Re: [DNSOP] [dnsext] We want to have fruitful discussions - please review

"Hosnieh Rafiee" <ietf@rozanak.com> Mon, 03 March 2014 09:14 UTC

From: "Hosnieh Rafiee" <ietf@rozanak.com>
To: '神明達哉' <jinmei@wide.ad.jp>
Cc: 'dnsop' <DNSOP@ietf.org>, 'DNSEXT Group Working' <dnsext@ietf.org>
Date: Mon, 3 Mar 2014 10:14:03 +0100
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/g0PPzrut-92A4qFlYKHWPiDpC4s

Hi JINMEI,

Thanks for your question and review.

> > [...] For DNS resolver, it
> > receives this IP address securely via the option in the router
> > advertisement message.
> 
> So, the security of this approach relies on how securely the client can get the
> resolver's address, e.g.,
> - Using SEND for RAs with RFC 6106
> - (If and when it's defined) Using public-key based DHCPv6
>   authentication
> And, to make this part secure, the client needs to get the router's certification
> or the server's public key securely beforehand.
> 
> Is my understanding correct?

To some extent correct, but it is not bound to that option. One example is
where you are in an untrusted network like a café. We assume that you cannot
trust your router, or the router does not support SeND, and you really want to
ensure that a MITM attack will not happen while browsing any website (like your
bank, etc.); then you can always set the IP address of a trusted resolver
yourself. One example can be the use of the IP address of the Google resolver,
or any other resolver that supports cga-tsig (it can be your home resolver as
well). Your node can verify that using the CGA or SSAS algorithm.

I hope I could answer your question. 
Smile,
Hosnieh