Re: [OPSAWG] [Mud] changes to draft-richardson-opsawg-mud-iot-dns-considerations-03.txt

tirumal reddy <kondtir@gmail.com> Mon, 28 September 2020 07:07 UTC

References: <160082461431.2339.6222888407127336620@ietfa.amsl.com> <15779.1600960819@localhost> <BCB5CBD9-78C0-471A-8C32-88E4FD406136@cisco.com> <CAFpG3gdMxw2QGUFhWQELYT8oaMgVuvc5_hQf_Pfk3T3vwc2rmA@mail.gmail.com> <15491.1601055706@localhost> <CAFpG3gc-PoAdvCB5p201-uZrMsdi4Cr1hR_YM-z2bgD9tvZVUw@mail.gmail.com> <27239.1601161357@localhost>
In-Reply-To: <27239.1601161357@localhost>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 28 Sep 2020 12:37:20 +0530
Message-ID: <CAFpG3gchO6HRVVN_xV_8noD=9fsnxhMgK8x3ZiX0xnb7b4LBVg@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: opsawg <opsawg@ietf.org>, mud@ietf.org, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f3b39505b05a5188"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/OSyraRY-hQbDTsyCd91W8WTM5LQ>
Subject: Re: [OPSAWG] [Mud] changes to draft-richardson-opsawg-mud-iot-dns-considerations-03.txt

On Sun, 27 Sep 2020 at 04:32, Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> tirumal reddy <kondtir@gmail.com> wrote:
>     >> tirumal reddy <kondtir@gmail.com> wrote:
>     >> > +1.  The problem is not just with public resolvers but also with
>     >> > designated resolvers. The IoT device supporting MUD must use the
>     >> > encrypted DNS server discovered in the attached network.
>     >>
>     >> Yes-ish.
>     >>
>     >> I don't think that we have to mandate use of encrypted DNS servers,
>     >> as long as it's the ones on the attached network.
>     >>
>
>     > In the home network use case, if the CPE does not support an
>     > encrypted DNS forwarder, the endpoint will discover and use the ISP
>     > encrypted DNS recursive server. The CPE will no longer be able to
>     > enforce MUD rules. For instance, Firefox can discover and use the
>     > Comcast Encrypted DNS recursive server, see
>     > https://tools.ietf.org/id/draft-rescorla-doh-cdisco-00.html.
>
> It's reasonable that Firefox might do that, but I don't see why IoT devices
> should follow suit, and that's the point of this document.
>
> Except in some very niche digital signage and kiosk use, I don't think a
> MUD file would be appropriate for a general-purpose browser.
>

I quoted Firefox as an example; the proposed mechanism of using SUDN to
discover the ISP encrypted DNS resolver is generic and not specific to
browsers. If the endpoint cannot discover the local encrypted DNS server
(hosted on the CPE) using DHCP/RA, the endpoint will fall back to using SUDN
to discover the one hosted by the ISP.

-Tiru

>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
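The resolver-discovery order Tiru describes (take the encrypted DNS server learned from the attached network via DHCP/RA, otherwise fall back to the ISP resolver found through the SUDN) and its consequence for a MUD-enforcing CPE can be modelled in a few lines. The following is an added example, not code from the thread, the draft, or any MUD implementation: the option key `encrypted_dns`, the resolver names, and the IP addresses are constructed for illustration and do not correspond to real DHCP option codes or RA options.

```python
"""Model of the two discovery paths discussed in the thread and what each
does to MUD enforcement at the CPE.  Added example; names, option key and
addresses are constructed, not taken from any specification."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resolver:
    name: str
    address: str
    encrypted: bool
    on_cpe: bool          # True when the resolver is the CPE's own forwarder


def discover_resolver(dhcp_ra_options: dict,
                      sudn_answer: Optional[Resolver]) -> Optional[Resolver]:
    """Endpoint behaviour from the thread: prefer the encrypted DNS server
    advertised on the attached network (DHCP/RA); if there is none, fall
    back to the resolver discovered via the special-use domain name (SUDN),
    which the ISP hosts.  'encrypted_dns' is a constructed key, not a real
    DHCP option code."""
    local = dhcp_ra_options.get("encrypted_dns")
    if local is not None:
        return local
    return sudn_answer


class MudEnforcingCpe:
    """CPE that learns name->address mappings from the DNS answers its own
    forwarder returns, and evaluates name-based MUD ACEs against them."""

    def __init__(self, allowed_names):
        self.allowed_names = set(allowed_names)
        self.learned = {}                 # answer address -> queried name

    def forward_query(self, name: str, answer_address: str) -> None:
        # Only queries that pass through the CPE's forwarder are visible here.
        self.learned[answer_address] = name

    def permit(self, dst_address: str) -> bool:
        """A flow is permitted only if the CPE saw the name resolve to it."""
        name = self.learned.get(dst_address)
        return name is not None and name in self.allowed_names


def simulate(cpe_has_encrypted_forwarder: bool):
    """Return (chosen resolver name, whether the CPE could enforce the rule)
    for a device whose MUD file allows only update.example.com."""
    cpe = MudEnforcingCpe(allowed_names={"update.example.com"})
    cpe_resolver = Resolver("cpe-forwarder", "192.0.2.1",
                            encrypted=True, on_cpe=True)
    isp_resolver = Resolver("isp-encrypted", "198.51.100.53",
                            encrypted=True, on_cpe=False)

    options = {"encrypted_dns": cpe_resolver} if cpe_has_encrypted_forwarder else {}
    chosen = discover_resolver(options, sudn_answer=isp_resolver)
    if chosen is None:
        return None, False

    # The device resolves the one name it is allowed to talk to (constructed
    # answer address).  If the query went through the CPE, the CPE learns the
    # mapping; if it went encrypted to the ISP resolver, the CPE never sees it.
    target = "203.0.113.10"
    if chosen.on_cpe:
        cpe.forward_query("update.example.com", target)
    return chosen.name, cpe.permit(target)


if __name__ == "__main__":
    for has_fwd in (True, False):
        name, enforced = simulate(has_fwd)
        print(f"CPE forwarder={has_fwd}: resolver={name}, MUD enforceable={enforced}")
```

Running it shows the point of Tiru's remark: with an encrypted forwarder on the CPE the device stays on-path and the name-based ACE can be evaluated; without one the device lands on the ISP resolver and the CPE has no name-to-address state to enforce against, even though the device never did anything outside its MUD file.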