Re: [OPSAWG] [dhcwg] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
mohamed.boucadair@orange.com Mon, 17 October 2022 15:03 UTC
From: mohamed.boucadair@orange.com
To: Alan DeKok <aland@deployingradius.com>, Bernie Volz <bevolz@gmail.com>
CC: "dhcwg@ietf.org" <dhcwg@ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, opsawg <opsawg@ietf.org>, ADD Mailing list <add@ietf.org>, "radext@ietf.org" <radext@ietf.org>
Date: Mon, 17 Oct 2022 15:03:22 +0000
Message-ID: <29904_1666019003_634D6EBB_29904_141_1_8152ee5cf302407bb54aa2f52fd3b6ec@orange.com>
References: <14325_1665987354_634CF31A_14325_41_1_1dd1e0ff79424830b17e2ff0b468dbb7@orange.com> <0CEBD10A-6952-448B-92DC-AE5814475888@gmail.com> <F7042A3E-6A2D-4F73-B20B-EF51054153E8@deployingradius.com>
In-Reply-To: <F7042A3E-6A2D-4F73-B20B-EF51054153E8@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/M_z0_qWJsVt5NlY36u64wNim4Qc>
Subject: Re: [OPSAWG] [dhcwg] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
Re-,

Thanks for the feedback. I submitted a new version which takes into account the comments received so far: https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-add-encrypted-dns-04.

Please let me know if I missed any of the comments.

Thanks.

Cheers,
Med

> -----Original Message-----
> From: Alan DeKok <aland@deployingradius.com>
> Sent: Monday, 17 October 2022 14:51
> To: Bernie Volz <bevolz@gmail.com>
> Cc: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; dhcwg@ietf.org; Joe Clarke (jclarke) <jclarke@cisco.com>; opsawg <opsawg@ietf.org>; ADD Mailing list <add@ietf.org>; radext@ietf.org
> Subject: Re: [dhcwg] [Add] [OPSAWG] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
>
> On Oct 17, 2022, at 7:41 AM, Bernie Volz <bevolz@gmail.com> wrote:
> > I was thinking more to put this restriction on the DHCP server, when it makes use of the RADIUS attribute to respond to a client. I have no issue with it being limited at configuration too, but the DHCP server should also make sure only a limited set of options are sent to the client.
> >
> > Leaving this wide open causes issues as it may be misused to inject things that really shouldn't be.
>
> I agree. There should be a limited set of options which are allowed, perhaps via a registry.
>
> > Looking at it again, it is also unclear how a DHCP server is to use this information. For example, does the server use options from this information before its own configuration or only if it has no configuration (I suspect the former, as this is more client/request specific).
>
> That should be made explicit in the draft. I don't have opinions either way, but your point makes sense.
>
> > And from RFC 7037, there is
> >
> > 169 DNS-Server-IPv6-Address [RFC6911]
> >
> > Does this mean someone could now place the DNS server option into your new RADIUS attribute instead of using this attribute to have the server map it to the DHCP option?
>
> If it's allowed by the registry, presumably, yes. RFC 6911 says that those RADIUS attributes can appear multiple times. So presumably it doesn't matter much if the DNS server information appears once in a RADIUS attribute, and separately in a DHCPv6-Options attribute. They can all be added to the packets.
>
> i.e. if the administrator of the system configures something weird, the systems should just do what's asked.
>
> Anything past basic filtering is complex to define, and complex to implement. And arguably doesn't have a lot of extra value.
>
> Alan DeKok.

_________________________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
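The "basic filtering" Bernie and Alan discuss above, as an added example that is not part of this thread or of the draft: a Python sketch of how a DHCPv6 server could allow-list the options it is willing to copy from a RADIUS-supplied DHCPv6 option blob into its Reply, reject a malformed blob outright rather than apply it partially, map RFC 6911 DNS-Server-IPv6-Address values (which may occur more than once) onto OPTION_DNS_SERVERS, and merge the result with its own configuration. The option wire format follows RFC 8415 (2-byte code, 2-byte length, data). The contents of the allow-list, the choice to let RADIUS data override local configuration by default, and all addresses and option payloads are assumptions made for the example, not something the draft specifies.

```python
"""Allow-list filtering of DHCPv6 options received via a RADIUS attribute.

Constructed example: a DHCPv6 server gets an opaque blob of DHCPv6
options from its RADIUS server and must decide which of them may be
copied into the Reply sent to the client.
"""
import ipaddress
import struct
from typing import List, Tuple

Option = Tuple[int, bytes]

# DHCPv6 option codes from the IANA registry.
OPTION_RECONF_MSG = 19       # RFC 8415; must not be injectable from RADIUS
OPTION_DNS_SERVERS = 23      # RFC 3646
OPTION_DOMAIN_LIST = 24      # RFC 3646
OPTION_V6_DNR = 144          # RFC 9463 (encrypted-resolver discovery)

# Assumed local policy: only DNS-related options may come from RADIUS.
ALLOWED_FROM_RADIUS = frozenset({OPTION_DNS_SERVERS, OPTION_DOMAIN_LIST, OPTION_V6_DNR})


def parse_options(blob: bytes) -> List[Option]:
    """Split a DHCPv6 option blob into (code, data) pairs.

    Raises ValueError on a truncated option so the whole attribute is
    rejected instead of being applied partially.
    """
    options: List[Option] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack_from("!HH", blob, off)
        off += 4
        if len(blob) - off < length:
            raise ValueError("option %d claims %d bytes, only %d left"
                             % (code, length, len(blob) - off))
        options.append((code, blob[off:off + length]))
        off += length
    return options


def encode_options(options: List[Option]) -> bytes:
    """Serialise (code, data) pairs back to RFC 8415 wire format."""
    return b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)


def filter_radius_options(blob: bytes) -> Tuple[List[Option], List[int]]:
    """Keep only allow-listed options; return (kept, dropped_codes)."""
    kept: List[Option] = []
    dropped: List[int] = []
    for code, data in parse_options(blob):
        if code in ALLOWED_FROM_RADIUS:
            kept.append((code, data))
        else:
            dropped.append(code)   # a real server would log these
    return kept, dropped


def dns_servers_option(addresses: List[str]) -> Option:
    """Map one or more RFC 6911 DNS-Server-IPv6-Address values to OPTION_DNS_SERVERS."""
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return (OPTION_DNS_SERVERS, packed)


def merge_options(local: List[Option], from_radius: List[Option],
                  radius_wins: bool = True) -> List[Option]:
    """Combine server configuration with RADIUS-supplied options.

    Precedence is a policy knob (assumption): by default the per-subscriber
    RADIUS data replaces local options of the same code; otherwise local
    configuration wins and RADIUS only fills in codes the server lacks.
    Same-code options from RADIUS are all kept, as RFC 6911 allows.
    """
    radius_codes = {c for c, _ in from_radius}
    local_codes = {c for c, _ in local}
    if radius_wins:
        return [o for o in local if o[0] not in radius_codes] + from_radius
    return local + [o for o in from_radius if o[0] not in local_codes]


def demo() -> dict:
    """Run the pipeline on a constructed attribute and return the pieces."""
    # Constructed RADIUS payload: a DNS server, a search list, and a
    # Reconfigure Message option that an attacker-controlled or
    # misconfigured RADIUS server must not be able to push to clients.
    blob = encode_options([
        (OPTION_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed),
        (OPTION_DOMAIN_LIST, b"\x07example\x03com\x00"),
        (OPTION_RECONF_MSG, b"\x05"),
    ])
    kept, dropped = filter_radius_options(blob)
    # Separately supplied RFC 6911 attribute 169 values (constructed).
    rfc6911 = dns_servers_option(["2001:db8::1", "2001:db8::2"])
    local = [(OPTION_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::ff").packed)]
    reply = merge_options(local, kept + [rfc6911])
    return {"kept": kept, "dropped": dropped, "reply": reply}


if __name__ == "__main__":
    result = demo()
    print("dropped option codes:", result["dropped"])
    print("reply option codes:", [c for c, _ in result["reply"]])
```

Running `demo()` drops option 19 and yields a Reply carrying two OPTION_DNS_SERVERS instances (one from the DHCPv6 option blob, one built from the RFC 6911 attributes) plus the domain list, which is the "they can all be added to the packets" outcome Alan describes once the allow-list has been applied.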