IETF Logo Mail Archive

Re: [homenet] Introduction to draft-ietf-homenet-simple-naming

Ted Lemon <mellon@fugue.com> Fri, 25 May 2018 17:34 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB04C12E741 for <homenet@ietfa.amsl.com>; Fri, 25 May 2018 10:34:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1IOJVIhpd3AL for <homenet@ietfa.amsl.com>; Fri, 25 May 2018 10:34:13 -0700 (PDT)
Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E388712E036 for <homenet@ietf.org>; Fri, 25 May 2018 10:34:12 -0700 (PDT)
Received: by mail-it0-x230.google.com with SMTP id n64-v6so7744687itb.3 for <homenet@ietf.org>; Fri, 25 May 2018 10:34:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=LT7dNUORTwm57D4yTFs0eIhRbkcezRP4DSTLObcCcqE=; b=QyK4nBLIkUa30pg/JOcEjJ3YfyR9at/7R51rRqmZhRW3vtKT8WIip1C8tY0MKzpud6 7Pa08jZYLDkWUfjzlQhnoT5U/Nw4h886X7473f7DK+2WcyEu4Pf6X+c2MWZl9yohEKR9 P7/uHFLt6i84x+7fGsm9Fab98oK+jdBs1zhi5JgyfeHsYAt5YaDye4ANKy5hzUBajBFr 0lOeJQNLQAU2UklOwU/sK2KY24azFY2KJwPF8DjzvgPNK/9lse1O/4DF5Aji57raJTP8 gVNK3801uVI0Qk3hbLIVagtEs+0imRIqAoVDD/iVQgTn0HCXdk1+I8CDNxpxIH0SPjr1 O89g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=LT7dNUORTwm57D4yTFs0eIhRbkcezRP4DSTLObcCcqE=; b=RoQaCUjW5arrS9uR4X819aZC6kjDOZ6XJX+9Oy7oKeznECc2WbMKySkaUrHBXnJkst B081VZY1QKf3vFGAcMVSAnKvE3mGZ133ealBbu3Kj1oQxa02OFY5bIBsVfPYPsYTs9Ax jDiM01zMI7l/y/LqvZoRp6u/X3TFxYY5VMXIJDWIYUaadEyFcxrQ0qzXBCkuW56i1ewr cwJ2U/lTwcfNWldYwkmULQGST61/WAJ0tZVYGijr2fND7lGqN8BT9XUeZW8lotUNFyVc 3EDWYisL+wspx8IFmX8Qo1A3h3RwaEq+w8SPw27B8jpo1CKV+S4GkwxTSVyJqyHyMfEO L6Nw==
X-Gm-Message-State: ALKqPwc5u7H8+SJ8GZ5o/xm3H2VRErKrvHYZAX3SttDScML5TSE1nTXE wqtjJpZifOy04eAuJwAaKNq6R19zKjQ=
X-Google-Smtp-Source: ADUXVKINu/gV5dJCJ/FhZ1FcjRGWzXioABrC2EWrBxNipJl8fKWEXLhQvsM69mL4ZHwg+FuWNHPTAw==
X-Received: by 2002:a24:61ce:: with SMTP id s197-v6mr3182700itc.10.1527269651925; Fri, 25 May 2018 10:34:11 -0700 (PDT)
Received: from [172.19.131.123] ([12.130.117.65]) by smtp.gmail.com with ESMTPSA id d199-v6sm625548ioe.51.2018.05.25.10.34.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 25 May 2018 10:34:11 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <1D99A968-513F-47D4-A208-9D401E58415A@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D5A90ED3-4990-4671-886A-34BEE20CD347"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Fri, 25 May 2018 12:34:03 -0500
In-Reply-To: <29946.1527267593@localhost>
Cc: HOMENET <homenet@ietf.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <CAPt1N1kcuDBxK1=RN=_Q4YM7L_-YDNaEt4WS-sh2YDeJgvMgRw@mail.gmail.com> <29946.1527267593@localhost>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/i-M6ZOcbk6ACOrYbUWvENH0QUoY>
Subject: Re: [homenet] Introduction to draft-ietf-homenet-simple-naming
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 May 2018 17:34:17 -0000

Thanks for the review, Michael!

On May 25, 2018, at 11:59 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> Ted Lemon <mellon@fugue.com <mailto:mellon@fugue.com>> wrote:
>> The homenet naming architecture consists of two parts: the simple
>> naming architecture, and the advanced naming architecture.  The
>> advanced architecture provides approximate parity of features with a
>> managed network, including the ability to publish services on the
>> internet.
> 
> I hate to ask this, but it seems like we ought to have a definition for a
> managed network... :-(
> I think that the section 2.1 provides contrasts, but maybe we should instead
> say what aspects of the Managed LAN we care about.

Good point.  The "including the ability to publish services on the Internet" seems like a reasonable first attempt at specifying that, but I agree that it's insufficient.   Do you have a theory to offer?   What I think I meant by this was:

- Has a globally-scoped delegation for publishing names (a forward tree)
- Optionally with DNSSEC
- Has one or more globally-scoped delegations for publishing records referring to globally-scoped IP addresses on the network (a reverse tree)
- Optionally with DNSSEC
- Ability to specify which services are visible from outside, either manually or automatically (e.g. with mud).
- Ability to acquire ACME certs?   This is probably out of scope-ish, but ACME does interact with the naming system.   This is one of my primary motivations for caring about the advanced naming architecture, TBH—it makes it possible to secure the gateway web UI.

There's probably other stuff I forgot, which is in the old version of the homenet naming architecture.   That said, I don't think this needs to be covered exhaustively here.   The point is "
> 
>> o  Authority: a name server that is authoritative for at least a
>> forward and one or two reverse domains that are applicable to that
>> network
> 
> s/forward/forward domain/ ?

An X (B, implicitly) and 2 Y Bs is a pretty normal english construction, but maybe it would be better to be explicit, so I'll make this change.

>> o  Resolution: a full-service caching DNS resolver
> 
> s/caching DNS resolver/caching DNSSEC resolver/ ?

That would be nice for avoiding cache poisoning, but I don't think it's required.   If you don't validate at the host, you might as well not bother.   That said, this point is worth making clear later on when these bullet points are expanded upon.

>> *  manages the lifetime of such information, so that it persists
>> long enough to prevent spoofing, but protects end users from
>> seeing stale information
> 
> Should the naming architecture consider that some devices are guests?
> For instance, should such devices be marked in some way when they publish
> names, and how would they be upgraded?  The upgrade must be simple, but
> intentional, otherwise well have flashing 12:00 VCR syndrome in most home
> networks.

Can you articulate a meaningful distinction between a "guest" service and a regular service?   The only thing I can think of is that you might want a shorter default lifetime on the service registration, but I don't think it's actually very important.  Part of the way the DNSSD registration protocol is intended to work is that names are reserved for longer than they are visible as services, so if you come along an hour after a guest device has left the network, you won't see a service record published for it, but you won't be able to claim its name.   Do you think we need to do more than that?

Are guest devices identified on the basis of connecting to a "guest" network?

(This is a good observation, BTW, and I'm not disagreeing that we should consider it, just not sure what to write).

>> In many managed LANs, establishment of trust for service discovery is
>> simply on the basis of a belief that the local resolver will give a
>> correct answer.  Once the service has been discovered and chosen,
>> there may be some security (e.g., TLS) that protects the connection
>> to the service, but the trust model is often just "you're connected
>> to a network you trust, so you can trust the printer that you
>> discovered on this network."
> 
> I'd be curious to know how many printers on corporate/enterprise/campus
> environments get TLS certificates?   I suspect that in such environments, the
> majority of printing is via a printer server, and the security is via
> ActiveDirectory or equivalent.  But I don't know, I haven't lived in such an
> environment for a long time, and my printers either don't support TLS,
> or they have a self-signed certificate because CUPS doesn't make it easy for
> me to care.
> 
> In essence, I wonder if you are raising the bar for the Homenet higher than
> for real Managed LANs.  I'm okay with that, btw, but I think we should be
> clear that we are doing it because it's easy.

Yes.  That's precisely what I'm hoping to do.   Active Directory obviously isn't going to work in this situation, and since it's not an IETF standard, there's no reason to attempt to replicate that model.   Although if we can hack a TLS cert into a printer on a homenet by claiming it in an active directory domain somehow, I'm all for doing that as a shim.  Another way that someone from the NIST proposed is to just take a $25 Raspberry Pi-ish device (maybe with better I/O, like the NanoPi Neo Plus2) and just interpose it between the printer and the network to prevent the printer from presenting a non-encrypted API.   But that's definitely out of scope.

>> 2.2.  Homenet-specific considerations
> 
>> A naming architecture for homenets therefore adds the following
>> considerations:
> 
>> o  All of the operations mentioned here must reliably function
>> automatically, without any user intervention or debugging.
> 
> I'd like to add some kind of visible auditing here.
> I'm thinking about something like multicasted syslog about things that are
> occuring automatically. (Still funny that evil rcmd and syslog both live on
> port 514...)

I agree, but I think that's out of scope.

>> o  Homenets must address the problem of multiple provisioning
>> domains, in the sense that the DNS may give a different answer
>> depending on whether caching resolvers at one ISP or another are
>> queried.
> 
>> An additional requirement from the Homenet Architecture [9] is that
>> hosts are not required to implement any homenet-specific capabilities
>> in order to discover and access services on the homenet.  This
>> architecture may define optional homenet-specific features, but hosts
>> that do not implement these features must work on homenets.
> 
> Is it acceptable that it only works if the host uses the DNS server that DHCP
> supplied?
> I think it's unacceptable if the host has to rely on search path, and I think
> we all agree on that. (But major captive portal suppliers still haven't
> figured that out)

If the host is doing DoH to bypass the local DNS server, it won't be able to access local services.   This is probably the right outcome.   Anything we do to finesse this is going to require changes on the host.   I suspect that this is out of scope for the simple naming architecture, but am eager to hear arguments to the contrary.   :)

v2.23.0 | Report a Bug | By Email