Re: [mif] AD review of draft-ietf-mif-current-practices

Ted Lemon <Ted.Lemon@nominum.com> Mon, 28 March 2011 15:23 UTC

From: Ted Lemon <Ted.Lemon@nominum.com>
To: Jari Arkko <jari.arkko@piuha.net>
Date: Mon, 28 Mar 2011 15:24:45 +0000
Message-ID: <8D91C7B0-190C-4C82-868A-CA0507F9C09B@nominum.com>
References: <4D90926D.3030700@piuha.net>
In-Reply-To: <4D90926D.3030700@piuha.net>
Cc: "draft-ietf-mif-current-practices@tools.ietf.org" <draft-ietf-mif-current-practices@tools.ietf.org>, mif <mif@ietf.org>
Subject: Re: [mif] AD review of draft-ietf-mif-current-practices

FYI, this is a rough approximation of the text I would want to add:

4.1a.  DNS resolution issues with captive portals

   A MIF node (M1) has an active interface (I1) connected to a network
   (N1) which has its DNS server (S1) and another active interface
   (I2) connected to a network (N2) which has its DNS server (S2).  S1
   is configured to respond to any A or AAAA record query with the
   IP address of a captive portal, so as to redirect web browsers to an
   access control portal web page.  Any of the following situations
   may occur:

   1.  M1 stack, based on its routing table, uses I2 to reach S1 to
       resolve "a.example.com".  M1 never reaches S1.  The name
       is not resolved.
   2.  M1 keeps only one set of DNS server addresses from the received
       configuration objects and kept the S2 address.  M1 sends the
       forward DNS query for a.example.com to S2.  S2 responds with the
       correct answer, R1.  M1 attempts to contact R1 by way of I1.
       The connection fails.  Or, the connection succeeds,
       bypassing the security policy on N1, possibly exposing the
       owner of M1 to prosecution.
   3.  M1 keeps only one set of DNS server addresses from the received
       configuration objects and kept the S1 address.  M1 sends the DNS
       query for a.example.com to S1.  S1 provides the address of its
       captive portal.  S1 attempts to contact this IP address using
       I1.  The application tries to connect to the wrong destination
       node, resulting in lack of service and possible security issues.
   4.  M1 has resolved an FQDN to the IP address of the captive portal
       connected to N1.  If the node loses connection to N1, the node
       may try to connect, via N2, to the same IP address as earlier,
       but as the address was only locally valid, connection setup
       fails.
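The four cases above as a small Python model (an added example, not text or code from the draft or from the message). The topology, the resolver behaviour and every address are constructed for the script: S1 is assumed to be off-link on N1 with the default route on I2 (which is what misroutes the S1 query in case 1), the portal address is assumed to be on-link on N1 (which is why it stops working once I1 is gone in case 4), and no real DNS traffic is sent. It also shows two checks the node can apply: a probe that flags a resolver answering every name with one address (case 3), and a guard that refuses to reuse an answer on an interface other than the one it was learned on (case 4).

```python
"""Per-interface DNS resolution on a multiple-interface (MIF) node where
one network runs a captive portal.  Added example; all hosts, prefixes
and answers are constructed so the script runs offline."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import ipaddress


@dataclass
class Resolver:
    """Stub DNS server.  A captive-portal resolver (S1) answers every A
    query with the portal address; an honest one (S2) answers from a zone."""
    name: str
    address: str
    zone: Dict[str, str] = field(default_factory=dict)
    portal_ip: Optional[str] = None

    def query_a(self, fqdn: str) -> Optional[str]:
        if self.portal_ip is not None:
            return self.portal_ip
        return self.zone.get(fqdn)


@dataclass
class Interface:
    name: str
    prefix: ipaddress.IPv4Network  # on-link prefix of the attached network
    resolver: Resolver             # DNS server learned on this interface


class MifNode:
    def __init__(self, interfaces, default_iface: str):
        self.ifaces = {i.name: i for i in interfaces}
        self.default = default_iface

    def egress_for(self, dst: str) -> Interface:
        """Routing-table lookup: a matching on-link prefix wins, anything
        else leaves via the default interface (here I2)."""
        addr = ipaddress.ip_address(dst)
        for iface in self.ifaces.values():
            if addr in iface.prefix:
                return iface
        return self.ifaces[self.default]

    def resolve_global(self, fqdn: str, resolver: Resolver) -> Tuple[Optional[str], str]:
        """One node-wide resolver list: the query goes wherever the routing
        table sends it, not out of the interface the resolver was learned on."""
        learned_on = next(i for i in self.ifaces.values() if i.resolver is resolver)
        egress = self.egress_for(resolver.address)
        if egress is not learned_on:
            return None, f"query to {resolver.name} misrouted via {egress.name}"
        return resolver.query_a(fqdn), learned_on.name

    def resolve_scoped(self, fqdn: str, iface_name: str) -> Tuple[Optional[str], str]:
        """Per-interface resolution: ask the resolver learned on that
        interface, send the query out of it, tag the answer with it."""
        iface = self.ifaces[iface_name]
        return iface.resolver.query_a(fqdn), iface.name


def looks_captive(resolver: Resolver, probes) -> bool:
    """Case 3 heuristic: unrelated names all mapping to a single address."""
    answers = {resolver.query_a(p) for p in probes}
    return len(answers) == 1 and None not in answers


def answer_usable_via(node: MifNode, answer_ip: str, answer_iface: str) -> bool:
    """Case 4 guard: trust an answer only on the interface it came from."""
    return answer_iface in node.ifaces and node.egress_for(answer_ip).name == answer_iface


def build_node() -> Tuple[MifNode, Resolver, Resolver]:
    # Constructed topology (assumption): S1 off-link on N1, portal on-link
    # on N1, S2 off-link on N2, default route on I2.
    s1 = Resolver("S1", "192.0.2.53", portal_ip="10.1.0.1")
    s2 = Resolver("S2", "203.0.113.53", zone={"a.example.com": "203.0.113.10"})
    i1 = Interface("I1", ipaddress.ip_network("10.1.0.0/24"), s1)
    i2 = Interface("I2", ipaddress.ip_network("198.51.100.0/24"), s2)
    return MifNode([i1, i2], default_iface="I2"), s1, s2


def demo() -> Dict[str, object]:
    node, s1, s2 = build_node()
    out: Dict[str, object] = {}
    out["case1"] = node.resolve_global("a.example.com", s1)   # S1 never reached
    out["case2"] = node.resolve_global("a.example.com", s2)   # correct R1, via N2
    out["case3"] = node.resolve_scoped("a.example.com", "I1")  # portal address
    out["case3_captive"] = looks_captive(s1, ["a.example.com", "b.example.net"])
    out["case3_honest"] = looks_captive(s2, ["a.example.com", "b.example.net"])
    portal_ip, came_from = out["case3"]
    out["case4_before"] = answer_usable_via(node, portal_ip, came_from)
    del node.ifaces["I1"]                                      # M1 loses N1
    out["case4_after"] = answer_usable_via(node, portal_ip, came_from)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows case 1 failing with the misrouting message, case 2 returning R1 over I2, case 3 returning the portal address with the probe flagging S1 (and not S2), and the case 4 guard accepting the portal address while I1 is up and rejecting it once I1 is gone.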