Re: [mif] AD review of draft-ietf-mif-current-practices
Ted Lemon <Ted.Lemon@nominum.com> Mon, 28 March 2011 15:23 UTC
From: Ted Lemon <Ted.Lemon@nominum.com>
To: Jari Arkko <jari.arkko@piuha.net>
Date: Mon, 28 Mar 2011 15:24:45 +0000
Cc: "draft-ietf-mif-current-practices@tools.ietf.org" <draft-ietf-mif-current-practices@tools.ietf.org>, mif <mif@ietf.org>

FYI, this is a rough approximation of the text I would want to add:

4.1a. DNS resolution issues with captive portals

A MIF node (M1) has an active interface (I1) connected to a network (N1) which has its DNS server (S1) and another active interface (I2) connected to a network (N2) which has its DNS server (S2). S1 is configured to respond to any A or AAAA record query with the IP address of a captive portal, so as to redirect web browsers to an access control portal web page. Any of the following situations may occur:

1. M1 stack, based on its routing table, uses I2 to reach S1 to resolve "a.example.com". M1 never reaches S1. The name is not resolved.

2. M1 keeps only one set of DNS server addresses from the received configuration objects and kept S2 address. M1 sends the forward DNS query for a.example.com to S2. S2 responds with the correct answer, R1. M1 attempts to contact R1 by way of I1. The connection fails. Or, the connection succeeds, bypassing the security policy on N1, possibly exposing the owner of M1 to prosecution.

3. M1 keeps only one set of DNS server addresses from the received configuration objects and kept S1 address. M1 sends the DNS query for a.example.com to S1. S1 provides the address of its captive portal. S1 attempts to contact this IP address using I1. The application tries to connect to the wrong destination node, resulting in lack of service and possible security issues.

4. M1 has resolved an FQDN to the IP address of the captive portal connected to N1. If the node loses connection to N1, the node may try to connect, via N2, to the same IP address as earlier, but as the address was only locally valid, connection setup fails.
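
The four situations above, modelled as a small offline simulation (an added example, not part of the original message or of the draft). The addresses, the rule that each DNS server is reachable only through its own interface, and all function names are assumptions of this example.

```python
# Added illustration; addresses and reachability rules are constructed assumptions.
PORTAL_IP = "192.0.2.1"    # constructed: captive portal address, valid only on N1
R1 = "198.51.100.7"        # constructed: real address of a.example.com

# interface -> (network, DNS server, captive?)
IFACES = {"I1": ("N1", "S1", True), "I2": ("N2", "S2", False)}
SERVER_IFACE = {srv: ifc for ifc, (_, srv, _) in IFACES.items()}


def query(server, via_iface):
    """Answer for a.example.com, or None when the server is unreachable.

    Assumption: each DNS server is reachable only through its own network.
    """
    if SERVER_IFACE[server] != via_iface:
        return None
    captive = IFACES[via_iface][2]
    return PORTAL_IP if captive else R1


def connect(addr, via_iface):
    """Classify what happens when M1 opens a connection to addr over via_iface."""
    network, _, captive = IFACES[via_iface]
    if addr == PORTAL_IP:
        if captive:
            return "wrong destination: captive portal"
        return "fails: portal address not valid on " + network
    if captive:
        return "fails, or bypasses " + network + " policy"
    return "reaches R1"


def outcome(server, dns_iface, conn_iface):
    """Resolve via (server, dns_iface), then connect over conn_iface."""
    addr = query(server, dns_iface)
    if addr is None:
        return "name not resolved"
    return connect(addr, conn_iface)


def situations():
    """The four numbered situations from the message, plus one matched baseline."""
    return {
        1: outcome("S1", "I2", "I1"),   # query for S1 routed out of I2
        2: outcome("S2", "I2", "I1"),   # answer from S2, connection over I1
        3: outcome("S1", "I1", "I1"),   # answer from S1 is the portal address
        4: outcome("S1", "I1", "I2"),   # cached portal address reused over N2
        "S2 via I2 only": outcome("S2", "I2", "I2"),
    }
```

Only the baseline row, where the resolver and the connection both use I2, reaches R1; every numbered situation ends in one of the failures listed in the message.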