Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 21 November 2018 16:42 UTC


On Nov 21, 2018, at 23:04, Warren Kumari <warren@kumari.net> wrote:
> Well, if you removed the DNSSEC_TA bit, and expected enterprise tools to do this through "normal" enterprise tools methods this would work.

That is basically what we did with the mandatory white list, except now the internal zones can still do rollovers without locking out all VPN clients that haven’t recently done some (automatic or manual) provisioning update that isn’t standardized.

And in the end, if a user treats/trusts a generic VPN service provider the same as an enterprise provisioning system, then we cannot define them to be different. That is, whatever you define as out of band, non-IKE enterprise provisioning will be equally weak to this attack if provided by the generic VPN provider. Kittens all the way down.

Paul



> (I started writing that the zone could also be unsigned, but that obviously doesn't work in the case of non-delegated "TLDs"...)
> 
> W
> 
>> But in the end, it all depends on
>> how badly you want your VPN service to see cute kittens.
>> 
>> Paul
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
>    ---maf
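The mandatory whitelist Paul describes, as an added example that is not part of this thread or of any draft or project implementation: a client-side filter that accepts a pushed DNSSEC trust anchor (INTERNAL_DNSSEC_TA) only for a zone the local administrator whitelisted and that the gateway also claimed via INTERNAL_DNS_DOMAIN. The whitelist names zones rather than keys, so the internal zone can roll its key without reprovisioning clients. The attribute layout, zone names and key values are constructed for illustration, not the wire format.

```python
# Added example: policy filter for DNSSEC trust anchors pushed over IKEv2.
# TrustAnchor is an assumed, simplified view of a parsed INTERNAL_DNSSEC_TA
# attribute (DS-style fields), not the actual payload encoding.
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustAnchor:
    domain: str        # zone the anchor applies to
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()


def _in_scope(zone: str, allowed: str) -> bool:
    # True when zone equals allowed or is a subdomain of it; the root ("")
    # is never in scope, so no gateway can push a replacement root anchor.
    zone, allowed = _norm(zone), _norm(allowed)
    if not zone or not allowed:
        return False
    return zone == allowed or zone.endswith("." + allowed)


def filter_trust_anchors(dns_domains, anchors, whitelist):
    """Split pushed anchors into (accepted, rejected).

    Accept only if (a) an administrator-configured whitelist entry covers the
    zone and (b) the gateway also listed the zone in INTERNAL_DNS_DOMAIN.
    Key tag and digest are not part of the policy, so key rollovers pass."""
    accepted, rejected = [], []
    for ta in anchors:
        on_whitelist = any(_in_scope(ta.domain, w) for w in whitelist)
        claimed = any(_in_scope(ta.domain, d) for d in dns_domains)
        (accepted if on_whitelist and claimed else rejected).append(ta)
    return accepted, rejected


# Constructed sample: local admin policy plus one gateway's pushed attributes.
WHITELIST = {"example.com", "corp"}               # "corp" = non-delegated internal TLD
PUSHED_DOMAINS = ["example.com", "corp", "attacker.test"]
PUSHED_ANCHORS = [
    TrustAnchor("example.com", 12345, 13, 2, bytes.fromhex("aa" * 32)),  # rolled key, same zone
    TrustAnchor("corp", 777, 8, 2, bytes.fromhex("bb" * 32)),            # whitelisted internal TLD
    TrustAnchor("attacker.test", 1, 13, 2, bytes.fromhex("cc" * 32)),    # claimed, not whitelisted
    TrustAnchor(".", 1, 8, 2, bytes.fromhex("dd" * 32)),                 # root: never accepted
    TrustAnchor("com", 1, 8, 2, bytes.fromhex("ee" * 32)),               # public TLD, not claimed
]


def demo():
    acc, rej = filter_trust_anchors(PUSHED_DOMAINS, PUSHED_ANCHORS, WHITELIST)
    return [t.domain for t in acc], [t.domain for t in rej]
```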