IETF Logo Mail Archive

Re: [OPSAWG] [dhcwg] Éric Vyncke's Discuss on draft-ietf-opsawg-add-encrypted-dns-11: (with DISCUSS and COMMENT)

Alan DeKok <aland@deployingradius.com> Tue, 14 March 2023 13:48 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DDA8C1522C2; Tue, 14 Mar 2023 06:48:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WX6Z7TMH5JIF; Tue, 14 Mar 2023 06:48:23 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89FD7C14CE3F; Tue, 14 Mar 2023 06:48:10 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 3A000669; Tue, 14 Mar 2023 13:48:06 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <877F2ADD-CB79-480D-9EDF-F0AB5880D185@gmail.com>
Date: Tue, 14 Mar 2023 09:48:05 -0400
Cc: mohamed.boucadair@orange.com, jinmei@wide.ad.jp, draft-ietf-opsawg-add-encrypted-dns@ietf.org, opsawg-chairs@ietf.org, The IESG <iesg@ietf.org>, dhcwg@ietf.org, opsawg@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <9B03A4F6-3719-492F-81CB-5F4E9BD75179@deployingradius.com>
References: <449_1678790291_64104E93_449_84_3_b945ef133fb144de85ff14f55da27fb8@orange.com> <877F2ADD-CB79-480D-9EDF-F0AB5880D185@gmail.com>
To: Bernie Volz <bevolz@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/FDDKoL1myqca1TlrPTdwRlbQF2c>
Subject: Re: [OPSAWG] [dhcwg] Éric Vyncke's Discuss on draft-ietf-opsawg-add-encrypted-dns-11: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2023 13:48:29 -0000

On Mar 14, 2023, at 7:10 AM, Bernie Volz <bevolz@gmail.com> wrote:
> Of course if the data is malformed, then following existing policies (rfc6929) is prudent. Though even there it isn’t 100% clear what to do if the attribute is well formatted but the option data is bad - mostly the length of the last DHCP option exceeds the remaining data in the RADIUS attribute. I doubt we expect RADIUS or DHCP servers to assure that each individual option is valid (such as the length is a multiple of 4 or 16 if data is list of addresses).

  If a RADIUS server implements this specification, we pretty much do expect that.

  RADIUS servers which don't support this specification can have administrators define the options as opaque strings: 0xabcdef...  In that case, the RADIUS server has no idea what the data is, and doesn't validate the options.

  RADIUS servers which do support this specification have some way to expose the DHCP data as something other than opaque strings.  In which case the RADIUS server takes those humanly readable values, and packs them into DHCP options, and then into RADIUS attributes.  This packing not only must be done correctly, it should automatically create correctly-formed attributes.

  Alan DeKok.

v2.46.0 | Report a Bug | By Email | System Status