IETF Logo Mail Archive

Re: [homenet] naming drafts

Daniel Migault <mglt.ietf@gmail.com> Tue, 15 June 2021 01:58 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A826D3A19B5 for <homenet@ietfa.amsl.com>; Mon, 14 Jun 2021 18:58:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vtog3X4MFNQb for <homenet@ietfa.amsl.com>; Mon, 14 Jun 2021 18:58:06 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C0D83A191C for <homenet@ietf.org>; Mon, 14 Jun 2021 18:58:06 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id o19so10097996qtp.5 for <homenet@ietf.org>; Mon, 14 Jun 2021 18:58:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gFht6uEjJ7TU66ZHhk0PX2m1yx1jF0Wu3ljdWHYh97A=; b=YwvcVGbdU3uSDUNCMWCevc7p4TvRDtTiLg76NUr2sbAwnsk5dkz2XWKCv+l3TY5pTT Q1ym/irzWBbHHFrvCv6JzcVg+eDFdNQM3TWOoFfvzy+ggW6+D+W7M1FbsClTnsAS6jU7 vMjXsNsEVKjydHLfS+vKN3jmI4ajSWXC+v6hruHP98b3VdTrZ21AZ6BHmX0Fq8dGLe0s h1HVnBFh2K41m+oM9xVJ2440wUm7ey1h//CUWTqtHPAnAqvG/d2ByEleI4Ym4yuicfhq 6UPn18H6RvBYXvD2vIx2LEUjgD9f1/4BgSgfYaus00nSq4t7QpMVI9PXrUqNcM3gFbHP OwOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gFht6uEjJ7TU66ZHhk0PX2m1yx1jF0Wu3ljdWHYh97A=; b=NeK0beOarrVbrk3T/On7wlzOf9SaYBYC+4Aec3bxfp/ztUk51i4rWxKO6RQcNve0FX iMv5jyvhgfe6pivmI9D+YZyWlYtfP2cgaoTqTaMn3FGvA8vcdQYICunGKuLaS1uoao9+ 1KDXgnMaLVLi6w11ktKZjBqQW8OWoY0EGDmyck6M2GDRR9Jp05N4dKgUW1Bje3gJFby/ I+CTDGmFtHEKCMC4WfMVKWGy/zOTKtn5tjjGA9AWgTulwXsZ+DR9s1Fbjkbh2wp6Z3s5 Yu+JouLa7tZGjfaFlfL+cCiAEjK+/AXvCvIL2JrLwFQWf9MOl18OYQIIj64FXpUbjFYK 6xFQ==
X-Gm-Message-State: AOAM531vwgfRmRllKhy4mxCvFPHhwW8H2uDpWCyoRW6W7MnWrQa3BwZb Tpp991uHQF05oiauEswVDSliS/lF5d4Rcf4eKjA=
X-Google-Smtp-Source: ABdhPJx5I0zcizA8rzbdrL4b8JwsztM8ZwT7ORjYKT/mNaII9X+4iyq/BQIW6uMGHhR01M1Xh2SocVmR26yh88s26wM=
X-Received: by 2002:ac8:7418:: with SMTP id p24mr19349837qtq.107.1623722284596; Mon, 14 Jun 2021 18:58:04 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR02MB692445CDCA3FD587D20404A2C33B9@DM6PR02MB6924.namprd02.prod.outlook.com> <CACJ6M14zG+Be09+ZLNk651ieNCfR6-jvh706pVSRJU=rJyFwtQ@mail.gmail.com>
In-Reply-To: <CACJ6M14zG+Be09+ZLNk651ieNCfR6-jvh706pVSRJU=rJyFwtQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 14 Jun 2021 21:57:53 -0400
Message-ID: <CADZyTknt7Fdc4peauBWPpowd38S_fp4vZcQtBWQTYGgtC9O84w@mail.gmail.com>
To: Chris Box <chris.box.ietf@gmail.com>
Cc: "homenet@ietf.org" <homenet@ietf.org>, "STARK, BARBARA H" <bs7652@att.com>
Content-Type: multipart/alternative; boundary="000000000000fcbf9305c4c44d66"
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/37Jjy141nukiaDN8OCMkEz9_pFM>
Subject: Re: [homenet] naming drafts
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 01:58:12 -0000

Thank you very much Chris for the review. That was very useful.  I have
updated the two documents according to your reviews. The resulting
architecture document is available here [1] and the resulting DHCP document
is available here [2].

You can also find a more detailed response inline.

Thanks again for the review!

Yours,
Daniel

[1]
https://github.com/ietf-homenet-wg/ietf-homenet-hna/commit/f1cb4c679b8b8f96bdeddcf056cdbe4e80f91c25

[2]
https://github.com/ietf-homenet-wg/front-end-naming-delegation-dhc-options/commit/f4608d0ee2718c7d3747c848b5cbba028653c2e0

On Thu, Jun 10, 2021 at 1:21 PM Chris Box <chris.box.ietf@gmail.com> wrote:

> Hi everyone
>
> I have belatedly reviewed both drafts. I missed the WGLC due to both
> $dayjob and the IETF having a plethora of interesting working groups. But
> still, I hope this feedback is useful
>
> In general, I appreciate the aim of the drafts which I will paraphrase as
> creating a way to automatically and reliably publish a home zone containing
> a number (n) of smart devices. This makes a lot of sense when we know n is
> going to carry on growing, and of course renumbering can be frequent.
>
> My specific feedback is below, organised by section number.
>
> *draft-ietf-homenet-front-end-naming-delegation-15*
> 1 It would be useful if the introductory text in the Abstract also
> appeared here in the Introduction.
>
>

we added the text at the beginning of the introduction


> 1.1 Typos: "humuan" and "addressees "
>

corrected. Thanks.


>
> 3.1 I'd prefer the diagram to be located at the beginning of this section.
>

The figure has been moved at the beginning of the section.


> 4.7 This section should also state, as it does in section 7, that the
> Hidden Primary Server be firewalled such that only the known address range
> of the DMs are permitted to connect to it.
>

Good catch.  Looking at the two sections, it looks these are a little bit
redundant, so rather than repeating the rules I prefered to suggest
firewalling as detailed in section 7.

This basically results by the text below:
"""
Limited exchanges:
: the purpose of the Hidden Primary Server is to synchronize with the DM,
not to serve any zones to end users, or the public Internet.
This results in a limited exchanges (AXFR/IXFR) with a small number of IP
address and such limitations SHOULD be enforced by policies describe din
 {{sec-cpe-sec-policies}}.
"""

>
> 7 I'd prefer not to use the word "packets" when it's really messages that
> we considering. Also in my opinion invalid messages to/from the DM ought to
> be rejected rather than simply dropped.
>
> Here's my suggested version, with changes highlighted in red:
>    The Hidden Primary SHOULD drop any packets arriving on
>    the WAN interface that are not issued from the DM.  The Hidden
>    Primary SHOULD NOT send DNS messages other than DNS NOTIFY query,
>    SOA response, IXFR response or AXFR responses.  The Hidden Primary
>    SHOULD reject any incoming messages other than DNS NOTIFY response, SOA
>    query, IXFR query or AXFR query.  The Hidden Primary SHOULD reject any
>    non protected IXFR or AXFR exchange, depending on how the
>    synchronization is secured.
>
>
My interpretation between drop and reject is that drop does not provide any
response and acts as if the service does not exist while reject allows
responding with an error which in this case indicates the service exists
and has blocked the traffic.

The way we envisioned these policies is enforced by a firewall (as opposed
to the HNA itself) so the intention is to protect the HNA - including
hiding the HNA, in which case dropping seems the most obvious way to
implement these policies.
Now, since the traffic is protected by TLS, the rules associated with the
HNA are more application specific rules, and we can envision that with a
trusted peer, rejection might be more appropriate.

To address your comment I propose to differentiate the DNS rules from what
can be implemented by a firewall and take a large part of the text you
proposed resulting in the following text:

"""
The HNA SHOULD drop any packets arriving on the WAN interface that are not
issued from the DM.

Depending how the communications between the HNA and the DM are secured,
only packets associated to that protocol SHOULD be allowed.



At the DNS level, the HNA SHOULD NOT send DNS messages other than DNS
NOTIFY query, SOA response, IXFR response or AXFR responses.

The HNA SHOULD reject any incoming messages other than DNS NOTIFY response,
SOA query, IXFR query or AXFR query.
"""


> 12 This acknowledges that it's a little risky to publish names of home
> devices publicly, and notes that often it's only the home owner or
> immediate family that ought to be able to query these names. It says that
> limiting ability to query can be done by IP source (IMHO tricky), or VPN.
> To which I think, if the home owner is using a VPN to the home to query the
> public zone, why do we need external publication at all? Some words to
> explain that better might be useful.
>
>
I have added some text to provide some explanations. It is correct that if
all your traffic is redirected in the home network, then there is little
interest in publishing all the names as they will only be accessed
internally. The text was trying to mention that a node may be willing to
set different policies for its traffic. Typically the web traffic is not
tunneled while the traffic to the homenet is tunneled. In this case, the
ability to define which IP address needs to be tunneled and which IP
address does not need to be tunneled requires to have this IP address so to
be able to publicly perform a DNS resolution.   The added text is as
follows:

"""
In such cases, the routing policy is likely to be defined by the
destination IP address.
This IP address potentially results from a DNS resolution over the Internet.
"""
I also added some references to lower the confidence in the security
provided by NSEC3 as well as a reference to draft-ietf-dnsop-nsec3-guidance
to configure appropriately NSEC3.




> *draft-ietf-homenet-naming-architecture-dhc-options-14*
>
> 3 In both American and British English I think the word "collocate" should
> be "colocate" (or alternatively "co-locate").
>
> fixed.

> 3 What exactly is meant by "(eventually by a self signed certificate)"?
>
> I added a reference to the section it is discussed in the architecture
document. The idea is that in some cases such as the reverse zone, TLS is
not necessarily required as the ISP identifies the line. On the other hand,
we wanted to avoid to have different versions of the HNA - let's say a
secure version that uses TLS and a unsecure version that did not use TLS.
As a result, when authentication is not mandatory we prefer the use of a
self signed certificate.


> 4.2 I think the HNA also needs to learn the set of IP addresses that the
> DM might legitimately use in order to contact the HNA, so that these IPs
> can be whitelisted in the CPE's firewall. Simply looking up the FQDN
> doesn't provide that. Should it be added to this DHCP option?
>

This is correct, so the idea is that we could provision a list of IPv4 and
a list of IPv6. However, it seems simpler to only consider the DM FQDN and
let the HNA retrieve the IP addresses from a DNS(SEC) resolution. This is
correct that this provides an additional round trip and a resolution
service to be working. This could be difficult in the case of setting a
resolving service, but in our case, we do not have such issues.


>
>
> Hope that's useful.
>
> Thanks,
> Chris
>
>
> On Fri, 4 Jun 2021 at 20:45, STARK, BARBARA H <bs7652@att.com> wrote:
>
>> Hi homenet WG,
>> Stephen and I have been chatting about the status of the 2 naming drafts
>> (draft-ietf-homenet-front-end-naming-delegation and
>> draft-ietf-homenet-naming-architecture-dhc-options).
>>
>> We started a 3-week WGLC about a month ago (04 May). Both drafts received
>> comprehensive review from Med. Stephen reviewed
>> front-end-naming-delegation. Bernie reviewed the formatting of the DHC
>> option.
>> The authors provided updates to resolve these comments. Bernie
>> acknowledged satisfactory resolution of his comments.
>> Requests to change terminology were satisfactorily resolved -- but that
>> discussion doesn't count as really being part of anyone's review of the
>> drafts.
>> Stephen and Juliusz expressed that they're still not convinced that DDNS
>> isn't a good enough solution for the use case.
>>
>> Stephen and I do not believe these drafts have received enough review or
>> support to put them forward as representing WG consensus.
>>
>> But the authors have spent significant effort in creating these drafts
>> and the associated implementation. We will work with Éric V (as INT area
>> AD) and the authors to determine next steps.
>>
>> Barbara and Stephen
>>
>> _______________________________________________
>> homenet mailing list
>> homenet@ietf.org
>> https://www.ietf.org/mailman/listinfo/homenet
>>
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email