Re: [homenet] naming drafts
Daniel Migault <mglt.ietf@gmail.com> Tue, 15 June 2021 01:58 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A826D3A19B5 for <homenet@ietfa.amsl.com>; Mon, 14 Jun 2021 18:58:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vtog3X4MFNQb for <homenet@ietfa.amsl.com>; Mon, 14 Jun 2021 18:58:06 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C0D83A191C for <homenet@ietf.org>; Mon, 14 Jun 2021 18:58:06 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id o19so10097996qtp.5 for <homenet@ietf.org>; Mon, 14 Jun 2021 18:58:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gFht6uEjJ7TU66ZHhk0PX2m1yx1jF0Wu3ljdWHYh97A=; b=YwvcVGbdU3uSDUNCMWCevc7p4TvRDtTiLg76NUr2sbAwnsk5dkz2XWKCv+l3TY5pTT Q1ym/irzWBbHHFrvCv6JzcVg+eDFdNQM3TWOoFfvzy+ggW6+D+W7M1FbsClTnsAS6jU7 vMjXsNsEVKjydHLfS+vKN3jmI4ajSWXC+v6hruHP98b3VdTrZ21AZ6BHmX0Fq8dGLe0s h1HVnBFh2K41m+oM9xVJ2440wUm7ey1h//CUWTqtHPAnAqvG/d2ByEleI4Ym4yuicfhq 6UPn18H6RvBYXvD2vIx2LEUjgD9f1/4BgSgfYaus00nSq4t7QpMVI9PXrUqNcM3gFbHP OwOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gFht6uEjJ7TU66ZHhk0PX2m1yx1jF0Wu3ljdWHYh97A=; b=NeK0beOarrVbrk3T/On7wlzOf9SaYBYC+4Aec3bxfp/ztUk51i4rWxKO6RQcNve0FX iMv5jyvhgfe6pivmI9D+YZyWlYtfP2cgaoTqTaMn3FGvA8vcdQYICunGKuLaS1uoao9+ 1KDXgnMaLVLi6w11ktKZjBqQW8OWoY0EGDmyck6M2GDRR9Jp05N4dKgUW1Bje3gJFby/ I+CTDGmFtHEKCMC4WfMVKWGy/zOTKtn5tjjGA9AWgTulwXsZ+DR9s1Fbjkbh2wp6Z3s5 Yu+JouLa7tZGjfaFlfL+cCiAEjK+/AXvCvIL2JrLwFQWf9MOl18OYQIIj64FXpUbjFYK 6xFQ==
X-Gm-Message-State: AOAM531vwgfRmRllKhy4mxCvFPHhwW8H2uDpWCyoRW6W7MnWrQa3BwZb Tpp991uHQF05oiauEswVDSliS/lF5d4Rcf4eKjA=
X-Google-Smtp-Source: ABdhPJx5I0zcizA8rzbdrL4b8JwsztM8ZwT7ORjYKT/mNaII9X+4iyq/BQIW6uMGHhR01M1Xh2SocVmR26yh88s26wM=
X-Received: by 2002:ac8:7418:: with SMTP id p24mr19349837qtq.107.1623722284596; Mon, 14 Jun 2021 18:58:04 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR02MB692445CDCA3FD587D20404A2C33B9@DM6PR02MB6924.namprd02.prod.outlook.com> <CACJ6M14zG+Be09+ZLNk651ieNCfR6-jvh706pVSRJU=rJyFwtQ@mail.gmail.com>
In-Reply-To: <CACJ6M14zG+Be09+ZLNk651ieNCfR6-jvh706pVSRJU=rJyFwtQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 14 Jun 2021 21:57:53 -0400
Message-ID: <CADZyTknt7Fdc4peauBWPpowd38S_fp4vZcQtBWQTYGgtC9O84w@mail.gmail.com>
To: Chris Box <chris.box.ietf@gmail.com>
Cc: "homenet@ietf.org" <homenet@ietf.org>, "STARK, BARBARA H" <bs7652@att.com>
Content-Type: multipart/alternative; boundary="000000000000fcbf9305c4c44d66"
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/37Jjy141nukiaDN8OCMkEz9_pFM>
Subject: Re: [homenet] naming drafts
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 01:58:12 -0000
Thank you very much Chris for the review. That was very useful. I have updated the two documents according to your reviews. The resulting architecture document is available here [1] and the resulting DHCP document is available here [2]. You can also find a more detailed response inline. Thanks again for the review! Yours, Daniel [1] https://github.com/ietf-homenet-wg/ietf-homenet-hna/commit/f1cb4c679b8b8f96bdeddcf056cdbe4e80f91c25 [2] https://github.com/ietf-homenet-wg/front-end-naming-delegation-dhc-options/commit/f4608d0ee2718c7d3747c848b5cbba028653c2e0 On Thu, Jun 10, 2021 at 1:21 PM Chris Box <chris.box.ietf@gmail.com> wrote: > Hi everyone > > I have belatedly reviewed both drafts. I missed the WGLC due to both > $dayjob and the IETF having a plethora of interesting working groups. But > still, I hope this feedback is useful > > In general, I appreciate the aim of the drafts which I will paraphrase as > creating a way to automatically and reliably publish a home zone containing > a number (n) of smart devices. This makes a lot of sense when we know n is > going to carry on growing, and of course renumbering can be frequent. > > My specific feedback is below, organised by section number. > > *draft-ietf-homenet-front-end-naming-delegation-15* > 1 It would be useful if the introductory text in the Abstract also > appeared here in the Introduction. > > we added the text at the beginning of the introduction > 1.1 Typos: "humuan" and "addressees " > corrected. Thanks. > > 3.1 I'd prefer the diagram to be located at the beginning of this section. > The figure has been moved at the beginning of the section. > 4.7 This section should also state, as it does in section 7, that the > Hidden Primary Server be firewalled such that only the known address range > of the DMs are permitted to connect to it. > Good catch. Looking at the two sections, it looks these are a little bit redundant, so rather than repeating the rules I prefered to suggest firewalling as detailed in section 7. This basically results by the text below: """ Limited exchanges: : the purpose of the Hidden Primary Server is to synchronize with the DM, not to serve any zones to end users, or the public Internet. This results in a limited exchanges (AXFR/IXFR) with a small number of IP address and such limitations SHOULD be enforced by policies describe din {{sec-cpe-sec-policies}}. """ > > 7 I'd prefer not to use the word "packets" when it's really messages that > we considering. Also in my opinion invalid messages to/from the DM ought to > be rejected rather than simply dropped. > > Here's my suggested version, with changes highlighted in red: > The Hidden Primary SHOULD drop any packets arriving on > the WAN interface that are not issued from the DM. The Hidden > Primary SHOULD NOT send DNS messages other than DNS NOTIFY query, > SOA response, IXFR response or AXFR responses. The Hidden Primary > SHOULD reject any incoming messages other than DNS NOTIFY response, SOA > query, IXFR query or AXFR query. The Hidden Primary SHOULD reject any > non protected IXFR or AXFR exchange, depending on how the > synchronization is secured. > > My interpretation between drop and reject is that drop does not provide any response and acts as if the service does not exist while reject allows responding with an error which in this case indicates the service exists and has blocked the traffic. The way we envisioned these policies is enforced by a firewall (as opposed to the HNA itself) so the intention is to protect the HNA - including hiding the HNA, in which case dropping seems the most obvious way to implement these policies. Now, since the traffic is protected by TLS, the rules associated with the HNA are more application specific rules, and we can envision that with a trusted peer, rejection might be more appropriate. To address your comment I propose to differentiate the DNS rules from what can be implemented by a firewall and take a large part of the text you proposed resulting in the following text: """ The HNA SHOULD drop any packets arriving on the WAN interface that are not issued from the DM. Depending how the communications between the HNA and the DM are secured, only packets associated to that protocol SHOULD be allowed. At the DNS level, the HNA SHOULD NOT send DNS messages other than DNS NOTIFY query, SOA response, IXFR response or AXFR responses. The HNA SHOULD reject any incoming messages other than DNS NOTIFY response, SOA query, IXFR query or AXFR query. """ > 12 This acknowledges that it's a little risky to publish names of home > devices publicly, and notes that often it's only the home owner or > immediate family that ought to be able to query these names. It says that > limiting ability to query can be done by IP source (IMHO tricky), or VPN. > To which I think, if the home owner is using a VPN to the home to query the > public zone, why do we need external publication at all? Some words to > explain that better might be useful. > > I have added some text to provide some explanations. It is correct that if all your traffic is redirected in the home network, then there is little interest in publishing all the names as they will only be accessed internally. The text was trying to mention that a node may be willing to set different policies for its traffic. Typically the web traffic is not tunneled while the traffic to the homenet is tunneled. In this case, the ability to define which IP address needs to be tunneled and which IP address does not need to be tunneled requires to have this IP address so to be able to publicly perform a DNS resolution. The added text is as follows: """ In such cases, the routing policy is likely to be defined by the destination IP address. This IP address potentially results from a DNS resolution over the Internet. """ I also added some references to lower the confidence in the security provided by NSEC3 as well as a reference to draft-ietf-dnsop-nsec3-guidance to configure appropriately NSEC3. > *draft-ietf-homenet-naming-architecture-dhc-options-14* > > 3 In both American and British English I think the word "collocate" should > be "colocate" (or alternatively "co-locate"). > > fixed. > 3 What exactly is meant by "(eventually by a self signed certificate)"? > > I added a reference to the section it is discussed in the architecture document. The idea is that in some cases such as the reverse zone, TLS is not necessarily required as the ISP identifies the line. On the other hand, we wanted to avoid to have different versions of the HNA - let's say a secure version that uses TLS and a unsecure version that did not use TLS. As a result, when authentication is not mandatory we prefer the use of a self signed certificate. > 4.2 I think the HNA also needs to learn the set of IP addresses that the > DM might legitimately use in order to contact the HNA, so that these IPs > can be whitelisted in the CPE's firewall. Simply looking up the FQDN > doesn't provide that. Should it be added to this DHCP option? > This is correct, so the idea is that we could provision a list of IPv4 and a list of IPv6. However, it seems simpler to only consider the DM FQDN and let the HNA retrieve the IP addresses from a DNS(SEC) resolution. This is correct that this provides an additional round trip and a resolution service to be working. This could be difficult in the case of setting a resolving service, but in our case, we do not have such issues. > > > Hope that's useful. > > Thanks, > Chris > > > On Fri, 4 Jun 2021 at 20:45, STARK, BARBARA H <bs7652@att.com> wrote: > >> Hi homenet WG, >> Stephen and I have been chatting about the status of the 2 naming drafts >> (draft-ietf-homenet-front-end-naming-delegation and >> draft-ietf-homenet-naming-architecture-dhc-options). >> >> We started a 3-week WGLC about a month ago (04 May). Both drafts received >> comprehensive review from Med. Stephen reviewed >> front-end-naming-delegation. Bernie reviewed the formatting of the DHC >> option. >> The authors provided updates to resolve these comments. Bernie >> acknowledged satisfactory resolution of his comments. >> Requests to change terminology were satisfactorily resolved -- but that >> discussion doesn't count as really being part of anyone's review of the >> drafts. >> Stephen and Juliusz expressed that they're still not convinced that DDNS >> isn't a good enough solution for the use case. >> >> Stephen and I do not believe these drafts have received enough review or >> support to put them forward as representing WG consensus. >> >> But the authors have spent significant effort in creating these drafts >> and the associated implementation. We will work with Éric V (as INT area >> AD) and the authors to determine next steps. >> >> Barbara and Stephen >> >> _______________________________________________ >> homenet mailing list >> homenet@ietf.org >> https://www.ietf.org/mailman/listinfo/homenet >> > _______________________________________________ > homenet mailing list > homenet@ietf.org > https://www.ietf.org/mailman/listinfo/homenet > -- Daniel Migault Ericsson
- [homenet] naming drafts STARK, BARBARA H
- Re: [homenet] naming drafts Michael Richardson
- Re: [homenet] naming drafts Juliusz Chroboczek
- Re: [homenet] naming drafts Michael Richardson
- Re: [homenet] naming drafts Stephen Farrell
- Re: [homenet] naming drafts Michael Richardson
- Re: [homenet] naming drafts Ray Hunter (v6ops)
- Re: [homenet] naming drafts Stephen Farrell
- Re: [homenet] naming drafts Juliusz Chroboczek
- Re: [homenet] naming drafts Daniel Migault
- Re: [homenet] naming drafts Stephen Farrell
- Re: [homenet] naming drafts Michael Richardson
- Re: [homenet] naming drafts Daniel Migault
- Re: [homenet] naming drafts Michael Richardson
- Re: [homenet] naming drafts Chris Box
- Re: [homenet] naming drafts Daniel Migault
- Re: [homenet] naming drafts Chris Box
- Re: [homenet] naming drafts Daniel Migault
- Re: [homenet] naming drafts Chris Box
- Re: [homenet] naming drafts Daniel Migault
- Re: [homenet] naming drafts Eric Vyncke (evyncke)
- Re: [homenet] naming drafts Eric Vyncke (evyncke)
- Re: [homenet] naming drafts Daniel Migault
- Re: [homenet] naming drafts Michael Richardson
- Re: [homenet] naming drafts Kiran M
- Re: [homenet] naming drafts Daniel Migault