Re: [dnssd] I-D Action: draft-ietf-dnssd-srp-23.txt

Esko Dijk <esko.dijk@iotconsultancy.nl> Fri, 13 October 2023 08:00 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Ted Lemon <mellon@fugue.com>, Alexander Clouter <alex+ietf@coremem.com>
CC: "dnssd@ietf.org" <dnssd@ietf.org>
Thread-Topic: [dnssd] I-D Action: draft-ietf-dnssd-srp-23.txt
Date: Fri, 13 Oct 2023 08:00:38 +0000
Message-ID: <DU0P190MB1978A74E04F7DD85A9845C69FDD2A@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <169118866241.13601.15936262706231533955@ietfa.amsl.com> <ee7f1fcc-ed24-457e-9fad-0248cd2d7fee@app.fastmail.com> <CAPt1N1kxtBAyAMbp=pwneNJEWUE300CGGQtr0wMdPbdUye7YYA@mail.gmail.com> <65676093-1ec8-4693-af49-79141507b6c3@app.fastmail.com> <CAPt1N1ndBC-yqd9T+08xoenT1stm5c0mP=2b2hWBFtF4VExJxQ@mail.gmail.com> <DU0P190MB197824A5BFCF64175FBF48ECFDCDA@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <CAPt1N1nrGnRbkQ6Tt6ztdsKM5YHfSxz2s7deBxfsnh0EKVkDvA@mail.gmail.com> <c66882fb-3495-4cba-b901-067a230100b0@app.fastmail.com> <CAPt1N1nOuhcK-4m7sjP1PO9KaKKYujoe-2aLuNuxTaHsn38c9A@mail.gmail.com> <e20a8d54-69f3-4db3-b45e-daf9e7b4707d@app.fastmail.com> <CAPt1N1=xuQgRxoFk-kRx99pZwVrREnr4CPJQULmL4VQGWw1+bw@mail.gmail.com>
In-Reply-To: <CAPt1N1=xuQgRxoFk-kRx99pZwVrREnr4CPJQULmL4VQGWw1+bw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/73U6Ci2N-bcRn23fPD6R0dphE8w>
Subject: Re: [dnssd] I-D Action: draft-ietf-dnssd-srp-23.txt

> may mean less need for various administrative controls such "what is the stub interface"

This is an interesting topic; for various types of stub routers this will be known and fixed by design. E.g. for 6LoWPAN stub routers it will be (nearly) always fixed by design that the 6LoWPAN interface is the stub interface, and the other (Wi-Fi, Ethernet, … ) is the AIL interface.
That may be useful to consider in the SNAC WG: to make this implicit assumption explicit.

If the SRP registrar is hosted on a stub router it can then easily apply by default some security policies like rejecting a registration that doesn’t come from the stub network (if that is desired), or rejecting a registration with a non-stub source address if that registration comes from the stub interface (if desired).

Esko
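The ingress policy described above, written out as an added example (not code from the SRP draft or from anyone in this thread): a registrar hosted on a stub router checks the interface an update arrived on against its source address, and requires TCP from the infrastructure side as the thread's proof of locality. The interface names and the stub prefix are constructed assumptions.

```python
# Added example: SRP registrar ingress policy for a stub-router-hosted registrar.
# Interface names and the stub prefix below are constructed, not from the draft.
import ipaddress
from dataclasses import dataclass
from typing import Tuple

STUB_IFACE = "wpan0"   # assumed: the 6LoWPAN side is the stub interface by design
AIL_IFACE = "eth0"     # assumed: the Wi-Fi/Ethernet side is the AIL interface
STUB_PREFIX = ipaddress.ip_network("fd12:3456:789a:1::/64")  # constructed ULA prefix


@dataclass(frozen=True)
class Registration:
    ingress_iface: str   # interface the SRP update was received on
    src: str             # source address of the update
    transport: str       # "udp" or "tcp"


def check_registration(reg: Registration, stub_only: bool = False) -> Tuple[bool, str]:
    """Return (accept, reason) for one SRP update.

    1. An update from the stub interface must carry a stub-prefix source;
       anything else is spoofed or misrouted and is refused.
    2. An update from the AIL must arrive over TCP, so the three-way
       handshake stands in for proof of locality; UDP from the AIL is refused.
    3. With stub_only=True, updates not from the stub network are refused.
    """
    try:
        src = ipaddress.ip_address(reg.src)
    except ValueError:
        return False, "unparseable source address"
    if reg.ingress_iface == STUB_IFACE:
        if src not in STUB_PREFIX:
            return False, "stub-interface update with non-stub source address"
        return True, "accepted: on-link node on the stub network"
    if reg.ingress_iface == AIL_IFACE:
        if stub_only:
            return False, "registrations restricted to the stub network"
        if reg.transport != "tcp":
            return False, "AIL update must use TCP (handshake proves locality)"
        return True, "accepted: TCP-connected infrastructure host"
    return False, f"unknown ingress interface {reg.ingress_iface}"
```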

From: dnssd <dnssd-bounces@ietf.org> On Behalf Of Ted Lemon
Sent: Thursday, October 12, 2023 15:34
To: Alexander Clouter <alex+ietf@coremem.com>
Cc: dnssd@ietf.org
Subject: Re: [dnssd] I-D Action: draft-ietf-dnssd-srp-23.txt

For non-constrained hosts, we require that they use TCP. So cookies don't help. Cookies are only useful for Do53 UDP.

Hm. I think maybe I see the disconnect. I don't think we ever said this, but the assumption here is that for the constrained use case, there is a router between the constrained nodes and the rest of the world, and the router can either act as an SRP server, meaning that it definitely will be able to validate that the constrained nodes are on-link, or it can act as a DNS proxy, meaning that it can proxy DNS messages it receives with Do53 UDP to the SRP server over TCP, again satisfying the proof-of-locality requirement.

The idea is definitely not to make the network operator do this, since in the vast majority of cases this will be an end user with little to no network fu.

We didn't specify this in detail because we didn't want to (ahem) constrain implementors to a particular approach—we just wanted to point out that they needed to do this for the constrained use case.


On Thu, Oct 12, 2023 at 6:27 AM Alexander Clouter <alex+ietf@coremem.com> wrote:
On Thu, 12 Oct 2023, at 13:50, Ted Lemon wrote:
> This is why we require a TCP connection for all non-constrained nodes: that
> gives us a three-way handshake.

Sure, but I am still hung up on Source Validation; if I'm flogging a dead horse I'm happy to let it rest, after all I only rocked up here at the eleventh hour... :)

I am focusing on the non-constrained hosts and think DNS cookies may be able to help.

If spoofing is considered impractical, which I am starting to think the group has settled on, then I'll grab my coat.

Allowing non-TCP registration, even for full hosts, is only a suggestion.

My concern is expecting the administrator of the registrar to have a given amount of control over the local network may be a big ask.

Implementation-wise, DNS cookies may mean less need for various administrative controls such as "what is the stub interface", and where meeting the (really low bar) of RPF on the router/host may not be possible.

DNS cookies though in themselves are not a trivial amount of work to implement, less work on one side means of course usually more work elsewhere...a type of work someone may consider not worthwhile.

Cheers