Re: [IPsec] TR: New Version Notification for draft-btw-add-ipsecme-ike-01.txt
Valery Smyslov <smyslov.ietf@gmail.com> Fri, 18 September 2020 12:51 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9C6C3A08AF; Fri, 18 Sep 2020 05:51:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DAK83lbFQZRh; Fri, 18 Sep 2020 05:51:13 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86C7C3A08B2; Fri, 18 Sep 2020 05:51:13 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id n25so5007276ljj.4; Fri, 18 Sep 2020 05:51:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=JFFa45A3vQdoWB9KyCV35NZLqfVpjtOM7Eo5BgCuhr8=; b=K+iHtB2l0hhvCu6TK93+LFFofIWzJSg7bcsQ6qej8eidebM+IfBao/Y86wnpEnQ4Tr 3fL97HXG3W5Fc9A0tB56Z2b3dmIYN0xV2bMmN14WmGM06yWmjSN6rDEmWsHz9paQD/4H IzdimLa0oWILipf0xBK33261euq11EuiiyXNogu6U4O/U3y2c7e2tAGScyTyfTO1I8hy Ra4/1bqaMAAwHRYWyvINTlJtu3LO453iCykjh6tSZgLmhjYvfCzW/10109TnhY9fyg7u lb1rhAEi6/vlEtfoUvg8B54Wv8QYmsEtzyT3Vg3vRuN8hGW4hPk1ssvd/KaBMselRiY9 mm5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=JFFa45A3vQdoWB9KyCV35NZLqfVpjtOM7Eo5BgCuhr8=; b=fP5qIf5Lk11Lzz/j6DMvmweg2YimEFf6xJdoPHdu3un8h4ulZXwCVjJoWP9VQS7uYU 9mE1FuqU97NMgqYm3kW2AOo8zruf+yTIbsXXvTzU4bsjI1daoSuD4zg0yI9QKTHXI0bl lhsI1mOOM3uKrE5w8AWxkV3QyuUkaWvqprRM5r/ahHVTpa+Z9kQ7/JSeLEBJROJUZVI1 BaWJngw7s1RIBDEqtxa3wzdMl5+liX+a6YbtAMDSCb3RqwogTlowd6flJpqQIiCSiL6F U0KdcLk+SGRwRAyKiGm00bokPFR7bUCokzm4A4RTOvqbuhj2uUEZJYhAN/VNQIwSJpPI b0tw==
X-Gm-Message-State: AOAM531JqCSw96n3USVmKM0G/RS9tMm5GtHWfUztVUCMaMyS8AJgQPZx Q55RBIZJmGIxeQXVFFAtUU00TYT39wk=
X-Google-Smtp-Source: ABdhPJy0G0L+ty/7DUiMcRHTGqyrQEPecEqzQf9oiG1+b/xbCvwwBWG+QpKtFoyDht0r/hVNtMMIyQ==
X-Received: by 2002:a2e:b4ca:: with SMTP id r10mr11973337ljm.452.1600433471035; Fri, 18 Sep 2020 05:51:11 -0700 (PDT)
Received: from buildpc ([82.138.51.3]) by smtp.gmail.com with ESMTPSA id l188sm568885lfd.127.2020.09.18.05.51.09 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 18 Sep 2020 05:51:10 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>, mohamed.boucadair@orange.com
Cc: ipsec@ietf.org, draft-btw-add-ipsecme-ike@ietf.org
References: <159965296544.28196.15433560776696094354@ietfa.amsl.com> <24155_1599723204_5F59D6C4_24155_339_53_787AE7BB302AE849A7480A190F8B93303153E1B7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <alpine.LRH.2.23.451.2009101023040.1041967@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.23.451.2009101023040.1041967@bofh.nohats.ca>
Date: Fri, 18 Sep 2020 15:51:11 +0300
Message-ID: <087501d68dba$63522690$29f673b0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMPpE7MyCZTOOcf6YMBeeCfdJsZvgIZFiwOAj9vIcSm2V4DMA==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/6RYuQ8DrQr9nNXwCeSpz90NpG1o>
Subject: Re: [IPsec] TR: New Version Notification for draft-btw-add-ipsecme-ike-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2020 12:51:16 -0000
Hi Paul, > Why is this using a seperate CP payload type per encrypted DNS type? > This means that for a DNS server supporting DoT, DoH and DoQ, it needs > to send 3 separate payloads. Why not send 1 CP payload that contains a > bitmask specifying which services it supports? Well, from my understanding of ADD (I'm not an expert), there must not be substantial difference between different types of encrypted DNS servers in terms of provided service (ADD folks use term "equivalent" reolvers, emphasizing that no matter which resolver the client reaches the response will be the same). If my understanding is correct, then I see little sense in configuring all types of encrypted DNS servers. So, DoT, DoH, DoQ is more a capability negotiation: the client asks for those types of encrypted DNS it supports and the server returns server(s) of one type, based on its configuration. In this case there is no difference in message size if we use separate attributes or a single attribute with bitmask. And several simple attributes are a bit easier to process... > The only reason I can think of for this choice is because these might > be running on non-standard ports, but I think that reason is rather > weak. DoT and DoQ will run on standard defines ports and DoH's protocol > aims at blending in as web traffic so it really is only getting deployed > on port 443. > > So if I build a single server that can do unencrypted and all encrypted > flavours, I'd prefer to send and receive just 1 CP payload covering > everything. Please, see above. > We _could_ leave the port there for non-standard ports, but then we > should add a specific port attribute for each bitmask entry. But honestly, > the whole non-default port part seems like overengineering. > > For those who care a lot about minimizing bytes exchanged over IKE, > my above proposal would save a lot of bytes. Again, see above. > I would also like to see more clarification about split-DNS and how a > list of domains is conveyed via IKE as the only domains to be resolved > via the given encrypted DNS servers. What problems are with the current text? I believe almost all from RFC8598 remains valid, we only replace Do53 servers IP addresses with Encrypted DNS ones. > I would like to see something in the Security Considerations about handing > out well known non-VPN reachable encrypted DNS servers. Eg I'd like to > avoid that this document can instruct VPN users to use DoT at 8.8.8.8 if > it is not going to offer a VPN that covers 8.8.8.8. If we don't do this, > then VPN profiles might end up abusing/redirecting users without offering > any actual VPN service - like overriding the system or application > specific configuration without offering actual VPN servers to the user. What is your proposal? Restrict DNS servers IP addresses to always be within Tri/TSr ranges? > I'm also considered about possive abuse by the specification of the > authentication domain name. Eg a VPN provider setting up a tunnel > covering 1.1.1.1 (dns.cloudflare.com) with an authentication name of > "dns.google.com" and basically redirecting all 1.1.1.1 traffic over the > VPN to 8.8.8.8. How can you prevent it? Regards, Valery. > Paul > > > > > > Please review and share your comments. > > > > Thank you. > > > > Cheers, > > Med > > > > -----Message d'origine----- > > De : internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] > > Envoyé : mercredi 9 septembre 2020 14:03 > > À : Dan Wing <dwing-ietf@fuggles.com>; Valery Smyslov <svan@elvis.ru>; BOUCADAIR Mohamed TGI/OLN > <mohamed.boucadair@orange.com>; Tirumaleswar Reddy.K <tirumaleswarreddy_konda@mcafee.com>; > Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> > > Objet : New Version Notification for draft-btw-add-ipsecme-ike-01.txt > > > > > > A new version of I-D, draft-btw-add-ipsecme-ike-01.txt has been successfully submitted by Mohamed > Boucadair and posted to the IETF repository. > > > > Name: draft-btw-add-ipsecme-ike > > Revision: 01 > > Title: Internet Key Exchange Protocol Version 2 (IKEv2) Configuration for Encrypted DNS > > Document date: 2020-09-09 > > Group: Individual Submission > > Pages: 11 > > URL: https://www.ietf.org/id/draft-btw-add-ipsecme-ike-01.txt > > Status: https://datatracker.ietf.org/doc/draft-btw-add-ipsecme-ike/ > > Htmlized: https://datatracker.ietf.org/doc/html/draft-btw-add-ipsecme-ike > > Htmlized: https://tools.ietf.org/html/draft-btw-add-ipsecme-ike-01 > > Diff: https://www.ietf.org/rfcdiff?url2=draft-btw-add-ipsecme-ike-01 > > > > Abstract: > > This document specifies a new Internet Key Exchange Protocol Version > > 2 (IKEv2) Configuration Payload Attribute Types for encrypted DNS > > with a focus on DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS- > > over-QUIC (DoQ). > > > > > > > > > > Please note that it may take a couple of minutes from the time of submission until the htmlized version and > diff are available at tools.ietf.org. > > > > The IETF Secretariat > > > > > > > > > ____________________________________________________________________________________________ > _____________________________ > > > > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne > doivent donc > > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le > signaler > > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles > d'alteration, > > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > > > This message and its attachments may contain confidential or privileged information that may be protected > by law; > > they should not be distributed, used or copied without authorisation. > > If you have received this email in error, please notify the sender and delete this message and its > attachments. > > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. > > Thank you. > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] TR: New Version Notification for draft-bt… mohamed.boucadair
- Re: [IPsec] TR: New Version Notification for draf… Paul Wouters
- Re: [IPsec] TR: New Version Notification for draf… mohamed.boucadair
- Re: [IPsec] TR: New Version Notification for draf… Valery Smyslov
- Re: [IPsec] TR: New Version Notification for draf… Benjamin Kaduk
- Re: [IPsec] TR: New Version Notification for draf… Paul Wouters
- Re: [IPsec] [***SPAM***] Re: TR: New Version Noti… Valery Smyslov
- Re: [IPsec] [***SPAM***] Re: TR: New Version Noti… Paul Wouters
- Re: [IPsec] [***SPAM***] Re: TR: New Version Noti… Tero Kivinen