IETF Logo Mail Archive

Re: [IPsec] TR: New Version Notification for draft-btw-add-ipsecme-ike-01.txt

Benjamin Kaduk <kaduk@mit.edu> Sat, 19 September 2020 05:09 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A90AB3A0B60; Fri, 18 Sep 2020 22:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SCOVvLCSHe4s; Fri, 18 Sep 2020 22:09:41 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 465B13A09C3; Fri, 18 Sep 2020 22:09:41 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 08J59YLo002724 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 19 Sep 2020 01:09:36 -0400
Date: Fri, 18 Sep 2020 22:09:34 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: 'Paul Wouters' <paul@nohats.ca>, mohamed.boucadair@orange.com, ipsec@ietf.org, draft-btw-add-ipsecme-ike@ietf.org
Message-ID: <20200919050934.GN89563@kduck.mit.edu>
References: <159965296544.28196.15433560776696094354@ietfa.amsl.com> <24155_1599723204_5F59D6C4_24155_339_53_787AE7BB302AE849A7480A190F8B93303153E1B7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <alpine.LRH.2.23.451.2009101023040.1041967@bofh.nohats.ca> <087501d68dba$63522690$29f673b0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <087501d68dba$63522690$29f673b0$@gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Dd1stpTZZuEJH6tFaKNcMBOonCc>
Subject: Re: [IPsec] TR: New Version Notification for draft-btw-add-ipsecme-ike-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2020 05:09:44 -0000

On Fri, Sep 18, 2020 at 03:51:11PM +0300, Valery Smyslov wrote:
> Hi Paul,
> 
> > Why is this using a seperate CP payload type per encrypted DNS type?
> > This means that for a DNS server supporting DoT, DoH and DoQ, it needs
> > to send 3 separate payloads. Why not send 1 CP payload that contains a
> > bitmask specifying which services it supports?
> 
> Well, from my understanding of ADD (I'm not an expert),
> there must not be substantial difference between different
> types of encrypted DNS servers in terms of provided service
> (ADD folks use term "equivalent" reolvers, emphasizing 
> that no matter which resolver the client reaches the 
> response will be the same). 
> 
> If my understanding is correct, then I see little sense in 
> configuring all types of encrypted DNS servers.
> So, DoT, DoH, DoQ is more a capability negotiation:
> the client asks for those types of encrypted DNS
> it supports and the server returns server(s) of one type,
> based on its configuration.

I would expect there to be some people pushing to have this be a capability
negotiation that honors the client's preference, not the server's; the
scenario you describe is one where the server's preference is used.
(To be fair, I'm not following ADD much at all, though, so I could be
wrong.)

-Ben

> In this case there is no difference in message size if we use 
> separate attributes or a single attribute with bitmask.
> And several simple attributes are a bit easier to process...
> 
> > The only reason I can think of for this choice is because these might
> > be running on non-standard ports, but I think that reason is rather
> > weak. DoT and DoQ will run on standard defines ports and DoH's protocol
> > aims at blending in as web traffic so it really is only getting deployed
> > on port 443.
> > 
> > So if I build a single server that can do unencrypted and all encrypted
> > flavours, I'd prefer to send and receive just 1 CP payload covering
> > everything.
> 
> Please, see above.
> 
> > We _could_ leave the port there for non-standard ports, but then we
> > should add a specific port attribute for each bitmask entry. But honestly,
> > the whole non-default port part seems like overengineering.
> > 
> > For those who care a lot about minimizing bytes exchanged over IKE,
> > my above proposal would save a lot of bytes.
> 
> Again, see above.
> 
> > I would also like to see more clarification about split-DNS and how a
> > list of domains is conveyed via IKE as the only domains to be resolved
> > via the given encrypted DNS servers.
> 
> What problems are with the current text? I believe almost all from RFC8598
> remains valid, we only replace Do53 servers IP addresses with Encrypted 
> DNS ones.
> 
> > I would like to see something in the Security Considerations about handing
> > out well known non-VPN reachable encrypted DNS servers.  Eg I'd like to
> > avoid that this document can instruct VPN users to use DoT at 8.8.8.8 if
> > it is not going to offer a VPN that covers 8.8.8.8. If we don't do this,
> > then VPN profiles might end up abusing/redirecting users without offering
> > any actual VPN service - like overriding the system or application
> > specific configuration without offering actual VPN servers to the user.
> 
> What is your proposal? Restrict DNS servers IP addresses 
> to always be within Tri/TSr ranges?
> 
> > I'm also considered about possive abuse by the specification of the
> > authentication domain name. Eg a VPN provider setting up a tunnel
> > covering 1.1.1.1 (dns.cloudflare.com) with an authentication name of
> > "dns.google.com" and basically redirecting all 1.1.1.1 traffic over the
> > VPN to 8.8.8.8.
> 
> How can you prevent it?
> 
> Regards,
> Valery.
> 
> > Paul
> > 
> > 
> > 
> > 
> > > Please review and share your comments.
> > >
> > > Thank you.
> > >
> > > Cheers,
> > > Med
> > >
> > > -----Message d'origine-----
> > > De : internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > > Envoyé : mercredi 9 septembre 2020 14:03
> > > À : Dan Wing <dwing-ietf@fuggles.com>; Valery Smyslov <svan@elvis.ru>; BOUCADAIR Mohamed TGI/OLN
> > <mohamed.boucadair@orange.com>; Tirumaleswar Reddy.K <tirumaleswarreddy_konda@mcafee.com>;
> > Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> > > Objet : New Version Notification for draft-btw-add-ipsecme-ike-01.txt
> > >
> > >
> > > A new version of I-D, draft-btw-add-ipsecme-ike-01.txt has been successfully submitted by Mohamed
> > Boucadair and posted to the IETF repository.
> > >
> > > Name:		draft-btw-add-ipsecme-ike
> > > Revision:	01
> > > Title:		Internet Key Exchange Protocol Version 2 (IKEv2) Configuration for Encrypted DNS
> > > Document date:	2020-09-09
> > > Group:		Individual Submission
> > > Pages:		11
> > > URL:            https://www.ietf.org/id/draft-btw-add-ipsecme-ike-01.txt
> > > Status:         https://datatracker.ietf.org/doc/draft-btw-add-ipsecme-ike/
> > > Htmlized:       https://datatracker.ietf.org/doc/html/draft-btw-add-ipsecme-ike
> > > Htmlized:       https://tools.ietf.org/html/draft-btw-add-ipsecme-ike-01
> > > Diff:           https://www.ietf.org/rfcdiff?url2=draft-btw-add-ipsecme-ike-01
> > >
> > > Abstract:
> > >   This document specifies a new Internet Key Exchange Protocol Version
> > >   2 (IKEv2) Configuration Payload Attribute Types for encrypted DNS
> > >   with a focus on DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-
> > >   over-QUIC (DoQ).
> > >
> > >
> > >
> > >
> > > Please note that it may take a couple of minutes from the time of submission until the htmlized version and
> > diff are available at tools.ietf.org.
> > >
> > > The IETF Secretariat
> > >
> > >
> > >
> > >
> > ____________________________________________________________________________________________
> > _____________________________
> > >
> > > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne
> > doivent donc
> > > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le
> > signaler
> > > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles
> > d'alteration,
> > > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
> > >
> > > This message and its attachments may contain confidential or privileged information that may be protected
> > by law;
> > > they should not be distributed, used or copied without authorisation.
> > > If you have received this email in error, please notify the sender and delete this message and its
> > attachments.
> > > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> > > Thank you.
> > >
> > > _______________________________________________
> > > IPsec mailing list
> > > IPsec@ietf.org
> > > https://www.ietf.org/mailman/listinfo/ipsec
> > 
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email