Re: [DNSOP] draft-tale-dnsop-edns-clientid

Ray Bellis <ray@bellis.me.uk> Wed, 29 March 2017 05:27 UTC

Return-Path: <ray@bellis.me.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 029CC129685 for <dnsop@ietfa.amsl.com>; Tue, 28 Mar 2017 22:27:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bLqOIVMGkJbZ for <dnsop@ietfa.amsl.com>; Tue, 28 Mar 2017 22:27:04 -0700 (PDT)
Received: from hydrogen.portfast.net (hydrogen.portfast.net [188.246.200.2]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7A3A12967B for <dnsop@ietf.org>; Tue, 28 Mar 2017 22:27:02 -0700 (PDT)
Received: from 107-1-12-170-ip-static.hfc.comcastbusiness.net ([107.1.12.170]:53769 helo=rays-mbp.local) by hydrogen.portfast.net ([188.246.200.2]:465) with esmtpsa (fixed_plain:ray@bellis.me.uk) (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) id 1ct66e-0008LH-EV (Exim 4.72) for dnsop@ietf.org (return-path <ray@bellis.me.uk>); Wed, 29 Mar 2017 06:25:16 +0100
To: dnsop@ietf.org
References: <22745.38650.113925.208670@gro.dd.org> <04dcb30b-e20c-f064-36be-2b7bcc45d9d9@bellis.me.uk> <22746.53073.480897.456359@gro.dd.org>
From: Ray Bellis <ray@bellis.me.uk>
Message-ID: <a2f28b67-d47d-3f6a-e7dc-faa47e6db5a5@bellis.me.uk>
Date: Wed, 29 Mar 2017 00:25:15 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <22746.53073.480897.456359@gro.dd.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Xp2Hm02SLLTSGFIp5JhKdAWZz4E>
Subject: Re: [DNSOP] draft-tale-dnsop-edns-clientid
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 05:27:07 -0000


On 28/03/2017 16:02, Dave Lawrence wrote:

> Understandable.  I honestly have similar reservations.
> 
> One thing that clouds this a little, as far as our draft is concerned,
> is that the ISP's CPE already knows this information so in a sense it
> isn't that a different party is being informed.
> 
> What I'm trying to accomplish with this draft is acknowledge the
> practical realities that this sort of option is already in use on the
> Internet and will continue to be used no matter what the WG does about
> either of our drafts.  I also wanted to drag the PII issues out into
> the open, into one place where they would have to be confronted by
> implementers and operators.
> 
> I fear that a splintered effort on including full client-identifying
> information in several different ways is going to lead to problematic
> fragmentation and harder management.

The examples in your draft appear focused on identifying specific end
user devices, e.g. to selectively enable parental controls on a
per-device basis.

Mine is intended to identify clients based on their presented IP address
(whether that be the public IP address of multiple NATed end users
talking to a recursor, or the external IP address of a recursor talking
to an authoritative server).  The primary purpose is for admission
control (i.e. ACLs).

I therefore think there's a simple test here:

If we can imagine scenarios in which an auth or recursive server that is
behind e.g. a load-balancing proxy needs to know *both* the internal
"client ID" (per your draft) and the client's effective external source
IP address (per mine) then both drafts serve their own distinct purpose
and shouldn't be merged.

Ray