IETF Logo Mail Archive

Re: [homenet] naming drafts

Daniel Migault <mglt.ietf@gmail.com> Tue, 13 July 2021 21:27 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61FEE3A1118 for <homenet@ietfa.amsl.com>; Tue, 13 Jul 2021 14:27:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mBAv75KmLlwG for <homenet@ietfa.amsl.com>; Tue, 13 Jul 2021 14:27:08 -0700 (PDT)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B90603A1116 for <homenet@ietf.org>; Tue, 13 Jul 2021 14:27:08 -0700 (PDT)
Received: by mail-qk1-x731.google.com with SMTP id p202so6747469qka.12 for <homenet@ietf.org>; Tue, 13 Jul 2021 14:27:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=N3C3m3XhE5QiMNx85qzWW8IbkVsUcz+vOA3qDGUhnBw=; b=i3bdSmEFaBBaHhWwhJWbQpCfxWTy+dNGf7Re1x+9eV9PSHdLGtMZUTPs8UPY/gSLcX Wt/doIAlkJ+VsMBIhU2sRxETeYMKU951cBlWpQz9X7dI7LoybTdCwLcfLGQCEcLrTpD1 4N/c7HWdCB0nbJK114/a43FKQr5IyCMtc1h1/iyvmvotmVG09+gsaBru+y763V3qYjJo uk2nbsQaoHQX4TMGW5mm4zQrj/vdWDZd7S8L+MEhVy1ZROrNCQtd+vgRqHa2WtheeNeU 3cEs/igkqj8zT9x6SGI2UROWyaYrqZ0+d0V5xxMgL2pWugv6ePrUM1O0JBPs1buzPi/N EaFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=N3C3m3XhE5QiMNx85qzWW8IbkVsUcz+vOA3qDGUhnBw=; b=QMbWnYwH0B0xlSyZkNGLK4lMg74OyrxwLZzXejOF+zt7/xPKIrxJEQ6a8GfnwJghim tF6/oE/bjnQ8VR5C/DsckvNIjQlrYDYlGfDYcrAmCHbJJ7TspS46OpruNi8a+JDG11da 3gAkslhEnE1yj5KJFhjnI0dp8djuiXUxdKEHCdo6cr+lLw3cBsUDXQBSkYNih0V42ooO uBA/FoRkAGtSowK0DkBv+DYdPN9Oj0Qm1QyLkKMyTQcEWptQVzLq8TN/++BYVPAdJm2e c5qvRLKpwPh7sCxVzG2NvT3ioqkoOZT+MZK4nCirq7+YUZK3Y7XACJs3I7JhnNkP/D1e wmUA==
X-Gm-Message-State: AOAM533fdi0pOL8Q3HGhw0hv5Ds8nt2u3M95+6M1tCmLxpRGymCbu2VB HaT+OSVDYc6x2LNflAVaj1R2rdQsmBfvfwlJ35E=
X-Google-Smtp-Source: ABdhPJxgEYdfqfLDTFpA4pnuqvp3MUXN1ms19oZfxgHplwAKLbwszjFzYOwivPDYTvcNPtNUbq5w+MI7Q/7UTzFI518=
X-Received: by 2002:a05:620a:4110:: with SMTP id j16mr6166073qko.37.1626211626219; Tue, 13 Jul 2021 14:27:06 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR02MB692445CDCA3FD587D20404A2C33B9@DM6PR02MB6924.namprd02.prod.outlook.com> <CACJ6M14zG+Be09+ZLNk651ieNCfR6-jvh706pVSRJU=rJyFwtQ@mail.gmail.com> <CADZyTknt7Fdc4peauBWPpowd38S_fp4vZcQtBWQTYGgtC9O84w@mail.gmail.com> <CACJ6M14Um0FJSGU80WQ-EcTp4UuU3V_eU=LqAeT_hxUhREia=A@mail.gmail.com> <CADZyTk=MR=xJBvNxJkHAvQTjxtd6=23c0_Eph0w5CjeJ=OpsPg@mail.gmail.com> <CACJ6M14ur1y_3mD0ohubcO+fHv=A0HoPVzmnpx8=HRF1iR=sGQ@mail.gmail.com>
In-Reply-To: <CACJ6M14ur1y_3mD0ohubcO+fHv=A0HoPVzmnpx8=HRF1iR=sGQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 13 Jul 2021 17:26:54 -0400
Message-ID: <CADZyTknvfbL6=JhQMH0pFYgp=ub_ejvhXAZEcjFS=d_aLu4GWw@mail.gmail.com>
To: Chris Box <chris.box.ietf@gmail.com>
Cc: "homenet@ietf.org" <homenet@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004f7dfb05c707e6bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/5h8eNF2WQVZbvhpCbc7OHuIzeRo>
Subject: Re: [homenet] naming drafts
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 21:27:12 -0000

Hi,

Thanks for the follow up Chris. I apologize for the delay.

Yours,
Daniel

On Tue, Jun 22, 2021 at 12:31 PM Chris Box <chris.box.ietf@gmail.com> wrote:

> Daniel,
>
> On Wed, 16 Jun 2021 at 01:27, Daniel Migault <mglt.ietf@gmail.com> wrote:
>
>>
>>> The HNA SHOULD drop any packets arriving on the WAN interface that are
>>>> not issued from the DM.
>>>>
>>>>
>>>> Depending how the communications between the HNA and the DM are
>>>> secured, only packets associated to that protocol SHOULD be allowed.
>>>>
>>>>
>>> The separation looks good, but I'd like to tweak the second paragraph.
>>> By "only packets associated to that protocol" do you mean destination port
>>> filtering?
>>>
>>
>> To me IP and port filtering are implemented by the previous line. "only
>> packets associated with that protocol" to me means that only TLS packets
>> are allowed.   The reason we are not mentioning TLS explicitly is that
>> other protocols may be used.
>>
>
> Ah, I see, so this is about the payload of the packets. But surely
> intelligent validation of the incoming packets is always going to happen?
> This is a key property of any security protocol.
> If the DM is listening on TCP 443, and the incoming packet is not a TLS
> Client Hello that it is happy with, it'll get ignored.
> If the DM is listening on UDP 500, and the incoming packet is not an
> IKE_SA_INIT that it is happy with, it'll get ignored.
>
> So I'm not disagreeing with you, I'm just questioning whether the sentence
> is needed. I don't really mind if it stays.
>
This may not be necessary, but the reason I would prefer to keep it is to
head up that additional checks - when possible - may be performed in
addition to port filtering. So unless you have a strong preference, I would
prefer to keep this additional check that could be performed by the
terminating node or a firewall.

>
>
>>
>>> I'm not concerned about the additional round trip. I was more concerned
>>> that the DM could be implemented as a frontend/backend architecture. The
>>> FQDN would resolve to the front end, and this is likely to be a small list
>>> of addresses, or even a single address. But the backend servers would have
>>> distinct, different addresses. Connections from the DM to the HNA might be
>>> initiated from the backend. If the HNA only looked up the FQDN, it would
>>> drop legitimate connections. This suggests we need a way to inform the HNA
>>> of the set of legitimate source addresses.
>>>
>>>
> What did you think of this last point?
>

I see your point.   The architecture document envisioned this case by
specifying the dm_acl parameter in the informative section 14.
We did not include it into the DHCP option as we were requested to
implement the simplest use case that is envisioned. My understanding was
that DHCP Options had some history where complex options had been designed
but hardly used.
That said, if that is something you believe is really needed, we may bring
this discussion and add this parameter to the current DHCP Options. It
still represents a minor change as already considered in the architecture
document.

Another alternative may also consider adding an extension so the acl may be
negotiated through the control channel, which I see more scalable than
designing large DHCP options. At that point, I would rather keep the
architecture as it is a let such option for future work - though fairly
easy to set.




> Chris
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email