Re: [IPsec] Review of draft-pauly-ipsecme-split-dns-02

Paul Wouters <paul@nohats.ca> Thu, 23 March 2017 18:55 UTC

Date: Thu, 23 Mar 2017 14:55:36 -0400
From: Paul Wouters <paul@nohats.ca>
To: Tero Kivinen <kivinen@iki.fi>
cc: ipsec@ietf.org
In-Reply-To: <22739.37370.402945.800855@fireball.acr.fi>
Message-ID: <alpine.LRH.2.20.999.1703231451520.4405@bofh.nohats.ca>
References: <22644.61072.705632.343770@fireball.acr.fi> <alpine.LRH.2.20.999.1703130903040.20456@bofh.nohats.ca> <22739.37370.402945.800855@fireball.acr.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/ON7w4lNSWaYNGCi59Bwv0mHg_ww>

On Thu, 23 Mar 2017, Tero Kivinen wrote:

>>> then someone manages to tear down the VPN connection, and suddenly all
>>> these mappings go away, the next time your mail client tries to fetch
>>> email, it does mail.example.com lookup using external DNS servers, and
>>> will get IP-address of 1.1.1.1 from ns.evil.org, then it will
>>> connect to wrong mail server...
>>
>> If you are afraid of this attack, deploy DNSSEC on your domain.
>
> I most likely would have configured my internal domain with DNSSEC,
> but the DNSSEC trust anchors got deleted when tunnel went down, and
> when it reverts to external DNS that might or might not be signed
> depending whether the top level domain or service provider you are
> using supports DNSSEC.

If you are in a split view, we can't really retain the DNS cache. When the
split goes away you would not be able to reach these. For example,
bugzilla.redhat.com has an internal and external IP. If the DNS cache is
retained, when my VPN goes down, I can no longer connect to bugzilla.

So I think my use case trumps your use case because you should just
sign your external DNS too :P

>>> Perhaps we should keep the mappings for some time, just in case the
>>> connection comes back few seconds later when the vpn reconnects...
>>
>> I switch regularly from redhat.com to public, and that would really
>> cause me problems. It is really important to wipe all the now
>> unreachable cached DNS data.
>>
>> If you wish to stall for a few seconds, I'd recommend you would be
>> dropping the DNS packets instead of lingering old state, and I would
>> say that is a pure local implementation issue and shouldn't go into
>> the RFC.
>
> But the MUST delete DNS forwarding etc will not allow me to do that.

That's semantics :P

If you linger the Child SA, you haven't torn it down yet, so you can
also leave your DNS entries.

Paul
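As an added illustration (not code from the draft or from either author's implementation), the Python model below ties internal-domain forwarding, DNSSEC trust anchors and cached answers to the Child SA's lifecycle: on teardown the tunnel-derived cache entries and anchors are flushed, as Paul argues, while a lingering Child SA keeps them. The domain names, addresses and trust-anchor value are constructed placeholders.

```python
"""Constructed model of a split-DNS client across a VPN tunnel's lifecycle.

Hosts such as the thread's bugzilla example have different internal and
external addresses, so answers learned through the tunnel must not outlive
it.  A 'lingering' Child SA means the tunnel is not torn down yet, so the
forwarding state, trust anchors and cache may stay until it really goes.
"""
from dataclasses import dataclass, field

# Constructed views (RFC 5737 documentation addresses, placeholder names).
INTERNAL_VIEW = {"bugzilla.example.com": "192.0.2.10", "mail.example.com": "192.0.2.25"}
EXTERNAL_VIEW = {"bugzilla.example.com": "198.51.100.10", "mail.example.com": "198.51.100.25"}


@dataclass
class SplitDnsClient:
    internal_domains: set = field(default_factory=set)  # domains forwarded via the tunnel
    trust_anchors: dict = field(default_factory=dict)   # domain -> anchor pushed by the VPN
    cache: dict = field(default_factory=dict)           # name -> (address, learned_via_tunnel)
    child_sa_up: bool = False

    def tunnel_up(self, domains, anchors):
        """Child SA established: install forwarding domains and their trust anchors."""
        self.child_sa_up = True
        self.internal_domains |= set(domains)
        self.trust_anchors.update(anchors)

    def tunnel_down(self, linger=False):
        """Tear down; unless the Child SA lingers, drop every tunnel-derived state."""
        if linger:
            return  # SA not gone yet, so forwarding, anchors and cache remain valid
        self.child_sa_up = False
        self.cache = {n: v for n, v in self.cache.items() if not v[1]}  # keep external answers
        self.trust_anchors.clear()
        self.internal_domains.clear()

    def _is_internal(self, name):
        return any(name == d or name.endswith("." + d) for d in self.internal_domains)

    def has_trust_anchor(self, name):
        """True when a tunnel-installed anchor covers the name (DNSSEC validation possible)."""
        return any(name == d or name.endswith("." + d) for d in self.trust_anchors)

    def resolve(self, name):
        """Answer from cache, else from the internal view if forwarded, otherwise external."""
        if name in self.cache:
            return self.cache[name][0]
        via_tunnel = self.child_sa_up and self._is_internal(name)
        addr = (INTERNAL_VIEW if via_tunnel else EXTERNAL_VIEW)[name]
        self.cache[name] = (addr, via_tunnel)
        return addr
```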