[hiprg] comments on draft-irtf-hiprg-proxies-02

"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Mon, 28 March 2011 18:39 UTC

Return-Path: <thomas.r.henderson@boeing.com>
X-Original-To: hiprg@core3.amsl.com
Delivered-To: hiprg@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 1031A3A68E0 for <hiprg@core3.amsl.com>; Mon, 28 Mar 2011 11:39:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.07
X-Spam-Status: No, score=-106.07 tagged_above=-999 required=5 tests=[AWL=-0.270, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_SUB_RAND_LETTRS4=0.799, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id yUrDSJ26cl3h for <hiprg@core3.amsl.com>; Mon, 28 Mar 2011 11:39:05 -0700 (PDT)
Received: from blv-smtpout-01.boeing.com (blv-smtpout-01.boeing.com []) by core3.amsl.com (Postfix) with ESMTP id 4F7873A67D6 for <hiprg@irtf.org>; Mon, 28 Mar 2011 11:39:05 -0700 (PDT)
Received: from blv-av-01.boeing.com (blv-av-01.boeing.com []) by blv-smtpout-01.ns.cs.boeing.com (8.14.4/8.14.4/8.14.4/SMTPOUT) with ESMTP id p2SIeYPm011703 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 28 Mar 2011 11:40:34 -0700 (PDT)
Received: from blv-av-01.boeing.com (localhost []) by blv-av-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_RELAY) with ESMTP id p2SIeYn3004014; Mon, 28 Mar 2011 11:40:34 -0700 (PDT)
Received: from XCH-NWHT-03.nw.nos.boeing.com (xch-nwht-03.nw.nos.boeing.com []) by blv-av-01.boeing.com (8.14.4/8.14.4/UPSTREAM_RELAY) with ESMTP id p2SIeYkt004007 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Mon, 28 Mar 2011 11:40:34 -0700 (PDT)
Received: from XCH-NW-10V.nw.nos.boeing.com ([]) by XCH-NWHT-03.nw.nos.boeing.com ([]) with mapi; Mon, 28 Mar 2011 11:40:33 -0700
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "'Dacheng Zhang'" <zhangdacheng@huawei.com>, "'???'" <xuxh@huawei.com>, "shenshuo@cnnic.cn" <shenshuo@cnnic.cn>
Date: Mon, 28 Mar 2011 11:40:33 -0700
Thread-Topic: comments on draft-irtf-hiprg-proxies-02
Thread-Index: Acvtd50Td7prmPSyR3KTVBFI/v+ZBg==
Message-ID: <7CC566635CFE364D87DC5803D4712A6C4CED25B07C@XCH-NW-10V.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "hiprg@irtf.org" <hiprg@irtf.org>
Subject: [hiprg] comments on draft-irtf-hiprg-proxies-02
X-BeenThere: hiprg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Host Identity Protocol \(HIP\) Research Group" <hiprg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/listinfo/hiprg>, <mailto:hiprg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/hiprg>
List-Post: <mailto:hiprg@irtf.org>
List-Help: <mailto:hiprg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hiprg>, <mailto:hiprg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2011 18:39:06 -0000

Dacheng and all,
I reviewed this draft and I believe the presentation and terminology is much improved from the previous version.  I can provide editorial comments separately.  The terminology section in Section 2 needs to be completed more fully.  Another term that is used frequently in the draft but is not completely clear to me is "DNS lookup inspector" (is this a resolver?).  

I do not have a specific text suggestion for this but I would suggest also in the security considerations section to talk about considerations for DI-proxy types in the DNS intercepting aspects of the configuration.  Earlier in the draft, you brought up the problems with DNSSEC, but are there also security concerns introduced by having a DNS intercepting proxy involved in general (is a host more exposed to DNS-related attacks)?

- Tom