IETF Logo Mail Archive

Re: [mif] Last Call for MIF DNS server selection document

<teemu.savolainen@nokia.com> Mon, 12 September 2011 08:06 UTC

Return-Path: <teemu.savolainen@nokia.com>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E2F021F848E; Mon, 12 Sep 2011 01:06:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.708
X-Spam-Level:
X-Spam-Status: No, score=-2.708 tagged_above=-999 required=5 tests=[AWL=-0.109, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7wDRY4wvaGlb; Mon, 12 Sep 2011 01:06:41 -0700 (PDT)
Received: from mgw-sa01.nokia.com (smtp.nokia.com [147.243.1.47]) by ietfa.amsl.com (Postfix) with ESMTP id 6660021F848D; Mon, 12 Sep 2011 01:06:38 -0700 (PDT)
Received: from vaebh106.NOE.Nokia.com (vaebh106.europe.nokia.com [10.160.244.32]) by mgw-sa01.nokia.com (Switch-3.4.4/Switch-3.4.3) with ESMTP id p8C88ait007247; Mon, 12 Sep 2011 11:08:37 +0300
Received: from smtp.mgd.nokia.com ([65.54.30.8]) by vaebh106.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Mon, 12 Sep 2011 11:08:32 +0300
Received: from 008-AM1MMR1-004.mgdnok.nokia.com (65.54.30.59) by NOK-AM1MHUB-04.mgdnok.nokia.com (65.54.30.8) with Microsoft SMTP Server (TLS) id 8.2.255.0; Mon, 12 Sep 2011 10:08:28 +0200
Received: from 008-AM1MPN1-032.mgdnok.nokia.com ([169.254.2.143]) by 008-AM1MMR1-004.mgdnok.nokia.com ([65.54.30.59]) with mapi id 14.01.0323.007; Mon, 12 Sep 2011 10:08:28 +0200
From: teemu.savolainen@nokia.com
To: brian.e.carpenter@gmail.com
Thread-Topic: [mif] Last Call for MIF DNS server selection document
Thread-Index: AQHMbdzsBHSQ8Tn9hkac95+LwFpGipVC/6HggADYVwCAABZPgIAAoquAgADZC4CAA/dpoA==
Date: Mon, 12 Sep 2011 08:08:27 +0000
Message-ID: <916CE6CF87173740BC8A2CE44309696202571A30@008-AM1MPN1-032.mgdnok.nokia.com>
References: <COL118-W599D9E8760C3E370077FC3B1140@phx.gbl> <4E683F9B.7020905@gmail.com> <916CE6CF87173740BC8A2CE4430969620256F33F@008-AM1MPN1-032.mgdnok.nokia.com> <4E692D62.5080902@gmail.com> <BFFE3312-4DE3-432D-8DC7-20987AB3E34A@network-heretics.com> <916CE6CF87173740BC8A2CE443096962025704BA@008-AM1MPN1-032.mgdnok.nokia.com> <4E6A7E9F.5070706@gmail.com>
In-Reply-To: <4E6A7E9F.5070706@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-tituslabs-classifications-30: TLPropertyRoot=Nokia; Confidentiality=Company Confidential; Project=None;
x-titus-version: 3.3.8.1
x-headerinfofordlp: None
x-tituslabs-classificationhash-30: VgNFIFU9Hx+/nZJb9Kg7IijnarCFufw93yGp9Kqg4VsreROV3oSoCKo4MAZQAlH7cl7QEYi2t0p8hTrsrklpyqBfRuV1a3TP5t4zLsal1WzFsT0mQwFWR/yRh3UhJztIIhyLXE7aj3YtN85Eqji4hyMU9zDnsRybCxak6t2mfbgLZX2mjzSIIHnDkgCjyHZFFOhfBqPd/c5FcvKdb64f0sgP1bp0Rng5aZTrafF1qFNxmzB3fX0dr0qbeG9YfeKCcsiZk5WqSUtPkVYQ2fFAPg==
x-originating-ip: [10.162.78.119]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0016_01CC713C.4A440550"
MIME-Version: 1.0
X-OriginalArrivalTime: 12 Sep 2011 08:08:32.0604 (UTC) FILETIME=[29CDA9C0:01CC7123]
X-Nokia-AV: Clean
Cc: mif@ietf.org, margaretw42@gmail.com, moore@network-heretics.com, denghui02@hotmail.com, iesg@ietf.org
Subject: Re: [mif] Last Call for MIF DNS server selection document
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Sep 2011 08:06:43 -0000

Brian,

I agree with that very reasonable suggestion. I think the problem described in 
section 2.3 is one symptom of issues caused by non-uniqueness (and for which I 
have not figured out automated solution).

I mostly rewrote (for the -04 draft version) section 7 "Considerations for 
network administrators" as follows. Would that address this concern?
--
Network administrators deploying private namespaces should assist advanced 
nodes in their DNS server selection process by providing information described 
within this document.

Private namespaces MUST be globally unique in order to keep DNS unambiguous 
and henceforth avoiding caching related issues and destination selection 
problems (see section 2.3). An exception to this rule are domains utilized for 
local name resolution (such as .local).

Private namespaces MUST only consist of subdomains of the domains communicated 
for nodes (e.g. subdomains of example.com). This means that a DNS server MUST 
NOT resolve any domains that are not globally resolvable and are not 
subdomains of said communicated domains.

To mitigate against attacks against local namespaces, administrators utilizing 
this tool SHOULD deploy DNSSEC for their zone.
--

The .local remains open issue though, I encountered this also in homenet 
mailing list.. well it works fine as long as node is not connected to multiple 
local networks at the same time... If node is, then I guess the application 
must be able to select the right local network interface to use..

Best regards,

Teemu

> -----Original Message-----
> From: ext Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: 10. syyskuuta 2011 00:01
> To: Savolainen Teemu (Nokia-CTO/Tampere)
> Cc: moore@network-heretics.com; margaretw42@gmail.com;
> mif@ietf.org; denghui02@hotmail.com
> Subject: Re: [mif] Last Call for MIF DNS server selection document
>
> Teemu,
>
> I think the reference to multiple namespaces in the requirements draft is 
> too
> short to really generate discussion, and in any case it's only an 
> Informational
> document.
>
> However, I was trying to be quite careful in what I wrote.
>
> >> if the network administrator just does not want names to be
> >> resolvable on the public Internet.
>
> That is one thing, and an *ambiguous* namespace is another.
>
> I guess I would like to see some MUSTs or MUST NOTs in the MIF draft or
> elsewhere that make it clear that any domains that are not globally
> resolvable must nevertheless be globally unique. That needs to be expressed
> a bit more precisely and there might have to be an exception for .local.
> However, if a host can see a DNS server from example.com, a rule could
> be: that server MUST NOT resolve any domains that are not globally
> resolvable and are not subdomains of example.com.
>
> I am sure there is a better way to express this. It just needs to guarantee 
> a
> strict hierarchy in the namespace.
>
> Regards
>    Brian Carpenter
>
> On 2011-09-09 18:15, teemu.savolainen@nokia.com wrote:
> > Keith, Brian,
> >
> > The problem this draft is addressing has been acknowledged in the
> > draft-ietf-mif-problem-statement-15.txt section 4.1. The problem
> > statement is already at the RFC editor's queue.
> >
> > Based on the acceptance of the problem, this WG was chartered with a
> > goal
> > of:
> > --
> >   1) DNS server selection solution: a specification for describing a way
> >   for a network to communicate to nodes information required to perform
> >   advanced DNS server selection at name resolution request granularity
> >   in scenarios involving multiple namespaces. The specification shall
> >   describe the information to be delivered for nodes and the protocol to
> >   be used for delivery.
> > --
> >
> > This draft is the solution that has been accepted as a WG work item.
> >
> > The topic has been discussed for a quite long time and I don't think
> > there are any such surprises you refer to (except perhaps for
> > individuals who just now start following the work).
> >
> > Furthermore, I cannot easily buy the argument (I hope I read your
> > points
> > right) that a solution should not be developed for an acknowledged
> > problem out of fear of "legitimizing" the problematic behavior.
> >
> > I do agree BCP or similar might be nice to have, but would such BCP
> > really make any difference e.g. if the network administrator just does
> > not want names to be resolvable on the public Internet.
> >
> > Best regards,
> >
> > 	Teemu
> >
> >> -----Original Message-----
> >> From: ext Keith Moore [mailto:moore@network-heretics.com]
> >> Sent: 09. syyskuuta 2011 01:22
> >> To: Brian E Carpenter
> >> Cc: Savolainen Teemu (Nokia-CTO/Tampere); margaretw42@gmail.com;
> >> mif@ietf.org; denghui02@hotmail.com
> >> Subject: Re: [mif] Last Call for MIF DNS server selection document
> >>
> >>
> >> On Sep 8, 2011, at 5:02 PM, Brian E Carpenter wrote:
> >>
> >>> Teemu,
> >>>
> >>> On 2011-09-08 18:16, teemu.savolainen@nokia.com wrote:
> >>>> Brian,
> >>>>
> >>>> Thank you for review. I agree it is a good idea to consult those
> >>>> WGs (and DHC as well I suppose), but what makes you so concerned of
> >>>> this
> >> text:
> >>>>>>   In deployments where multiple namespaces are present, selection
> of
> >>>>>>   correct route and destination and source addresses for the
> >>>>>> actual
> > IP
> >>>>>>   connection is crucial as well, as the resolved destination's IP
> >>>>>>   addresses may be only usable on the network interface over
> >>>>>> which
> > the
> >>>>>>   name was resolved on.
> >>>> I wrote that as I thought it would be useful to talk a little about
> >>>> bigger picture of some deployments (like in the demo we had few
> >>>> IETFs back - without presence of DHCPv6 more specific route options
> >>>> the system would not have worked properly) .. but if that text
> >>>> creates an unwanted link or dependency or confusion, I think we can
> >>>> drop the text just as well and focus on the document just to the
> >>>> new options and leave this kind of additional system-level
> >>>> consideration out of the
> >> doc.
> >>> As Andrew pointed out, the draft starts
> >>>
> >>>   "...from the premise that operators sometimes include private
> >>>    namespaces in the answers they provide from DNS servers, and that
> >>>    those private namespaces are at least as useful to clients as the
> >>>    answers from the public DNS."
> >>>
> >>> I believe that you will discover during IETF LC that many people
> >>> have strong feelings about this premise; as Andrew implied,
> >>> conceptually the DNS is a unified global namespace. This draft is a
> >>> backdoor way of legitimising an ambiguous namespace. I don't think
> >>> that will have an easy time in IETF LC, especially if it is dropped
> >>> as a surprise into the DNS community. It's your choice, but I would
> >>> suggest that exposing it to the DNS WGs now would be a smart move.
> >>
> >> Frankly, I consider this very nearly a showstopper, in the sense that
> >> MIF needs an extremely good reason to do this, and I haven't seen
> >> even a hint
> > of
> >> such a reason.    You may recall that I raised this issue in Quebec,
> > though
> >> perhaps I was too polite about it.  (Since I hadn't read the document
> >> yet,
> > and
> >> was coming late into the discussion, I wanted to give the group the
> > benefit
> >> of the doubt.)
> >>
> >> I'm quite surprised that MIF was able to get this far with the document
> >> without the issue being raised.    I'm shocked that this issue appears to
> > be a
> >> surprise to the WG.  I think that by itself is likely a sign of a
> >> serious
> > process or
> >> management failure.
> >>
> >>
> >>> It goes further. The IETF has a longstanding issue with technology
> >>> that encourages walled gardens. See for example RFC 3002. I think
> >>> there will be quite some discussion, and this will definitely happen
> >>> even if you try to remove the "system-level" considerations, because
> >>> they are strongly implied anyway.
> >>>
> >>> Personally I'm not sure what I think about this, but it needs to be
> >>> discussed in the community IMHO.
> >> +1.
> >>
> >> Keith
> >

v2.23.0 | Report a Bug | By Email