Re: [IPsec] draft-pauly-ipsecme-split-dns

Nico Williams <nico@cryptonector.com> Tue, 19 June 2018 17:04 UTC

Date: Tue, 19 Jun 2018 12:04:33 -0500
From: Nico Williams <nico@cryptonector.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Eric Rescorla <ekr@rtfm.com>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
Message-ID: <20180619170432.GB4218@localhost>
References: <CABcZeBOi6BoBFdkq9iz6GPLR+f5SJ8uR68GFS0Lsd+1UvHcCvQ@mail.gmail.com> <alpine.LRH.2.21.1806181637240.22748@bofh.nohats.ca> <CABcZeBPZFswnn6zoK6h-Oiy8P1o5u-BVVExQSO48fxGWy1cwXQ@mail.gmail.com> <alpine.LRH.2.21.1806181644520.22748@bofh.nohats.ca> <CABcZeBPf6TEh3JtYwT7D6+90y40W7y_=Hx03xNzLxEuQM_YsLQ@mail.gmail.com> <alpine.LRH.2.21.1806181702230.13143@bofh.nohats.ca> <CABcZeBOa8qMhDyCMzPTAtUBZTYPGehrhPrr6h4cVCjP4QZ1+Ew@mail.gmail.com> <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca> <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com> <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/oxi1zObY0lAxV2g8MdiHqGfPO_8>

On Tue, Jun 19, 2018 at 12:40:55PM -0400, Paul Wouters wrote:
> On Tue, 19 Jun 2018, Eric Rescorla wrote:
> 
> >      Yes. You are the Enterprise customer. It's a feature.
> >
> >Not all enterprises who use VPNs want to run a MITM proxy.
> 
> So only specify INTERNAL_DNS_DOMAIN with "internal.example.com"
> and all TAs outside that domain would not be accepted by the client.

What the I-D has to say is that the VPN client MUST support local policy
for what domains it will accept TAs for from the SG.  This is far
simpler for the client than having to have local DNS configuration
including TAs for split-DNS.

A perfectly valid configuration would have the SG MITM all external DNS
too, thus sending the client only TAs for . [and possibly internal
domains if the client only wants those, but then the client will not be
able to use DNSSEC for external domains].  If the client doesn't want
this, then it mustn't use that SG.  In practice, for enterprises, the
client gets no choice, and may even be built, configured, maintained,
and provided by the enterprise.  This I-D would be useful if the
enterprise provides and maintains the VPN client: it makes it easier to
maintain clients by reducing the amount of configuration to update as
keys are rotated or policy changed.

This is just a matter of Security Considerations wordsmithing.

Nico
--
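The point argued in this message is that the client, not the SG, decides which trust anchors it installs: it applies local policy to whatever INTERNAL_DNS_DOMAIN / INTERNAL_DNSSEC_TA data the SG pushes, and a TA for "." only gets in if the client's own policy says so. The Python below is an added example of such an admission check; it is not from the draft, from anyone in this thread, or from any IKEv2 implementation. The DS-style TA fields, the rule that a TA must fall under a domain the SG also listed in INTERNAL_DNS_DOMAIN, the digest-length table, and all domain names, key tags and digests are assumptions constructed for the example.

```python
"""Constructed example: a VPN client deciding which DNSSEC trust anchors (TAs)
pushed by an IKEv2 security gateway (SG) to install, subject to local policy.
Not from the draft or any implementation; the admission rules are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels; the root ('.' or '') has none."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def is_within(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it; the root zone covers everything."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


@dataclass(frozen=True)
class TrustAnchor:
    """TA as the client would hold it after parsing INTERNAL_DNSSEC_TA.
    Fields are modelled on a DS record (assumption for this example)."""
    domain: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest_hex: str


# Digest length in bytes per DS digest type: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_LENGTHS = {1: 20, 2: 32, 4: 48}


@dataclass(frozen=True)
class LocalPolicy:
    """Hypothetical client-side policy: the only zones (and their subdomains)
    for which this client will accept TAs from the SG. A TA for '.' is admitted
    only if the operator listed '.' here explicitly."""
    accepted_domains: Tuple[str, ...]


def ta_is_well_formed(ta: TrustAnchor) -> bool:
    """Reject TAs whose DS data cannot be valid before any policy is consulted."""
    expected = DIGEST_LENGTHS.get(ta.digest_type)
    if expected is None or not 0 <= ta.key_tag <= 0xFFFF:
        return False
    try:
        digest = bytes.fromhex(ta.digest_hex)
    except ValueError:
        return False
    return len(digest) == expected


def admit_trust_anchors(
    internal_dns_domains: Iterable[str],
    offered: Iterable[TrustAnchor],
    policy: LocalPolicy,
) -> Tuple[List[TrustAnchor], List[Tuple[TrustAnchor, str]]]:
    """Return (installed, rejected-with-reason). Local policy is checked before
    the SG's own INTERNAL_DNS_DOMAIN list, so the client's decision comes first."""
    sg_domains = tuple(internal_dns_domains)
    installed: List[TrustAnchor] = []
    rejected: List[Tuple[TrustAnchor, str]] = []
    for ta in offered:
        if not ta_is_well_formed(ta):
            rejected.append((ta, "malformed DS data"))
        elif not any(is_within(ta.domain, d) for d in policy.accepted_domains):
            rejected.append((ta, "outside locally accepted domains"))
        # Assumption modelled here: a TA must be for a domain the SG also
        # announced via INTERNAL_DNS_DOMAIN (or a subdomain of one).
        elif not any(is_within(ta.domain, d) for d in sg_domains):
            rejected.append((ta, "not covered by any INTERNAL_DNS_DOMAIN"))
        else:
            installed.append(ta)
    return installed, rejected


# Constructed sample CFG_REPLY contents and a client policy (all values invented).
SG_DOMAINS = ("internal.example.com", "corp.example.net")
SG_TAS = (
    TrustAnchor("internal.example.com", 12345, 13, 2, "ab" * 32),  # admitted
    TrustAnchor("corp.example.net", 2222, 8, 2, "cd" * 32),        # SG lists it, client policy does not
    TrustAnchor("example.org", 3333, 13, 2, "ef" * 32),            # client allows it, SG never announced it
    TrustAnchor(".", 20326, 8, 2, "01" * 32),                      # root TA: SG wants to vouch for everything
    TrustAnchor("internal.example.com", 999, 13, 2, "zz"),         # digest is not hex
)
POLICY = LocalPolicy(accepted_domains=("internal.example.com", "example.org"))


def demo() -> Tuple[List[str], List[str]]:
    """Run the sample through the check; returns installed domains and rejection reasons."""
    installed, rejected = admit_trust_anchors(SG_DOMAINS, SG_TAS, POLICY)
    return [ta.domain for ta in installed], [reason for _, reason in rejected]


if __name__ == "__main__":
    print(demo())
```

Ordering the policy check ahead of the INTERNAL_DNS_DOMAIN check is the design choice that matches the argument above: whatever the SG announces, the client's configured list is the outer boundary, and widening it to "." is an explicit operator decision rather than something the SG can trigger by sending a root TA.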