IETF Logo Mail Archive

Re: [IPsec] Benjamin Kaduk's Yes on draft-ietf-ipsecme-split-dns-14: (with COMMENT)

Paul Wouters <paul@nohats.ca> Tue, 20 November 2018 15:06 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4268C130DCB; Tue, 20 Nov 2018 07:06:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yAy6WSvQmIi5; Tue, 20 Nov 2018 07:06:12 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0F1212D4F2; Tue, 20 Nov 2018 07:06:11 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 42zptk4zRvzL8f; Tue, 20 Nov 2018 16:06:06 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1542726366; bh=yqXBzgqG6jBwJxETVXZG4IRUnm48Y/ucOwMetk7tRvo=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=JdVeFiwpP48zHNj3Gzj8Ns90pzhrvqbqrz3sVYIX6XmS133r+G2x8Rwqrm6TRgpv+ 5gCLi1r5mqYWAfEJHW3K/Se5qBR6DQagtQL8pT8/gD7IZV7LkIpCCH3pmoDRkPpS6d iXLLMmL/Wde5mwWChw5KDyE+xTB4BHIJ4314o7Qs=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 6XVFXg7350hY; Tue, 20 Nov 2018 16:06:02 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 20 Nov 2018 16:06:01 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 780374AA4C6; Tue, 20 Nov 2018 10:06:00 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 780374AA4C6
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 6D2A241C3B2D; Tue, 20 Nov 2018 10:06:00 -0500 (EST)
Date: Tue, 20 Nov 2018 10:06:00 -0500
From: Paul Wouters <paul@nohats.ca>
To: Tero Kivinen <kivinen@iki.fi>
cc: Paul Wouters <pwouters@redhat.com>, "ipsecme-chairs@ietf.org" <ipsecme-chairs@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire=40nist.gov@dmarc.ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ipsecme-split-dns@ietf.org" <draft-ietf-ipsecme-split-dns@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
In-Reply-To: <23539.58882.139191.731005@fireball.acr.fi>
Message-ID: <alpine.LRH.2.21.1811200947280.7962@bofh.nohats.ca>
References: <154233104861.10051.7593212496190352066.idtracker@ietfa.amsl.com> <SN6PR09MB326474D2688D48194948243BF0DD0@SN6PR09MB3264.namprd09.prod.outlook.com> <alpine.LRH.2.21.1811170111570.1682@bofh.nohats.ca> <23537.18848.15817.35029@fireball.acr.fi> <ef541bed-5ffa-36f8-8539-1b8ff6f3a509@redhat.com> <23539.58882.139191.731005@fireball.acr.fi>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IjXpTKYOnIMArwPWJ7iEI12ZO70>
Subject: Re: [IPsec] Benjamin Kaduk's Yes on draft-ietf-ipsecme-split-dns-14: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2018 15:06:13 -0000

On Tue, 20 Nov 2018, Tero Kivinen wrote:

> Yes, as I have seen so many times that people pass strings for
> configuration directly from the remote end to the configuration file,
> either because of it is easy, or by accident (shellshock, all kind of
> CGI issues etc).

That's why we have the Security Considerations:

    The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
    passed to another (DNS) program for processing.  As with any network
    input, the content SHOULD be considered untrusted and handled
    accordingly.

> Using wireformat and forcing IKE library to do one line of code to
> convert wireformat to restricted presentation format removes that kind
> of issues:

Sure, but it would add two conversions that shouldn't be needed at all.

> On the other hand generating the wire format from the values coming
> from configuration is similarly very easy (provided it comes from
> normal config file not from dns configuration file):

Most likely, when automating this, it would be coming from live DNS
output, eg the dig command. And not some new config file syntax for
this. If I wouldnt use files as in my previous email's example, I
would still want to be able to configure it like:

 	modecfgdns-ds="example.com. IN DS 12345 8 1 BLOB"

But pointing to a file with just DNS RRTYPEs is much easier, especially
if you have 20 internal domains, as most universities seem to have :P
Then you don't have to have duplicate keywords and/or ordening issues,
and you wouldn't have large blobs in your config file. It is just much
easier to create and maintain this in dig command output, so DNS
presentation format.

> Presentation format includes things like comments, newlines,
> whitespace etc.

> That is the reason I do not like to have presentation format inside
> the binary wire formats like IKE. We do not need to do string parsing,
> or regex processing in IKE library, but to properly parse presentation
> format you need to do that.

I think you can do this without regexp Tero :)

> going to be in the presentation format. I think most people do use
> configuration formats like:
>
> modecfgdns1=1.2.3.4
> modecfgdns2=8.8.8.8
> modecfgdomain1=example.com
> modecfgtadnsseckeytag1=1270
> modecfgtadnssecalg1=8
> modecfgtadigesttype1=1
> modecfgtadigestdata1=506AD3A656...

This would be terrible to generate from live DNS output. Much harder
than "dig ds example.com @internalDNS > dns.txt"

> Yes. This is needed. I would actually also would like to have text
> explaining can you have comments whitespace, newlines etc inside the
> Digest Data or not too, while we are at it. I would expect that most
> of the implementations would not necessarely like those and sending
> those over the wire is just wasting bytes.

I'm confused what you are suggesting here. You say it should support the
crazy stuff but then suggest implementations will just not support the
crazy stuff?

>>> and so on, instead of:
>>>
>>>       INTERNAL_DNSSEC_TA(1270,8,1,0x506AD3A656D14D924655877628FFD6A98D7A847E)

It would be:

        INTERNAL_DNSSEC_TA("1270 8 1 0x506AD3A656D14D924655877628FFD6A98D7A847E")

Note that here the domain name is not even part of the data. If you were
sending presentation format, it would be nicer:

        INTERNAL_DNSSEC_TA("example.com. IN DS 1270 8 1 0x506AD3A656D14D924655877628FFD6A98D7A847E")

And there would be no ordering constraints for INTERNAL_DNSSEC_TA()
needing to immediately follow INTERNAL_DOMAIN()

Paul

v2.23.0 | Report a Bug | By Email