Re: [DNSOP] [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients

Eric Rescorla <ekr@rtfm.com> Mon, 11 March 2019 21:44 UTC

References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com> <e62efaf3-4a35-4a52-5ed4-dee2e7fafe72@huitema.net> <69f989ba-0939-b917-b586-9e3af3fb8b74@redbarn.org> <CAPsNn2XNCzgAdfJtxBVboAe+d6sbCiV2fZv9185wm+HN+3zRdg@mail.gmail.com> <BYAPR16MB279065EE519680E7FC9A637CEA480@BYAPR16MB2790.namprd16.prod.outlook.com> <CAPsNn2Up1AtJJCdmu_9NC4jfzc-8dtE+QjUzRxMBUwaN44gvOg@mail.gmail.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org>
In-Reply-To: <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 11 Mar 2019 14:44:06 -0700
Message-ID: <CABcZeBOWM0Ps-j3V-CK6VPy0LAqeo7-t7odUZy+dk9d-oCSDsg@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: nalini elkins <nalini.elkins@e-dco.com>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, "doh@ietf.org" <doh@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "Ackermann, Michael" <mackermann@bcbsm.com>, Christian Huitema <huitema@huitema.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/o3xMjsmjWBEeGmmXDnQYJx-rlZE>
Subject: Re: [DNSOP] [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On Mon, Mar 11, 2019 at 11:13 AM Paul Vixie <paul@redbarn.org> wrote:

>
>
> nalini elkins wrote on 2019-03-11 10:26:
> > Tiru,
> >
> > Thanks for your comments.
> >
> >  > Enterprise networks are already able to block DoH services,
> i wonder if everyone here knows that TLS 1.3 and encrypted headers is
> going to push a SOCKS agenda onto enterprises that had not previously
> needed one,


I'm pretty familiar with TLS 1.3, but I don't know what this means. TLS 1.3
doesn't generally encrypt headers any more than TLS 1.2 did, except for
the content type byte, which isn't that useful for inspection anyway.
Are you perchance referring to encrypted SNI? Something else?

-Ekr

> and that simply blocking every external endpoint known or
> tested to support DoH will be the cheaper alternative, even if that
> makes millions of other endpoints at google, cloudflare, cisco, and ibm
> unreachable as a side effect?
>
> CF has so far only supported DoH on 1.1.1.0/24 and 1.0.1.0/24, which i
> blocked already (before DoH) so that's not a problem. but if google
> decides to support DoH on the same IP addresses and port numbers that
> are used for some API or web service i depend on, that web service is
> going to be either blocked, or forced to go through SOCKS. this will add
> considerable cost to my network policy. (by design.)
>
> --
> P Vixie
>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>
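As an added illustration of the point ekr makes above about what TLS 1.3 does and does not hide from a network observer (example code written for this page, not from the thread or any of its authors): the record header stays readable, the real content type moves inside the encrypted payload, and the SNI in the ClientHello remains plaintext unless encrypted SNI is in use. All byte strings below are constructed samples and the function names are assumptions.

```python
import struct
# TLS record-layer content types (RFC 5246 for 1.2, RFC 8446 for 1.3).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def parse_record_header(record: bytes) -> dict:
    """Fields of one TLS record header as seen on the wire, no keys needed."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    return {"content_type": CONTENT_TYPES.get(ctype, ctype), "version": version, "length": length}

def tls13_inner_type(plaintext: bytes) -> str:
    """TLS 1.3 real content type: last non-zero byte of the decrypted payload (RFC 8446 s5.2)."""
    stripped = plaintext.rstrip(b"\x00")       # drop zero padding
    if not stripped:
        raise ValueError("no inner content type byte")
    return CONTENT_TYPES.get(stripped[-1], stripped[-1])

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello body with one cipher suite and a server_name extension."""
    name = hostname.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(name)) + name            # name_type=host_name
    ext = struct.pack("!HH", 0, len(sni) + 2) + struct.pack("!H", len(sni)) + sni
    return (b"\x03\x03" + bytes(32)            # legacy_version, random (zeros in this sample)
            + b"\x00"                          # empty legacy_session_id
            + b"\x00\x02\x13\x01"              # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                      # legacy_compression_methods: null
            + struct.pack("!H", len(ext)) + ext)

def client_hello_sni(body: bytes):
    """Return the server_name from a ClientHello (plaintext in 1.2 and 1.3 without encrypted SNI), or None."""
    pos = 2 + 32                                          # skip legacy_version and random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:                                    # server_name extension (RFC 6066)
            hlen = struct.unpack("!H", body[pos + 3:pos + 5])[0]   # skip list length + name_type
            return body[pos + 5:pos + 5 + hlen].decode("ascii")
        pos += elen
    return None

# Constructed samples: a TLS 1.2 handshake record, a TLS 1.3 record whose outer type is always
# application_data, and a stand-in for that record's decrypted payload (Finished, type byte, padding).
TLS12_RECORD = b"\x16\x03\x03\x00\x05" + b"\x01\x00\x00\x01\x00"
TLS13_RECORD = b"\x17\x03\x03\x00\x07" + b"\xde\xad\xbe\xef\xca\xfe\x01"
TLS13_DECRYPTED = b"\x14\x00\x00\x00" + b"\x16" + b"\x00\x00"
```

Run against the samples, the outer header of the 1.3 record reveals only application_data, while the 1.2 record header and the ClientHello's server_name are readable without any keys.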