Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-cookies-00.txt

Paul Wouters <paul@nohats.ca> Mon, 09 September 2019 12:52 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC3D912004A for <dnsop@ietfa.amsl.com>; Mon, 9 Sep 2019 05:52:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mj0u4dxy6NdY for <dnsop@ietfa.amsl.com>; Mon, 9 Sep 2019 05:52:37 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4A30120047 for <dnsop@ietf.org>; Mon, 9 Sep 2019 05:52:37 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 46Rp3Q74wgzCqr; Mon, 9 Sep 2019 14:52:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1568033555; bh=3Ud36VEjkKzXsKTL/Lc7IS3h8Hr8G0B8fRNky9ssnSI=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=TBxVmr0R79P2RJ1RcDdRuBtqdA2yQb1wdNEhqC9XX1YGZF6i718KEXgxJEHMKiYeV LuVIw+nrQzC/29asHHIN583m6zRXTeNmcHyF2pInAeKreSCC3RHshHEsmX3ph3btUO Tm+yzdvc8xFuqt0j9dUpaESiuOlAWLEC3XT5KGUk=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 2zk_O71b6IjV; Mon, 9 Sep 2019 14:52:33 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 9 Sep 2019 14:52:32 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id ABEBA88B; Mon, 9 Sep 2019 08:52:31 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca ABEBA88B
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id A2AAC401AF16; Mon, 9 Sep 2019 08:52:31 -0400 (EDT)
Date: Mon, 9 Sep 2019 08:52:31 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Willem Toorop <willem@nlnetlabs.nl>
cc: dnsop@ietf.org
In-Reply-To: <86ff56cd-c936-0a81-b276-f4fd61635c7f@nlnetlabs.nl>
Message-ID: <alpine.LRH.2.21.1909090848430.8758@bofh.nohats.ca>
References: <156802477017.28268.17780089460480647573@ietfa.amsl.com> <86ff56cd-c936-0a81-b276-f4fd61635c7f@nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yhH-v0Vls7SC-zL5p7RS7wHq-R4>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-cookies-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2019 12:52:40 -0000

On Mon, 9 Sep 2019, Willem Toorop wrote:

> The only change since the previous version (i.e.
> draft-sury-toorop-dnsop-server-cookies-00) is that we no longer
> recommend to include the Client IP address with constructing client cookies:
>
> When implementing DNS Cookies, several DNS vendors found that
> impractical as the Client Cookie is typically computed before the Client
> IP address is known. Therefore, the requirement to put Client IP address
> as input to was removed, and it simply RECOMMENDED to disable the DNS
> Cookies when privacy is required. herefore, the requirement to put
> Client IP address as input to was removed, and it simply RECOMMENDED to
> disable the DNS Cookies when privacy is required.

Wouldn't this enable me to obtain some cookies from within a network,
and then re-use those cookies from outside the network? The reason for
including the IP was the pin the cookie to the specific client IP.

I cannot see a diff because you didn't instruct the data tracker that
this adopted document continues from the individual submission :(

I was going to look at the diff to the security section, but I guess
there is none because the document does not yet contain a security
section. But I would expect a good write up of the impact of not
including the IP address in a cookie in that section.

Paul