Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

Eliot Lear <lear@cisco.com> Mon, 11 March 2019 18:18 UTC

Return-Path: <lear@cisco.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37B4E127817; Mon, 11 Mar 2019 11:18:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3JDjCD1zumkE; Mon, 11 Mar 2019 11:18:46 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 515F7124BF6; Mon, 11 Mar 2019 11:18:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1823; q=dns/txt; s=iport; t=1552328325; x=1553537925; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=9mPEcRMiekLBZECWcZaKEmPMlpeC/M66XkfYVe+320o=; b=Br5lY4mUur1RCrpJxTZ8ZifyCV/B9hmuPPf3aojWvokEe9y+aWiUS51T zz15zMjeKQMbqjKnGy8edsyPmlLvqTQzVqvBMFUOLQ5a4tbzxMzOEbmdf vKstG8hux6txXpX8CLIV1af6DU/Z3ZG72uC5b7xYMf3tgNVpOnwuFWaYN s=;
X-Files: signature.asc : 488
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0A+AAAFpYZc/xbLJq1kGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBZYNpEieECYh5jDwlmiEIAwEBhGwChFw4EgEBAwEBBwE?= =?us-ascii?q?DAm0ohUoBAQEBAgEjVgULCxgqAgJXBhODIgGBbQiwSIEvhUWEYQ+BL4FJiUc?= =?us-ascii?q?0gX+BOAwTgkyICzGCJgOMIIUckmUJhFmOMxmTOppRgm4CBAYFAhWBXiE1gSE?= =?us-ascii?q?zGggbFWUBgkE+kA4+AzCQQAEB?=
X-IronPort-AV: E=Sophos;i="5.58,468,1544486400"; d="asc'?scan'208";a="10678156"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 11 Mar 2019 18:18:43 +0000
Received: from ams3-vpn-dhcp7163.cisco.com (ams3-vpn-dhcp7163.cisco.com [10.61.91.250]) by aer-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id x2BIIdwW030066 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 11 Mar 2019 18:18:40 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <36C6BE4B-5919-4658-9AF1-AB1572E5999C@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_295A2059-7727-4DA6-A31E-32969A940D0C"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Mon, 11 Mar 2019 19:18:38 +0100
In-Reply-To: <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org>
Cc: nalini elkins <nalini.elkins@e-dco.com>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, "doh@ietf.org" <doh@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "Ackermann, Michael" <mackermann@bcbsm.com>, Christian Huitema <huitema@huitema.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Paul Vixie <paul@redbarn.org>
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com> <e62efaf3-4a35-4a52-5ed4-dee2e7fafe72@huitema.net> <69f989ba-0939-b917-b586-9e3af3fb8b74@redbarn.org> <CAPsNn2XNCzgAdfJtxBVboAe+d6sbCiV2fZv9185wm+HN+3zRdg@mail.gmail.com> <BYAPR16MB279065EE519680E7FC9A637CEA480@BYAPR16MB2790.namprd16.prod.outlook.com> <CAPsNn2Up1AtJJCdmu_9NC4jfzc-8dtE+QjUzRxMBUwaN44gvOg@mail.gmail.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
X-Outbound-SMTP-Client: 10.61.91.250, ams3-vpn-dhcp7163.cisco.com
X-Outbound-Node: aer-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/fnFZSpoMuUeA58aJLomkN12-JNE>
X-Mailman-Approved-At: Mon, 11 Mar 2019 19:45:46 -0700
Subject: Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2019 18:18:47 -0000

Hi Paul,

> On 11 Mar 2019, at 19:12, Paul Vixie <paul@redbarn.org> wrote:
> 
> 
> 
> nalini elkins wrote on 2019-03-11 10:26:
>> Tiru,
>> Thanks for your comments.
>> > Enterprise networks are already able to block DoH services,
> i wonder if everyone here knows that TLS 1.3 and encrypted headers is going to push a SOCKS agenda onto enterprises that had not previously needed one, and that simply blocking every external endpoint known or tested to support DoH will be the cheaper alternative, even if that makes millions of other endpoints at google, cloudflare, cisco, and ibm unreachable as a side effect?

That or it will require a bit more management at the MDM level.  I’m hoping the latter.  And I hope that one output of all of these documents will be a recommendation regarding MDM interfaces.

Eliot