Re: [IPsec] draft-pauly-ipsecme-split-dns

Nico Williams <nico@cryptonector.com> Tue, 19 June 2018 23:01 UTC

Date: Tue, 19 Jun 2018 18:01:50 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Wouters <paul@nohats.ca>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
Message-ID: <20180619230148.GE4218@localhost>
References: <alpine.LRH.2.21.1806181702230.13143@bofh.nohats.ca> <CABcZeBOa8qMhDyCMzPTAtUBZTYPGehrhPrr6h4cVCjP4QZ1+Ew@mail.gmail.com> <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca> <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com> <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca> <CABcZeBN2HwiwVzAUjyZU+Q+toFM2jOKHD9xmKwM1V5qhUoULEQ@mail.gmail.com> <20180619183459.GC4218@localhost> <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com> <20180619224651.GD4218@localhost> <CABcZeBObub+rYYURt9SSumYqqWGxDMqhOG64oA+979n=mduXMw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/rmzCgOnsBmsv0X_izgGX6HiWyG8>

On Tue, Jun 19, 2018 at 03:51:55PM -0700, Eric Rescorla wrote:
> On Tue, Jun 19, 2018 at 3:46 PM, Nico Williams <nico@cryptonector.com> wrote:
> > On Tue, Jun 19, 2018 at 12:26:10PM -0700, Eric Rescorla wrote:
> > > On Tue, Jun 19, 2018 at 11:34 AM, Nico Williams <nico@cryptonector.com> wrote:
> > > > The I-D should say that clients MUST allow local configuration of what
> > > > domains to accept trust anchors for, and SHOULD allow local policy to
> > > > list . as a domain for which to accept trust anchors.
> > >
> > > The ID can say that, but as a practical matter, any enterprise that has
> > > a reasonable number of internal domains is just going to tell people
> > > to configure their client to accept any domain name.
> >
> > And what's the problem with that?
> >
> > If it's your own device you might balk, so get your employer to provide
> > you with theirs.  Or just accept it as part of the employment deal.
> 
> Again, right now I'm just trying to establish the facts of the matter.
> Do you agree this is going to be a common scenario?

I don't know what the antecedent of "this" is in your question.  If you
mean that BYODs will have to accept policies users don't want, well,
that's pretty much true anyways (e.g., you have to accept proxy
configurations that can and _will_ MITM you).

For public VPNs (that the user pays for) the user will want the client
to accept TAs for no domain.  For private VPNs the user will generally
not really have a choice.

I don't think there's a question of what is a common scenario, but of
what the I-D should say.  It should say that with these TAs the SG can
MITM DNSSEC and DNSSEC-based security technologies like DANE, and it
should say that clients MUST be able to configure a list of domains for
which they'll accept TAs.  And that should be sufficient to handle your
concern.

Are you objecting to the I-D altogether -- objecting to the feature it
adds -- or asking what the I-D should say about your concern?

Objecting to enterprise features would be fair, though I don't think the
IETF rejects enterprise features, nor should it.

Nico
--
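The client-side check discussed in this message, as an added example that is not code from the thread, from the draft, or from any IKEv2 implementation: a filter that accepts DNSSEC trust anchors pushed by a VPN security gateway only for domains the client has been locally configured to accept, with "." in the local policy meaning "any domain", and an empty policy (the public-VPN case) rejecting everything. The record shape, the policy format and the sample trust anchors are assumptions made for illustration; the digests are constructed, not real keys.

```python
"""
Local-policy filter for DNSSEC trust anchors (TAs) pushed over a VPN.

Added example, not the draft's wire format: the PushedTA shape and the
policy list are assumptions chosen to illustrate the check.
"""
from dataclasses import dataclass
from typing import Iterable


def _labels(name: str) -> tuple[str, ...]:
    """Normalise a DNS name to lowercase labels; "." and "" are the root."""
    name = name.strip().lower().rstrip(".")
    if not name:
        return ()
    labels = tuple(name.split("."))
    if any(not label for label in labels):
        raise ValueError(f"malformed domain name: {name!r}")
    return labels


def domain_covered(domain: str, policy_domain: str) -> bool:
    """True if `domain` equals `policy_domain` or sits beneath it.

    Matching is label-wise, not a string suffix test, so a policy entry
    for "example.com" does not accidentally cover "notexample.com".
    A policy entry of "." (the root) covers every domain.
    """
    d, p = _labels(domain), _labels(policy_domain)
    if not p:
        return True
    return len(d) >= len(p) and d[-len(p):] == p


@dataclass(frozen=True)
class PushedTA:
    """A trust anchor the gateway asks the client to install (assumed shape)."""
    domain: str        # domain the gateway claims this TA is authoritative for
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def filter_trust_anchors(
    pushed: Iterable[PushedTA], accepted_domains: Iterable[str]
) -> tuple[list[PushedTA], list[PushedTA]]:
    """Split pushed TAs into (accepted, rejected) according to local policy.

    A TA is accepted only if its domain is covered by some locally
    configured entry.  An empty policy rejects every TA, which is what a
    user of a paid public VPN would want; "." accepts all of them, which
    lets the gateway override DNSSEC validation for every name.
    """
    policy = [p for p in accepted_domains]
    accepted: list[PushedTA] = []
    rejected: list[PushedTA] = []
    for ta in pushed:
        ok = any(domain_covered(ta.domain, p) for p in policy)
        (accepted if ok else rejected).append(ta)
    return accepted, rejected


# Constructed sample input (dummy digests, not real DS records).
SAMPLE_PUSHED = [
    PushedTA("example.com", 12345, 13, 2, "ab" * 32),
    PushedTA("corp.example.com", 23456, 13, 2, "cd" * 32),
    PushedTA("notexample.com", 34567, 13, 2, "ef" * 32),
    PushedTA("partner.example.net", 45678, 13, 2, "01" * 32),
]


if __name__ == "__main__":
    for policy in (["example.com"], ["."], []):
        acc, rej = filter_trust_anchors(SAMPLE_PUSHED, policy)
        print(f"policy={policy!r}")
        print("  accepted:", [t.domain for t in acc])
        print("  rejected:", [t.domain for t in rej])
```

With the policy `["example.com"]` the filter keeps the TAs for `example.com` and `corp.example.com` and drops `notexample.com` and `partner.example.net`; with `["."]` everything is kept, and with an empty list nothing is. The label-wise comparison is the part worth copying: a plain `endswith` check is the usual way this kind of allow-list goes wrong.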