Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 21 November 2018 16:53 UTC

From: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LFD.2.21.1811211125050.8764@redeye.mimosa.com>
Date: Wed, 21 Nov 2018 23:53:20 +0700
Cc: ipsec@ietf.org
Message-Id: <4AC115F8-50E1-48D7-84FA-0177F7B06A45@nohats.ca>
References: <154275299932.29937.5149382512933072864.idtracker@ietfa.amsl.com> <25704.1542816043@localhost> <alpine.LFD.2.21.1811211125050.8764@redeye.mimosa.com>
To: "D. Hugh Redelmeier" <hugh@mimosa.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/X_c_s7b1v9bRtQXh7ci0J81w1Dc>
Subject: Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)


> On Nov 21, 2018, at 23:40, D. Hugh Redelmeier <hugh@mimosa.com> wrote:
> 
> VPN providers should not provide software to their clients.  That's a
> bug and should not be encouraged by the committee.

And you can see the security nightmare it causes in the Android Play Store, with zillions of (un?)modified OpenVPN builds where no one knows exactly what the code does.

Whereas with Apple, the VPN apps provide a custom UI to the user, but it is all using the system's IKE/IPsec stack, and the standard VPN information tools of the OS can be used to see what the VPN configuration is (currently not for the DNS settings, but a bug report has been verbally submitted for this a while ago :)


> The point of a standard is that any IPsec implementation should be
> able to connect with any other IPsec implementation.  The default
> provider of VPN software ought to be the provider of the OS for the
> client's machine.

+1

>  The client should be able to choose any conformant 
> implementation.

For open-source-based solutions, sure. For proprietary devices I would hope they just ship with only one implementation.

> I admit that we have failed to make interop easy
> and normal, but that's where we should be heading.

It is getting much better compared to what we had for IKEv1 (with PFS and rekey issues being the main thing I see going wrong).

Paul