IETF Logo Mail Archive

Re: [IPsec] draft-pauly-ipsecme-split-dns

Paul Wouters <paul@nohats.ca> Tue, 19 June 2018 23:31 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25E11130E4B; Tue, 19 Jun 2018 16:31:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XlysoBMCpRmJ; Tue, 19 Jun 2018 16:31:32 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FA0C130FF5; Tue, 19 Jun 2018 16:31:32 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 419PNx67KTzB0t; Wed, 20 Jun 2018 01:31:29 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1529451089; bh=Xq59EqcrYl3m2ncSEcFUGDcMx/VwtDY/9Ur2xeejaZI=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=j28SyZb/S7h8KtV+m7N/ti71JXwGjYEyrT0RdcuUoJJSoq8tq1kjR7eqO7O1t5uuo zxfJfOV2w52S11OFEy9o1RQOGe2nAnSBMNfTGhRVB8xUWqi3Mci/t3k3r2Z6hW0hvb BjovpMqhqAEHqIeoPz6VMsxtIeGOdH4H+LxSn+h4=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id IZGsJA5cJqpH; Wed, 20 Jun 2018 01:31:26 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 20 Jun 2018 01:31:25 +0200 (CEST)
Received: from [193.111.228.72] (unknown [193.111.228.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id A9A5D4FB769; Tue, 19 Jun 2018 19:31:24 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca A9A5D4FB769
Content-Type: multipart/alternative; boundary="Apple-Mail-B1F72DC1-A1BD-4E9C-B731-AB4615A8A547"
Mime-Version: 1.0 (1.0)
From: Paul Wouters <paul@nohats.ca>
X-Mailer: iPhone Mail (15F79)
In-Reply-To: <20180619224651.GD4218@localhost>
Date: Tue, 19 Jun 2018 19:31:24 -0400
Cc: Eric Rescorla <ekr@rtfm.com>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
Content-Transfer-Encoding: 7bit
Message-Id: <3D85F03B-5D1B-4E74-AFA4-FF9419418FE5@nohats.ca>
References: <alpine.LRH.2.21.1806181644520.22748@bofh.nohats.ca> <CABcZeBPf6TEh3JtYwT7D6+90y40W7y_=Hx03xNzLxEuQM_YsLQ@mail.gmail.com> <alpine.LRH.2.21.1806181702230.13143@bofh.nohats.ca> <CABcZeBOa8qMhDyCMzPTAtUBZTYPGehrhPrr6h4cVCjP4QZ1+Ew@mail.gmail.com> <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca> <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com> <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca> <CABcZeBN2HwiwVzAUjyZU+Q+toFM2jOKHD9xmKwM1V5qhUoULEQ@mail.gmail.com> <20180619183459.GC4218@localhost> <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com> <20180619224651.GD4218@localhost>
To: Nico Williams <nico@cryptonector.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/d24blylUNqXjGWHMTmoJYHe0AKE>
Subject: Re: [IPsec] draft-pauly-ipsecme-split-dns
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2018 23:31:39 -0000

> On Jun 19, 2018, at 18:46, Nico Williams <nico@cryptonector.com> wrote:
> 
> 
> Because my VPN clients don't connect promiscuously.  I can't say no
> promiscuous VPN clients exist, but I imagine that none do.  And any
> promiscuous VPN clients get what they deserve.

Opportunistic IPsec exists and are “promiscuously”. And the draft opens the Security Considerations section with:

The use of Split DNS configurations assigned by an IKEv2 responder is predicated on the trust established during IKE SA authentication. However, if IKEv2 is being negotiated with an anonymous or unknown
endpoint (such as for Opportunistic Security [RFC7435]), the initiator MUST ignore Split DNS configurations assigned by the responder.

Paul

v2.23.0 | Report a Bug | By Email