IETF Logo Mail Archive

Re: [Dots] Call for adoption on draft-boucadair-dots-server-discovery

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Fri, 14 December 2018 11:04 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C948712D84D for <dots@ietfa.amsl.com>; Fri, 14 Dec 2018 03:04:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.76
X-Spam-Level:
X-Spam-Status: No, score=-5.76 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RGRm4haKdrLk for <dots@ietfa.amsl.com>; Fri, 14 Dec 2018 03:04:07 -0800 (PST)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0120127AC2 for <dots@ietf.org>; Fri, 14 Dec 2018 03:04:06 -0800 (PST)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1544785464; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-microsoft-antispam-prvs:x-ms-exchange-senderadcheck: x-exchange-antispam-report-cfa-test:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=yIsEL9PPxULHKzhScLQmxVa8T9sZ7mfI8Ux292 CL7c8=; b=JuT/mjCJi046PdvtxhM039SuM3kuR5jgw4x8tok7 gLc5wP01nRarK0A3gYbqijn56ldWWKVpfZoFEYVl34O6ZACfzO rhjiPy7YXEVGhIEUG+WMPJEAm/4TZpxjDxAY8QGJrWI4EMYeeS hOCKvi7Vl1Nd12nU0VTJkw12myLsJcQ=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (unknown [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 309b_79c4_8f760f26_ff88_4570_9c7b_15600b3a8d11; Fri, 14 Dec 2018 05:04:23 -0600
Received: from DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 14 Dec 2018 04:04:04 -0700
Received: from DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) by DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 14 Dec 2018 04:04:02 -0700
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Fri, 14 Dec 2018 04:04:02 -0700
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (10.44.176.240) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 14 Dec 2018 04:04:01 -0700
Received: from BN6PR16MB1425.namprd16.prod.outlook.com (10.172.207.19) by BN6PR16MB1843.namprd16.prod.outlook.com (10.172.29.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1425.18; Fri, 14 Dec 2018 11:04:00 +0000
Received: from BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::b8de:7bb:cfa3:22ee]) by BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::b8de:7bb:cfa3:22ee%8]) with mapi id 15.20.1404.028; Fri, 14 Dec 2018 11:04:00 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Dan Wing <danwing@gmail.com>
CC: Roman Danyliw <rdd@cert.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Call for adoption on draft-boucadair-dots-server-discovery
Thread-Index: AdSI+mzom/yrMKu/SJm1ohZrl+sYtAJmLD8AAAu72ZAAFdprAAAXgC2w
Date: Fri, 14 Dec 2018 11:04:00 +0000
Message-ID: <BN6PR16MB142548AA1E1AA66716C637E4EAA10@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <359EC4B99E040048A7131E0F4E113AFC0184C52F1B@marathon> <6C0138CB-2B3C-4A9D-A013-2232879A72AD@gmail.com> <BN6PR16MB14256E2AB18E6BB60CE26630EAA00@BN6PR16MB1425.namprd16.prod.outlook.com> <7467FE4F-2C66-49D9-8EFE-367E93F7A5C9@gmail.com>
In-Reply-To: <7467FE4F-2C66-49D9-8EFE-367E93F7A5C9@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.0.61
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR16MB1843; 6:9uNPWLcA0yFNyRemJ31zwnMpM8CUSdW7CyFP4vsDgQNZ9zEWi9wO2CTvwqqX0gR00PK78tUaJ3ylVAhrImEtfTPqNRZ+2pgvpQZZCB0sDtmwCFk7bDiJES3VGx/1PBVDCCCETMfiaA1mgznCEBe1RIw0U+mWOqM0UmAk7A+PQ2PqI2fklA8+csIljfV8ygqnQ/bx0h5wwC5SqBXCC7KACMIJmv+ZfQQt972pax2ckggnnOs0hv2dHsmewwpI9LhI4bpyHvKr0tQOD11pGACleqG4zsicAGlNXvvGDsh36trGYawEPjNHwN7C1H9KkMboNDGXZs7kXFez912S8+v5QMOGxj89bazyu77JVfMGq2/RpwioIMAUivVn0qMGw6F4UTfcK3WfB9E/jW8bD0iPcWP3SWeLaR6Q85TwcWt0wyYI5YpBSIb83XvUgtG4j9xwGLgoENqoXJehWAr1zMbnLA==; 5:4X7+Thm19CrJVAYyC5c8pIkrdOPjzp5uA5pWYG7ZY4IHlk0zY+VnQTX0NSQjaLFfm/oB4Kg8ehFYuioTx4HZwndZBYGRTJNtcR3tvy8ahMcDwkN1S5gTVBJmBQ3ckkQMpCk9j33nE5O8JRwMFHZWQHT9XgH78aQqIws9CNiJM+k=; 7:DAdDG4phGq8kspPo+V94oC0Y36OctMnSgx5ZM14if9gOrCgr7xPwv4V+ElqARdDyxjLn1lv1MKyEL1xEYxPBJvpGLTPKQfpmO7n59FIhTdg8g+0CkuuJekMRDkE1ve35uSTAkzonEod+VBBVK0zwDA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: bd8d49d5-a19a-4b32-e85e-08d661b3da2b
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:BN6PR16MB1843;
x-ms-traffictypediagnostic: BN6PR16MB1843:
x-microsoft-antispam-prvs: <BN6PR16MB184356D57D591B541F884F57EAA10@BN6PR16MB1843.namprd16.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(3230021)(999002)(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(10201501046)(3231475)(944501520)(52105112)(3002001)(148016)(149066)(150057)(6041310)(20161123562045)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(201708071742011)(7699051)(76991095); SRVR:BN6PR16MB1843; BCL:0; PCL:0; RULEID:; SRVR:BN6PR16MB1843;
x-forefront-prvs: 08864C38AC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(136003)(366004)(396003)(39860400002)(199004)(189003)(13464003)(32952001)(1411001)(68736007)(71200400001)(71190400001)(80792005)(8676002)(33656002)(66066001)(81156014)(186003)(81166006)(53546011)(93886005)(7736002)(8936002)(99286004)(102836004)(76176011)(316002)(6506007)(54906003)(26005)(5660300001)(9686003)(4326008)(7696005)(25786009)(55016002)(6116002)(5024004)(14444005)(256004)(14454004)(476003)(11346002)(105586002)(486006)(3846002)(446003)(6436002)(229853002)(106356001)(74316002)(6246003)(305945005)(6916009)(53936002)(39060400002)(6306002)(2906002)(966005)(72206003)(478600001)(97736004)(86362001)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR16MB1843; H:BN6PR16MB1425.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: yhqMrdQylBxHnP8p8H6nTwEzk/PlHEpppkKWdp2epxz2iXV3JEZ/sqt4yTDYt3q/OibJZLj26mo5o0GyUDGn5tkWXmJtfXPbx6F/D2RfsSHudfyyiuiVaXS2j7tCYFHwnZLBn7kOi4EIm4Y9QdJXuqAlCad1v4Y6o1r/BxndU/4Q9t6ALr5CVXY2CjyIqCiSxVHq/+X7wGk6vZNxqWMlbuz+Op3qSBnQgfPytVlFhYzoIDG6eAjyV4lb/vnSwi4AkcmI6jJES8Zlut55fnIGAdWqYzn8/smnpDOzJOl1YUydeYIbXnzrZ9EEwUI35asD
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: bd8d49d5-a19a-4b32-e85e-08d661b3da2b
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Dec 2018 11:04:00.6174 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR16MB1843
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.1
X-NAI-Spam-Version: 2.3.0.9418 : core <6438> : inlines <6985> : streams <1807095> : uri <2764659>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/gtNjSVrX9_gu9HycORnWfibWD-E>
Subject: Re: [Dots] Call for adoption on draft-boucadair-dots-server-discovery
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Dec 2018 11:04:10 -0000

Hi Dan,

The problem after auto-discovery is for the DOTS client to authenticate the DOTS server and vice-versa. If the DOTS agents cannot mutually authenticate each other, the discovery mechanism is of no use.  It means client has to be configured with DOTS server name and DOTS server domain's trust anchor certificate. 

>From my understanding listing the discovery mechanisms required 

[1] S-NAPTR lookup happens after the client is statically (or manually) configured with the DOTS server domain name, and uses PKIX based authentication of the server. 
[2] Static configuration of DOTS server domain name and its anycast IP address. PKIX is used to authenticate the DOTS server.
[3] Static configuration of SPKI + IP address. SPKI is used to authenticate the DOTS server. 
[4] The only way to automate the discovery of DOTS server and automatically configure the explicit trust anchor store for the attached domain is to use BRSKI, using BRSKI the device (co-located with DOTS client) would have already learned and validated the network domain name, and can use DNS-SD/mDNS to discover the DOTS server. DNSSEC validation also becomes possible, and even if the client does not support DNSSEC it will validate the DOTS server certificate using the installed explicit trust store.

Cheers,
-Tiru

> -----Original Message-----
> From: Dan Wing <danwing@gmail.com>
> Sent: Friday, December 14, 2018 12:54 AM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> Cc: Roman Danyliw <rdd@cert.org>; dots@ietf.org
> Subject: Re: [Dots] Call for adoption on draft-boucadair-dots-server-discovery
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is
> safe.
> 
> On Dec 13, 2018, at 1:41 AM, Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com> wrote:
> > Hi Dan,
> >
> > Good point. DHCP to learn the DOTS sever information does not look
> suitable, the DHCP client will not have a secure trusted relationship with the
> DHCP server to learn the DOTS server information (see the challenges we
> faced in DNS over TLS https://tools.ietf.org/html/rfc8310#section-7.3.1 for
> using DHCP).
> 
> DHCP is not solely inadequate because of the insecurity of DHCP, because
> other DOTS server discovery techniques suffer the same problem that a
> bogus DOTS server might be used by the DOTS client; the specification
> mentions that risk for the gratuitous multicasted DNS for mDNS, but the
> same issue exists with anycast.  
> Of all of them, N-SAPTR is most robust, but
> still suffers from the problem of how one might select or configure the
> domain name; if via DHCP (rather than user-configured or user-confirmed),
> we're back to trusting DHCP.  I would step back and see how we want to
> solve authentication overall for reliable and trustable time servers (NTP or
> TLS date/time or Google's Roughtime
> (https://roughtime.googlesource.com/roughtime).  Specific example, if I can
> authenticate the anycast DOTS server, but I can't authenticate or can't
> authorize with one of the higher-priority Discovery servers (e.g., NAPTR) the
> client should continue using the anycast server.
> 
> The document could be improved by separating how to find servers
> (currently 4 techniques) from how those are authenticated and what
> happens when authentication expires (e.g., server certificate has expired),
> and if existing server should be abandoned if a higher-priority Server
> Discovery happens to learn of a new server.  Are implementations expected
> to re-run their server discovery all the time, or only when a connection dies
> or only when server certificate expires, or .. never?  This stuff is partially
> discussed in Security Considerations, and maybe expanding that would be
> sufficient, but it seems the overall model needs to be discussed earlier --
> that model being that the client is (somehow) given a trust anchor prior to
> joining a network and prior to trying to authenticate its discovered DOTS
> server.
> 
> 
> > For auto discovery the DOTS client can try mDNS or anycast or both to
> reach the DOTS gateway, and the DOTS gateway can try both DNS-SD or
> anycast or both to reach the DOTS server in the ISP network.
> 
> Yeah, a discussion on when or why to re-run discovery seems important for
> the document, at some point -- probably too early now but worth some
> discussion and analysis.
> 
> -d
> 
> 
> 
> >
> > Cheers,
> > -Tiru
> >
> >> -----Original Message-----
> >> From: Dots <dots-bounces@ietf.org> On Behalf Of Dan Wing
> >> Sent: Thursday, December 13, 2018 8:53 AM
> >> To: Roman Danyliw <rdd@cert.org>
> >> Cc: dots@ietf.org
> >> Subject: Re: [Dots] Call for adoption on
> >> draft-boucadair-dots-server-discovery
> >>
> >> This email originated from outside of the organization. Do not click
> >> links or open attachments unless you recognize the sender and know
> >> the content is safe.
> >>
> >> I support adoption of this draft.
> >>
> >> However, I would really encourage the working group to analyze if all
> >> 4 discovery methods are really necessary.  4 mechanisms causes a
> >> bifurcation of products.  It complicates the features of a DOTS
> >> gateway, and raises questions such as "is quality implementation of a
> >> DOTS gateway expected to interoperate amongst the 4 DOTS discovery
> >> mechanisms."  Such interoperation becomes necessary when, say, some
> >> devices won't support
> >> DHCPv6 (Android) but an ISP only supports DHCPv4 & DHCPv6 DOTS
> >> discovery, for example.  There are other examples of incompatible
> >> discovery and how a vendor or an open-source DOTS gateway might try
> >> to overcome such issues with a Discovery Interoperability Feature ...
> >>
> >> -d
> >>
> >>
> >>> On Nov 30, 2018, at 2:21 PM, Roman Danyliw <rdd@cert.org> wrote:
> >>>
> >>> Hello!
> >>>
> >>> This is the start of a two week call for input on the WG adoption of
> >>> the
> >> document:
> >>>
> >>> draft-boucadair-dots-server-discovery
> >>> https://tools.ietf.org/html/draft-boucadair-dots-server-discovery-05
> >>>
> >>> The document has been presented and discussed at IETF 103, IETF 100
> >>> and
> >> IETF 99;  and revisions have been made based on WG feedback.
> >> Discussion of adoption of this draft was previously deferred pending
> >> submission of the signal draft for publication (which occurred in
> September 2018).
> >>>
> >>> At the IETF 103 meeting, there were not many participants who had
> >>> read
> >> the draft.
> >>>
> >>> Please provide feedback to the list/chairs if you believe that this
> >>> document
> >> should be adopted as a WG document.  The adoption call will end on
> >> December 14 2018.
> >>>
> >>> Regards,
> >>> Roman and Frank
> >>>
> >>> _______________________________________________
> >>> Dots mailing list
> >>> Dots@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/dots
> >>
> >> _______________________________________________
> >> Dots mailing list
> >> Dots@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email