Re: [IPsec] TR: New Version Notification for draft-btw-add-ipsecme-ike-01.txt
Paul Wouters <paul@nohats.ca> Thu, 10 September 2020 14:36 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA03B3A0B91; Thu, 10 Sep 2020 07:36:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qcgHs-XOv4AP; Thu, 10 Sep 2020 07:36:42 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D2E43A0B90; Thu, 10 Sep 2020 07:36:42 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4BnM085kMrzF1G; Thu, 10 Sep 2020 16:36:40 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1599748600; bh=0KeTUfUQSFcQG5Ns4OdK05Pt5LROs62ixoSUbd9Vf5Y=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=P7hye8pwg6aSUxrKh+CHjx4DPimn9S44/RxlbD/ORKcXOIwmijTlqKiozeyqIJpyd 7PGN6AJE9zatJqRiTzC30lKLn+rYn0YxXV8joCPhh5hmehSQjDSHCTwM5l//2gODW4 eooP70tI39hdXlpeE1crhpvl9q+985dSjORVzWvg=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id hb-1EkXIJB10; Thu, 10 Sep 2020 16:36:38 +0200 (CEST)
Received: from bofh.nohats.ca (unknown [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 10 Sep 2020 16:36:38 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 343216020F63; Thu, 10 Sep 2020 10:36:36 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 32E22669F1; Thu, 10 Sep 2020 10:36:36 -0400 (EDT)
Date: Thu, 10 Sep 2020 10:36:36 -0400
From: Paul Wouters <paul@nohats.ca>
To: mohamed.boucadair@orange.com
cc: "ipsec@ietf.org" <ipsec@ietf.org>, "draft-btw-add-ipsecme-ike@ietf.org" <draft-btw-add-ipsecme-ike@ietf.org>
In-Reply-To: <24155_1599723204_5F59D6C4_24155_339_53_787AE7BB302AE849A7480A190F8B93303153E1B7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Message-ID: <alpine.LRH.2.23.451.2009101023040.1041967@bofh.nohats.ca>
References: <159965296544.28196.15433560776696094354@ietfa.amsl.com> <24155_1599723204_5F59D6C4_24155_339_53_787AE7BB302AE849A7480A190F8B93303153E1B7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/WNXxhZdPnZTPKI02fftNcW8P7gg>
Subject: Re: [IPsec] TR: New Version Notification for draft-btw-add-ipsecme-ike-01.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 14:36:45 -0000
On Thu, 10 Sep 2020, mohamed.boucadair@orange.com wrote: > We updated the draft to take into account the comments raised during the last IETF meeting. Instead of multiplexing the attributes, we simplified the design so that types are assigned to each encrypted DNS type (DoT, DoH, DoQ). Why is this using a seperate CP payload type per encrypted DNS type? This means that for a DNS server supporting DoT, DoH and DoQ, it needs to send 3 separate payloads. Why not send 1 CP payload that contains a bitmask specifying which services it supports? The only reason I can think of for this choice is because these might be running on non-standard ports, but I think that reason is rather weak. DoT and DoQ will run on standard defines ports and DoH's protocol aims at blending in as web traffic so it really is only getting deployed on port 443. So if I build a single server that can do unencrypted and all encrypted flavours, I'd prefer to send and receive just 1 CP payload covering everything. We _could_ leave the port there for non-standard ports, but then we should add a specific port attribute for each bitmask entry. But honestly, the whole non-default port part seems like overengineering. For those who care a lot about minimizing bytes exchanged over IKE, my above proposal would save a lot of bytes. I would also like to see more clarification about split-DNS and how a list of domains is conveyed via IKE as the only domains to be resolved via the given encrypted DNS servers. I would like to see something in the Security Considerations about handing out well known non-VPN reachable encrypted DNS servers. Eg I'd like to avoid that this document can instruct VPN users to use DoT at 8.8.8.8 if it is not going to offer a VPN that covers 8.8.8.8. If we don't do this, then VPN profiles might end up abusing/redirecting users without offering any actual VPN service - like overriding the system or application specific configuration without offering actual VPN servers to the user. I'm also considered about possive abuse by the specification of the authentication domain name. Eg a VPN provider setting up a tunnel covering 1.1.1.1 (dns.cloudflare.com) with an authentication name of "dns.google.com" and basically redirecting all 1.1.1.1 traffic over the VPN to 8.8.8.8. Paul > Please review and share your comments. > > Thank you. > > Cheers, > Med > > -----Message d'origine----- > De : internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] > Envoyé : mercredi 9 septembre 2020 14:03 > À : Dan Wing <dwing-ietf@fuggles.com>; Valery Smyslov <svan@elvis.ru>; BOUCADAIR Mohamed TGI/OLN <mohamed.boucadair@orange.com>; Tirumaleswar Reddy.K <tirumaleswarreddy_konda@mcafee.com>; Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> > Objet : New Version Notification for draft-btw-add-ipsecme-ike-01.txt > > > A new version of I-D, draft-btw-add-ipsecme-ike-01.txt has been successfully submitted by Mohamed Boucadair and posted to the IETF repository. > > Name: draft-btw-add-ipsecme-ike > Revision: 01 > Title: Internet Key Exchange Protocol Version 2 (IKEv2) Configuration for Encrypted DNS > Document date: 2020-09-09 > Group: Individual Submission > Pages: 11 > URL: https://www.ietf.org/id/draft-btw-add-ipsecme-ike-01.txt > Status: https://datatracker.ietf.org/doc/draft-btw-add-ipsecme-ike/ > Htmlized: https://datatracker.ietf.org/doc/html/draft-btw-add-ipsecme-ike > Htmlized: https://tools.ietf.org/html/draft-btw-add-ipsecme-ike-01 > Diff: https://www.ietf.org/rfcdiff?url2=draft-btw-add-ipsecme-ike-01 > > Abstract: > This document specifies a new Internet Key Exchange Protocol Version > 2 (IKEv2) Configuration Payload Attribute Types for encrypted DNS > with a focus on DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS- > over-QUIC (DoQ). > > > > > Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > > _________________________________________________________________________________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. > Thank you. > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] TR: New Version Notification for draft-bt… mohamed.boucadair
- Re: [IPsec] TR: New Version Notification for draf… Paul Wouters
- Re: [IPsec] TR: New Version Notification for draf… mohamed.boucadair
- Re: [IPsec] TR: New Version Notification for draf… Valery Smyslov
- Re: [IPsec] TR: New Version Notification for draf… Benjamin Kaduk
- Re: [IPsec] TR: New Version Notification for draf… Paul Wouters
- Re: [IPsec] [***SPAM***] Re: TR: New Version Noti… Valery Smyslov
- Re: [IPsec] [***SPAM***] Re: TR: New Version Noti… Paul Wouters
- Re: [IPsec] [***SPAM***] Re: TR: New Version Noti… Tero Kivinen