Re: [OPSAWG] [Iot-directorate] Iotdir telechat review of draft-ietf-opsawg-mud-iot-dns-considerations-12
dthaler1968@googlemail.com Wed, 27 March 2024 16:07 UTC
Return-Path: <dthaler1968@googlemail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1F76C14F69E; Wed, 27 Mar 2024 09:07:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.855
X-Spam-Level:
X-Spam-Status: No, score=-1.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=googlemail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUGTpDVORv6E; Wed, 27 Mar 2024 09:07:48 -0700 (PDT)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8E05C14F6A2; Wed, 27 Mar 2024 09:07:47 -0700 (PDT)
Received: by mail-pl1-x62e.google.com with SMTP id d9443c01a7336-1def3340682so57291425ad.1; Wed, 27 Mar 2024 09:07:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20230601; t=1711555667; x=1712160467; darn=ietf.org; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=YcH/1tbuIqNi79FwjK0MTENR8lg4rLQ9Xf5SHzzyGnc=; b=KhMYH6n0Ej2Z0oHuW6EnOar8gEa6AxxMNS+I8nvb+VkvG2P9jkj47MRSbrhy4Hvucm fKmeCQfONap3QmlsQ2rB8yg6AEkfi8L5bq6Yu50jTHKXcaUnvy0KPwFOK02X4HAN9B6x QInFmtOxTiYY6O5uA5JVu5mhQjjXbeaMa6e6RZs7hLq/+wNBxkFi00Cy6gNdZ7+njKg7 oLOY3vDzYbEuClBVSldRTXlA0i4lxLe8q0wuPzQYIfbA8xM5cRBhvcKRMeejw+KRsOq6 AgMKim/b6i/+cdJNiYxXX2aBN6haHax7u+ZK7fZxNwwiP1n7phUz3P6p6d2sMlYKkpdq 7bPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711555667; x=1712160467; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=YcH/1tbuIqNi79FwjK0MTENR8lg4rLQ9Xf5SHzzyGnc=; b=R5MKDTUDJL1KkvUZI4AP/ydSKqfD5NVmdTYzXyL8vq2yUuS/aiDGOaC8Us/pFBNjRe MWSj0TzqbLBoJryAQuERhzFeo//o/MZamviPZkkqDnLug+6ZWiQZLLh0IZoK2q75HwkF wdb5Rq0VR05T0kT8eCMm2P+TvsjtapeE4jIJNszrz0SvwJMLyiAdxw8WA3gloKVL+xtu VWfIsTev+1nlo7qTOoRtMCFbVQ+Hul0afazvDAfTzENSWWSNsB3NGd4Jm9MYNHtXzAYA vGSmFpLJuQ5SFlK0fI+r87Zm+r5DuMkjA97+7W729jNTGamxshAPMEltUQHL3NgckzWb QGQw==
X-Forwarded-Encrypted: i=1; AJvYcCX0sTCIxJ855Uq2ulWVm7RFgw2prgT9fITBAyeeU8fTyXYSh1DL1U96tZjwap5Sz70G7eEw/kUbpEMgl45LNGBN1IckeoCblK1ZL6OuD+5MC/2NazWx2FtFy4pKS1/lXtiruI54jIdy5AGvVLAuKM6hPQ0jsojsy4NNcVEbMcH82tqiR3iDVMrlqb4srR0dmMHRjrShkkdmvmKv/Ew=
X-Gm-Message-State: AOJu0Yy2vZCDnkwh6FWaEPqlset0sQVvfbm2TSgSNTfXSDT/mm6rhSGY JC0wcYjwS8UE26onJtREhJCX+rmwmJ0zimHxeyXw/z5gg9cwBL38
X-Google-Smtp-Source: AGHT+IGiIPTeq/4oSnSTB2pzHyA7X4KQ43RGHLND1RPBccSCtQMKCN5b9e5mWrV408ZRLX/BkpWEcA==
X-Received: by 2002:a17:902:7c92:b0:1e0:9468:e711 with SMTP id y18-20020a1709027c9200b001e09468e711mr106385pll.52.1711555666879; Wed, 27 Mar 2024 09:07:46 -0700 (PDT)
Received: from ArmidaleLaptop (c-67-170-74-237.hsd1.wa.comcast.net. [67.170.74.237]) by smtp.gmail.com with ESMTPSA id y23-20020a17090264d700b001dcc7795524sm9358420pli.24.2024.03.27.09.07.45 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 Mar 2024 09:07:46 -0700 (PDT)
From: dthaler1968@googlemail.com
X-Google-Original-From: <dthaler1968@gmail.com>
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>, 'Dave Thaler' <dave.thaler.ietf@gmail.com>
Cc: iot-directorate@ietf.org, mud@ietf.org, 'Eric Vyncke' <evyncke@cisco.com>, draft-ietf-opsawg-mud-iot-dns-considerations.all@ietf.org, last-call@ietf.org, opsawg@ietf.org
References: <170966862434.44439.11464149628011549154@ietfa.amsl.com> <518697.1711550102@dyas>
In-Reply-To: <518697.1711550102@dyas>
Date: Wed, 27 Mar 2024 09:07:43 -0700
Message-ID: <088601da8060$e7a75590$b6f600b0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGMaHnREGSopFj9RSgXJKbjGVQ1UwJdhEQhsdUDuiA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/LpQhtA7wEMh5bb4SGayoGe7CulE>
Subject: Re: [OPSAWG] [Iot-directorate] Iotdir telechat review of draft-ietf-opsawg-mud-iot-dns-considerations-12
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 16:07:52 -0000
Thanks Michael for working on this. See answers below. > -----Original Message----- > From: Michael Richardson <mcr+ietf@sandelman.ca> > Sent: Wednesday, March 27, 2024 7:35 AM > To: Dave Thaler <dave.thaler.ietf@gmail.com> > Cc: iot-directorate@ietf.org; mud@ietf.org; Eric Vyncke <evyncke@cisco.com>; > draft-ietf-opsawg-mud-iot-dns-considerations.all@ietf.org; last-call@ietf.org; > opsawg@ietf.org > Subject: Re: [Iot-directorate] Iotdir telechat review of draft-ietf-opsawg-mud- > iot-dns-considerations-12 > > > Dave Thaler via Datatracker <noreply@ietf.org> wrote: > > Section 3.2 (A successful strategy): > >> This situation does not result in failures as long as all possible A/ > >> AAAA records are returned. The MUD controller and the device get a > >> matching set, and the ACLs that are set up cover all possibilities. > > > This paragraph, and various others in the draft, make a potentially false > > assumption that the IoT device does a DNS query. > > okay, so that's a good point. > Recommendation 0: use DNS? > Or maybe just clarify that the scope is only for devices that use DNS? I'd probably suggest just clarifying that the scope is only for devices that use DNS. > > RFC 8520 section 8.1 states: > >> 8.1 src-dnsname The argument corresponds to a domain name of a > source as > > specified by inet:host. > A number of means may be used to resolve > hosts. What > > is important is that such resolutions be consistent > with ACLs that are > > required by Things to properly operate.“ > > > As far as I can tell, MUD has no such requirement that the device use > DNS to > > resolve domain names. Specifically, above says "A number of means may > be used > > to resolve hosts." DNS is only one such means. > > yes. > If the device has hard-coded IP addresses in the firmware (it has happened > many times, I think. There was an NTP situation a decade ago...) then that's > okay, just hard-code the same IP address into the MUD file. > > If the device uses some other elaborate protocol, then I agree, it's a > problem. I'm not sure what I should say about that, other than scope it > out of scope? Yeah, I'd probably explicitly say it's out of scope. > >> A MUD controller that is aware of which recursive DNS server the IoT > >> device will use can instead query that server on a periodic basis. > > > This is not as good as the MUD controller _being_ the recursive DNS > server > > the IoT device uses, where the ACL in the enforcement point can be > updated > > at the same time as the DNS cache is updated, when the IoT device does > a > > DNS query. If there is a time delay between the DNS cache being > updated > > and the ACL being updated, one can get lack of connectivity since the > DNS > > cache can contain a new IP address that the enforcement point won't > learn > > about until the next time it gets around to querying DNS. I would expect > > that connectivity failures would be NOT RECOMMENDED. > > Yes. having the MUD controller be the recursive DNS server is how this whole > document got started. We implemented exactly that for the SHG project at > CIRA.ca. > Then we discussed failure situations, and enterprise situations, and 8.8.8.8 > usage. > > Paul Vixie has a few rants about trying to get various devices in his home to > use the (DHCP) provided DNS servers, and how often they'd wander off and > use > 8.8.8.8 even when the local one was working perfectly fine... and the number > of devices that fail when 8.8.8.8 is blocked. I think he also tried > impersonating 8.8.8.8, which works fine for Do53, but ought to fail for all > secured versions, and how many devices just continued working, because > they didn't actually check the certificate. I don't know how/if to include any > of this. > > > Section 3.2 alludes to this issue when it says: > > >> Where the solution is more complex is when the MUD controller is > >> located elsewhere in an Enterprise, or remotely in a cloud such as > >> when a Software Defined Network (SDN) is used to manage the ACLs. > >> The DNS servers for a particular device may not be known to the MUD > >> controller, nor the MUD controller be even permitted to make > >> recursive queries to that server if it is known. In this case, > >> additional installation specific mechanisms are probably needed to > >> get the right view of the DNS. > > > Given the resulting connecting failures I point out, it would probably > > be good to say such use is NOT RECOMMENDED. But right now I think > the > > draft is remiss in not evening point out that connectivity failures > > can easily result. > > okay. I will think on how to address this. > I'll also stop here, and continue tomorrow. Here I'd probably say that having an enforcement point that has to make DNS queries periodically, instead of directly using the DNS cache in the recursive resolver used by the IoT devices, is NOT RECOMMENDED as it causes non-deterministic connectivity failures. Dave
- [OPSAWG] Iotdir telechat review of draft-ietf-ops… Dave Thaler via Datatracker
- Re: [OPSAWG] [Iot-directorate] Iotdir telechat re… Erik Kline
- Re: [OPSAWG] [Iot-directorate] Iotdir telechat re… Michael Richardson
- Re: [OPSAWG] [Iot-directorate] Iotdir telechat re… dthaler1968