Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Patrick McManus <mcmanus@ducksong.com> Mon, 25 March 2019 09:31 UTC

Return-Path: <mcmanus@ducksong.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 265E9120389 for <dnsop@ietfa.amsl.com>; Mon, 25 Mar 2019 02:31:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ducksong.com header.b=B0JGrUGg; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b=fL951X9M
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3VAk4B42K0zh for <dnsop@ietfa.amsl.com>; Mon, 25 Mar 2019 02:31:34 -0700 (PDT)
Received: from outbound1f.eu.mailhop.org (outbound1f.eu.mailhop.org [52.28.59.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4089C120387 for <dnsop@ietf.org>; Mon, 25 Mar 2019 02:31:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553506292; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=O0yJtNTW/ir2SgjoP/nPKaGOGVsHTKjagvv76XkfKpqm6/9oJHYoJKJUYWfwjeTpCLl89moV+8oqf AG3t5DBQelHifuz7CgcSgqvlMugyftWrTRRJBVQ+m1N1Ry8/UzMq4ak76oXiIAvwcxxs9KlFxuVkej BW7mNJUwEeLD4OV5E1zZxm28E9+b+KnJ/d+MUAIoClcF204AOe/YYB1jvkT9v82IqMC7liib8Kd1D3 YsHAH2eWy3Te3cbzku2YzN2i8dV0AM6M4uidaxC5cNRS5syyq1qTGEH4J8hCEObxvNKxXzzI9vCPBu 1NGGtrIQzw0cOA1h/RLITkxYBtNfYTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:dkim-signature:dkim-signature:from; bh=7RBGxW3NhccRVa/PfRstk5sM+M4XvVxI6oLzE0u9fqY=; b=F+HT/pTxBOW9bo5I6NvsNGeA61tyoHHN/73OUydyCjpjphx6BstsUSoHpXbNw/L2TsnZdwIxZfVzS UVKqYXu6RIgZSXkZUMAaPJ1n+n63Nd+FkLprtXfHC+jszdgc6WkwhwT5zJZDOoIrUXFpcn5ErKQjz2 MZj2plgCgT0SklbJHlOsyVlMu5tR+nyDEn7x3v8t9QVXT8eeQ3ADazEBRE5hW5+zKNyriw+YRjoMfs RWiwnUtknodL8T+hbps0eQuE65RNLbm7Rc0HfqRv8KbTtwGpvu0WKPn24cfVdKBUOJ6sVOlL6gSU15 Qzfk3E9606maRZm1XYtnhEHVAGnz3Kw==
ARC-Authentication-Results: i=1; outbound2.eu.mailhop.org; spf=pass smtp.mailfrom=ducksong.com smtp.remote-ip=209.85.210.46; dmarc=none header.from=ducksong.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ducksong.com; s=duo-1537391512170-ea99bbb3; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=7RBGxW3NhccRVa/PfRstk5sM+M4XvVxI6oLzE0u9fqY=; b=B0JGrUGgoOroP1FaZJDcf+5yXoEBY0EEYVMDE0sucqzsn8cMLBG7ACOlbOfhGvNn+wIOu4GvuAmms x2yxXJ29yE/jvzBuB05Ww333JffI6jfagZuH6e4irR2utw8cJTtdFl6f+u3G1uoKm2Feu/vAEwq75C 6ZDwHrzWYYogh57E=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=7RBGxW3NhccRVa/PfRstk5sM+M4XvVxI6oLzE0u9fqY=; b=fL951X9MPYsPMFmvsVqIAJuOGaSbgUDO/8btvnXXn89mIF1XGAsgZ7zM6LOTahee2TKwooM928bqq waYu2H/jvMhFLT4O6kKHSo2tZHfURgreuDl4gSKVEn/zFRRkT0nbE+9otIENknuhV2Yn3tn9rB9QrI 5yLuEdFQdVU5an3gly0n8QmspWYHFJFIYenE4gwfaOOfYms8LAaWk8sGoWTN0MZBNqkEtN66LWBga4 DWtjBAbgE+1BextJJyziQMLeAeFli2/e2e8BTlMv2uq7oxRNm1VpBSqm/EsJ/sprxKbk727jxDJqXj GqJx3iVHsUmtmHOsEHpS1VWxpDtAuqQ==
X-MHO-RoutePath: bWNtYW51cw==
X-MHO-User: c458748a-4ee0-11e9-803b-31925da7267c
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 209.85.210.46
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from mail-ot1-f46.google.com (unknown [209.85.210.46]) by outbound2.eu.mailhop.org (Halon) with ESMTPSA id c458748a-4ee0-11e9-803b-31925da7267c; Mon, 25 Mar 2019 09:31:29 +0000 (UTC)
Received: by mail-ot1-f46.google.com with SMTP id c16so7386222otn.4; Mon, 25 Mar 2019 02:31:28 -0700 (PDT)
X-Gm-Message-State: APjAAAVWdTKt/4rVbAxm4KFlpfic0nye41ENYwQQ9PudEYRdpIx8agQR dxh9BuGZnbr3TGCulMcbsGWHImhOuo6QBnhfNfI=
X-Google-Smtp-Source: APXvYqxCT6/Wa+8v2GAt/e2mGmCXpKii+GBClz8Yio8DJlrvAMusLso7XvCd07w89RG7g/GRzn8PxC+TKeOdvu/v1d8=
X-Received: by 2002:a05:6830:183:: with SMTP id q3mr18030074ota.204.1553506288300; Mon, 25 Mar 2019 02:31:28 -0700 (PDT)
MIME-Version: 1.0
References: <04C556AF-D3B3-41A5-B119-8FE5F81FB9A7@huitema.net> <1878722055.8877.1553241201213@appsuite.open-xchange.com> <CABcZeBPmpN-cEPK92QQW3bkvc41Cx5g7B_YuUXCJK3j1qF995Q@mail.gmail.com> <20190322.101434.307385973.sthaug@nethelp.no> <32A78B0C-52B6-46E5-A46F-D63D21DEC52C@sky.uk> <CAOdDvNqb2+4Az+g608QRjYt+ZdUt1L9GAc=MJM3-xd0ZNmeBEQ@mail.gmail.com> <1C720263-10E4-423B-B152-5673E115A4C1@gmail.com> <CAOdDvNrQiM2bpi65tCvwjanQTM1KtcZjRL0aOwS2oAryTR-YEA@mail.gmail.com> <E7E54A3B-4C85-4B64-BEFD-51891534DC9D@gmail.com> <CAOdDvNqKja9SRWa7FpjnGR3XZbVwZbitoU0yuWc+oXw3xXFEQA@mail.gmail.com> <CAH1iCirtvx2eipt65+TbazZ1f4uKiu6HA2PjVmPiAkGjN-hbEw@mail.gmail.com>
In-Reply-To: <CAH1iCirtvx2eipt65+TbazZ1f4uKiu6HA2PjVmPiAkGjN-hbEw@mail.gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Mon, 25 Mar 2019 10:31:17 +0100
X-Gmail-Original-Message-ID: <CAOdDvNoKGVhNkdacKUTefa40f_spxjvmDsbd5g78+A9TBuUdKg@mail.gmail.com>
Message-ID: <CAOdDvNoKGVhNkdacKUTefa40f_spxjvmDsbd5g78+A9TBuUdKg@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>, Eric Rescorla <ekr@rtfm.com>, "doh@ietf.org" <doh@ietf.org>, "wjhns1@hardakers.net" <wjhns1@hardakers.net>, "dnsop@ietf.org" <dnsop@ietf.org>, "huitema@huitema.net" <huitema@huitema.net>, "vittorio.bertola=40open-xchange.com@dmarc.ietf.org" <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007876100584e7de3c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iGbBZue2BHcmwrvk66GCGDEKTN4>
Subject: Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 09:31:36 -0000

On Mon, Mar 25, 2019 at 9:37 AM Brian Dickson <brian.peter.dickson@gmail.com>;
wrote:

>
>
>>
>> \Other than blocking all-but-a-few (or all, or a few) DoT servers, I do
> not believe anyone has proposed explicit downgrade triggers.
>

that's the downgrade I am referring to



> Or do you mean, when a DoT connection is blocked by e.g. a firewall (or
> other network enforcement device), that an RST is generated? I believe the
> RST requires sequence number validation before it can be processed by the
> TCP stack, which means the entity doing the RST generally needs to be in
> the data path. Other than "lucky guess" or "high volume attempts", I don't
> believe RST to be a serious threat.
>

path manipulation attacks are real. arp attacks.. bootp attacks.. rouge
access points. stingray. all kinds of things. unauthenticated network
packets are just that: unauthenticated. RST (or blackhole) is a good
indication that a path isn't going to work - its not a good indication of
who is expressing that policy (or whether it is a policy at all).

Anyhow - I'm really not trying to amp up this thread.. I just felt that
there were a few relevant points to the discussion that had not been
introduced.




>