Re: [OPSAWG] [radext] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS

mohamed.boucadair@orange.com Fri, 14 October 2022 06:43 UTC

From: mohamed.boucadair@orange.com
To: Joe Abley <jabley@hopcount.ca>
CC: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Alan DeKok <aland@deployingradius.com>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>, "radext@ietf.org" <radext@ietf.org>, "add@ietf.org" <add@ietf.org>
Date: Fri, 14 Oct 2022 06:43:10 +0000
Message-ID: <19877_1665729790_634904FE_19877_133_6_bd5c4e64028345a4961cad19ee6cd06d@orange.com>
References: <28766_1665646855_6347C107_28766_2_1_c61b294eae1742b4bfbf125d0fd0e92f@orange.com> <B6BBABE1-9194-4190-A84A-BA64889FC6E6@hopcount.ca>
In-Reply-To: <B6BBABE1-9194-4190-A84A-BA64889FC6E6@hopcount.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/NjuxrIJ4u91Lo_PRvuRnC4HBO-I>
Subject: Re: [OPSAWG] [radext] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS

Hi Joe,

That’s because network services are isolated/segregated by adequate addressing schemes. I don’t expect that to change, nor do I expect to see the DNS service offered by operators muxed with other customer-facing services they offer.

Cheers,
Med

From: radext <radext-bounces@ietf.org> On behalf of Joe Abley
Sent: Thursday, 13 October 2022 15:03
To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>; Alan DeKok <aland@deployingradius.com>; Joe Clarke (jclarke) <jclarke@cisco.com>; opsawg@ietf.org; radext@ietf.org; add@ietf.org
Subject: Re: [radext] [Add] [OPSAWG] 🔔 WG LC: RADIUS Extensions for Encrypted DNS

Hi Mohamed,

I may well have missed some nuance in the discussion that came before, but I found this comment interesting:

On Oct 13, 2022, at 03:41, mohamed.boucadair@orange.com wrote:

This specification targets typical broadband services in which the use of ECH is not relevant. It does not make sense for ISPs to be hosting multiple domains on the same IP address as the encrypted DNS resolver.

Can you say why?

If an operator has invested in infrastructure designed to be able to handle TLS and HTTP at high volumes with high availability, does it not seem possible that they would seek to reuse that general TLS/HTTP infrastructure for multiple purposes? If ECH is relevant in other services carried over HTTPS, why is it definitively not relevant for this one?


Joe
