db51181a
* https://github.com/NLnetLabs/draft-sury-toorop-dns-cookies-algorithms/commit/e1e763e8

For your convenience, a rendered possible future version of the document
with these changes can be viewed here:

* https://raw.githubusercontent.com/NLnetLabs/draft-sury-toorop-dns-cookies-algorithms/master/draft-ietf-dnsop-server-cookies-04.txt

I've provided a bit more feedback inline below.

On 10-10-2020 at 23:13, Brian Dickson wrote:
> 
> 
> On Fri, Oct 9, 2020 at 8:38 AM Benno Overeinder <benno@nlnetlabs.nl
> <mailto:benno@nlnetlabs.nl>> wrote:
> 
>     This starts a Working Group Last Call for
>     draft-ietf-dnsop-server-cookies.
> 
>     Current versions of the draft is available here:
>     https://datatracker.ietf.org/doc/draft-ietf-dnsop-server-cookies/
> 
>     The Current Intended Status of this document is: Standards Track
> 
>     FYI, I will not shepherd this document, as it was written with one
>     of my coworkers.
>     Tim Wicinski will be Document Shepherd.
> 
>     Please review the draft and offer relevant comments.
>     If this does not seem appropriate please speak out.
>     If someone feels the document is *not* ready for publication, please
>     speak out with your reasons.
> 
> 
> I have read the document, and support publication (modulo very minor
> nits that should be fixed).
> 
> In addition to these nits, I do have one further suggestion for Section 8.
> 
> I'm not sure if it is too late to make such a suggestion, but on reading
> (and thinking about) the spec,
> it could be useful guidance (particularly for clients which may not be
> aware of changes to their Client-IP address):
> 
> "o   In order to determine that a Server has detected a change to the
> Client-IP, a Client may consider
>       a BADCOOKIE error sooner than would be expected from a Server
> Cookie refresh as a signal
>       that the Client-IP may have changed, and thus that a new Client
> Cookie should be created for each Server."

This is too late. For privacy reasons, the server should not be able to
discover that the Client-IP changed so it cannot *track* Clients with
the help of a DNS Cookie.  The Client needs to detect source address
changes before it uses it to send out queries.

> 
> Nits:
> Introduction - I believe "provides" should be "provide", to agree with
> the singular "is" of the verb. (Sorry, grammar nit.)
> 
> Section 1.1 - I believe all the "Section Section" instances should
> really just be "Section".
> 
> Section 4 - "too frequent" -> "too frequently". 
> 
> Section 4.3 - "in the anycast." -> "in the anycast set."
> 
> Section 4.4 - hash calculation, end of first line "Client-IP," ->
> "Client-IP |"

(from Wikipedia)
SipHash is not actually a cryptographic hash, but only suitable as a
message authentication code: a keyed hash function like HMAC.

It has the form SipHash(message, key)

Thanks,
-- Willem

> 
> Section 5 - "anycast group" -> "anycast set"; "us used" -> "is used"
> 
> Section 8 - "like for example five minute." -> "for example five minutes."
> 
> Brian
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
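The two technical points in this exchange, that the Section 4.4 hash is a keyed SipHash-2-4 over a message ending in the Client-IP, and that a client whose source address changes should present a fresh Client Cookie rather than let the server notice the move, are shown below in an added example that is not part of this thread, the draft, or any NLnet Labs code. The Server Cookie layout (Version | Reserved | Timestamp | Hash, with the hash over Client Cookie | Version | Reserved | Timestamp | Client-IP) is written as I read the draft under review; the little-endian byte order of the hash output, the fixed timestamp acceptance window, and the per-address Client Cookie derivation in `client_cookie_for` are assumptions, and every key, address and timestamp is constructed. Check the draft's own test vectors before relying on the byte layout.

```python
# Added example (not from the draft or NLnet Labs' code): SipHash-2-4 as a keyed MAC,
# used to build and verify a DNS Server Cookie whose hash covers the client's source address.
import hmac
import ipaddress
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF
COOKIE_VERSION = 1  # Version byte of the Server Cookie (layout assumed from the draft)


def _rotl64(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4(message, key): a keyed PRF/MAC, not an unkeyed hash. Returns a 64-bit int."""
    if len(key) != 16:
        raise ValueError("SipHash-2-4 takes a 128-bit key")
    k0, k1 = struct.unpack("<QQ", key)
    v0 = 0x736F6D6570736575 ^ k0
    v1 = 0x646F72616E646F6D ^ k1
    v2 = 0x6C7967656E657261 ^ k0
    v3 = 0x7465646279746573 ^ k1

    def sipround():
        nonlocal v0, v1, v2, v3
        v0 = (v0 + v1) & MASK64; v1 = _rotl64(v1, 13); v1 ^= v0; v0 = _rotl64(v0, 32)
        v2 = (v2 + v3) & MASK64; v3 = _rotl64(v3, 16); v3 ^= v2
        v0 = (v0 + v3) & MASK64; v3 = _rotl64(v3, 21); v3 ^= v0
        v2 = (v2 + v1) & MASK64; v1 = _rotl64(v1, 17); v1 ^= v2; v2 = _rotl64(v2, 32)

    # Last block: remaining bytes, zero padding, and the message length mod 256 in the top byte
    n = len(msg)
    tail = msg[n - n % 8:] + b"\x00" * (7 - n % 8) + bytes([n & 0xFF])
    blocks = [msg[i:i + 8] for i in range(0, n - n % 8, 8)] + [tail]
    for block in blocks:
        (m,) = struct.unpack("<Q", block)
        v3 ^= m
        sipround(); sipround()  # c = 2 compression rounds
        v0 ^= m
    v2 ^= 0xFF
    for _ in range(4):          # d = 4 finalization rounds
        sipround()
    return v0 ^ v1 ^ v2 ^ v3


def server_cookie(client_cookie: bytes, client_ip: str, server_secret: bytes, timestamp: int) -> bytes:
    """Server Cookie = Version | Reserved(3) | Timestamp(4) | Hash(8), where
    Hash = SipHash-2-4(Client Cookie | Version | Reserved | Timestamp | Client-IP, Server Secret).
    Layout as read from the draft; hash bytes emitted little-endian (assumption)."""
    if len(client_cookie) != 8:
        raise ValueError("Client Cookie is 8 bytes")
    head = struct.pack("!B3sI", COOKIE_VERSION, b"\x00\x00\x00", timestamp)
    client_ip_bytes = ipaddress.ip_address(client_ip).packed  # 4 or 16 bytes
    digest = siphash24(server_secret, client_cookie + head + client_ip_bytes)
    return head + struct.pack("<Q", digest)


def verify_server_cookie(client_cookie, client_ip, server_secret, cookie, now, past=3600, future=300):
    """Recompute the cookie for the source address the query actually arrived from.
    False means BADCOOKIE: forged, stale, or a different source address. The window
    bounds are assumptions; the draft specifies serial-number arithmetic for the timestamp."""
    if len(cookie) != 16 or cookie[0] != COOKIE_VERSION:
        return False
    (timestamp,) = struct.unpack("!I", cookie[4:8])
    if not (now - past <= timestamp <= now + future):
        return False
    expected = server_cookie(client_cookie, client_ip, server_secret, timestamp)
    return hmac.compare_digest(expected, cookie)  # constant-time comparison


def client_cookie_for(client_ip: str, server_ip: str, client_secret: bytes) -> bytes:
    """One way (an assumption, not the draft's normative construction) to give each
    (client address, server address) pair its own Client Cookie, so that a source address
    change yields a fresh cookie and the server sees no identifier it could link."""
    msg = ipaddress.ip_address(client_ip).packed + ipaddress.ip_address(server_ip).packed
    return struct.pack("<Q", siphash24(client_secret, msg))


def demo():
    # All values are constructed for this example; addresses are RFC 5737 documentation ranges.
    server_secret = bytes(range(16, 32))
    client_secret = bytes(range(32, 48))
    issued_at = 1602496071  # epoch seconds, used as a fixed "now"
    old_ip, new_ip, server_ip = "198.51.100.100", "198.51.100.101", "192.0.2.53"

    cc_old = client_cookie_for(old_ip, server_ip, client_secret)
    sc = server_cookie(cc_old, old_ip, server_secret, issued_at)
    tampered = sc[:-1] + bytes([sc[-1] ^ 1])

    return {
        # same Client Cookie, same source address, inside the window: accepted
        "same_source": verify_server_cookie(cc_old, old_ip, server_secret, sc, issued_at + 60),
        # client reused its cookies after its address changed: BADCOOKIE, the hash covered old_ip
        "moved_source": verify_server_cookie(cc_old, new_ip, server_secret, sc, issued_at + 60),
        # a flipped hash byte: BADCOOKIE
        "tampered": verify_server_cookie(cc_old, old_ip, server_secret, tampered, issued_at + 60),
        # outside the acceptance window: BADCOOKIE, which only calls for a refresh
        "stale": verify_server_cookie(cc_old, old_ip, server_secret, sc, issued_at + 2 * 3600),
        # the client detected the move first and derived a new Client Cookie: nothing reused to link
        "cookie_rotated": client_cookie_for(new_ip, server_ip, client_secret) != cc_old,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The `moved_source` case is the BADCOOKIE Brian describes: the server simply fails to verify, and from its side that is indistinguishable from a stale or forged cookie. The `cookie_rotated` case is Willem's point: if the client re-derives its Client Cookie whenever its source address changes, the request that arrives from the new address carries no value the server can tie to the old one.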