IETF Logo Mail Archive

Re: [IPsec] draft-pauly-ipsecme-split-dns

Eric Rescorla <ekr@rtfm.com> Tue, 19 June 2018 20:27 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EBCB130E18 for <ipsec@ietfa.amsl.com>; Tue, 19 Jun 2018 13:27:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iDUDZ1uvLU8s for <ipsec@ietfa.amsl.com>; Tue, 19 Jun 2018 13:27:05 -0700 (PDT)
Received: from mail-ot0-x242.google.com (mail-ot0-x242.google.com [IPv6:2607:f8b0:4003:c0f::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DB1C130ECA for <ipsec@ietf.org>; Tue, 19 Jun 2018 13:20:56 -0700 (PDT)
Received: by mail-ot0-x242.google.com with SMTP id w9-v6so1151133otj.7 for <ipsec@ietf.org>; Tue, 19 Jun 2018 13:20:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jMOUz8CcbqUDYee+HTjYLcjJl3LyqkIs9TB4C2vRzS0=; b=ZauJFhVDvWAbRMKPZSuOQ11YrQwtncmFAs06tXA9cmNecfxYts3EPzXtI7g3EumTTT zsADBc2/IYGELpnbYjuAf466cWbfOVQ2bjNbEeAutFwHfQdGJqvnJegy2mpShI5nKuoM a0DL9cxrVfSUITwLUgBTMuhhnuozuKELdaqMNdyeaR24LTElAg5Pb1FrnUNvcOTPaLPF WxMN/5zj3b73RzkBGiftfPJ9SUYKg3fkWBKk/d/l5epCvlCkBVmAcAmUE4SpzwghmkXU /eBebW0Oq5oVM3V6hRPVIICgkyQw0s2L+hPjBJVJidC/bY65Ii21yiHktKy17FFy6xhL 4FKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jMOUz8CcbqUDYee+HTjYLcjJl3LyqkIs9TB4C2vRzS0=; b=Ry8fNZyr10v9ZhIolemFukTOxTh7iHpbpHK51RuzDoiFt2HpfXUfkHNf/OfX35TQ2k lStLCCpOq/hwUPSNKxEiGnF3lQghQfKMhiUBCy/+1FpR6y/tECjZM48hQm0I3l4RhP+e 6bTQawQMImHIg3pgAHKNYYqVyYvwqLwkD8ZLMXoghT01AvVM+HR0Jqk9r/wkWgTwkDdr TrWvIWVzCntxLbRFbe2OeL9ZS5CPYmWJ7RE2R1ldgA5G+Lg1H4zyWx9fqFypGN/XxtuN dv5l6b3uPeYL8yXMEOtl10l754ZfcFyUDWyges8PD4QEtBv0qb0659BjEeNj5/Hd7V5h EckA==
X-Gm-Message-State: APt69E2caqHa8/MiiKkFVEg/p3tHG2mVRuHe+ASM1yyca8qm2OSeyR4d u1ryhlP9ge8tNL2j6MWM3LHkG3jjIv3mjDk3JclkckAYLAEb6w==
X-Google-Smtp-Source: ADUXVKJwL0noabfB9lMxGeBQ6n6bGL9MvQ7/wKOcx/CBlKq7dNKuI8eEZtkDwE56168CNImXZYyBJ086PD3nnARAdbg=
X-Received: by 2002:a9d:5912:: with SMTP id t18-v6mr11715238oth.217.1529439655687; Tue, 19 Jun 2018 13:20:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac9:3a8a:0:0:0:0:0 with HTTP; Tue, 19 Jun 2018 13:20:15 -0700 (PDT)
In-Reply-To: <alpine.LRH.2.21.1806191550040.21058@bofh.nohats.ca>
References: <alpine.LRH.2.21.1806181637240.22748@bofh.nohats.ca> <CABcZeBPZFswnn6zoK6h-Oiy8P1o5u-BVVExQSO48fxGWy1cwXQ@mail.gmail.com> <alpine.LRH.2.21.1806181644520.22748@bofh.nohats.ca> <CABcZeBPf6TEh3JtYwT7D6+90y40W7y_=Hx03xNzLxEuQM_YsLQ@mail.gmail.com> <alpine.LRH.2.21.1806181702230.13143@bofh.nohats.ca> <CABcZeBOa8qMhDyCMzPTAtUBZTYPGehrhPrr6h4cVCjP4QZ1+Ew@mail.gmail.com> <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca> <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com> <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca> <CABcZeBN2HwiwVzAUjyZU+Q+toFM2jOKHD9xmKwM1V5qhUoULEQ@mail.gmail.com> <20180619183459.GC4218@localhost> <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com> <alpine.LRH.2.21.1806191550040.21058@bofh.nohats.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 19 Jun 2018 13:20:15 -0700
Message-ID: <CABcZeBNh83mLD5E3VU6TGJ9dCxWLxbMEbOY9aG95MhOjoGLABg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Nico Williams <nico@cryptonector.com>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
Content-Type: multipart/alternative; boundary="00000000000062070b056f046bbd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/88HSNi1NOD5JrfI1Cu_3imU2jrE>
Subject: Re: [IPsec] draft-pauly-ipsecme-split-dns
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2018 20:27:07 -0000

On Tue, Jun 19, 2018 at 1:00 PM, Paul Wouters <paul@nohats.ca> wrote:

> On Tue, 19 Jun 2018, Eric Rescorla wrote:
>
> The ID can say that, but as a practical matter, any enterprise that has
>> a reasonable number of internal domains is just going to tell people
>> to configure their client to accept any domain name.
>>
>
> Which is the equivalent of an enterprise that requires you to accept the
> TLS middleware box and its additional webpki CAs. Except we made it more
> restrained to prevent abuse.
>

I'd prefer to establish the facts of the matter before we debate what
ought to happen.

My contention here is that as a practical matter, many clients will be
required
to accept any domain name that the VPN server asserts is internal. As far
as I can tell, this is what the document itself says:

   In most deployment scenario's, the IKE client has an expectation that
   it is connecting, using a split-network setup, to a specific
   organisation or enterprise.  A recommended policy would be to only
   accept INTERNAL_DNSSEC_TA directives from that organization's DNS
   names.  However, this might not be possible in all deployment
   scenarios, such as one where the IKE server is handing out a number
   of domains that are not within one parent domain.

What am I misunderstanding?


All that is needed is to be able to authenticate the VPN server itself.
>>
>
> This draft has nothing to do with authentication of the VPN server. That
> is all done in IKE, possibly with certificates, but nothing related to
> DNS whatsoever. This draft is about using a split-DNS setup where the
> VPN client can keep using its own validating DNSSEC capable recursive
> server, while allowing a cryptographic acception for mutually agreed
> enterprise domains while still supporting DNSSEC for those enterprise
> domains to protect against inside attackers.
>

Yes, I appreciate that point. I was responding to Nico's comment that
"Generally the client must already have a trust anchor for the
SG to begin with. " And it's not correct that in order to have a VPN
gateway, you need to give it a full TA.

-Ekr

v2.23.0 | Report a Bug | By Email