Re: [OPSAWG] [secdir] Secdir early review of draft-ietf-opsawg-mud-iot-dns-considerations-03

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 28 March 2022 22:18 UTC


Ben Schwartz <bemasc@google.com> wrote:
    > Local SOCKS5 proxies are conventionally discovered via WPAD [1], which
    > returns a PAC file [2].  I'm no great fan of WPAD, but it is widely
    > implemented in browsers and OSes.

Yeah, that's not going to fly.
    > [1] https://datatracker.ietf.org/doc/html/draft-ietf-wrec-wpad-01
1) draft-ietf-wrec-wpad is a 22-year-old ID which specifies use of a
   private-use DHCP option (252).

   While one might think one can get away with an SRV entry, that requires
   local DNS to be working, which is exactly the kind of thing that
   IoT manufacturers are having trouble relying upon.
   (Yes, if a MUD controller is present, we can expect local DNS
   to be more reliable, but it is exactly in the opposite case that there is
   concern.)

2) Once you find the CFile, according to the URL you dug up
   (Thank you. The link in the 22-year-old ID is long dead)

    > https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file

The PAC file is JavaScript?

-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-