IETF Logo Mail Archive

Re: [dnssd] I-D Action: draft-ietf-dnssd-srp-00.txt

Ted Lemon <mellon@fugue.com> Wed, 24 October 2018 21:03 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86E32130E19 for <dnssd@ietfa.amsl.com>; Wed, 24 Oct 2018 14:03:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GFwnwlHbJTDM for <dnssd@ietfa.amsl.com>; Wed, 24 Oct 2018 14:02:57 -0700 (PDT)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76CC2128D68 for <dnssd@ietf.org>; Wed, 24 Oct 2018 14:02:57 -0700 (PDT)
Received: by mail-qt1-x835.google.com with SMTP id l41-v6so7326580qtl.8 for <dnssd@ietf.org>; Wed, 24 Oct 2018 14:02:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aXxkg1R7OWTNBTM2ivOgFMTHxJC7i3taUca3bW4R1vU=; b=WCRUJ5/LUVX0IByw+RJhEmYVC55siBObAA7Pw+z4VZftZm+xKZRzHKH5Nh/hp2sqFV IZpi13dM9zqpwFF/2jCJa7FB3AS/WwNF0KGgS0/GiO2vnw7xp9eAmPWVXVmBue5fVl5+ aAb+/RbEiGUzkX2YLhxPdskI99K4OCqZHjZyEGR2hTHXx+rvS63d6TZ+a5GnraMFm9B6 MP2MmPeSd+TaxEsZdXG4SgeesiGUAlxQEBqkUtV84sDpt660aYRSn+7rLGaQPeR4v5SS Qwj+GT0qYc3xmcKTEpQzQFeFaM5P3GZDcRqFn32PBeqXAxIQBIcFjejYpfWG/9l9884W nQZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aXxkg1R7OWTNBTM2ivOgFMTHxJC7i3taUca3bW4R1vU=; b=i8SinJMFnCX0fdzfFmrTumgHjuwy96Jii/I95z5cNaygTs/SBsJMUpvIh4mg8dtl2m y1ex372XwntanvPerQxRA/a8jCTgRChAf+djiu9hBAEZqtR3d/nAp5SfkNRxWaHN7SJ6 mynYU9k0WTQ0VacyKyfCgn/80T646/mHvZqG4NlOa/m8/QC/fRFvTHcUh+05Wen5GBxs IZwokMs5B3NlzQIB3Ksvb5Op1PCVF5XJt5ALn6zWqwQzAPUABX6z4jjoM3Qf0mHClpfx AW5/d0uBfQCK5f2hP8wDDHESDkzmaFq2e0pvnuKJreX0XjmlGeqzfBBn3smOuuPFDMxD A4wQ==
X-Gm-Message-State: AGRZ1gIEgdq8KIhc/0Qi2xtb4W1pCazVxYrmpX6f36M/Ol4oKrq63EgO T8crwLnNTfFBQSi0aJXLW6wPO4BPZpMtkfteIhHNm2+IjEM=
X-Google-Smtp-Source: AJdET5cwPoZbfhr4oyZsmOH6FDTaJPhuHsk2PnaQW+p2ChXXvulG6zOJ+X04hO6oWvMUtgzZ+AqkhbDMXzGqKjTJHGw=
X-Received: by 2002:aed:366a:: with SMTP id e97-v6mr4151772qtb.75.1540414976481; Wed, 24 Oct 2018 14:02:56 -0700 (PDT)
MIME-Version: 1.0
References: <154030974108.31401.380315367024024351@ietfa.amsl.com> <99A9AE56-486D-4FF9-81D7-2EE9E372C808@bangj.com> <CAPt1N1kgjWxa-ftwA67BSuVme2xN29Gz84sSRKvW0BfAmgiyMw@mail.gmail.com> <F3A5B26B-015A-4485-8630-B0B5F100CA6F@bangj.com>
In-Reply-To: <F3A5B26B-015A-4485-8630-B0B5F100CA6F@bangj.com>
From: Ted Lemon <mellon@fugue.com>
Date: Wed, 24 Oct 2018 17:02:19 -0400
Message-ID: <CAPt1N1nJ7PscwFuPCV8wG=VHepY54EMgVwM1G4fpGkXCXsBAGA@mail.gmail.com>
To: Tom Pusateri <pusateri@bangj.com>
Cc: dnssd <dnssd@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007af9170578ffcf6d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/GpwhYbFO_weKUJMnwEV-V4v_hOU>
Subject: Re: [dnssd] I-D Action: draft-ietf-dnssd-srp-00.txt
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 21:03:02 -0000

Right, I remember the discussion now.   But service registration is always
limited to the administrative domain.   Your objection doesn't really make
any sense.   This is not DNS update.   This is DNSSD Service Registration.
 It's only for service registration, and services are registered where they
are present, not across the Internet from somewhere else.   If you think
there's a SRP that works from random locations in the Internet, you should
write up the use case and we can talk about it.   But I think it would be
the protocol that would require the special name, not this one.

Also, I think Stuart and I both count as 1, so it's 2:1.   :)

On Wed, Oct 24, 2018 at 4:35 PM Tom Pusateri <pusateri@bangj.com> wrote:

> Looking at the archive, Toke was the only other person that commented and
> he didn’t specifically comment about the name, just that he supported
> adoption.
>
> So that’s 1-1 not counting the authors.
>
> Maybe encryption was more specific than I meant to state as a concern.
> From the document:
>
> "SRP updates have no authorization semantics other than first-come,
> first-served.  This means that if an attacker from outside of the
> administrative domain of the server knows the server's IP address, it
> can in principle send updates to the server that will be processed
> successfully.
> Servers should therefore be configured to reject updates from source
> addresses outside of the administrative domain of the server.”
>
> The main problem is that it’s restricted to an administrative domain.
>
> And previously, you stated that encryption would break the goals of the
> protocol because it’s supposed to be done in a single message which can’t
> happen when using DoT.
>
> Tom
>
> On Oct 24, 2018, at 3:55 PM, Ted Lemon <mellon@fugue.com> wrote:
>
> Hm, my recollection is that there was a long discussion on the mailing
> list, and you were the odd man out.   In any case, SRP can be done over
> DoT, so encryption is certainly possible if required.
>
> On Wed, Oct 24, 2018 at 2:13 PM Tom Pusateri <pusateri@bangj.com> wrote:
>
>> If you were present in Montréal, you may remember that I supported this
>> work for adoption but wanted to see the named changed.
>>
>> There didn’t seem to be any other responses one way or the other. Since I
>> believe in rough consensus, it would be good to know if others feel the
>> same.
>>
>> The discussion was then moved to the list and can be found in the
>> archives.
>>
>> My main objection was that because it wasn’t possible to use encryption
>> with this scheme, it was not a general purpose solution and had to be
>> restricted to a subset of the use cases. Therefore, it should have a name
>> that reflects it’s inherent limitations.
>>
>> Thanks,
>> Tom
>>
>>
>> > On Oct 23, 2018, at 11:49 AM, internet-drafts@ietf.org wrote:
>> >
>> >
>> > A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> > This draft is a work item of the Extensions for Scalable DNS Service
>> Discovery WG of the IETF.
>> >
>> >        Title           : Service Registration Protocol for DNS-Based
>> Service Discovery
>> >        Authors         : Stuart Cheshire
>> >                          Ted Lemon
>> >       Filename        : draft-ietf-dnssd-srp-00.txt
>> >       Pages           : 19
>> >       Date            : 2018-10-23
>> >
>> > Abstract:
>> >   The Service Registration Protocol for DNS-Based Service Discovery
>> >   uses the standard DNS Update mechanism to enable DNS-Based Service
>> >   Discovery using only unicast packets.  This eliminates the dependency
>> >   on Multicast DNS as the foundation layer, which greatly improves
>> >   scalability and improves performance on networks where multicast
>> >   service is not an optimal choice, particularly 802.11 (Wi-Fi) and
>> >   802.15.4 (IoT) networks.  DNS-SD Service registration uses public
>> >   keys and SIG(0) to allow services to defend their registrations
>> >   against attack.
>> >
>> >
>> > The IETF datatracker status page for this draft is:
>> > https://datatracker.ietf.org/doc/draft-ietf-dnssd-srp/
>> >
>> > There are also htmlized versions available at:
>> > https://tools.ietf.org/html/draft-ietf-dnssd-srp-00
>> > https://datatracker.ietf.org/doc/html/draft-ietf-dnssd-srp-00
>> >
>> >
>> > Please note that it may take a couple of minutes from the time of
>> submission
>> > until the htmlized version and diff are available at tools.ietf.org.
>> >
>> > Internet-Drafts are also available by anonymous FTP at:
>> > ftp://ftp.ietf.org/internet-drafts/
>> >
>> > _______________________________________________
>> > dnssd mailing list
>> > dnssd@ietf.org
>> > https://www.ietf.org/mailman/listinfo/dnssd
>>
>> _______________________________________________
>> dnssd mailing list
>> dnssd@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnssd
>>
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssd
>
>
>

v2.23.0 | Report a Bug | By Email