IETF Logo Mail Archive

Re: [dtn] Important side issues from ACME Node ID Validation draft

"R. Atkinson" <rja.lists@gmail.com> Wed, 11 August 2021 15:20 UTC

Return-Path: <rja.lists@gmail.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A76763A19FF for <dtn@ietfa.amsl.com>; Wed, 11 Aug 2021 08:20:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y4xlZlTuCkq8 for <dtn@ietfa.amsl.com>; Wed, 11 Aug 2021 08:20:38 -0700 (PDT)
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7148A3A19FC for <dtn@ietf.org>; Wed, 11 Aug 2021 08:20:38 -0700 (PDT)
Received: by mail-qk1-x729.google.com with SMTP id t66so2808860qkb.0 for <dtn@ietf.org>; Wed, 11 Aug 2021 08:20:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=VWzvWnPl6sHzij8JAAFtZJWRiBcPdAm7j8WzysLFo8A=; b=SSEMwc8azQF88nG6VSGoJfZ73aPJQ3n1KWAVfQeO56Bde2jqvXUL6CFIy0AZes941s NmWVQt5tAb9GESVXk4cOmXMX9mMYYEyOZ+z1Nj0g57IzNT9XuuHFNaCXUvQrnJn7n/Fo dSXFBu9uw19j+1b/AhD6I1Wi8BELJ+7hi7e5h1Z+H4ikE3IaFiaQ6h9fJv/poew20hGq ejVHOjk0xk16gQxkpQaH9fIyBImIJjjxGrWANO6HDv6df4jRznhaMp/I5+nir94vpukv 7NCvf7NXeBRY7KzYKNIV4Z74/mlO/CCwzBU5RdkIjvQEQoODk8c43x5kkbbzdMQexJy+ 8MZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=VWzvWnPl6sHzij8JAAFtZJWRiBcPdAm7j8WzysLFo8A=; b=LNxB+HLE9vxbYVRUMfTOmQPb76zLPq49tsOExHjeWIWnA3chv/yx0FYBneumfwiak3 WKUxWn9kg3HbpqJytT7MHWszZsdaGju4N/lpgaVaZwYIbqJL/cqxwYv8jbiDVpiCL8Ii Y6WXadutwrBpwV0HEknpCEYp49x826pzOJV6525AWlIgCtS5cfEOB7a3CWDNe6scP0FF F5XzGBhuLVnA/kl4e0HArXCQp3Bt92JY0WmzXvsplE301/39WM5H0NJsKhFJtvMiE/O+ tpcjgA6IaS9e5meo5SobqLz2+TKZEX6gmO/O6I+BLGb/5YIe8izOgSNVsICYh20HZILT uqog==
X-Gm-Message-State: AOAM533uEL7mYBTgjmKp0s//fAPQQ1kMM2i9GKYXk3Onha03lEVe7fBX kmSOc06iGSIiexh/4kipIQZMXiTz9g8=
X-Google-Smtp-Source: ABdhPJxwJwD1CK9KfVGRmTCiekgeYyU8O3DsTdHRPvmWxpqUCE5dgKRroCNGww6As1nhEL0lbxTDmQ==
X-Received: by 2002:a37:9bc3:: with SMTP id d186mr17564291qke.106.1628695235860; Wed, 11 Aug 2021 08:20:35 -0700 (PDT)
Received: from smtpclient.apple (pool-108-28-124-100.washdc.fios.verizon.net. [108.28.124.100]) by smtp.gmail.com with ESMTPSA id 23sm12966612qkh.97.2021.08.11.08.20.35 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Aug 2021 08:20:35 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: "R. Atkinson" <rja.lists@gmail.com>
In-Reply-To: <CH2PR13MB35583FF57B027B71BCE2FCAB9FE89@CH2PR13MB3558.namprd13.prod.outlook.com>
Date: Wed, 11 Aug 2021 11:20:34 -0400
Cc: "dtn@ietf.org" <dtn@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CD0FA713-E227-4C9B-A691-54E8127ABE41@gmail.com>
References: <CH2PR13MB35583FF57B027B71BCE2FCAB9FE89@CH2PR13MB3558.namprd13.prod.outlook.com>
To: Brian Sipos <BSipos@rkf-eng.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/pbSjpD7385f7C4eZiC_G4nrL_7g>
Subject: Re: [dtn] Important side issues from ACME Node ID Validation draft
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Aug 2021 15:20:44 -0000


> On Jul 26, 2021, at 21:04, Brian Sipos <BSipos@rkf-eng.com> wrote:
> 
> The second issue is unfortunately more technical; the "dtn" URI scheme has been set in stone and is already in use, but the PKIX profile in [4] specifically requires that when any SAN URI which includes an authority part (the "dtn" scheme does, it is the node name) that authority is either a DNS name or IP address. And we know that a Node ID is _not_ going to contain a network-level name but some other name. This technically breaks the profile in [5] as well as [2], which both use SAN URI as Node ID authentication. Because neither RFC5280 nor RFC6125 require to dereference the SAN URI and the DTN PKIX profiles explicitly avoid the URI-ID definition of RFC6125, the only risk is really that some application may inadvertently try to DNS probe the node name (or something like that). I don't yet know how much of a blocking issue this will be, and it's unfortunate that it wasn't noticed earlier.

Brian,

DNS Operations folks consider “noise” DNS queries (such as an application trying to use DNS to resolve the node name or something similar) to be a significant operational challenge — because the volume of “noise” DNS queries already is high.

I imagine the DNS Operations folks would be greatly unhappy at the prospect of the DTN URI scheme being the cause of additional “noise” DNS queries.

A prospective change would be to update the PKIX profile in [4] to make clear that a dtn URI is neither a DNS name nor an IP address - ever.

In short, this looks like a real-world operational problem that will need _some_ form of solution, even if different from the prospective change I outlined just above.

Yours,

Ran

v2.23.0 | Report a Bug | By Email