Re: [IPsec] TR: New Version Notification for draft-btw-add-ipsecme-ike-01.txt
Benjamin Kaduk <kaduk@mit.edu> Sat, 19 September 2020 05:09 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A90AB3A0B60; Fri, 18 Sep 2020 22:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SCOVvLCSHe4s; Fri, 18 Sep 2020 22:09:41 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 465B13A09C3; Fri, 18 Sep 2020 22:09:41 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 08J59YLo002724 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 19 Sep 2020 01:09:36 -0400
Date: Fri, 18 Sep 2020 22:09:34 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: 'Paul Wouters' <paul@nohats.ca>, mohamed.boucadair@orange.com, ipsec@ietf.org, draft-btw-add-ipsecme-ike@ietf.org
Message-ID: <20200919050934.GN89563@kduck.mit.edu>
References: <159965296544.28196.15433560776696094354@ietfa.amsl.com> <24155_1599723204_5F59D6C4_24155_339_53_787AE7BB302AE849A7480A190F8B93303153E1B7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <alpine.LRH.2.23.451.2009101023040.1041967@bofh.nohats.ca> <087501d68dba$63522690$29f673b0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <087501d68dba$63522690$29f673b0$@gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Dd1stpTZZuEJH6tFaKNcMBOonCc>
Subject: Re: [IPsec] TR: New Version Notification for draft-btw-add-ipsecme-ike-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2020 05:09:44 -0000
On Fri, Sep 18, 2020 at 03:51:11PM +0300, Valery Smyslov wrote: > Hi Paul, > > > Why is this using a seperate CP payload type per encrypted DNS type? > > This means that for a DNS server supporting DoT, DoH and DoQ, it needs > > to send 3 separate payloads. Why not send 1 CP payload that contains a > > bitmask specifying which services it supports? > > Well, from my understanding of ADD (I'm not an expert), > there must not be substantial difference between different > types of encrypted DNS servers in terms of provided service > (ADD folks use term "equivalent" reolvers, emphasizing > that no matter which resolver the client reaches the > response will be the same). > > If my understanding is correct, then I see little sense in > configuring all types of encrypted DNS servers. > So, DoT, DoH, DoQ is more a capability negotiation: > the client asks for those types of encrypted DNS > it supports and the server returns server(s) of one type, > based on its configuration. I would expect there to be some people pushing to have this be a capability negotiation that honors the client's preference, not the server's; the scenario you describe is one where the server's preference is used. (To be fair, I'm not following ADD much at all, though, so I could be wrong.) -Ben > In this case there is no difference in message size if we use > separate attributes or a single attribute with bitmask. > And several simple attributes are a bit easier to process... > > > The only reason I can think of for this choice is because these might > > be running on non-standard ports, but I think that reason is rather > > weak. DoT and DoQ will run on standard defines ports and DoH's protocol > > aims at blending in as web traffic so it really is only getting deployed > > on port 443. > > > > So if I build a single server that can do unencrypted and all encrypted > > flavours, I'd prefer to send and receive just 1 CP payload covering > > everything. > > Please, see above. > > > We _could_ leave the port there for non-standard ports, but then we > > should add a specific port attribute for each bitmask entry. But honestly, > > the whole non-default port part seems like overengineering. > > > > For those who care a lot about minimizing bytes exchanged over IKE, > > my above proposal would save a lot of bytes. > > Again, see above. > > > I would also like to see more clarification about split-DNS and how a > > list of domains is conveyed via IKE as the only domains to be resolved > > via the given encrypted DNS servers. > > What problems are with the current text? I believe almost all from RFC8598 > remains valid, we only replace Do53 servers IP addresses with Encrypted > DNS ones. > > > I would like to see something in the Security Considerations about handing > > out well known non-VPN reachable encrypted DNS servers. Eg I'd like to > > avoid that this document can instruct VPN users to use DoT at 8.8.8.8 if > > it is not going to offer a VPN that covers 8.8.8.8. If we don't do this, > > then VPN profiles might end up abusing/redirecting users without offering > > any actual VPN service - like overriding the system or application > > specific configuration without offering actual VPN servers to the user. > > What is your proposal? Restrict DNS servers IP addresses > to always be within Tri/TSr ranges? > > > I'm also considered about possive abuse by the specification of the > > authentication domain name. Eg a VPN provider setting up a tunnel > > covering 1.1.1.1 (dns.cloudflare.com) with an authentication name of > > "dns.google.com" and basically redirecting all 1.1.1.1 traffic over the > > VPN to 8.8.8.8. > > How can you prevent it? > > Regards, > Valery. > > > Paul > > > > > > > > > > > Please review and share your comments. > > > > > > Thank you. > > > > > > Cheers, > > > Med > > > > > > -----Message d'origine----- > > > De : internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] > > > Envoyé : mercredi 9 septembre 2020 14:03 > > > À : Dan Wing <dwing-ietf@fuggles.com>; Valery Smyslov <svan@elvis.ru>; BOUCADAIR Mohamed TGI/OLN > > <mohamed.boucadair@orange.com>; Tirumaleswar Reddy.K <tirumaleswarreddy_konda@mcafee.com>; > > Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> > > > Objet : New Version Notification for draft-btw-add-ipsecme-ike-01.txt > > > > > > > > > A new version of I-D, draft-btw-add-ipsecme-ike-01.txt has been successfully submitted by Mohamed > > Boucadair and posted to the IETF repository. > > > > > > Name: draft-btw-add-ipsecme-ike > > > Revision: 01 > > > Title: Internet Key Exchange Protocol Version 2 (IKEv2) Configuration for Encrypted DNS > > > Document date: 2020-09-09 > > > Group: Individual Submission > > > Pages: 11 > > > URL: https://www.ietf.org/id/draft-btw-add-ipsecme-ike-01.txt > > > Status: https://datatracker.ietf.org/doc/draft-btw-add-ipsecme-ike/ > > > Htmlized: https://datatracker.ietf.org/doc/html/draft-btw-add-ipsecme-ike > > > Htmlized: https://tools.ietf.org/html/draft-btw-add-ipsecme-ike-01 > > > Diff: https://www.ietf.org/rfcdiff?url2=draft-btw-add-ipsecme-ike-01 > > > > > > Abstract: > > > This document specifies a new Internet Key Exchange Protocol Version > > > 2 (IKEv2) Configuration Payload Attribute Types for encrypted DNS > > > with a focus on DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS- > > > over-QUIC (DoQ). > > > > > > > > > > > > > > > Please note that it may take a couple of minutes from the time of submission until the htmlized version and > > diff are available at tools.ietf.org. > > > > > > The IETF Secretariat > > > > > > > > > > > > > > ____________________________________________________________________________________________ > > _____________________________ > > > > > > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne > > doivent donc > > > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le > > signaler > > > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles > > d'alteration, > > > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > > > > > This message and its attachments may contain confidential or privileged information that may be protected > > by law; > > > they should not be distributed, used or copied without authorisation. > > > If you have received this email in error, please notify the sender and delete this message and its > > attachments. > > > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. > > > Thank you. > > > > > > _______________________________________________ > > > IPsec mailing list > > > IPsec@ietf.org > > > https://www.ietf.org/mailman/listinfo/ipsec > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] TR: New Version Notification for draft-bt… mohamed.boucadair
- Re: [IPsec] TR: New Version Notification for draf… Paul Wouters
- Re: [IPsec] TR: New Version Notification for draf… mohamed.boucadair
- Re: [IPsec] TR: New Version Notification for draf… Valery Smyslov
- Re: [IPsec] TR: New Version Notification for draf… Benjamin Kaduk
- Re: [IPsec] TR: New Version Notification for draf… Paul Wouters
- Re: [IPsec] [***SPAM***] Re: TR: New Version Noti… Valery Smyslov
- Re: [IPsec] [***SPAM***] Re: TR: New Version Noti… Paul Wouters
- Re: [IPsec] [***SPAM***] Re: TR: New Version Noti… Tero Kivinen