Re: [mif] Comments on draft-ietf-mif-dns-server-selection-01
<teemu.savolainen@nokia.com> Tue, 29 March 2011 07:45 UTC
Return-Path: <teemu.savolainen@nokia.com>
X-Original-To: mif@core3.amsl.com
Delivered-To: mif@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9FAA63A68BA for <mif@core3.amsl.com>; Tue, 29 Mar 2011 00:45:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.706
X-Spam-Level:
X-Spam-Status: No, score=-2.706 tagged_above=-999 required=5 tests=[AWL=-0.107, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jVYfenGFgjAk for <mif@core3.amsl.com>; Tue, 29 Mar 2011 00:45:52 -0700 (PDT)
Received: from mgw-sa02.nokia.com (smtp.nokia.com [147.243.1.48]) by core3.amsl.com (Postfix) with ESMTP id D83EF3A6A83 for <mif@ietf.org>; Tue, 29 Mar 2011 00:45:51 -0700 (PDT)
Received: from vaebh106.NOE.Nokia.com (vaebh106.europe.nokia.com [10.160.244.32]) by mgw-sa02.nokia.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p2T7lSfN001050; Tue, 29 Mar 2011 10:47:28 +0300
Received: from smtp.mgd.nokia.com ([65.54.30.6]) by vaebh106.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 29 Mar 2011 10:47:20 +0300
Received: from 008-AM1MMR1-004.mgdnok.nokia.com (65.54.30.59) by NOK-am1MHUB-02.mgdnok.nokia.com (65.54.30.6) with Microsoft SMTP Server (TLS) id 8.2.255.0; Tue, 29 Mar 2011 09:47:20 +0200
Received: from 008-AM1MPN1-036.mgdnok.nokia.com ([169.254.6.195]) by 008-AM1MMR1-004.mgdnok.nokia.com ([65.54.30.59]) with mapi id 14.01.0270.002; Tue, 29 Mar 2011 09:47:19 +0200
From: teemu.savolainen@nokia.com
To: Ted.Lemon@nominum.com
Thread-Topic: [mif] Comments on draft-ietf-mif-dns-server-selection-01
Thread-Index: AQHL7T2VVgIU2Jh5UkG+cybp2+5g35RDR9gwgAB2gwCAACvaoA==
Date: Tue, 29 Mar 2011 07:47:18 +0000
Message-ID: <916CE6CF87173740BC8A2CE443096962016624@008-AM1MPN1-036.mgdnok.nokia.com>
References: <20110328114453.GD85777@crankycanuck.ca>, <916CE6CF87173740BC8A2CE44309696201647D@008-AM1MPN1-036.mgdnok.nokia.com> <EA8E2993-CEB7-45E9-B573-4140F5560A55@nominum.com>
In-Reply-To: <EA8E2993-CEB7-45E9-B573-4140F5560A55@nominum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.162.70.248]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 29 Mar 2011 07:47:20.0434 (UTC) FILETIME=[888BAD20:01CBEDE5]
X-Nokia-AV: Clean
Cc: mif@ietf.org
Subject: Re: [mif] Comments on draft-ietf-mif-dns-server-selection-01
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2011 07:45:53 -0000
Then maybe something like (slight modification): -- A node MAY request and accept OPTION_DNS_SERVER_SELECT in any of the following four cases. In other cases the node MUST NOT request or accept OPTION_DNS_SERVER_SELECT unless the node is specifically configured to do so. 1. The server selection option is delivered across a secure, trusted channel. 2. The server selection option is not secured, but the client on a node does DNSSEC validation. 3. The server selection option is not secured, the resolver does DNSSEC validation, and the client communicates with the resolver configured with server selection option over a secure, trusted channel. 4. The DNS server IP address that is being recommended in the server selection option is known and trusted by the client; that is, the server selection option serves not to introduce the client to a new server, but rather to inform it that a server it has already been configured to trust is available to it for resolving certain domains. -- Where the case 4 could happen? When the trusted DNS server address is configured via some secure channel (e.g. administratively)? The cellular interface (handset to first hop router) is AFAIK considered cryptographically secure. But anyhow, decision whether a channel is secure enough or not needs to be done case by case (e.g. by 3GPP(2), WiMAX Forum, BBF...). Best regards, Teemu > -----Original Message----- > From: ext Ted Lemon [mailto:Ted.Lemon@nominum.com] > Sent: 29. maaliskuuta 2011 08:48 > To: Savolainen Teemu (Nokia-MS/Tampere) > Cc: ajs@shinkuro.com; mif@ietf.org > Subject: Re: [mif] Comments on draft-ietf-mif-dns-server-selection-01 > > On Mar 29, 2011, at 12:29 AM, "teemu.savolainen@nokia.com" > <teemu.savolainen@nokia.com> wrote: > > I think there are four cases to consider here: > > 1. The server selection option is delivered across a secure, trusted > channel. > 2. The server selection option is not secure, but the client does > DNSSEC validation. > 3. The server selection option is not secure, the resolver does DNSSEC > validation, and the client communicates with the resolver over a > secure, trusted channel. > 4. The DNS server IP address that is being recommended in the server > selection option is known and trusted by the client; that is, the > server selection option serves not to introduce the client to a new > server, but rather to inform it that a server it has already been > configured to trust is available to it for resolving certain domains. > > I think any use of the server selection option that falls outside of > these four cases should be excluded. By excluding such cases, we > eliminate the possibility that the server selection option can be used > to initiate an attack that could not be initiated without it. > > I think that trusting the cell provider connection is something that > needs to be thought through carefully. It may in fact be okay to do > so. But it depends on that channel being both secure and trusted, not > just trusted. In DHCP it's somewhat traditional to trust provider > channels even though they aren't cryptographically secure, and we get > away with this because they are in fact in secure locations, and the > information we're trusting isn't that sensitive. But those two > rationalizations don't apply here--cell service is done by radio, and > hence not in a secure location, and the information we propose to trust > is in fact quite sensitive.
- [mif] Comments on draft-ietf-mif-dns-server-selec… Andrew Sullivan
- Re: [mif] Comments on draft-ietf-mif-dns-server-s… teemu.savolainen
- Re: [mif] Comments on draft-ietf-mif-dns-server-s… Ted Lemon
- Re: [mif] Comments on draft-ietf-mif-dns-server-s… teemu.savolainen
- Re: [mif] Comments on draft-ietf-mif-dns-server-s… Ted Lemon
- Re: [mif] Comments on draft-ietf-mif-dns-server-s… Andrew Sullivan