Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS

Erik Kline <ek.ietf@gmail.com> Thu, 13 October 2022 15:05 UTC

Return-Path: <ek.ietf@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C066C14CE35; Thu, 13 Oct 2022 08:05:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bAxKTQ7khHS3; Thu, 13 Oct 2022 08:05:49 -0700 (PDT)
Received: from mail-vk1-xa2a.google.com (mail-vk1-xa2a.google.com [IPv6:2607:f8b0:4864:20::a2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54920C14CE20; Thu, 13 Oct 2022 08:05:49 -0700 (PDT)
Received: by mail-vk1-xa2a.google.com with SMTP id h25so558917vkc.6; Thu, 13 Oct 2022 08:05:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ttq4Xxvx9RBU6NEWpNjyokm3/5+o6ir6Sh/USikpMc4=; b=OZ483zSQyz370oWJXbY50jRHta7eF4AvsUk0f6EEF1HSLj77EYGXJtS/ecXeng0Jg8 67b376ze3qaoDKFJDrKixGZ0x6dhXvT7GGH57aQqxVZ6a5Hg0uZRSsrxejKpoAJ0K2eE DjltX7nUg1bRUlos9HhSe8bBSDrqrsOGE/aDURv2iG8oIug+wF/DhzqPZpdHxdSzzp5h 8n+DZ50/cKmUvHJWp6IfzFa/so2MxKjRYHpDwbFXvXz0dNXu+gegjZG7KXglm8wwrxdA XdjylymNIz/0qT/ANFKEnd1vXfhFMWBK/Xjlwe7qIpnUiOnVG6VNPep53BnfUEpz+eFx cEMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ttq4Xxvx9RBU6NEWpNjyokm3/5+o6ir6Sh/USikpMc4=; b=iRXgPWmbZjg7f6k5CrIW5Wf7bFsF5qWx3Okq+NWCERbhyhDLxGTkTA1AAKYQbwZDI/ /Xgkfx7FgZMlY7MXiHGXR7d37fxW91NK8rMP+f7dNJ2f2+CgsLy6QO26p7o1r1DIrRqP xsyTedFehqRpqKW0MP4U/PWzIS2OVNjFS1dfJ9gvGVoreFRFXd2BW4+z3bnqGXNa8MPe lVbJQzUvoVc8cx5HUNWkBTCBUHa2a/qL28YmMJPoQeIiaNeibIwhBfmiOGMQS37364/L KP5axYfhDhbtzM1I5lriL67RODxD3i8MkXdXvN5meqgHtQdH1s8svXpiiWd7kNOD4uyh 4wUg==
X-Gm-Message-State: ACrzQf0vLZ8JvnoMC9AWPw00F+IrHeRgEqTpEfj+rvXXRjF74ZDZmYJ3 WEzhd+ppA87gK4JpMnmCOfmkEb8BpCazuGC5+gE=
X-Google-Smtp-Source: AMsMyM4pd+WIplMjWWuZiGQvOIf632OXvTjTocrtgijcxEUw69XY70qHQZtduGLOdkm5ALS5ytPd5gcEYKydVyrtXLk=
X-Received: by 2002:a1f:9f16:0:b0:3af:1cc7:5096 with SMTP id i22-20020a1f9f16000000b003af1cc75096mr319700vke.8.1665673548111; Thu, 13 Oct 2022 08:05:48 -0700 (PDT)
MIME-Version: 1.0
References: <28766_1665646855_6347C107_28766_2_1_c61b294eae1742b4bfbf125d0fd0e92f@orange.com> <B6BBABE1-9194-4190-A84A-BA64889FC6E6@hopcount.ca> <CAHbrMsAsC0N2uNpFuiMYEiPgQQQzAwikuiTL0dWZoNhgcPRwNw@mail.gmail.com>
In-Reply-To: <CAHbrMsAsC0N2uNpFuiMYEiPgQQQzAwikuiTL0dWZoNhgcPRwNw@mail.gmail.com>
From: Erik Kline <ek.ietf@gmail.com>
Date: Thu, 13 Oct 2022 08:05:35 -0700
Message-ID: <CAMGpriUQD3P6-Ok9tPmpzZ3Q=MHO1wQymGb5h5vqL+xDWgwyZQ@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Joe Abley <jabley@hopcount.ca>, radext@ietf.org, ADD Mailing list <add@ietf.org>, opsawg <opsawg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000025a31705eaebd88e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/LNEx5kyjvz-D6seU_f2XVbaNlTg>
Subject: Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2022 15:05:53 -0000

On Thu, Oct 13, 2022 at 7:51 AM Ben Schwartz <bemasc=
40google.com@dmarc.ietf.org> wrote:

> I don't think we need to determine whether ECH is relevant for the DNR use
> case.  Indeed, ECH as presently specified will generally fit inside the
> 250-octet limit.  My point is that we are setting ourselves up for a very
> painful compatibility challenge if longer SvcParams come into use in the
> future.  I can certainly imagine longer parameters (e.g. signed objects
> with certificate chains) that might be useful in DNR.
>
> Even if longer SvcParams aren't useful in DNR, creating an encoding that
> can't carry them introduces a serious compatibility problem for systems
> that copy between SVCB, DNR, and RADIUS.  What is such a tool supposed to
> do when a valid SVCB record or DNR option is unrepresentable in RADIUS?
> What is a naive operator to do, faced with this error message?
>
> I understand that we can't eliminate this problem, due to the 4K limit,
> but I think it's worth avoiding it as much as we can, even if it costs us a
> page or two of standards text.
>

+1

--Ben
>
> On Thu, Oct 13, 2022 at 9:03 AM Joe Abley <jabley@hopcount.ca> wrote:
>
>> Hi Mohamed,
>>
>> I may well have missed some nuance in the discussion that came before,
>> but I found this comment interesting:
>>
>> On Oct 13, 2022, at 03:41, mohamed.boucadair@orange.com wrote:
>>
>> This specification targets typical broadband services in which the use of
>> ECH is not relevant. It does not make sense for ISPs to be hosting multiple
>> domains on the same IP address as the encrypted DNS resolver.
>>
>>
>> Can you say why?
>>
>> If an operator has invested in infrasructure designed to be able to
>> handle TLS and HTTP at high volumes with high availability, does it not
>> seem possible that they would seek to reuse that general TLS/HTTP
>> infrastructure for multiple purposes? If ECH is relevant in other services
>> carried over HTTPS, why is it definitively not relevant for this one?
>>
>>
>> Joe
>> --
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
>>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>