IETF Logo Mail Archive

Re: [homenet] naming drafts

Chris Box <chris.box.ietf@gmail.com> Tue, 15 June 2021 17:10 UTC

Return-Path: <chris.box.ietf@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7165C3A3713 for <homenet@ietfa.amsl.com>; Tue, 15 Jun 2021 10:10:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ysQT6hkBD-s6 for <homenet@ietfa.amsl.com>; Tue, 15 Jun 2021 10:10:54 -0700 (PDT)
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61B013A36F9 for <homenet@ietf.org>; Tue, 15 Jun 2021 10:10:54 -0700 (PDT)
Received: by mail-qk1-x72e.google.com with SMTP id j62so28932073qke.10 for <homenet@ietf.org>; Tue, 15 Jun 2021 10:10:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Zl8usU13PRXbmHS4MCz/vpQRnAkLAKjzTZf6i3Z+Xvk=; b=n3T5839qM9IbmMghPLb55+KdY0kBANtP9vlgG/f/SvQK44TViNapFYxo5MnHE/aNUz ChkVJUsOmaAS0/5ihlLjvVKcWbnipUojcA3APvIKmvz6J/v90VAwoklRNobe6I+bTy5L a7jJi02YLtFa9i3hKuW4dfIqm3gZ1KI88Ir6PB//a+T49WonCaizI3F0zOejguL8AKS3 Ljc6evgdMR+qCgOni/jVUD8o0jbZPJMaFRyklJsWqCHCgwNu+U/cuP2oNG2SQEM/NNND XIHpKh4NX7II3pVpdIZH1z/1X6FSUWFBzcjA/xQeMsmZT8yRTPu6lYvyrXmGCH6qehNN BXow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Zl8usU13PRXbmHS4MCz/vpQRnAkLAKjzTZf6i3Z+Xvk=; b=h+vOehZ5iBGJ7WbuPO6iHv1HU1TstrMHtt73Ymv30hjmPs6vBwlxodwelN7ELnSwUg 0XIEd4WgSD4OeKloorzE9yDJvPyvfMKnl1L9oEScH9h1xn8nnKVtDmfL75buOcR5O6Nq V/EofY0PXzigt5Qx5R4XAMNU5HzvqQENMWzVYC3uovLcRcQyl2zPxrneSe1kan4Y9Mga AbnGipJYY51E5leX3sfVtWlqADoH8EJQnBbyNXR459isUhxPyehqWyl1In5c/MosZeTK Eq+l3aC17fKs5YBplvsSzZ+gDF3b2XPUYkZgaggAlLZXhynqv8EfsJIkvpQ6aSTpGg03 cDMg==
X-Gm-Message-State: AOAM532cd1o1vnDzeOtx1I5ngJ65AOIsGQamCgktdysVvx7+Q5mNo6De xb0RRwlBm2aVaGwwa6kFg9Wb8i2niPokfjkgxnwot9W5yDY=
X-Google-Smtp-Source: ABdhPJwi6W4fHMb/973LaE5OVdp/C6h/VhJskamSlATJ0VhUazSjGeLMil4x5SyjilJJLpwTo4sL/KttsLGIDwLaR6Q=
X-Received: by 2002:a37:a115:: with SMTP id k21mr655251qke.255.1623777052208; Tue, 15 Jun 2021 10:10:52 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR02MB692445CDCA3FD587D20404A2C33B9@DM6PR02MB6924.namprd02.prod.outlook.com> <CACJ6M14zG+Be09+ZLNk651ieNCfR6-jvh706pVSRJU=rJyFwtQ@mail.gmail.com> <CADZyTknt7Fdc4peauBWPpowd38S_fp4vZcQtBWQTYGgtC9O84w@mail.gmail.com>
In-Reply-To: <CADZyTknt7Fdc4peauBWPpowd38S_fp4vZcQtBWQTYGgtC9O84w@mail.gmail.com>
From: Chris Box <chris.box.ietf@gmail.com>
Date: Tue, 15 Jun 2021 18:10:40 +0100
Message-ID: <CACJ6M14Um0FJSGU80WQ-EcTp4UuU3V_eU=LqAeT_hxUhREia=A@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: "homenet@ietf.org" <homenet@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000064329305c4d10ed8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/Dikz4uyVf79RkFm00-x9gOgXC6o>
Subject: Re: [homenet] naming drafts
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 17:11:04 -0000

Hi Daniel.  Responses inline below.

On Tue, 15 Jun 2021 at 02:58, Daniel Migault <mglt.ietf@gmail.com> wrote:

>
>>
> """
> Limited exchanges:
> : the purpose of the Hidden Primary Server is to synchronize with the DM,
> not to serve any zones to end users, or the public Internet.
> This results in a limited exchanges (AXFR/IXFR) with a small number of IP
> address and such limitations SHOULD be enforced by policies describe din
>  {{sec-cpe-sec-policies}}.
> """
>

I'm happy with that.


> 7 I'd prefer not to use the word "packets" when it's really messages that
>> we considering. Also in my opinion invalid messages to/from the DM ought to
>> be rejected rather than simply dropped.
>>
>> Here's my suggested version, with changes highlighted in red:
>>    The Hidden Primary SHOULD drop any packets arriving on
>>    the WAN interface that are not issued from the DM.  The Hidden
>>    Primary SHOULD NOT send DNS messages other than DNS NOTIFY query,
>>    SOA response, IXFR response or AXFR responses.  The Hidden Primary
>>    SHOULD reject any incoming messages other than DNS NOTIFY response,
>> SOA
>>    query, IXFR query or AXFR query.  The Hidden Primary SHOULD reject any
>>    non protected IXFR or AXFR exchange, depending on how the
>>    synchronization is secured.
>>
>>
> My interpretation between drop and reject is that drop does not provide
> any response and acts as if the service does not exist while reject allows
> responding with an error which in this case indicates the service exists
> and has blocked the traffic.
>

I have the same interpretation.


> The way we envisioned these policies is enforced by a firewall (as opposed
> to the HNA itself) so the intention is to protect the HNA - including
> hiding the HNA, in which case dropping seems the most obvious way to
> implement these policies.
> Now, since the traffic is protected by TLS, the rules associated with the
> HNA are more application specific rules, and we can envision that with a
> trusted peer, rejection might be more appropriate.
>

Agree, rejection is better when the trusted peer sends an invalid message.


>
> To address your comment I propose to differentiate the DNS rules from what
> can be implemented by a firewall and take a large part of the text you
> proposed resulting in the following text:
>
> """
> The HNA SHOULD drop any packets arriving on the WAN interface that are
> not issued from the DM.
>
> Depending how the communications between the HNA and the DM are secured,
> only packets associated to that protocol SHOULD be allowed.
>
>
>
>
> At the DNS level, the HNA SHOULD NOT send DNS messages other than DNS
> NOTIFY query, SOA response, IXFR response or AXFR responses.
>
> The HNA SHOULD reject any incoming messages other than DNS NOTIFY
> response, SOA query, IXFR query or AXFR query.
> """
>

The separation looks good, but I'd like to tweak the second paragraph. By
"only packets associated to that protocol" do you mean destination port
filtering?

12 This acknowledges that it's a little risky to publish names of home
>> devices publicly, and notes that often it's only the home owner or
>> immediate family that ought to be able to query these names. It says that
>> limiting ability to query can be done by IP source (IMHO tricky), or VPN.
>> To which I think, if the home owner is using a VPN to the home to query the
>> public zone, why do we need external publication at all? Some words to
>> explain that better might be useful.
>>
>>
> I have added some text to provide some explanations. It is correct that if
> all your traffic is redirected in the home network, then there is little
> interest in publishing all the names as they will only be accessed
> internally. The text was trying to mention that a node may be willing to
> set different policies for its traffic. Typically the web traffic is not
> tunneled while the traffic to the homenet is tunneled. In this case, the
> ability to define which IP address needs to be tunneled and which IP
> address does not need to be tunneled requires to have this IP address so to
> be able to publicly perform a DNS resolution.   The added text is as
> follows:
>
> """
> In such cases, the routing policy is likely to be defined by the
> destination IP address.
> This IP address potentially results from a DNS resolution over the
> Internet.
> """
>

So let's consider this use case where access to homenet devices is required
to be via VPN to the home. In theory, only one address needs to be
published externally. This is the current WAN IP of the home's VPN
termination point. Then the steps to access a particular smart device would
be:
1. Look up address of the home's VPN server.
2. Establish VPN.
3. From the VPN, the client learns the set of home-specific routes, and the
address of the Homenet Resolver that it should use.
4. Client queries the Homenet Resolver (over the VPN) for the address of
the smart device.
5. Client establishes connection to the smart device, over the VPN.

For this use case, there is no need to publish more than one name to the
DOI. Do you agree?

However I think the aim of this draft is to enable more than just that
case, so I can see that non-VPN cases are also useful.



> 3 What exactly is meant by "(eventually by a self signed certificate)"?
>>
>> I added a reference to the section it is discussed in the architecture
> document. The idea is that in some cases such as the reverse zone, TLS is
> not necessarily required as the ISP identifies the line. On the other hand,
> we wanted to avoid to have different versions of the HNA - let's say a
> secure version that uses TLS and a unsecure version that did not use TLS.
> As a result, when authentication is not mandatory we prefer the use of a
> self signed certificate.
>

The reference helps, thank you. But section 4.6 does not say that
self-signed is the target. It's given as one option, and that's probably
the right language. Hence I think the sentence here should be simplified to:

3. The HNA is authenticated (see Section 4.6 of
{{!I-D.ietf-homenet-front-end-naming-delegation}}) by the DM and the
RDM.



> 4.2 I think the HNA also needs to learn the set of IP addresses that the
>> DM might legitimately use in order to contact the HNA, so that these IPs
>> can be whitelisted in the CPE's firewall. Simply looking up the FQDN
>> doesn't provide that. Should it be added to this DHCP option?
>>
>
> This is correct, so the idea is that we could provision a list of IPv4 and
> a list of IPv6. However, it seems simpler to only consider the DM FQDN and
> let the HNA retrieve the IP addresses from a DNS(SEC) resolution. This is
> correct that this provides an additional round trip and a resolution
> service to be working. This could be difficult in the case of setting a
> resolving service, but in our case, we do not have such issues.
>

I'm not concerned about the additional round trip. I was more concerned
that the DM could be implemented as a frontend/backend architecture. The
FQDN would resolve to the front end, and this is likely to be a small list
of addresses, or even a single address. But the backend servers would have
distinct, different addresses. Connections from the DM to the HNA might be
initiated from the backend. If the HNA only looked up the FQDN, it would
drop legitimate connections. This suggests we need a way to inform the HNA
of the set of legitimate source addresses.

Chris

>

v2.23.0 | Report a Bug | By Email