Re: [DNSOP] EDNS0 clientID is a wider-internet question
Christopher Morrow <morrowc.lists@gmail.com> Tue, 25 July 2017 13:53 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lzYTe1bjLuAYYkWfZ7dR4E-XZeQ>
On Tue, Jul 25, 2017 at 5:55 AM, Ted Lemon <mellon@fugue.com> wrote:

> On Jul 24, 2017, at 8:59 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
>
>> and at the cache->auth layer it's potentially the case that the provider
>> can say: "use precision of /24" or "use precision of /17"? So, there's
>> really not much "pii" that can be worried over at the
>> provider-cache-resolver (they already know who you are...) and they
>> (provider) can decide how much granularity is "important" to release to the
>> upstream authoritative cache.
>
> There is no such thing as an upstream authoritative cache. The filtering
> is being

apologies, 'upstream (from the cache resolver's perspective) authoritative SERVER'.

> done at the cache. This is not client subnet: this is client ID. So
> the cache, which is not authoritative, is receiving PII about a specific
> client machine. Being able to

I agree with this, the cache resolver sees the client's IP address.

> filter the PII at the CPE would indeed improve privacy in this case; the
> problem is that the CPE has to have a UI or API that allows that to happen,
> and they don't.

I don't think the CPE is the answer, the cache-resolver CAN decide to send along in its edns0 option: "1.2.128.0/17" instead of "1.2.3.0/24". Or it seems to me that this is a fine knob to add to resolver software... granted you'd need some extra config about your client subnets in use.

> The reason DNS filtering is useful is not that it is forced upon the end
> user, but that it allows devices that use the default cache to get
> filtering in a way that does not

I don't believe the goal of the draft is to enable filtering. Certainly for a nation-state actor you could see: "Oh, now I know what subnets use the resolver over there, so I can limit useful replies, or steer requestors toward 'better/approved' content"

> depend on the software installed on them. So e.g. your IoT device can be
> infected by a worm but not actually exfiltrate any private information to
> the attacker, because the attacker's DNS is blocked.

you seem to be conflating a few things here... or using 'content filtering' in a different way here than before in this response.

> Being able to know that a particular device is a particular device is
> actually quite useful in this context; unfortunately, there is no way to
> distinguish "useful" and "personally-identifying". Even if you only
> identify the IoT devices in your home, by doing so you reduce the search
> space for identifying the other devices.

I don't think the draft is aiming at 'device' as much as 'region of the network'. The cache resolver COULD choose to send /32 (or /128) level data in the edns0 option, but that seems counterproductive, and a bit invasive.

-chris
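The "precision knob" discussed in the message above (send "1.2.128.0/17" rather than "1.2.3.0/24", or /32 if the operator is careless) is the SOURCE PREFIX-LENGTH field of the EDNS Client Subnet option, RFC 7871. The following is an added example, not code from this thread, from the clientID draft, or from any resolver: it encodes the option at whatever precision the resolver operator picks, zeroes the address bits beyond the prefix as RFC 7871 requires, and validates a received option the way an authoritative server is expected to (wrong octet count or stray bits past the prefix should be answered with FORMERR). The client addresses are constructed for the demo.

```python
"""EDNS Client Subnet (RFC 7871) option: build with chosen precision, parse with validation.

Added example. Client addresses below are constructed, not taken from the thread.
"""
import ipaddress
import math
import struct

ECS_OPTION_CODE = 8   # EDNS0 OPTION-CODE assigned to Client Subnet (RFC 7871)
FAMILY_IPV4 = 1       # address family numbers as carried in the ECS FAMILY field
FAMILY_IPV6 = 2


def truncate_address(addr, prefix_len):
    """Return addr with every bit beyond prefix_len cleared (e.g. 1.2.200.77 at /17 -> 1.2.128.0)."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False).network_address


def build_ecs_option(client_addr, source_prefix_len, scope_prefix_len=0):
    """Encode one ECS option for an outgoing query.

    source_prefix_len is the resolver operator's privacy knob: /24 forwards the
    client's subnet, /17 only a larger region, /0 sends no address at all.
    scope_prefix_len is 0 in queries; only responses set it.
    """
    ip = ipaddress.ip_address(client_addr)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix_len <= ip.max_prefixlen:
        raise ValueError("SOURCE PREFIX-LENGTH out of range for family")
    if not 0 <= scope_prefix_len <= ip.max_prefixlen:
        raise ValueError("SCOPE PREFIX-LENGTH out of range for family")
    # RFC 7871 section 6: ADDRESS carries only ceil(prefix/8) octets and the
    # bits beyond SOURCE PREFIX-LENGTH MUST be zero.
    n_octets = math.ceil(source_prefix_len / 8)
    addr_octets = truncate_address(client_addr, source_prefix_len).packed[:n_octets]
    payload = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + addr_octets
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(option):
    """Decode and validate one ECS option as a receiving server should.

    Raises ValueError for the malformations RFC 7871 says SHOULD get FORMERR:
    bad octet count for the prefix length, or non-zero bits past the prefix.
    """
    if len(option) < 8:
        raise ValueError("option too short for ECS header")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    payload = option[4:4 + length]
    if len(payload) != length or length < 4:
        raise ValueError("OPTION-LENGTH does not match option data")
    family, source_prefix_len, scope_prefix_len = struct.unpack("!HBB", payload[:4])
    addr_octets = payload[4:]
    if family == FAMILY_IPV4:
        total_octets, max_prefix = 4, 32
    elif family == FAMILY_IPV6:
        total_octets, max_prefix = 16, 128
    else:
        raise ValueError("unsupported FAMILY")
    if source_prefix_len > max_prefix or scope_prefix_len > max_prefix:
        raise ValueError("prefix length out of range for family")
    if len(addr_octets) != math.ceil(source_prefix_len / 8):
        raise ValueError("ADDRESS has wrong number of octets for SOURCE PREFIX-LENGTH")
    # Re-pad to a full address, then confirm the resolver really zeroed the tail.
    address = ipaddress.ip_address(addr_octets + b"\x00" * (total_octets - len(addr_octets)))
    if truncate_address(str(address), source_prefix_len) != address:
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
    return {
        "family": family,
        "source_prefix_len": source_prefix_len,
        "scope_prefix_len": scope_prefix_len,
        "address": str(address),
    }


def demo(client="1.2.200.77"):
    """Show what an authoritative server learns at each precision setting (constructed client)."""
    result = {}
    for prefix in (32, 24, 17, 0):
        opt = build_ecs_option(client, prefix)
        result[prefix] = (opt.hex(), parse_ecs_option(opt)["address"])
    return result


if __name__ == "__main__":
    for prefix, (wire, seen) in demo().items():
        print(f"/{prefix:<2} wire={wire:<26} authoritative sees {seen}")
```

Two things the thread's prose does not make explicit fall out of the code: the option's length on the wire changes with the prefix (three ADDRESS octets at /17 and /24, four at /32, none at /0), so an observer can tell what precision policy a resolver runs even without decoding; and the zero-tail check in `parse_ecs_option` is what stops a sloppy resolver from leaking the full host address inside a nominally /17 option.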