IETF Logo Mail Archive

Re: [IPsec] draft-pauly-ipsecme-split-dns

Tero Kivinen <kivinen@iki.fi> Wed, 20 June 2018 23:57 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3377130E46; Wed, 20 Jun 2018 16:57:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j4mLJG_p85Mf; Wed, 20 Jun 2018 16:57:05 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E3D3130E3D; Wed, 20 Jun 2018 16:57:05 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w5KNuwFc022764 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 21 Jun 2018 02:56:58 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w5KNuwdx018121; Thu, 21 Jun 2018 02:56:58 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23338.59850.426646.482306@fireball.acr.fi>
Date: Thu, 21 Jun 2018 02:56:58 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Nico Williams <nico@cryptonector.com>
Cc: IPsecME WG <ipsec@ietf.org>, Eric Rescorla <ekr@rtfm.com>, Paul Wouters <paul@nohats.ca>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
In-Reply-To: <20180620220624.GH4218@localhost>
References: <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca> <CABcZeBN2HwiwVzAUjyZU+Q+toFM2jOKHD9xmKwM1V5qhUoULEQ@mail.gmail.com> <20180619183459.GC4218@localhost> <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com> <20180619224651.GD4218@localhost> <CABcZeBObub+rYYURt9SSumYqqWGxDMqhOG64oA+979n=mduXMw@mail.gmail.com> <20180619230148.GE4218@localhost> <CABcZeBNmavpZvzNRZBdOTKQYZ=yW=y2poaoVtsOeESNyRrG15Q@mail.gmail.com> <alpine.LRH.2.21.1806200002340.18235@bofh.nohats.ca> <23338.46863.5452.257270@fireball.acr.fi> <20180620220624.GH4218@localhost>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 25 min
X-Total-Time: 38 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Hm3pf0UpfgX5gEQSFr-KQpKEB2A>
Subject: Re: [IPsec] draft-pauly-ipsecme-split-dns
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jun 2018 23:57:08 -0000

Nico Williams writes:
> On Wed, Jun 20, 2018 at 11:20:31PM +0300, Tero Kivinen wrote:
> > Reading this thread now, I have few comments.
> > 
> > [...]
> > 
> > So I think the feature that we can use TLSA records in the split-dns
> > is very important. I agree that it would be VERY BAD for the client to
> > just accept whatever domains server sends, and it SHOULD always verify
> > it against its local configuration.
> 
> Agreed.
> 
> But I also think that a REQUIREMENT that the client support and check
> local policy as to which domains to accept TAs for is sufficient to
> address the concern.  Isn't it?

Yes and no.

Yes, I think that is best we can do.

No, I do not think it will necessarely solve the problem, as there
will be implementations where they might have the local policy checks,
but there is no way to edit that list (or even see that list), because
this list comes and is managed by the management system or profile.

I.e., the feature might be there, but it is useless as it is filled up
by the enterprise. Of course there is trust relationship between the
VPN client and the enterprise. All this information is transmitted
inside the IKEv2 SA which is authenticated, thus client is able to
trust the information it gets from the SGW. Then client simply needs
to decide whether it trusts the enterprise enough to allow it do the
things it tries to do.

Asking user does not really help, as if there is popups the users will
simply click them away. Very often this already happened for some
internal servers already for TLS. Some people did not install the
Enterprise Root CA, or the certificate used for the service expired
and nobody bothered to update it, or the service used actually
self-signed certificates, or the service used different internal
domain name than the user tried to use etc. More often than not the
intranet sites gives all kind of certificate errors when you are
connecting to them, thus in enterprise environments people ignore the
warnings always...

Hopefully with this we might actually be able to use TLSA records for
those internal sites, and that might fix some issues (or at least
break them in different ways :-)
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email