Re: [IPsec] draft-pauly-ipsecme-split-dns

Paul Wouters <paul@nohats.ca> Wed, 20 June 2018 19:22 UTC

Date: Wed, 20 Jun 2018 15:21:52 -0400
From: Paul Wouters <paul@nohats.ca>
To: Eric Rescorla <ekr@rtfm.com>
cc: IPsecME WG <ipsec@ietf.org>, Nico Williams <nico@cryptonector.com>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <CABcZeBO0FjTWhhqv4s9Jf=+Pb61iGx+n=u0DWjDyM7X=NDm6eg@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1806201511530.31124@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/LAdtvwTaa9h74iJlWgZ0Cmyjozk>

On Wed, 20 Jun 2018, Eric Rescorla wrote:

> I thought I had made clear what was bothering me, so I suppose we must be talking past each other. I read this text as saying that there are
> important cases where in fact the client will not have any reasonable way of knowing which domains to accept from the server, which, it seems
> to me, contradicts the claim above that it's practical. You obviously think I'm wrong, so how should I be reading this text?

I understand what bothers you. You see browsers getting non-public TLSA
answers and you are concerned about WebPKI bypass and enterprise
meddling.

I see text restricting and notifying users of the domain names that will
be part of the IKE configuration or negotiation allowing them to reject
inappropriate domains.

You fear the user will just click yes. Then you somehow would like to
know how common this new behaviour would be and how reasonable it is
for a client to understand what is happening. I cannot answer how common
this would be, other than stating that in the past this wasn't possible at
all. And that client understanding could be presented cleanly; I gave
an example.

To me, the only question is how to change the text so this is all clear
to you, but you say you are still gathering facts and you are not ready
yet to evaluate any proposed changes.

Maybe some other people can chime in on this discussion and/or provide
text to clarify things to you better than I am able to.

Paul
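As an added example, not part of this message or of the draft, here is one way a client could implement the "reject inappropriate domains" policy Paul describes: each INTERNAL_DNS_DOMAIN value proposed by the IKE responder is checked against an allow list the local administrator configured before the negotiation, and anything else is rejected with a reason the UI can show. The allow-list semantics, the sanity rules and the function names are assumptions of this example.

```python
"""
Client-side acceptance check for split-DNS domains pushed by an IKE
responder (INTERNAL_DNS_DOMAIN attributes in the split-DNS draft).

Hypothetical policy, not text from the draft: a proposed domain is used
only if it is equal to, or a subdomain of, an administrator-configured
domain, and it passes a few sanity rules that stop a server from
redirecting resolution of the whole namespace.
"""
from typing import Dict, Iterable, List, Tuple


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Corp.Example.' == 'corp.example'."""
    return name.strip().rstrip(".").lower()


def is_under(candidate: str, parent: str) -> bool:
    """True if candidate equals parent or is a subdomain of it."""
    return candidate == parent or candidate.endswith("." + parent)


def filter_split_dns_domains(proposed: Iterable[str],
                             allowed: Iterable[str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (accepted, rejected); rejected maps the raw proposal to a reason.

    Fails closed: with no locally configured allow list nothing is accepted,
    so a VPN server cannot silently take over resolution of public names.
    """
    allow = [normalize(a) for a in allowed if normalize(a)]
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for raw in proposed:
        name = normalize(raw)
        if not name:
            rejected[raw] = "empty or root domain would capture all queries"
        elif "." not in name:
            # A single label such as 'com' is far too broad even if an
            # administrator listed it; treat it as a configuration error.
            rejected[raw] = "single-label (TLD-like) domain is too broad"
        elif len(name) > 253:
            rejected[raw] = "exceeds DNS name length limit"
        elif not any(is_under(name, a) for a in allow):
            rejected[raw] = "not under any administrator-configured domain"
        elif name in accepted:
            rejected[raw] = "duplicate of an already accepted domain"
        else:
            accepted.append(name)
    return accepted, rejected
```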