Re: [IPsec] draft-pauly-ipsecme-split-dns

Nico Williams <nico@cryptonector.com> Tue, 19 June 2018 23:42 UTC

Date: Tue, 19 Jun 2018 18:41:53 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Wouters <paul@nohats.ca>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
Message-ID: <20180619234151.GF4218@localhost>
References: <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca> <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com> <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca> <CABcZeBN2HwiwVzAUjyZU+Q+toFM2jOKHD9xmKwM1V5qhUoULEQ@mail.gmail.com> <20180619183459.GC4218@localhost> <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com> <20180619224651.GD4218@localhost> <CABcZeBObub+rYYURt9SSumYqqWGxDMqhOG64oA+979n=mduXMw@mail.gmail.com> <20180619230148.GE4218@localhost> <CABcZeBNmavpZvzNRZBdOTKQYZ=yW=y2poaoVtsOeESNyRrG15Q@mail.gmail.com>
In-Reply-To: <CABcZeBNmavpZvzNRZBdOTKQYZ=yW=y2poaoVtsOeESNyRrG15Q@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/JflifB3IWgQ_oULRevFZSASAFJ8>
Subject: Re: [IPsec] draft-pauly-ipsecme-split-dns

On Tue, Jun 19, 2018 at 04:11:13PM -0700, Eric Rescorla wrote:
> On Tue, Jun 19, 2018 at 4:01 PM, Nico Williams <nico@cryptonector.com>
> wrote:
> > I don't know what the antecedent of "this" in your question is.  If you
> > mean that BYODs will have to accept policies users don't want, well,
> > that's pretty much true anyways (e.g., you have to accept proxy
> > configurations that can and _will_ MITM you).
> 
> I'm asking if a common scenario will be that users of enterprise
> VPNs who implement this feature will end up in a situation where the
> VPN can impose TAs for any domain.

I think that will be (and probably already is) common in enterprises,
but not for public VPNs.

> As a followup question, I claim that that's not presently true with
> existing VPNs. In some cases, the VPN requires you to install
> a new trust anchor in order to accept its cert, but that's not an
> inherently necessary practice. Separately, an enterprise may
> require you to accept an MITM cert, but these are conceptually
> distinct. Do you disagree with that?

Requiring that the client accept arbitrary trust anchors in this
protocol is "not an inherently necessary practice" either.

Do you disagree?

The protocol's purpose is to enable split-dns, not to enable MITM for
all domains, though it does also do the latter if the client accepts it.

> > Are you objecting to the I-D altogether -- objecting to the feature it
> > adds -- or asking what the I-D should say about your concern?
> 
> Again, right now I'm trying to establish the facts of the matter. I'd
> prefer to do that prior to discussing what is good or bad.

My prediction of which configurations will be common is hardly a fact :)
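The point under dispute above is whether a client that implements split-DNS configuration must also let the VPN "impose TAs for any domain", or whether it can accept the feature while keeping a local say over which domains (and which trust anchors) it will take from the VPN. The following is an added illustration of that client-side check, not code from the draft, from either poster, or from any IKE implementation. The attribute names INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA are those of RFC 8598, the published form of this draft; the policy object, the allowlist mechanism, the opaque trust-anchor values and every sample name are assumptions of this example.

```python
"""Client-side acceptance policy for split-DNS configuration offered by a VPN.

Added example, not part of the mailing-list thread or the draft.  It models the
client deciding, per offered domain and per offered trust anchor, whether to
install it, so that accepting the split-DNS feature does not mean accepting a
trust anchor for an arbitrary domain.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


def _normalize(name: str) -> str:
    """Lower-case a DNS name and strip any trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def _within(name: str, parent: str) -> bool:
    """True if name equals parent or is a subdomain of it (both already normalized)."""
    return name == parent or name.endswith("." + parent)


@dataclass(frozen=True)
class ClientPolicy:
    # Domains the owner of this client is willing to let a VPN claim for itself.
    # Constructed policy structure; the draft does not mandate this shape.
    allowed_domains: FrozenSet[str]
    # Whether the client is willing to install any VPN-supplied DNSSEC trust anchor.
    accept_trust_anchors: bool = True


@dataclass
class SplitDnsConfig:
    # What the VPN offered: INTERNAL_DNS_DOMAIN names and, keyed by domain, an
    # INTERNAL_DNSSEC_TA value (treated as opaque bytes here).
    internal_domains: List[str]
    trust_anchors: Dict[str, bytes]


@dataclass
class Decision:
    accepted_domains: List[str] = field(default_factory=list)
    accepted_trust_anchors: Dict[str, bytes] = field(default_factory=dict)
    rejected: List[Tuple[str, str]] = field(default_factory=list)


def evaluate(config: SplitDnsConfig, policy: ClientPolicy) -> Decision:
    """Decide which offered domains and trust anchors this client will install."""
    decision = Decision()
    allowed = {_normalize(a) for a in policy.allowed_domains if _normalize(a)}

    for raw in config.internal_domains:
        name = _normalize(raw)
        if not name:
            # The root zone would hand the VPN every name; never accept it.
            decision.rejected.append((raw, "root domain offered"))
        elif any(_within(name, a) for a in allowed):
            decision.accepted_domains.append(name)
        else:
            decision.rejected.append((raw, "domain not in client allowlist"))

    for raw, ta in config.trust_anchors.items():
        name = _normalize(raw)
        if not policy.accept_trust_anchors:
            decision.rejected.append((raw, "trust anchors disabled by client policy"))
        elif not any(_within(name, a) for a in decision.accepted_domains):
            # A trust anchor is only honoured for a domain the VPN was allowed to
            # serve; this is what keeps "split-DNS" from becoming "TA for any domain".
            decision.rejected.append((raw, "trust anchor outside accepted domains"))
        else:
            decision.accepted_trust_anchors[name] = ta
    return decision


if __name__ == "__main__":
    # Constructed sample: the client only trusts the VPN for example.com and below.
    policy = ClientPolicy(allowed_domains=frozenset({"example.com"}))
    offered = SplitDnsConfig(
        internal_domains=["corp.example.com.", "example.net", "."],
        trust_anchors={"corp.example.com": b"ta-1", "example.net": b"ta-2", "com": b"ta-3"},
    )
    result = evaluate(offered, policy)
    print("accepted domains:", result.accepted_domains)
    print("accepted trust anchors:", sorted(result.accepted_trust_anchors))
    for domain, reason in result.rejected:
        print("rejected", repr(domain), "-", reason)
```

The allowlist is the knob the thread is arguing about: an enterprise-managed client can be provisioned with a broad one, a BYOD or public-VPN client with a narrow one or with `accept_trust_anchors=False`, and in both cases the VPN's offered configuration is filtered rather than installed wholesale.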