IETF Logo Mail Archive

Re: [IPsec] draft-pauly-ipsecme-split-dns

Eric Rescorla <ekr@rtfm.com> Tue, 19 June 2018 23:11 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B325130FF9 for <ipsec@ietfa.amsl.com>; Tue, 19 Jun 2018 16:11:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qd-1LYEbaYcK for <ipsec@ietfa.amsl.com>; Tue, 19 Jun 2018 16:11:55 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18F06130FF5 for <ipsec@ietf.org>; Tue, 19 Jun 2018 16:11:55 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id 14-v6so1339558oie.3 for <ipsec@ietf.org>; Tue, 19 Jun 2018 16:11:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pHZUiM6gkAwF2YV7reDec+Jq1DR895YPQx52UZg+8FQ=; b=jLrLntAZPq35go/jj+qb8jswTK4yo5dm7Gz/yZxbpoUBqTonzY/J455yvDV4/RYmQd IzawmYI6frixfj/H2jptnnSiOxtIEUkF+tAkTChBK7BDkRlD+n/6emRjY6V+vZeMa62/ EozJXI/U/MtlfhH8GppBhw/pBGnTc6xzH0XCs7txPxgal52IEN/cVfEQBab7/I6b0SsH HKKJDdMiQBdeHH5DyHvHkvnvKnCOFTF3PvHYpVQN5CqTq9wi4sgzDCJ8mHqBxolv3Imp 7th79/JqfGQKgvhOK+2Qecwv97Ngee4EnczeVDm83l8BRfON3su7Q9BgLqGIjAcadkOr +XGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pHZUiM6gkAwF2YV7reDec+Jq1DR895YPQx52UZg+8FQ=; b=LZ8RuEs01/+11EzwskzsYqOdXkQZRNpepcyzKLh6aZa/AT1LbcoHmTFm39OSFBdAH1 HETBPx4/W3WmghHj6dGfk+79tY9qqLtAHAR3Fzkm1mzhF6ncBn+axz7hM/fQPlUEdiD5 MCqf+spi6y9Nzau7mcR0cATFZSAujyTqN90ZKGotXkz2h3uKD/kVe/LT3HrpTOFw1MpJ eqG4uTLXxNMekZ1E/cqKvpFQ4OnS4IYjAhQEGv9knZNCUghYtVA+TWoPnrJnfTojtjEW NoGxscuojsI8hmjycG+yieATFci5g0LqfBPlaRGsV658I6C/AvfmN625XeVI0xPP8sBc ZSCQ==
X-Gm-Message-State: APt69E2MltUTY4K1PzHNIcP2OoEUbEEW7eE8hhGrOrS35IVSenmTgmMk 3mizjCktnd36y7YJ472K7NDTdm6LZGlRMHU11/RZCw==
X-Google-Smtp-Source: ADUXVKJjnNU40KaZtqplpKlBwgMzNHadvapjBHPyFdqGDHm/mKc81boNosziBdYPnm87rbh+x1fLjcHWjaXa0e/yFQY=
X-Received: by 2002:aca:e2d3:: with SMTP id z202-v6mr8562397oig.262.1529449914298; Tue, 19 Jun 2018 16:11:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac9:3a8a:0:0:0:0:0 with HTTP; Tue, 19 Jun 2018 16:11:13 -0700 (PDT)
In-Reply-To: <20180619230148.GE4218@localhost>
References: <alpine.LRH.2.21.1806181702230.13143@bofh.nohats.ca> <CABcZeBOa8qMhDyCMzPTAtUBZTYPGehrhPrr6h4cVCjP4QZ1+Ew@mail.gmail.com> <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca> <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com> <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca> <CABcZeBN2HwiwVzAUjyZU+Q+toFM2jOKHD9xmKwM1V5qhUoULEQ@mail.gmail.com> <20180619183459.GC4218@localhost> <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com> <20180619224651.GD4218@localhost> <CABcZeBObub+rYYURt9SSumYqqWGxDMqhOG64oA+979n=mduXMw@mail.gmail.com> <20180619230148.GE4218@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 19 Jun 2018 16:11:13 -0700
Message-ID: <CABcZeBNmavpZvzNRZBdOTKQYZ=yW=y2poaoVtsOeESNyRrG15Q@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Paul Wouters <paul@nohats.ca>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
Content-Type: multipart/alternative; boundary="000000000000d80b52056f06ce1e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/62oYY7uQ__NXqlMhqHWSpUQQ-kY>
Subject: Re: [IPsec] draft-pauly-ipsecme-split-dns
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2018 23:11:59 -0000

On Tue, Jun 19, 2018 at 4:01 PM, Nico Williams <nico@cryptonector.com>
wrote:

> On Tue, Jun 19, 2018 at 03:51:55PM -0700, Eric Rescorla wrote:
> > On Tue, Jun 19, 2018 at 3:46 PM, Nico Williams <nico@cryptonector.com>
> wrote:
> > > On Tue, Jun 19, 2018 at 12:26:10PM -0700, Eric Rescorla wrote:
> > > > On Tue, Jun 19, 2018 at 11:34 AM, Nico Williams <
> nico@cryptonector.com> wrote:
> > > > > The I-D should say that clients MUST allow local configuration of
> what
> > > > > domains to accept trust anchors for, and SHOULD allow local policy
> to
> > > > > list . as a domain for which to accept trust anchors.
> > > >
> > > > The ID can say that, but as a practical matter, any enterprise that
> has
> > > > a reasonable number of internal domains is just going to tell people
> > > > to configure their client to accept any domain name.
> > >
> > > And what's the problem with that?
> > >
> > > If it's your own device you might balk, so get your employer to provide
> > > you with theirs.  Or just accept it as part of the employment deal.
> >
> > Again, right now I'm just trying to establish the facts of the matter.
> > Do you agree this is going to be a common scenario?
>
> I don't know what the antecedent of "this" in your question.  If you
> mean that BYODs will have to accept policies users don't want, well,
> that's pretty much true anyways (e.g., you have to accept proxy
> configurations that can and _will_ MITM you).
>

I'm asking if a common scenario will be that users of enterprise
VPNs who implement this feature will end up in a situation where the
VPN can impose TAs for any domain.

As a followup question, I claim that that's not presently true with
existing VPNs. In some cases, the VPN requires you to install
a new trust anchor in order to accept its cert, but that's not an
inherently necessary practice. Separately, an enterprise may
require you to accept an MITM cert, but these are conceptually
distinct. Do you disagree with that?


Are you objecting to the I-D altogether -- objecting to the feature it
> adds -- or asking what the I-D should say about your concern?
>

Again, right now I'm trying to establish the facts of the matter. I'd prefer
to do that prior to discussing what is good or bad.

-Ekr

v2.23.0 | Report a Bug | By Email