[OPSAWG] AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08
"Rob Wilton (rwilton)" <rwilton@cisco.com> Fri, 13 October 2023 10:32 UTC
Return-Path: <rwilton@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5F21C170616; Fri, 13 Oct 2023 03:32:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.606
X-Spam-Level:
X-Spam-Status: No, score=-14.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="lzEuOU3/"; dkim=pass (1024-bit key) header.d=cisco.com header.b="ksnP2IhX"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5C6LoVU2DPEJ; Fri, 13 Oct 2023 03:32:51 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 733DDC1522D3; Fri, 13 Oct 2023 03:32:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19936; q=dns/txt; s=iport; t=1697193171; x=1698402771; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=2q66BifvyUcdki0KHXrs6xXpxIVc8Qok1zBe7t2BWlA=; b=lzEuOU3/mukTlvdoDQxbb5MRTr1A3x595L+8489sp7DXMWuUuPWoZWCG KFLtFIcy7SOW7I2LxoK1ekfg8IrREes2AMD9V/nEcNl/Qc9aFtnKyKqoA 4XxKDMGSiPEsXHaGXoEEdekBjm4UwYCmkPXXlc6kf6bVThVzzwBE/l5L5 I=;
X-CSE-ConnectionGUID: 3f6p23lMSK24eaRknycmvg==
X-CSE-MsgGUID: 6Qe6tf9AQQGKTE0iOm1HTw==
X-IPAS-Result: A0BTAwDAGyllmJRdJa1agQklgSqBZlJ4AlkqEkiIHgOFLYZAgiOBFpAmhiuBOIRfFIERA1YPAQEBDQEBRAQBAYISgnQChxACJjQJDgECAgIBAQEBAwIDAQEBAQEBAQIBAQUBAQECAQcEFAEBAQEBAQEBHhkFDhAnhTsIJQ2GZRUTBgEBIxURARobCUIXDwEEARoTB4JcAYJeAwGoEgGBQAKKKHiBATOBAYIJAQEGBAWybAmBSIRZgzEBigYIHxuBSUSBFUOCMINXAoEZCRUPAgkRPYNVgi+Df0mBG0dIggUHDi4GATuBAQwJgQWCXhxfgRR1MQOBSYZibxNHcBsDBwOBAxArBwQvIgYJFi0lBlEELSQJExI+BIM4CoEGPw8OEYJDIgIHNjYZS4JbCRUMNQRJdhArBBQXgRNuHxUeNxESFw0DCHYdAhEjPAMFAwQ0ChUNCyEFFEMDRwZMCwMCHAUDAwSBNgUPHgIQLikDAxlNAhAUAzsDAwYDCzEDMFdLDFkDbyE5A0QdQAMLbT0UIQYOGwUEgT0FnESBdgEvDy0FAQEBBQoaEyMDBCcBBQQeBCINIBElFAYRBBkNBAELAQIHCQcBCAIEGQ8IJQ+SHhQ2II5rol8KhAyhPheEAYxwhm+Qdy1imDoggi+gDDIBCyaEZQIEAgQFAg4BAQaBYzotgS5wFTuCZ1IZD1YCgmiKbA0Jg1aPeXY7AgcLAQEDCYhuAiYHgU5fAQE
IronPort-PHdr: A9a23:WEDrbhWTBVqKd+t0BxV/2WzK0c7V8K0xAWYlg6HPw5pUeailupP6M 1OavLNmjUTCWsPQ7PcXw+bVsqW1QWUb+t7Bq3ENdpVQSgUIwdsbhQ0uAcOJSAX7IffmYjZ8H ZFqX15+9Hb9Ok9QS47lf1OHmnSp9nYJHwnncw98J+D7AInX2t6o1uSu/Jv7aARTjz37arR3f 126qAzLvZwOiJB5YuYpnwLUq2FBffhXw24gKVOIyhD74MrxtJI2+CVLsPVn/MlFOZg=
IronPort-Data: A9a23:XKM2Z6J+zemp8g1sFE+RE5UlxSXFcZb7ZxGr2PjKsXjdYENSgzUOy zQeXT2CPPvYa2OjKtEnb4q//E8HscPWmoRgTgQd+CA2RRqmiyZq6fd1j6vUF3nPRiEWZBs/t 63yUvGZcYZsCCea/0/xWlTYhSEU/bmSQbbhA/LzNCl0RAt1IA8skhsLd9QR2uaEuvDnRVvW0 T/Oi5eHYgT8g2cvajt8B5+r8XuDgtyj4Fv0gXRmDRx7lAe2v2UYCpsZOZawIxPQKmWDNrfnL wpr5OjRElLxp3/BOPv8+lrIWhFirorpAOS7oiE+t55OLfR1jndaPq4TbJLwYKrM4tmDt4gZJ N5l7fRcReq1V0HBsLx1bvVWL81xFfZIpqedenyaiu/Jk0DPSXjq0v5rEk5jaOX0+s4vaY1P3 eYTJDZIZReZiqfvmvSwS/JngYIoK8yD0IE34y47i2qGS6d9B8mfE80m5vcAtNs0rtpRHPLCY MwxYjt0ZxOGaBpKUrsSIMtkwL/y2yGnLFW0rnrLnKdp/2aC5TVI/5vRHYLUXdnTZflKyxPwS mXupjSlXU5y2Mak4Taf+3yww+7CgS2+X5oJHaK3s/t3jBiSwXBWBBsNEFC8p+K4hkOkUs5eL EoP0isjsaZ081akJvH6Rwaxv3GsvxMAVZxXCeJS1e2W4rDf7wDcDW8eQ3sYMpottdQ9Qnoh0 Vrhc87V6SJH67PLUSjG8pKvjmnuNCEvLmkTbioaQl5QizX8m70bghXKR9dlNae6iNzpBD39q wxmSgBj193/auZWiM2GEUD7byGE/ceWE1ZkjunDdif0sVMjPd/Ni5mAsACDtZ59wJClok5tV UXoduCE5+wISJqKjiHIGb9LF7Cy7PHDOzrZ6bKOI3XD32rxk5JAVdkAiN2bGKuPGp1bEdMOS BSD0T69HLcJYBOXgVZfOupd8fgCw6n6DsjCXfvJdNdIaZUZXFbZrX43PhPMgzuyyxNEfUQD1 XGzLJfE4ZEyV/wP8dZKb7x1PUIDn3pnnjqDGfgXMTz+iuvDDJJqdVv1GALeMr9mhE91iA7U6 N1Yf9Cb0AlSVfaWX8Uk2dB7ELz+FlBiXcqeg5UOLoare1M6cEl/UKW56e16JORYc1F9y72gE oeVABEIkTISRBTvdG23V5yUQOyzA88m9SxkbETB/z+AghAeXGpm149GH7Mfdrg8/+slxvlxJ 8Tpse3ZahiTYlwrIwggUKQ=
IronPort-HdrOrdr: A9a23:l6G/U6iL0Dzrx0se53N8G1qF/3BQX4h23DAbv31ZSRFFG/FwyP re/8jzhCWVtN9OYhAdcIi7SdW9qBPnmaKdkrNhQotKOzOW9VdATbsSp7cKpgeQeREWmdQtr5 uIH5IOb+EYbmIKwfoSgjPIburIqePvmMvH9IKuq0uFJjsaEp2Imj0JcTpzZXcGPDWua6BJcq a0145snRblU3IRaciwG3kCWMb+h/CjrvjbSC9DLSQKrC2Vgx2VyJOSKXWlNxElPA9n8PMHyy zoggb57qKsv7WQ0RnHzVLe6JxQhZ/I1sZDLNbksLlaFhzcziKTIKhxUbyLuz445Mu17kwxrd XKqxA8e+xu9nLqeH2vqxeF4Xig7N9u0Q6j9baruwqgnSXLfkN+NyOHv/McTvLt0TtigDi76t MN44vWjesQMfqKplWC2zGBbWAaqqPzmwtsrQbW5EYvCbf3r9Rq3NUi1VIQH5EaEC3g7oc7VO FoEcHH/f5TNUiXdnbDowBUsZWRt1kIb2C7q3I5y7qo+ikTmGo8w1oTxcQZkHtF/JUhS4Nc7+ CBNqhzjrlBQsIfcKo4XY46MICKI32IRQiJPHOZIFzhGq1CM3XRq4Tv6LFw4O2xYpQHwJY7hZ yEWlJFsmw5fV7oFKS1rdV22wGIRH/4USXmy8lY6ZQ8srrgRKDzOSnGU1wqm9vImYRqPiQaYY fHBHt7OY6QEYK1I/c44+TXYeggFUUj
X-Talos-CUID: 9a23:KtGC6mPe5OfycO5DAyc57BRPHuUeUSeBwX7qIEmpAmN3R+jA
X-Talos-MUID: 9a23:0erwUw0I69fjk/aKfKN01RzY1jUjvZ2jVlwDwLw/guanCQEoOhCY1RSLXdpy
X-IronPort-Anti-Spam-Filtered: true
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-7.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2023 10:32:50 +0000
Received: from rcdn-opgw-1.cisco.com (rcdn-opgw-1.cisco.com [72.163.7.162]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 39DAWoVS006832 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 13 Oct 2023 10:32:50 GMT
X-CSE-ConnectionGUID: t82TEVmaQtOORKdQ1j7mEw==
X-CSE-MsgGUID: IgMNuPJLSp6OpMPFfCmM4w==
Authentication-Results: rcdn-opgw-1.cisco.com; dkim=pass (signature verified) header.i=@cisco.com; spf=Pass smtp.mailfrom=rwilton@cisco.com; dmarc=pass (p=quarantine dis=none) d=cisco.com
X-IronPort-AV: E=Sophos;i="6.03,221,1694736000"; d="scan'208";a="4569395"
Received: from mail-bn8nam11lp2168.outbound.protection.outlook.com (HELO NAM11-BN8-obe.outbound.protection.outlook.com) ([104.47.58.168]) by rcdn-opgw-1.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2023 10:32:49 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=m9edMM1ldObc8I/JkTpW1zk60EjuX/9CJNAtXZMC5jR8kjP4hk1mnXJKY5IBbUVUZmDK9tuxLxQrYgCOyhPDTiYeZnvxzYwQ/rqAD0qin9gmtTQHF7wiQWrA9UMgwk4Jg5GY98957Kjn0SnwfKbZ+IYKTtu9kaYsvDjuy0wFdMmJpC1wnbAuqR+h4HkY0MESpL0rBB+Y2IdG+kBvwecsdJ97Jr1eIRANePUEHWNpsxgqQxXN6wV7L+Smj4vscIKoMgRZB+U42dAYREmRjwSyXv4t0GecX9ZIerQMLWvRjFE4PGaP7sZFBdVXvVUju40VxKQPuCmdkROytkF+3lMluw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5yU38ofrTXHJTfOd/HWT/CKYcaVIwei8z2JWP5ex2QQ=; b=J0fxwwIRuPROsu06BopNXAFuRhF43MRTHfmz8uYYntypIxs4NdtiLCVgRFnF1DgE9R2Y8ZWxrE5WutsYNETVR4EFCWxHW+cWs+QeG+MS2fjfOumDwoW9qlJmPfl/AkdGZ4hx6JjMGrtVv1zCR8RhBfQhaLRykScYhOpHHY2t+41epirfq3SHrdDcC4hN8rFDFc1qar3Wd2yy6yk2vxbKHH9hLPntGp2b3W8zinsj2aFlXbD4K907qF47IXYXzMgk5a2JE/fLVj2d5BQUoOc4Qfii6uRWQexoFBy5LiQDoTh7W6JB9/wJJXgFR9mvv6n7E9/N8t+Ha5ww4akDTTsLyg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5yU38ofrTXHJTfOd/HWT/CKYcaVIwei8z2JWP5ex2QQ=; b=ksnP2IhXh3jGu7Bv1v73NE3YVVK/Ec5YXyUOU4D3eod8EvUavfNhHyAztF4jvu7fVBu5wRf74tryI/SMZnaSs4pNHdE1JZiw2jE/FCsYbKXeYtR+BkvvpvGak/kxbiQqxBKxPLJ83ucaaWj2QcKyaPl18JuWCt7kWfuDy1rZ0OQ=
Received: from BY5PR11MB4196.namprd11.prod.outlook.com (2603:10b6:a03:1ce::13) by PH8PR11MB7045.namprd11.prod.outlook.com (2603:10b6:510:217::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6838.43; Fri, 13 Oct 2023 10:32:47 +0000
Received: from BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::97f2:7572:4ef5:6bf9]) by BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::97f2:7572:4ef5:6bf9%3]) with mapi id 15.20.6863.046; Fri, 13 Oct 2023 10:32:47 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "opsawg@ietf.org" <opsawg@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, "draft-ietf-opsawg-mud-iot-dns-considerations@ietf.org" <draft-ietf-opsawg-mud-iot-dns-considerations@ietf.org>
Thread-Topic: AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08
Thread-Index: Adn9uohvN+3E1lC3TL27lly1AEZWBQ==
Date: Fri, 13 Oct 2023 10:32:47 +0000
Message-ID: <BY5PR11MB419663E50375EFC179E7CE65B5D2A@BY5PR11MB4196.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BY5PR11MB4196:EE_|PH8PR11MB7045:EE_
x-ms-office365-filtering-correlation-id: 39276319-0962-4884-7706-08dbcbd7be5d
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Y0BPcB32jsdPFKlXc2kwFiLUYKClw0NxLO4Zi2CwHTAGVm3OYaL0YhAyduYgenJfTx6kSi/2XUclwxbG+vbV7PcOMOJXs35bmnLkfopX8kSj+i80YZKP/pZcPioLp674n6+hceV988Ng+032NV1Cw0TNOtRi/F6zNnPvMsSOFB5LmSyC0pnX2hSwFEyCWjU91Z/Fn6c+ApsskLTWTGfwDfZGFswvXeKp6naS6mBzfU3t4FxdzLVZrUrW6BZDPRR/uWqGu95W74hD7KaaOXj5Kdjphje7+aGOvVmdiKDRGyVqztZ6emn1X7vREuXu01rGJQUYVXykPcrPB6WKLAxXsAmMq/avkaKz7J4Vc9+6TZ/6v2O15c9CM0ectIruhKkFw2k4ZNG/PH/WEpPMtFPMmNWBqbFhDAo1t4XgmMx4uvNbhPUK4MAzzr1f53D+3kii67mhEFKqf1neNOdwYsC9yMRUUb3rUFrycP4VpC5RWt/8/Snqv94cxcMD9tbfA6letv5IC2jPsskXcAbtDkNjsvYP1eYsZrTQSl7VDfAJScs2LW7ICBfq/mZ+hyGoqUW8XCGiXgN6+Atyr8Sv5esMdZzcscaAN+MvQRRM528m+EpsAgtDp/9cobpEbl7y0FZW
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4196.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(136003)(39860400002)(376002)(396003)(366004)(346002)(230922051799003)(1800799009)(451199024)(186009)(64100799003)(66574015)(8936002)(66446008)(66899024)(83380400001)(64756008)(66946007)(55016003)(38070700005)(122000001)(38100700002)(9686003)(2906002)(66476007)(86362001)(5660300002)(71200400001)(316002)(110136005)(30864003)(66556008)(76116006)(52536014)(8676002)(6506007)(41300700001)(33656002)(7696005)(478600001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: TF1L4pXCY/7XJ3YqZsJ3txAXhpMh/jAEfwDtvSKOWnLvaxY7ixTGZirkLbNWoHRpdhdQxAh70wbY0UyW1/7RFD2Ugm9S2TRJ9NBWDVoNxyPMX5OJARLfpPhUhTJuaxTmasUtl4rDuO5Sc9j1P+AycBAtRz/ZRp4AlEVX9SmIDsdRWBbtqMI1SjaIOB4g84V6XhIwivujGyywGokJObkubmYrGDZ3OXRGusu0sEp11ilNr32LAQ0VUGZCPTTgeYbAkQRKikYgltFMQBe7Ikjr+BHhSUvWhll2xr2i2Npsd8cE7uqqDIjqnPNzLo96imdM/E/A7o+oqQ9pSlZ+BvtwzQpXF6p1Ida4IejKdotKYhAOm9zh50lkp1PVeUO3VzISUGD9aCcH0Zq+2Fq3K1IlQfTOc3j6ijeHPc7vRreiK0pDR7IwOwzTJiAhlP0pFDuDmqziNmXQZ2crfGC5cbCihbul2O8Su9pQRxRk10IuEq9wUIaA5I3JFJ4mwqg5KaGvU0Ty9CZpvqOacW12qSG6aSMpYWsL8UX3Gz0cTsaJIVL//gnM0iN1mvqGXzGYLt2TmwBG/cYp6JArE2KrgeajHMsR3yPoVIQ9DoDsoPQmxi3l8ecRjSBbCkTG5xSeZ4T94Lf0pM9Hlu4BxvEtBDA/J3QK03v9uA6dhiF9BPs4t8jan/TZl4K8egIf2G7AKWUY/ens6xuv6vdV+Jvua74uD3FFluYSmPIjcpeU0IiFQHmtf6uQy3whMpjQP00bu8XjQWRRmr1iPQIWcuKsetXLpaEcqOX6m1Ck+FqV4tayz/TnmzrhvOE8Q+T9g6GUdYXA9/AYnMG3Sbe2ihsI0eLhrqEiRDm/rFITtP22a+u1q3z5HUoacO10Wy0oUZiH8lC/tFRl8AY4KuxAlPhOgUw9kagq/Sh8ERFhPeaSWmqHGGm5YDmsc6/KVQJkr9YSWNGLrekWdNrnY7CdLcNqbPoLiqOea+thbxf5Imb/Lq3kZ78vcifHSmpq2K17sQN/wxuUiQIxZFIxXnKOJqEZVrd9htx21Z8mmThwzpNycbj4J8TE3QjeTwWprk1civz0puRMaMtwxwNChvi+ESA8sCatsv3QrBiNFprbKYBJsTCVRXoQpzrquD70q/60adsUNYyZKd3XOXcIMTcbOXD0yKXgXMfv/PLwIMucrZRW2EdEV6bzeBQIWObtO4hJOLnwHGWBCaBQomK+Fio8QuM5B8G9JjPbkLkiuNXduPI+nvFw/q9Hxt3EvamDVBtHoId1uTmT310h2iXN7WVgT8gUn7gs6izdUto7LjjtCyTbH4fK6tMklUV2Wlx//ZVSI6aSWajfNy856/tTMssz4YqnsaPGDWyGXXiyiwJ3OKk7zsg0YoBCGHzQ/iazl0wJD8KQW0gwT2s3//LkNgVLdididB3pOC5x7qToTu/t9yBlYEVBXBAzuOqg7+txVLERCUNI2Nu5M0EvdEsQBYqPwbSlfsbXjSLQ7pJbZENEIAgNvaWOner2YoSTMtW3+ULRp485+3W3b2/8gptIYIfRDOQrrW1XWqj1sL/ZiQq9LJEwl40hgLSSUFq771Bd/cVo2OV0UYpChMa4k6EelN95eV0lNU756FQ3g6GeDsoNnv2A9DIIEBg=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4196.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 39276319-0962-4884-7706-08dbcbd7be5d
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Oct 2023 10:32:47.5210 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 8sDdOy/bLHy4+eYQGFY3nuF15gvXKtapwaMXHwrP41O7fLVeXDZAXg6Gp+vMJtm9/cXDC3uUPqmeuFLABeUXMw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR11MB7045
X-Outbound-SMTP-Client: 72.163.7.162, rcdn-opgw-1.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/YoB5WJ2AmXujxZLPoTRakIPRHbE>
Subject: [OPSAWG] AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2023 10:32:55 -0000
Hi, Here is my AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08. I found quite a few cases where the grammar is incorrect, which I find somewhat distracting and makes the document harder to review for technical content/correctness. I've flagged as many of these that I can in my review (and some other questions). I've also run the text through a grammar checker which may highlight potential additional changes, but can also have some false positives (MCR, please can you check these). Please can you post an updated version and then I may give it a second read before starting IETF LC. Minor level comments: (1) p 2, sec 1. Introduction In TLS 1.3 with or without the use of ECH, middlebox cannot rely on SNI inspection because a malware could lie about the SNI and middlebox without acting as a TLS proxy does not have visibility into the server certificate. I find it very hard to read/understand this sentence. Did you mean something like: In TLS 1.3, with or without the use of ECH, middleboxes cannot rely on SNI inspection because malware could lie about the SNI. In addition, middleboxes do not have visibility into the server certificate unless they are acting as TLS proxies. (2) p 3, sec 1. Introduction The fourth section of this document makes a series of recommendations ("best current practices") for manufacturers on how to use DNS, and IP addresses with specific purpose IoT devices. DNS, and => DNS and (3) p 5, sec 3.1.4. Names can have wildcards github would be unable to provision all infinity of possible names into the PTR records. This sentence is somewhat unclear. (4) p 8, sec 4.1. Use of IP address literals in-protocol And with any non-determistic name or address that is returned, the MUD controller is not challenged to validate the transaction, as it can not see into the communication. I'm not sure that I understand what this paragraph is trying to convey. (5) p 9, sec 4.2. Use of non-deterministic DNS names in-protocol This in particular may apply to the location where firmware updates may be retrieved. Would it be worth more explicitly stating what the proposed alternative is here. I.e., to use stable URLs at well known stable domains? (6) p 9, sec 4.3. Use of a too inclusive DNS name Rather than "too inclusive" perhaps consider "too generic"? (7) p 11, sec 6.5. Prefer DNS servers learnt from DHCP/Route Advertisements IoT Devices should prefer doing DNS to the network provided DNS servers. Whether this is restricted to Classic DNS (Do53) or also includes using DoT/DoH is a local decision, but a locally provided DoT server SHOULD be used, as recommended by [I-D.reddy-add-iot-byod-bootstrap]. Should it be DoT/DoH server SHOULD be used, or do you mean to specifically recommend DoT over DoH here? (8) p 11, sec 7. Privacy Considerations The use of DoT and DoH eliminates the minimizes threat from passive eavesdropped, but still exposes the list to the operator of the DoT or DoH server. There are additional methods, such as described by [I-D.pauly-dprive-oblivious-doh]. This reference can be updated to RFC 9230. (9) p 11, sec 7. Privacy Considerations The use of DoT and DoH eliminates the minimizes threat from passive eavesdropped, but still exposes the list to the operator of the DoT or DoH server. There are additional methods, such as described by [I-D.pauly-dprive-oblivious-doh]. "... eliminates the threat from passive eavesdroppers, ..." (10) p 12, sec 7. Privacy Considerations The use of DoT and DoH eliminates the minimizes threat from passive eavesdropped, but still exposes the list to the operator of the DoT or DoH server. There are additional methods, such as described by [I-D.pauly-dprive-oblivious-doh]. The use of unencrypted (Do53) requests to a local DNS server exposes the list to any internal passive eavesdroppers, and for some situations that may be significant, particularly if unencrypted WiFi is used. Use of Encrypted DNS connection to a local DNS recursive resolver is a preferred choice, assuming that the trust anchor for the local DNS server can be obtained, such as via [I-D.reddy-add-iot-byod-bootstrap]. Presumably there should also be a recommendation to use encrypted WiFi too. (11) p 12, sec 7. Privacy Considerations While possession of a Large (Kitchen) Appliance at a residence may be uninteresting to most, possession of intimate personal devices (e.g., "sex toys") may be a cause for embarrassment. Not sure whether the example is needed here, but don't object if you want to keep it. I would change "Large (Kitchen) Appliance" to just "kitchen appliance". (12) p 13, sec 8. Security Considerations This document takes the view that the two requirements do not need to be in conflict, but resolving the conflict requires some advance planning by all parties. Rather than "requires some advance planning by all parties", perhaps "requires careful planning on how the DNS can be safely and effectively used by MUD controllers and IOT devices." Nit level comments: (13) p 3, sec 1. Introduction The second section of this document details how common manufacturer anti-patterns get in the way this mapping. The third section of this document details how current trends in DNS presolution such as public DNS servers, DNS over TLS (DoT), DNS over QUIC (DoQ), and DNS over HTTPS (DoH) cause problems for the strategies employed. Poor interactions with content-distribution networks is a frequent pathology that can result. presolution => resolution (14) p 4, sec 3.1.1. Too slow While subsequent connections to the same site (and subsequent packets in the same flow) will not be affected if the results are cached, the effects will be felt. The ACL results can be cached for a period of time given by the TTL of the DNS results, but the lookup must be performed again in a number of hours to days. hours to days => hours or days. (15) p 6, sec 3.2. A successful strategy In order to compensate for this, the MUD controller SHOULD regularly do DNS lookups in order to get never have stale data. regularly do => regularly perform to get never have => to never have (16) p 6, sec 3.2. A successful strategy These lookups need to be rate limited in order to avoid load. It may be necessary to avoid local recursive DNS servers. Suggest "These lookups must be rate limited to avoid excessive load on the DNS servers, and it may be necessary to avoid local recursive resolvers." (17) p 6, sec 3.2. A successful strategy A MUD controller that is aware of which recursive DNS server that the IoT device will use can instead query that server on a periodic basis. Doing so provides three advantages: server that the => server the (18) p 7, sec 3.2. A successful strategy The solution of using the same caching recursive resolver as the target device is very simple when the MUD controllers is located in a residential CPE device. The device is usually also the policy enforcement point for the ACLs, and a caching resolver is typically located on the same device. In addition the convenience, there is a shared fate advantage: as all three components are running on the same device, if the device is rebooted, clearing the cache, then all three components will get restarted when the device is restarted. the convenience => to convenience (19) p 7, sec 3.2. A successful strategy Where the solution is more complex is when the MUD controller is located elsewhere in an Enteprise, or remotely in a cloud such as when a Software Defines Network (SDN) is used to manage the ACLs. The DNS servers for a particular device may not be known to the MUD controller, nor the MUD controller be even permitted to make recusive queries that server if it is known. In this case, additional installation specific mechanisms are probably needed to get the right view of DNS. The scenario where the solution is more complex is when ... that server => to that server of DNS => of the DNS (20) p 7, sec 4. DNS and IP Anti-Patterns for IoT device Manufacturers This section describes a number of things with IoT manufacturers have been observed to do in the field, each of which presents difficulties for MUD enforcement points. with IoT => which IoT (21) p 8, sec 4.1. Use of IP address literals in-protocol An authoritative server might be tempted to provided an IP address literal inside the protocol: there are two arguments (anti-patterns) for doing this. One is that it eliminates problems to firmware updates that might be caused by lack of DNS, or incompatibilities with DNS. For instance the bug that causes interoperability issues with some recursive servers would become unpatchable for devices that were forced to use that recursive resolver type. Suggest "One is that" -> "The first is that ..." "the bug that" -> "a bug that" (22) p 8, sec 4.1. Use of IP address literals in-protocol A second reason to avoid a DNS in the URL is when an inhouse content- distribution system is involved that involves on-demand instances being added (or removed) from a cloud computing architecture. Suggest "A second" -> "The second" (23) p 8, sec 4.1. Use of IP address literals in-protocol But, there are many problems with use of IP address literals for the location of the firmware. Perhaps change "many problems" => "more problems". (24) p 8, sec 4.1. Use of IP address literals in-protocol Third-party content-distribution networks (CDN) tend to use DNS names in order to isolate the content-owner from changes to the distribution network. I suggest "Finally, Third-party content-distribution ..." (25) p 9, sec 5. DNS privacy and outsourcing versus MUD controllers A described above in Section 3 the MUD controller needs to have access to the same resolver(s) as the IoT device. A described ... => As described ... (26) p 10, sec 6. Recommendations to IoT device manufacturer on MUD and DNS usage The difficult part is determining what to put into the MUD file itself. There are currently tools that help with the definition and analysis of MUD files, see [mudmaker]. The remaining difficulty is now the semantic contents of what is in the MUD file. An IoT manufacturer must now spend some time reviewing what the network communications that their device does. what the network ... => "reviewing the network communications by their device." (27) p 10, sec 6. Recommendations to IoT device manufacturer on MUD and DNS usage This document has discussed a number of challenges that occur relating to how DNS requests are made and resolved, and it is the goal of this section to make recommendations on how to modify IoT systems to work well with MUD. has discussed => discusses it is the goal => and the goal section to make => section is to make (28) p 10, sec 6.2. Use primary DNS names controlled by the manufacturer While it used to be costly to have a large number of aliases in a web server certificate, this is no longer the case. Wildcard certificates are also commonly available which allowed for an infinite number of possible names. allowed for => allow for (29) p 10, sec 6.3. Use Content-Distribution Network with stable names When aliases point to a Content-Distribution Network (CDN), prefer to use stable names that point to appropriately load balanced targets. CDNs that employ very low time-to-live (TTL) values for DNS make it harder for the MUD controller to get the same answer as the IoT Device. A CDN that always returns the same set of A and AAAA records, but permutes them to provide the best one first provides a more reliable answer. prefer to use stable => prefer stable (30) p 11, sec 6.4. Do not use geofenced names Due the problems with different answers from different DNS servers, described above, a strong recommendation is to avoid using such things. Due to the problems ... .... is to avoid using geofenced names. (31) p 11, sec 6.5. Prefer DNS servers learnt from DHCP/Route Advertisements It is recommended that use of non-local resolvers is only done when the locally provided resolvers provide no answers to any queries at all, and do so repeatedly. The use of the operator provided resolvers SHOULD be retried on a periodic basis, and once they answer, there should be no further attempts to contact public resolvers. Perhaps change last should to SHOULD? (32) p 12, sec 7. Privacy Considerations Identifying the IoT device type empowers the attacker to launch targeted attacks to the IoT device (e.g., Attacker can advantage of the device vulnerability). can take advantage of any known vulnerabilities on the device. (33) p 12, sec 7. Privacy Considerations The more complex case of section Section 4.1 postulates that the version number needs to be provided to an intelligent agent that can decided the correct route to do upgrades. The current [RFC9019] specification provides a wide variety of ways to accomplish the same thing without having to divulge the current version number. section Section 4.1 => Section 4.1 The current [RFC9019] specification provides => "RFC 9019 provides" (Or you can say current, at the time of publication, ...) (34) p 13, sec 8. Security Considerations This document deals with conflicting Security requirements: Security => security Spellings to check: Enteprise, consistitute, consititute, funnelled, inhouse, inprotocol,, liimt, middlebox, permutted, presolution, recusive, Grammar Warnings: Section: 1, draft text: Use of a DNS name rather than IP address in the ACL has many advantages: not only does the layer of indirection permit the mapping of name to IP address to be changed over time, it also generalizes automatically to IPv4 and IPv6 addresses, as well as permitting loading balancing of traffic by many different common ways, including multi-CDN deployments wherein load balancing can account for geography and load. Warning: Consider using many. Suggested change: "many" Section: 1, draft text: The Security Considerations section covers some of the negative outcomes should MUD/firewall managers and IoT manufacturers choose not to cooperate. Warning: If the text is a generality, 'of the' is not necessary. Suggested change: "some" Section: 3.1.3, draft text: The same is not true for reverse names: they can often be incomplete or incorrect for months or even years without visible affect on operations. Warning: Did you mean effect? Suggested change: "effect" Section: 3.1.3, draft text: To liimt churn of DNS PTR records, and reduce failures of the MUD ACLs, operators would want to add all possible names for each reverse name, whether or not the DNS load balancing in the forward DNS space lists that end-point at that moment. Warning: Consider shortening this phrase to just whether. It is correct though if you mean 'regardless of whether'. Suggested change: "whether" Section: 3.1.4, draft text: Instead a wildcard exists to answer. Warning: Did you forget a comma after a conjunctive/linking adverb? Suggested change: "Instead," Section: 3.1.4, draft text: github would be unable to provision all infinity of possible names into the PTR records. Warning: This sentence does not start with an uppercase letter. Suggested change: "Github" Section: 3.2, draft text: The MUD controller and the device get a matching set, and the ACLs that are setup cover all possibilities. Warning: The verb 'set up' is spelled as two words. The noun 'setup' is spelled as one. Suggested change: "set up" Section: 3.2, draft text: The simplest is when the round robin does not return all addresses. Warning: This word is normally spelled with hyphen. Suggested change: "round-robin" Section: 3.2, draft text: In addition the convenience, there is a shared fate advantage: as all three components are running on the same device, if the device is rebooted, clearing the cache, then all three components will get restarted when the device is restarted. Warning: Did you forget a comma after a conjunctive/linking adverb? Suggested change: "addition," Section: 4.1, draft text: A common pattern for a number of devices is to look for firmware updates in a two step process. Warning: This word is normally spelled with hyphen. Suggested change: "two-step" Section: 4.1, draft text: An initial query is made (often over HTTPS, sometimes with a POST, but the method is immaterial) to a vendor system that knows whether or not an update is required. Warning: Consider shortening this phrase to just whether. It is correct though if you mean 'regardless of whether'. Suggested change: "whether" Section: 4.1, draft text: An authoritative server might be tempted to provided an IP address literal inside the protocol: there are two arguments (anti-patterns) for doing this. Warning: Did you mean to provide? Suggested change: "to provide" Section: 4.1, draft text: A DNS name can contain both kinds of addresses, and can also contain many different IP addresses of each kind. Warning: Consider using many. Suggested change: "many" Section: 4.2, draft text: Even if the content provider chosen names are deterministic they may change at a rate much faster than MUD files can be updated. Warning: "Even if" at the beginning of a sentence requires a 2nd clause. Maybe a comma, question or exclamation mark is missing, or the sentence is incomplete and should be joined with the following sentence. Section: 6, draft text: It can even be done without code changes via the use of a QR code affixed to the packaging (see [RFC9238]. Warning: Unpaired symbol: ')' seems to be missing Section: 6.2, draft text: While it used to be costly to have a large number of aliases in a web server certificate, this is no longer the case. Warning: Specify a number, remove phrase, or simply use many or numerous Suggested change: "many" Section: 6.4, draft text: Due the problems with different answers from different DNS servers, described above, a strong recommendation is to avoid using such things. Warning: It appears that a preposition is missing after 'Due'. Suggested change: "Due to the" Section: 7, draft text: The use of unencrypted (Do53) requests to a local DNS server exposes the list to any internal passive eavesdroppers, and for some situations that may be significant, particularly if unencrypted WiFi is used. Warning: Did you mean Wi-Fi? (This is the officially approved term by the Wi-Fi Alliance.) Suggested change: "Wi-Fi" Section: 7, draft text: Instead, details of how to query and where to get the firmware would be provided as a MUD extension, and a Enterprise-wide mechanism would retrieve firmware, and then distribute it internally. Warning: Use an instead of 'a' if the following word starts with a vowel sound, e.g. 'an article', 'an hour' Suggested change: "an" Regards, Rob
- [OPSAWG] AD review of draft-ietf-opsawg-mud-iot-d… Rob Wilton (rwilton)
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… mohamed.boucadair
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Rob Wilton (rwilton)
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Eliot Lear
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Toerless Eckert
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Toerless Eckert
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Toerless Eckert
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Rob Wilton (rwilton)
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Qin Wu
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Qin Wu
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Rob Wilton (rwilton)
- Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-i… Michael Richardson