IETF Logo Mail Archive

Re: [IPsec] Spencer Dawkins' No Objection on draft-ietf-ipsecme-split-dns-14: (with COMMENT)

Paul Wouters <pwouters@redhat.com> Mon, 26 November 2018 06:56 UTC

Return-Path: <pwouters@redhat.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0F7D1294D7; Sun, 25 Nov 2018 22:56:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Frc77s4vjf7A; Sun, 25 Nov 2018 22:56:24 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3EA8128CB7; Sun, 25 Nov 2018 22:56:24 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 10C4430841DE; Mon, 26 Nov 2018 06:56:24 +0000 (UTC)
Received: from thinkpad.nohats.ca (ovpn-204-27.brq.redhat.com [10.40.204.27]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3FC355D9C6; Mon, 26 Nov 2018 06:56:19 +0000 (UTC)
To: Tero Kivinen <kivinen@iki.fi>, Paul Wouters <paul@nohats.ca>
Cc: Spencer Dawkins <spencerdawkins.ietf@gmail.com>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-split-dns@ietf.org, The IESG <iesg@ietf.org>
References: <154275031487.29795.6995020474049388117.idtracker@ietfa.amsl.com> <alpine.LRH.2.21.1811210026410.29140@bofh.nohats.ca> <alpine.LRH.2.21.1811210944410.24767@bofh.nohats.ca> <23545.49026.588213.633610@fireball.acr.fi>
From: Paul Wouters <pwouters@redhat.com>
Message-ID: <6cf92ec6-0ffd-9864-0793-bbf30fb638ae@redhat.com>
Date: Mon, 26 Nov 2018 13:56:17 +0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <23545.49026.588213.633610@fireball.acr.fi>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Mon, 26 Nov 2018 06:56:24 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/MKm7KIVyFn9HR6XMYCY4InCByGg>
Subject: Re: [IPsec] Spencer Dawkins' No Objection on draft-ietf-ipsecme-split-dns-14: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Nov 2018 06:56:27 -0000

On 2018-11-25 4:15 a.m., Tero Kivinen wrote:
> Paul Wouters writes:
>> So I suggest instead:
>>
>>      A client using these configuration payloads will be able to request
>>      and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN
>>      and INTERNAL_DNSSEC_TA configuration attributes.  These attributes
>>      MUST be accompanied by one or more INTERNAL_IP4_DNS or
>>      INTERNAL_IP6_DNS configuration attributes.  The client device can
>>      then use the internal DNS server(s) for any DNS queries within the
>>      assigned domains.  DNS queries for other domains MUST be sent to the
>>      regular DNS service of the client.
> So the meaning of the INTERNAL_IP*_DNS changs meaning depending
> whether you have INTERNAL_DNS_DOMAIN or not. You might want to be bit
> more text explaining that in this paragraph.

I did not really want to do that. It would also require updating RFC 
7296. So instead, I just pushed a change with:

-   assigned domains.  DNS queries for other domains MUST be sent to the
-   regular DNS service of the client.
+   assigned domains.  DNS queries for other domains SHOULD be sent to
+   the regular DNS service of the client unless it prefers to use the
+   IPsec tunnel for all its DNS queries.  For example, the client could
+   trust the IPsec provided DNS servers more than the locally provided
+   DNS servers especially in the case of connecting to unknown or
+   untrusted networks (eg coffee shops or hotel networks).  Or the
+   client could prefer the IPsec based DNS servers because those provide
+   additional features over the local DNS servers.

> Anyways I think changing that to say "SHOULD be sent" could work
> better, i.e., depending on the policy clients could either send
> requests to normal DNS server or to the server provided in IKE.


Yes, done. see above.


>
> Note, that the original configuration payload was supposed to provide
> similar information than what DHCP does, so client does not need to
> have anything preconfigured, but can get the whole network
> configuration from the server. This included addresses, dns servers,
> etc, and even DHCP server address that it can use to get attributes
> not included in the configuration payload. Usually the configuration
> parameters received from configuration payload replaced the parameters
> they had before.


Yes, but with split-tunnel, the client is clearly stepping in with one 
foot while keeping the other foot dry :)


Paul

v2.23.0 | Report a Bug | By Email