IETF Logo Mail Archive

Re: [Dots] Call for adoption on draft-boucadair-dots-server-discovery

Dan Wing <danwing@gmail.com> Thu, 13 December 2018 19:24 UTC

Return-Path: <danwing@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42325130E34 for <dots@ietfa.amsl.com>; Thu, 13 Dec 2018 11:24:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 340-AKESKXQm for <dots@ietfa.amsl.com>; Thu, 13 Dec 2018 11:24:32 -0800 (PST)
Received: from mail-pg1-x532.google.com (mail-pg1-x532.google.com [IPv6:2607:f8b0:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69B5D130E2E for <dots@ietf.org>; Thu, 13 Dec 2018 11:24:32 -0800 (PST)
Received: by mail-pg1-x532.google.com with SMTP id z11so1509350pgu.0 for <dots@ietf.org>; Thu, 13 Dec 2018 11:24:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=uXP0vC61yujfIBcJnADBGmUNRiwxwMmTOaLimlwt6B8=; b=Evbic4JJKvsvJgQPnlanl++ADOPlejGxXUpS1cMNa9tGlbFNYIan0/YOlYZ2LNjb24 y10GbIY3Ar45cBTjxHW6ICqjpeHBKWJfedCK7FmUryRGL5bOzza3E+oBg3FvZBvCNXu4 7RuymW0nTcrOuB19SIIfQVTU+XcBqrh16U0QAjJ+Lzb8ikjKxUerZ37ZpwtRj6CjnlUW +598BbXmnCm3E6LgAavrOP7tZWkgMZRk2G3QBtUPIUo6xXo+aTqq38ukKTpKAPy5EuKu YQbSVMhZYu5Zw/lTW/7tgy+KDkHGpXgJt9g93/+FjvttoAE0XxB+aOea+AbqbEaq8vK9 g38Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=uXP0vC61yujfIBcJnADBGmUNRiwxwMmTOaLimlwt6B8=; b=eK2MNoddhzZUS+rjIIYW8MDFENETevbTIXQI8OwXUHfnG+djUcbCEP3KJqiumBNXvU RWtSubKdjgX4D+KKjeDShH6uFxV68+FU7BGAyG4L6Z7YA2yokeg317oIJohIyz8DtiNw iTaVULmXe7rIHWLhc1u1MGaoAi5zbkxGIL/yFGo9PZtZKdhib54EX1nOlNgL0WT1txd3 LtdNbYDPrpccXo4ey4BOwaQYCUzhOiq1htizFikYoS+wZmeFfY9sNIo7nYzr1LvaFVTT c3yfOLuL1u8uuL9TKWRertMoMlphlnX+sukYhfHwPbjp+OWcNSyWxey3QA995sljXP7O H0pw==
X-Gm-Message-State: AA+aEWZ3sbbemDXcEc1HgTPCeSH0ycsEykV5RsHLesFPseaC9oSpWTvL PrMiGH1ckCeuNPx6g6K37wF8E2kd4dg=
X-Google-Smtp-Source: AFSGD/V3STyMsCV1KqgTA/PmX4T2h1h3D93jencC6SGJrgoBOATmQ6C+hjn0eywnm/oagomf9/VWTA==
X-Received: by 2002:a63:bd1a:: with SMTP id a26mr32275pgf.121.1544729070401; Thu, 13 Dec 2018 11:24:30 -0800 (PST)
Received: from [192.168.86.180] ([75.111.77.103]) by smtp.gmail.com with ESMTPSA id o66sm8387653pgo.75.2018.12.13.11.24.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Dec 2018 11:24:29 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Dan Wing <danwing@gmail.com>
In-Reply-To: <BN6PR16MB14256E2AB18E6BB60CE26630EAA00@BN6PR16MB1425.namprd16.prod.outlook.com>
Date: Thu, 13 Dec 2018 11:24:28 -0800
Cc: Roman Danyliw <rdd@cert.org>, "dots@ietf.org" <dots@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7467FE4F-2C66-49D9-8EFE-367E93F7A5C9@gmail.com>
References: <359EC4B99E040048A7131E0F4E113AFC0184C52F1B@marathon> <6C0138CB-2B3C-4A9D-A013-2232879A72AD@gmail.com> <BN6PR16MB14256E2AB18E6BB60CE26630EAA00@BN6PR16MB1425.namprd16.prod.outlook.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Wc7Q14GWZEtT7xuC8vWQGZO0Omw>
Subject: Re: [Dots] Call for adoption on draft-boucadair-dots-server-discovery
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2018 19:24:35 -0000

On Dec 13, 2018, at 1:41 AM, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> wrote:
> Hi Dan,
> 
> Good point. DHCP to learn the DOTS sever information does not look suitable, the DHCP client will not have a secure trusted relationship with the DHCP server to learn the DOTS server information (see the challenges we faced in DNS over TLS https://tools.ietf.org/html/rfc8310#section-7.3.1 for using DHCP).

DHCP is not solely inadequate because of the insecurity of DHCP, because other DOTS server discovery techniques suffer the same problem that a bogus DOTS server might be used by the DOTS client; the specification mentions that risk for the gratuitous multicasted DNS for mDNS, but the same issue exists with anycast.  Of all of them, N-SAPTR is most robust, but still suffers from the problem of how one might select or configure the domain name; if via DHCP (rather than user-configured or user-confirmed), we're back to trusting DHCP.  I would step back and see how we want to solve authentication overall for reliable and trustable time servers (NTP or TLS date/time or Google's Roughtime (https://roughtime.googlesource.com/roughtime).  Specific example, if I can authenticate the anycast DOTS server, but I can't authenticate or can't authorize with one of the higher-priority Discovery servers (e.g., NAPTR) the client should continue using the anycast server.

The document could be improved by separating how to find servers (currently 4 techniques) from how those are authenticated and what happens when authentication expires (e.g., server certificate has expired), and if existing server should be abandoned if a higher-priority Server Discovery happens to learn of a new server.  Are implementations expected to re-run their server discovery all the time, or only when a connection dies or only when server certificate expires, or .. never?  This stuff is partially discussed in Security Considerations, and maybe expanding that would be sufficient, but it seems the overall model needs to be discussed earlier -- that model being that the client is (somehow) given a trust anchor prior to joining a network and prior to trying to authenticate its discovered DOTS server.


> For auto discovery the DOTS client can try mDNS or anycast or both to reach the DOTS gateway, and the DOTS gateway can try both DNS-SD or anycast or both to reach the DOTS server in the ISP network.

Yeah, a discussion on when or why to re-run discovery seems important for the document, at some point -- probably too early now but worth some discussion and analysis.

-d



> 
> Cheers,
> -Tiru
> 
>> -----Original Message-----
>> From: Dots <dots-bounces@ietf.org> On Behalf Of Dan Wing
>> Sent: Thursday, December 13, 2018 8:53 AM
>> To: Roman Danyliw <rdd@cert.org>
>> Cc: dots@ietf.org
>> Subject: Re: [Dots] Call for adoption on draft-boucadair-dots-server-discovery
>> 
>> This email originated from outside of the organization. Do not click links or
>> open attachments unless you recognize the sender and know the content is
>> safe.
>> 
>> I support adoption of this draft.
>> 
>> However, I would really encourage the working group to analyze if all 4
>> discovery methods are really necessary.  4 mechanisms causes a bifurcation
>> of products.  It complicates the features of a DOTS gateway, and raises
>> questions such as "is quality implementation of a DOTS gateway expected to
>> interoperate amongst the 4 DOTS discovery mechanisms."  Such
>> interoperation becomes necessary when, say, some devices won't support
>> DHCPv6 (Android) but an ISP only supports DHCPv4 & DHCPv6 DOTS
>> discovery, for example.  There are other examples of incompatible discovery
>> and how a vendor or an open-source DOTS gateway might try to overcome
>> such issues with a Discovery Interoperability Feature ...
>> 
>> -d
>> 
>> 
>>> On Nov 30, 2018, at 2:21 PM, Roman Danyliw <rdd@cert.org> wrote:
>>> 
>>> Hello!
>>> 
>>> This is the start of a two week call for input on the WG adoption of the
>> document:
>>> 
>>> draft-boucadair-dots-server-discovery
>>> https://tools.ietf.org/html/draft-boucadair-dots-server-discovery-05
>>> 
>>> The document has been presented and discussed at IETF 103, IETF 100 and
>> IETF 99;  and revisions have been made based on WG feedback.  Discussion
>> of adoption of this draft was previously deferred pending submission of the
>> signal draft for publication (which occurred in September 2018).
>>> 
>>> At the IETF 103 meeting, there were not many participants who had read
>> the draft.
>>> 
>>> Please provide feedback to the list/chairs if you believe that this document
>> should be adopted as a WG document.  The adoption call will end on
>> December 14 2018.
>>> 
>>> Regards,
>>> Roman and Frank
>>> 
>>> _______________________________________________
>>> Dots mailing list
>>> Dots@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dots
>> 
>> _______________________________________________
>> Dots mailing list
>> Dots@ietf.org
>> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email