Re: [Doh] WG Review: DNS Over HTTPS (doh)

Warren Kumari <warren@kumari.net> Fri, 22 September 2017 19:48 UTC

In-Reply-To: <0d059767-51eb-d583-1122-a11f4ba9a4aa@cisco.com>
References: <150549029332.2975.12341647131707994474.idtracker@ietfa.amsl.com> <20170920151458.GA22670@faui40p.informatik.uni-erlangen.de> <eaadc24d-6150-2396-64b6-708266de1c69@nostrum.com> <c06bfd5a-743a-aa9f-68b4-4a60badc8bed@cisco.com> <a34c98e2-7129-1d1a-947b-20cafa236119@nostrum.com> <5e9cb711-d798-c6b9-d6c3-c7619bcbadd7@cisco.com> <2E3B3E8E-7C8D-4662-B5C8-D11C390EE5ED@mnot.net> <CA+9kkMBD3qntDXGa3tWpcGRUWN4g4ivbMWMZrWRP-BBeJFOWVQ@mail.gmail.com> <alpine.DEB.2.11.1709221301470.2486@grey.csi.cam.ac.uk> <CAHw9_i+0AKRQnnUkagB1XqoiiNVvcYu5psaHPrqzCetbudEu0w@mail.gmail.com> <0d059767-51eb-d583-1122-a11f4ba9a4aa@cisco.com>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 22 Sep 2017 15:47:39 -0400
Message-ID: <CAHw9_iJz7oPs=621R5VeF_P2K-GEA4Q4acYYDcLxw=H50Y=1sQ@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: Tony Finch <dot@dotat.at>, Ted Hardie <ted.ietf@gmail.com>, doh@ietf.org, IETF <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/VgUgprYVChgEjeVJvtXQulxS_w0>

On Fri, Sep 22, 2017 at 1:23 PM, Eliot Lear <lear@cisco.com> wrote:
> Hi Warren,
>
> Just a point of information:
>
>
> On 9/22/17 6:24 PM, Warren Kumari wrote:
>> Unfortunately you cannot separate case 1 from case 2 -- if you make it
>> something that enterprise folk can detect / block (on BYOD devices)
>> then you have provided that facility to everyone.
>
> Good guys generally have an existing security association with the
> device (if a bad guy has a security association with the box, we call it
> 0wn3d).

Yes, and no (and why I specified BYOD) -- a number of enterprises
allow employees to bring in personal phones / tablets / computers and
use them on the corporate network... without requiring that they
install a profile / place the devices under management -- I've lost
the reference (I'd thought it was off the BYOD wikipedia page), but
the number of organizations doing this was scary (to me!). Now,
perhaps these same organizations don't currently monitor their
employee usage through DNS...

W

>
> Eliot
>
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf