Re: [Dots] Eric Rescorla's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Fri, 22 February 2019 22:19 UTC
Date: Fri, 22 Feb 2019 16:19:01 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Eric Rescorla <ekr@rtfm.com>
CC: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-dots-requirements@ietf.org" <draft-ietf-dots-requirements@ietf.org>
Message-ID: <20190222221900.GG69562@kduck.mit.edu>
References: <155076138334.8654.4433425046363509880.idtracker@ietfa.amsl.com> <BYAPR16MB27907AFCEC70695076EFD2B9EA7F0@BYAPR16MB2790.namprd16.prod.outlook.com> <CABcZeBOAYzwf1SzdEJWwGgd3z3t+nGeJ1i4GW58OOwoDtLCn5w@mail.gmail.com> <DM6PR16MB27948B94FCBF0A460F90A9C7EA7F0@DM6PR16MB2794.namprd16.prod.outlook.com> <CABcZeBNezmCh7X80BqnizXmX2r42SS=+h3PWO9vpboMaDW30og@mail.gmail.com>
In-Reply-To: <CABcZeBNezmCh7X80BqnizXmX2r42SS=+h3PWO9vpboMaDW30og@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/6JlVTt88W72s8eA6NEAi-SDlo9U>
On Fri, Feb 22, 2019 at 08:44:58AM -0800, Eric Rescorla wrote:
> On Fri, Feb 22, 2019 at 8:06 AM Konda, Tirumaleswar Reddy <
> TirumaleswarReddy_Konda@mcafee.com> wrote:
>
> > *From:* Eric Rescorla <ekr@rtfm.com>
> > *Sent:* Friday, February 22, 2019 7:11 PM
> > *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> > *Cc:* The IESG <iesg@ietf.org>; dots-chairs@ietf.org;
> > frank.xialiang@huawei.com; draft-ietf-dots-requirements@ietf.org;
> > dots@ietf.org
> > *Subject:* Re: Eric Rescorla's Discuss on
> > draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
> >
> > On Fri, Feb 22, 2019 at 3:41 AM Konda, Tirumaleswar Reddy <
> > TirumaleswarReddy_Konda@mcafee.com> wrote:
> >
> > > -----Original Message-----
> > > From: Eric Rescorla <ekr@rtfm.com>
> > > Sent: Thursday, February 21, 2019 8:33 PM
> > > To: The IESG <iesg@ietf.org>
> > > Cc: dots-chairs@ietf.org; frank.xialiang@huawei.com; Liang Xia
> > > <frank.xialiang@huawei.com>; draft-ietf-dots-requirements@ietf.org;
> > > dots@ietf.org
> > > Subject: Eric Rescorla's Discuss on draft-ietf-dots-requirements-18:
> > > (with DISCUSS and COMMENT)
> > >
> > >
> > > DETAIL
> > > S 2.2.
> > > >    free to attempt abbreviated security negotiation methods supported
> > > >    by the protocol, such as DTLS session resumption, but MUST be
> > > >    prepared to negotiate new security state with the redirection
> > > >    target DOTS server.  The authentication domain of the redirection
> > > >    target DOTS server MUST be the same as the authentication domain
> > > >    of the redirecting DOTS server.
> > >
> > > what is an "authentication domain"?
> >
> > We are trying to say both the redirecting and redirected target DOTS
> > server belong to the same administrative domain.
> >
> > Modified the last line as follows:
> > The redirection DOTS server and redirecting DOTS server MUST belong to the
> > same administrative domain.
> >
> >
> > How do I interpret this as the redirected party? Does it have to be the
> > same identity in the certificate? Something else?
> >
> >
> > The redirected (or alternate) DOTS server’s FQDN will be conveyed by the
> > redirecting DOTS server, and DOTS client uses the same explicit trust store
> > to validate both the servers certificates.
> >
>
> OK, so the client has no way of knowing if these are actually the same
> admin domain, it's just an operational requirement?

(D)TLS mutual auth is used, so there is some information available as a
proxy for "same admin domain", like "certificate issued by same private
CA hierarchy" or similar.

-Benjamin
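As an added illustration of the proxy Benjamin describes, and not code from this thread, from the draft, or from any DOTS implementation: a DOTS client that keeps an explicit trust store can verify the redirect target's certificate for the FQDN the redirecting server conveyed and then require that it chains to the same trust anchor as the redirecting server's certificate. The example below, in Go, builds a constructed PKI (an "Example Ops CA", an "Example Partner CA", and the server names a.dots.example, b.dots.example and c.dots.example are all made up for the demo) and runs that check for three cases: same CA, a different CA that the client also trusts, and a conveyed FQDN that the target certificate does not carry. Treating "same trust anchor" as "same administrative domain" is the assumption the check encodes; it is only as good as the operator's CA layout.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial-number counter for the demo PKI

// template builds a certificate template; ca selects CA vs. DOTS-server leaf usage.
func template(name string, ca bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name} // the FQDN the redirecting server would convey
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parent (self-signed when parent is nil) and returns the
// certificate and its private key. Constructed example PKI, not real DOTS credentials.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustAnchorFor validates cert against the client's explicit trust store for the
// expected FQDN and returns the root the chain terminates at.
func trustAnchorFor(roots *x509.CertPool, cert *x509.Certificate, fqdn string) (*x509.Certificate, error) {
	chains, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   fqdn,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil, err
	}
	chain := chains[0]
	return chain[len(chain)-1], nil
}

// SameTrustAnchor is the client-side check: both certificates must validate against
// the same trust store for their FQDNs, and must chain to the same root certificate.
func SameTrustAnchor(roots *x509.CertPool, redirecting *x509.Certificate, redirectingFQDN string,
	target *x509.Certificate, targetFQDN string) (bool, error) {
	rootA, err := trustAnchorFor(roots, redirecting, redirectingFQDN)
	if err != nil {
		return false, fmt.Errorf("redirecting server: %w", err)
	}
	rootB, err := trustAnchorFor(roots, target, targetFQDN)
	if err != nil {
		return false, fmt.Errorf("redirect target: %w", err)
	}
	return bytes.Equal(rootA.Raw, rootB.Raw), nil
}

// demoResult records the outcome of the three constructed cases.
type demoResult struct {
	SameCA       bool // a -> b, both issued by the Ops CA: accepted
	OtherCA      bool // a -> c, c issued by a different CA the client also trusts: not same domain
	NameMismatch bool // conveyed FQDN absent from the target certificate: rejected
}

// demo builds the constructed PKI and trust store and exercises SameTrustAnchor.
func demo() (demoResult, error) {
	var r demoResult
	opsCA, opsKey, err := issue(template("Example Ops CA", true), nil, nil)
	if err != nil {
		return r, err
	}
	partnerCA, partnerKey, err := issue(template("Example Partner CA", true), nil, nil)
	if err != nil {
		return r, err
	}
	a, _, errA := issue(template("a.dots.example", false), opsCA, opsKey)
	b, _, errB := issue(template("b.dots.example", false), opsCA, opsKey)
	c, _, errC := issue(template("c.dots.example", false), partnerCA, partnerKey)
	for _, e := range []error{errA, errB, errC} {
		if e != nil {
			return r, e
		}
	}
	roots := x509.NewCertPool() // the client's explicit trust store: both CAs
	roots.AddCert(opsCA)
	roots.AddCert(partnerCA)
	if r.SameCA, err = SameTrustAnchor(roots, a, "a.dots.example", b, "b.dots.example"); err != nil {
		return r, err
	}
	if r.OtherCA, err = SameTrustAnchor(roots, a, "a.dots.example", c, "c.dots.example"); err != nil {
		return r, err
	}
	_, err = SameTrustAnchor(roots, a, "a.dots.example", b, "other.dots.example")
	r.NameMismatch = err != nil
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("same CA: %v, other trusted CA: %v, FQDN mismatch rejected: %v\n",
		r.SameCA, r.OtherCA, r.NameMismatch)
}
```

The comparison is on the root certificate's DER bytes, so a deployment that uses one private root with several intermediates still passes; if the operator instead wants "same issuing CA", compare the immediate issuer (chain[1]) rather than the last element. The FQDN check is what ties the conveyed redirect target to the certificate the client actually sees, and it runs before the anchor comparison so that a target presenting a valid certificate for some other name is rejected outright.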