Re: [IPsec] draft-pauly-ipsecme-split-dns

Paul Wouters <paul@nohats.ca> Tue, 19 June 2018 20:00 UTC

Date: Tue, 19 Jun 2018 16:00:36 -0400
From: Paul Wouters <paul@nohats.ca>
To: Eric Rescorla <ekr@rtfm.com>
cc: Nico Williams <nico@cryptonector.com>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1806191550040.21058@bofh.nohats.ca>
References: <alpine.LRH.2.21.1806181637240.22748@bofh.nohats.ca> <CABcZeBPZFswnn6zoK6h-Oiy8P1o5u-BVVExQSO48fxGWy1cwXQ@mail.gmail.com> <alpine.LRH.2.21.1806181644520.22748@bofh.nohats.ca> <CABcZeBPf6TEh3JtYwT7D6+90y40W7y_=Hx03xNzLxEuQM_YsLQ@mail.gmail.com> <alpine.LRH.2.21.1806181702230.13143@bofh.nohats.ca> <CABcZeBOa8qMhDyCMzPTAtUBZTYPGehrhPrr6h4cVCjP4QZ1+Ew@mail.gmail.com> <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca> <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com> <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca> <CABcZeBN2HwiwVzAUjyZU+Q+toFM2jOKHD9xmKwM1V5qhUoULEQ@mail.gmail.com> <20180619183459.GC4218@localhost> <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ACOikNa2eGPRFYHAFwNX6UCUH5Q>

On Tue, 19 Jun 2018, Eric Rescorla wrote:

> The ID can say that, but as a practical matter, any enterprise that has
> a reasonable number of internal domains is just going to tell people
> to configure their client to accept any domain name.

Which is the equivalent of an enterprise that requires you to accept the
TLS middleware box and its additional webpki CAs. Except we made it more
restrained to prevent abuse.

>       Sure, but it's not like clients will be choosing to connect to any VPN
>       servers.  Generally the client must already have a trust anchor for the
>       SG to begin with. 
> 
> Why? That trust anchor doesn't need to allow the creation of arbitrary
> WebPKI certs.

It doesn't allow creation of _arbitrary_ webpki certs, only webpki certs
under mutually agreed domain names.

> All that is needed is to be able to authenticate the VPN server itself.

This draft has nothing to do with authentication of the VPN server. That
is all done in IKE, possibly with certificates, but nothing related to
DNS whatsoever. This draft is about using a split-DNS setup where the
VPN client can keep using its own validating DNSSEC capable recursive
server, while allowing a cryptographic exception for mutually agreed
enterprise domains while still supporting DNSSEC for those enterprise
domains to protect against inside attackers.

Paul
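One way a VPN client could enforce the "mutually agreed domain names" rule discussed in this thread, as an added example that is not code from the draft, from the author or from any implementation. The attribute names INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA come from the draft; the dictionary shape used for the CFG_REPLY payload, the `min_labels` guard and the example zones are my own constructed assumptions.

```python
"""Client-side acceptance policy for split-DNS configuration attributes.

The client keeps its own validating resolver and only forwards queries (and
installs DNSSEC trust anchors) for domains it was locally configured to
delegate to this gateway, so a gateway cannot widen the delegation on its own.
"""
from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def _is_suffix(name: str, suffix: str) -> bool:
    """Label-boundary suffix match: corp.example.com is under example.com,
    notexample.com is not."""
    n, s = _labels(name), _labels(suffix)
    return len(s) > 0 and n[-len(s):] == s


@dataclass
class SplitDnsPolicy:
    # Domains the client operator agreed to delegate to this gateway.
    allowed_domains: list[str]
    # Refuse very short names (the root, a bare TLD) even if misconfigured
    # as allowed; this is an assumed extra guard, not a rule of the draft.
    min_labels: int = 2

    def accept_domain(self, domain: str) -> bool:
        if len(_labels(domain)) < self.min_labels:
            return False
        return any(_is_suffix(domain, a) for a in self.allowed_domains)

    def apply(self, cfg_reply: dict) -> dict:
        """Filter the INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes.

        cfg_reply is a constructed stand-in for the decoded CFG_REPLY:
        {"domains": [name, ...], "tas": [(name, ds_record), ...]}
        """
        offered = cfg_reply.get("domains", [])
        accepted = [d for d in offered if self.accept_domain(d)]
        rejected = [d for d in offered if d not in accepted]
        # A trust anchor is only installed for a domain that was itself
        # accepted, so the gateway cannot inject anchors for unrelated zones
        # and DNSSEC validation for the enterprise domains stays intact.
        tas = [(d, ds) for d, ds in cfg_reply.get("tas", []) if d in accepted]
        return {"forward": accepted, "rejected": rejected, "trust_anchors": tas}
```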