Re: [Dots] Magnus Westerlund's No Objection on draft-ietf-dots-server-discovery-14: (with COMMENT)
Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 06 November 2020 10:42 UTC
On Fri, 2020-11-06 at 07:44 +0000, Konda, Tirumaleswar Reddy wrote:
> > -----Original Message-----
> > From: Magnus Westerlund via Datatracker <noreply@ietf.org>
> > Sent: Thursday, November 5, 2020 7:27 PM
> > To: The IESG <iesg@ietf.org>
> > Cc: draft-ietf-dots-server-discovery@ietf.org; dots-chairs@ietf.org;
> > dots@ietf.org; Valery Smyslov <valery@smyslov.net>; valery@smyslov.net
> > Subject: Magnus Westerlund's No Objection on draft-ietf-dots-server-
> > discovery-14: (with COMMENT)
> >
> > CAUTION: External email. Do not click links or open attachments unless you
> > recognize the sender and know the content is safe.
> >
> > Magnus Westerlund has entered the following ballot position for
> > draft-ietf-dots-server-discovery-14: No Objection
> >
> > When responding, please keep the subject line intact and reply to all email
> > addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-dots-server-discovery/
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > Shouldn't the security consideration section 8.2 have some additional
> > warnings about the ease of affecting the DNS lookup when .local is used,
> > as mDNS can more easily be gamed?
>
> Yes, but the discovery uses global names and not ".local". DNSSEC can be used
> to validate the response.

Ok, that is better, sorry for missing that part. Still, as with mDNS results, nodes on the network segment or multicast domain used can easily inject answers.

So it enlarges the attack surface, but DNS without DNSSEC appears quite sensitive to targeted attacks on the name resolution of the DOTS servers.

I think comparing sections 8.3 and 8.2 is interesting. In 8.2 you are explicit about the attacker's interest in compromising the S-NAPTR resolution. But the same attack potential in DNS-SD is not mentioned. Are redirects allowed here when doing the lookup, and does that affect what domain name one will use in SNI in DTLS when connecting to the DOTS agent? Just trying to understand if the DTLS connection step is a second line of defence for the DNS-SD step? In other words, that an attacker can inject or modify a DNS response to ensure that the DOTS client connects to the attacker's server, but that it isn't fooled that this is the intended one?

Cheers

Magnus