Re: [IPsec] draft-pauly-ipsecme-split-dns

Eric Rescorla <ekr@rtfm.com> Tue, 19 June 2018 22:52 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 19 Jun 2018 15:51:55 -0700
Message-ID: <CABcZeBObub+rYYURt9SSumYqqWGxDMqhOG64oA+979n=mduXMw@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Paul Wouters <paul@nohats.ca>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/eqE3HN05z1AOgccrhURGu7yxFWg>

On Tue, Jun 19, 2018 at 3:46 PM, Nico Williams <nico@cryptonector.com>
wrote:

> On Tue, Jun 19, 2018 at 12:26:10PM -0700, Eric Rescorla wrote:
> > On Tue, Jun 19, 2018 at 11:34 AM, Nico Williams <nico@cryptonector.com>
> > wrote:
> > > The I-D should say that clients MUST allow local configuration of what
> > > domains to accept trust anchors for, and SHOULD allow local policy to
> > > list . as a domain for which to accept trust anchors.
> > >
> > > This local configuration should be per-SG.
> > >
> >
> > The ID can say that, but as a practical matter, any enterprise that has
> > a reasonable number of internal domains is just going to tell people
> > to configure their client to accept any domain name.
>
> And what's the problem with that?
>
> If it's your own device you might balk, so get your employer to provide
> you with theirs.  Or just accept it as part of the employment deal.
>

Again, right now I'm just trying to establish the facts of the matter. Do you agree this is going to be a common scenario?

-Ekr
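The thread is arguing about a client-side policy: which domains a VPN client should accept pushed DNSSEC trust anchors for, per security gateway, and what it means when local policy lists `.` (the root, i.e. "any domain"). The following is an added illustration written for this archive page; it is not code from the draft, from any participant, or from any IKE implementation. It assumes (nothing on the page fixes these details) that the gateway pushes a list of (domain, trust anchor) pairs, that local policy is a per-gateway allowlist of domain suffixes, and that `.` in that allowlist means "accept anchors for every name". The check matches on label boundaries, so `example.com` does not accidentally cover `notexample.com`, and it exposes an `is_wildcard()` audit hook so an operator can see which gateway profiles have been configured to accept everything, which is exactly the "just accept any domain" outcome Ekr is asking about.

```python
"""Per-gateway acceptance policy for pushed DNSSEC trust anchors.

Added example, not code from the draft or any implementation. Assumptions
(not stated on the page): anchors arrive as (domain, anchor) pairs, local
policy is a per-gateway suffix allowlist, and "." means "any domain".
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot; "." becomes ""."""
    return name.strip().lower().rstrip(".")


def in_domain(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a subdomain of it (label boundary)."""
    name, suffix = normalize(name), normalize(suffix)
    if suffix == "":  # "." (root) matches every name
        return True
    return name == suffix or name.endswith("." + suffix)


@dataclass
class GatewayPolicy:
    """Local policy for one security gateway (assumed per-SG, as in the thread)."""
    gateway_id: str
    accepted_domains: List[str] = field(default_factory=list)

    def accepts(self, domain: str) -> bool:
        return any(in_domain(domain, s) for s in self.accepted_domains)

    def is_wildcard(self) -> bool:
        """Audit aid: does this profile accept anchors for any domain at all?"""
        return any(normalize(s) == "" for s in self.accepted_domains)


def filter_trust_anchors(policy: GatewayPolicy,
                         pushed: List[Tuple[str, str]]
                         ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split pushed (domain, anchor) pairs into accepted and rejected lists."""
    accepted, rejected = [], []
    for domain, anchor in pushed:
        (accepted if policy.accepts(domain) else rejected).append((domain, anchor))
    return accepted, rejected


# Constructed sample input; anchor values are placeholders, not real DS data.
PUSHED = [
    ("example.com", "anchor-for-example-com"),
    ("internal.example.com", "anchor-for-internal"),
    ("example.org", "anchor-for-example-org"),
    (".", "anchor-for-root"),
]

NARROW = GatewayPolicy("vpn-1", ["example.com", "example.net"])
ANY_DOMAIN = GatewayPolicy("vpn-2", ["."])


def audit(policies: List[GatewayPolicy]) -> List[str]:
    """Return ids of gateway profiles configured to accept anchors for any domain."""
    return [p.gateway_id for p in policies if p.is_wildcard()]


if __name__ == "__main__":
    for pol in (NARROW, ANY_DOMAIN):
        acc, rej = filter_trust_anchors(pol, PUSHED)
        print(pol.gateway_id, "accepted:", [d for d, _ in acc],
              "rejected:", [d for d, _ in rej])
    print("wildcard profiles:", audit([NARROW, ANY_DOMAIN]))
```

With the narrow profile only the two `example.com` names get through; with `.` in the allowlist every pushed anchor, including one for the root itself, is accepted, so the `audit()` output is the list an operator would want to review.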