IETF Logo Mail Archive

[OPSAWG] AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08

"Rob Wilton (rwilton)" <rwilton@cisco.com> Fri, 13 October 2023 10:32 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5F21C170616; Fri, 13 Oct 2023 03:32:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.606
X-Spam-Level:
X-Spam-Status: No, score=-14.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="lzEuOU3/"; dkim=pass (1024-bit key) header.d=cisco.com header.b="ksnP2IhX"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5C6LoVU2DPEJ; Fri, 13 Oct 2023 03:32:51 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 733DDC1522D3; Fri, 13 Oct 2023 03:32:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19936; q=dns/txt; s=iport; t=1697193171; x=1698402771; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=2q66BifvyUcdki0KHXrs6xXpxIVc8Qok1zBe7t2BWlA=; b=lzEuOU3/mukTlvdoDQxbb5MRTr1A3x595L+8489sp7DXMWuUuPWoZWCG KFLtFIcy7SOW7I2LxoK1ekfg8IrREes2AMD9V/nEcNl/Qc9aFtnKyKqoA 4XxKDMGSiPEsXHaGXoEEdekBjm4UwYCmkPXXlc6kf6bVThVzzwBE/l5L5 I=;
X-CSE-ConnectionGUID: 3f6p23lMSK24eaRknycmvg==
X-CSE-MsgGUID: 6Qe6tf9AQQGKTE0iOm1HTw==
X-IPAS-Result: A0BTAwDAGyllmJRdJa1agQklgSqBZlJ4AlkqEkiIHgOFLYZAgiOBFpAmhiuBOIRfFIERA1YPAQEBDQEBRAQBAYISgnQChxACJjQJDgECAgIBAQEBAwIDAQEBAQEBAQIBAQUBAQECAQcEFAEBAQEBAQEBHhkFDhAnhTsIJQ2GZRUTBgEBIxURARobCUIXDwEEARoTB4JcAYJeAwGoEgGBQAKKKHiBATOBAYIJAQEGBAWybAmBSIRZgzEBigYIHxuBSUSBFUOCMINXAoEZCRUPAgkRPYNVgi+Df0mBG0dIggUHDi4GATuBAQwJgQWCXhxfgRR1MQOBSYZibxNHcBsDBwOBAxArBwQvIgYJFi0lBlEELSQJExI+BIM4CoEGPw8OEYJDIgIHNjYZS4JbCRUMNQRJdhArBBQXgRNuHxUeNxESFw0DCHYdAhEjPAMFAwQ0ChUNCyEFFEMDRwZMCwMCHAUDAwSBNgUPHgIQLikDAxlNAhAUAzsDAwYDCzEDMFdLDFkDbyE5A0QdQAMLbT0UIQYOGwUEgT0FnESBdgEvDy0FAQEBBQoaEyMDBCcBBQQeBCINIBElFAYRBBkNBAELAQIHCQcBCAIEGQ8IJQ+SHhQ2II5rol8KhAyhPheEAYxwhm+Qdy1imDoggi+gDDIBCyaEZQIEAgQFAg4BAQaBYzotgS5wFTuCZ1IZD1YCgmiKbA0Jg1aPeXY7AgcLAQEDCYhuAiYHgU5fAQE
IronPort-PHdr: A9a23:WEDrbhWTBVqKd+t0BxV/2WzK0c7V8K0xAWYlg6HPw5pUeailupP6M 1OavLNmjUTCWsPQ7PcXw+bVsqW1QWUb+t7Bq3ENdpVQSgUIwdsbhQ0uAcOJSAX7IffmYjZ8H ZFqX15+9Hb9Ok9QS47lf1OHmnSp9nYJHwnncw98J+D7AInX2t6o1uSu/Jv7aARTjz37arR3f 126qAzLvZwOiJB5YuYpnwLUq2FBffhXw24gKVOIyhD74MrxtJI2+CVLsPVn/MlFOZg=
IronPort-Data: A9a23:XKM2Z6J+zemp8g1sFE+RE5UlxSXFcZb7ZxGr2PjKsXjdYENSgzUOy zQeXT2CPPvYa2OjKtEnb4q//E8HscPWmoRgTgQd+CA2RRqmiyZq6fd1j6vUF3nPRiEWZBs/t 63yUvGZcYZsCCea/0/xWlTYhSEU/bmSQbbhA/LzNCl0RAt1IA8skhsLd9QR2uaEuvDnRVvW0 T/Oi5eHYgT8g2cvajt8B5+r8XuDgtyj4Fv0gXRmDRx7lAe2v2UYCpsZOZawIxPQKmWDNrfnL wpr5OjRElLxp3/BOPv8+lrIWhFirorpAOS7oiE+t55OLfR1jndaPq4TbJLwYKrM4tmDt4gZJ N5l7fRcReq1V0HBsLx1bvVWL81xFfZIpqedenyaiu/Jk0DPSXjq0v5rEk5jaOX0+s4vaY1P3 eYTJDZIZReZiqfvmvSwS/JngYIoK8yD0IE34y47i2qGS6d9B8mfE80m5vcAtNs0rtpRHPLCY MwxYjt0ZxOGaBpKUrsSIMtkwL/y2yGnLFW0rnrLnKdp/2aC5TVI/5vRHYLUXdnTZflKyxPwS mXupjSlXU5y2Mak4Taf+3yww+7CgS2+X5oJHaK3s/t3jBiSwXBWBBsNEFC8p+K4hkOkUs5eL EoP0isjsaZ081akJvH6Rwaxv3GsvxMAVZxXCeJS1e2W4rDf7wDcDW8eQ3sYMpottdQ9Qnoh0 Vrhc87V6SJH67PLUSjG8pKvjmnuNCEvLmkTbioaQl5QizX8m70bghXKR9dlNae6iNzpBD39q wxmSgBj193/auZWiM2GEUD7byGE/ceWE1ZkjunDdif0sVMjPd/Ni5mAsACDtZ59wJClok5tV UXoduCE5+wISJqKjiHIGb9LF7Cy7PHDOzrZ6bKOI3XD32rxk5JAVdkAiN2bGKuPGp1bEdMOS BSD0T69HLcJYBOXgVZfOupd8fgCw6n6DsjCXfvJdNdIaZUZXFbZrX43PhPMgzuyyxNEfUQD1 XGzLJfE4ZEyV/wP8dZKb7x1PUIDn3pnnjqDGfgXMTz+iuvDDJJqdVv1GALeMr9mhE91iA7U6 N1Yf9Cb0AlSVfaWX8Uk2dB7ELz+FlBiXcqeg5UOLoare1M6cEl/UKW56e16JORYc1F9y72gE oeVABEIkTISRBTvdG23V5yUQOyzA88m9SxkbETB/z+AghAeXGpm149GH7Mfdrg8/+slxvlxJ 8Tpse3ZahiTYlwrIwggUKQ=
IronPort-HdrOrdr: A9a23:l6G/U6iL0Dzrx0se53N8G1qF/3BQX4h23DAbv31ZSRFFG/FwyP re/8jzhCWVtN9OYhAdcIi7SdW9qBPnmaKdkrNhQotKOzOW9VdATbsSp7cKpgeQeREWmdQtr5 uIH5IOb+EYbmIKwfoSgjPIburIqePvmMvH9IKuq0uFJjsaEp2Imj0JcTpzZXcGPDWua6BJcq a0145snRblU3IRaciwG3kCWMb+h/CjrvjbSC9DLSQKrC2Vgx2VyJOSKXWlNxElPA9n8PMHyy zoggb57qKsv7WQ0RnHzVLe6JxQhZ/I1sZDLNbksLlaFhzcziKTIKhxUbyLuz445Mu17kwxrd XKqxA8e+xu9nLqeH2vqxeF4Xig7N9u0Q6j9baruwqgnSXLfkN+NyOHv/McTvLt0TtigDi76t MN44vWjesQMfqKplWC2zGBbWAaqqPzmwtsrQbW5EYvCbf3r9Rq3NUi1VIQH5EaEC3g7oc7VO FoEcHH/f5TNUiXdnbDowBUsZWRt1kIb2C7q3I5y7qo+ikTmGo8w1oTxcQZkHtF/JUhS4Nc7+ CBNqhzjrlBQsIfcKo4XY46MICKI32IRQiJPHOZIFzhGq1CM3XRq4Tv6LFw4O2xYpQHwJY7hZ yEWlJFsmw5fV7oFKS1rdV22wGIRH/4USXmy8lY6ZQ8srrgRKDzOSnGU1wqm9vImYRqPiQaYY fHBHt7OY6QEYK1I/c44+TXYeggFUUj
X-Talos-CUID: 9a23:KtGC6mPe5OfycO5DAyc57BRPHuUeUSeBwX7qIEmpAmN3R+jA
X-Talos-MUID: 9a23:0erwUw0I69fjk/aKfKN01RzY1jUjvZ2jVlwDwLw/guanCQEoOhCY1RSLXdpy
X-IronPort-Anti-Spam-Filtered: true
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-7.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2023 10:32:50 +0000
Received: from rcdn-opgw-1.cisco.com (rcdn-opgw-1.cisco.com [72.163.7.162]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 39DAWoVS006832 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 13 Oct 2023 10:32:50 GMT
X-CSE-ConnectionGUID: t82TEVmaQtOORKdQ1j7mEw==
X-CSE-MsgGUID: IgMNuPJLSp6OpMPFfCmM4w==
Authentication-Results: rcdn-opgw-1.cisco.com; dkim=pass (signature verified) header.i=@cisco.com; spf=Pass smtp.mailfrom=rwilton@cisco.com; dmarc=pass (p=quarantine dis=none) d=cisco.com
X-IronPort-AV: E=Sophos;i="6.03,221,1694736000"; d="scan'208";a="4569395"
Received: from mail-bn8nam11lp2168.outbound.protection.outlook.com (HELO NAM11-BN8-obe.outbound.protection.outlook.com) ([104.47.58.168]) by rcdn-opgw-1.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2023 10:32:49 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=m9edMM1ldObc8I/JkTpW1zk60EjuX/9CJNAtXZMC5jR8kjP4hk1mnXJKY5IBbUVUZmDK9tuxLxQrYgCOyhPDTiYeZnvxzYwQ/rqAD0qin9gmtTQHF7wiQWrA9UMgwk4Jg5GY98957Kjn0SnwfKbZ+IYKTtu9kaYsvDjuy0wFdMmJpC1wnbAuqR+h4HkY0MESpL0rBB+Y2IdG+kBvwecsdJ97Jr1eIRANePUEHWNpsxgqQxXN6wV7L+Smj4vscIKoMgRZB+U42dAYREmRjwSyXv4t0GecX9ZIerQMLWvRjFE4PGaP7sZFBdVXvVUju40VxKQPuCmdkROytkF+3lMluw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5yU38ofrTXHJTfOd/HWT/CKYcaVIwei8z2JWP5ex2QQ=; b=J0fxwwIRuPROsu06BopNXAFuRhF43MRTHfmz8uYYntypIxs4NdtiLCVgRFnF1DgE9R2Y8ZWxrE5WutsYNETVR4EFCWxHW+cWs+QeG+MS2fjfOumDwoW9qlJmPfl/AkdGZ4hx6JjMGrtVv1zCR8RhBfQhaLRykScYhOpHHY2t+41epirfq3SHrdDcC4hN8rFDFc1qar3Wd2yy6yk2vxbKHH9hLPntGp2b3W8zinsj2aFlXbD4K907qF47IXYXzMgk5a2JE/fLVj2d5BQUoOc4Qfii6uRWQexoFBy5LiQDoTh7W6JB9/wJJXgFR9mvv6n7E9/N8t+Ha5ww4akDTTsLyg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5yU38ofrTXHJTfOd/HWT/CKYcaVIwei8z2JWP5ex2QQ=; b=ksnP2IhXh3jGu7Bv1v73NE3YVVK/Ec5YXyUOU4D3eod8EvUavfNhHyAztF4jvu7fVBu5wRf74tryI/SMZnaSs4pNHdE1JZiw2jE/FCsYbKXeYtR+BkvvpvGak/kxbiQqxBKxPLJ83ucaaWj2QcKyaPl18JuWCt7kWfuDy1rZ0OQ=
Received: from BY5PR11MB4196.namprd11.prod.outlook.com (2603:10b6:a03:1ce::13) by PH8PR11MB7045.namprd11.prod.outlook.com (2603:10b6:510:217::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6838.43; Fri, 13 Oct 2023 10:32:47 +0000
Received: from BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::97f2:7572:4ef5:6bf9]) by BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::97f2:7572:4ef5:6bf9%3]) with mapi id 15.20.6863.046; Fri, 13 Oct 2023 10:32:47 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "opsawg@ietf.org" <opsawg@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, "draft-ietf-opsawg-mud-iot-dns-considerations@ietf.org" <draft-ietf-opsawg-mud-iot-dns-considerations@ietf.org>
Thread-Topic: AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08
Thread-Index: Adn9uohvN+3E1lC3TL27lly1AEZWBQ==
Date: Fri, 13 Oct 2023 10:32:47 +0000
Message-ID: <BY5PR11MB419663E50375EFC179E7CE65B5D2A@BY5PR11MB4196.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BY5PR11MB4196:EE_|PH8PR11MB7045:EE_
x-ms-office365-filtering-correlation-id: 39276319-0962-4884-7706-08dbcbd7be5d
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Y0BPcB32jsdPFKlXc2kwFiLUYKClw0NxLO4Zi2CwHTAGVm3OYaL0YhAyduYgenJfTx6kSi/2XUclwxbG+vbV7PcOMOJXs35bmnLkfopX8kSj+i80YZKP/pZcPioLp674n6+hceV988Ng+032NV1Cw0TNOtRi/F6zNnPvMsSOFB5LmSyC0pnX2hSwFEyCWjU91Z/Fn6c+ApsskLTWTGfwDfZGFswvXeKp6naS6mBzfU3t4FxdzLVZrUrW6BZDPRR/uWqGu95W74hD7KaaOXj5Kdjphje7+aGOvVmdiKDRGyVqztZ6emn1X7vREuXu01rGJQUYVXykPcrPB6WKLAxXsAmMq/avkaKz7J4Vc9+6TZ/6v2O15c9CM0ectIruhKkFw2k4ZNG/PH/WEpPMtFPMmNWBqbFhDAo1t4XgmMx4uvNbhPUK4MAzzr1f53D+3kii67mhEFKqf1neNOdwYsC9yMRUUb3rUFrycP4VpC5RWt/8/Snqv94cxcMD9tbfA6letv5IC2jPsskXcAbtDkNjsvYP1eYsZrTQSl7VDfAJScs2LW7ICBfq/mZ+hyGoqUW8XCGiXgN6+Atyr8Sv5esMdZzcscaAN+MvQRRM528m+EpsAgtDp/9cobpEbl7y0FZW
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4196.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(136003)(39860400002)(376002)(396003)(366004)(346002)(230922051799003)(1800799009)(451199024)(186009)(64100799003)(66574015)(8936002)(66446008)(66899024)(83380400001)(64756008)(66946007)(55016003)(38070700005)(122000001)(38100700002)(9686003)(2906002)(66476007)(86362001)(5660300002)(71200400001)(316002)(110136005)(30864003)(66556008)(76116006)(52536014)(8676002)(6506007)(41300700001)(33656002)(7696005)(478600001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: TF1L4pXCY/7XJ3YqZsJ3txAXhpMh/jAEfwDtvSKOWnLvaxY7ixTGZirkLbNWoHRpdhdQxAh70wbY0UyW1/7RFD2Ugm9S2TRJ9NBWDVoNxyPMX5OJARLfpPhUhTJuaxTmasUtl4rDuO5Sc9j1P+AycBAtRz/ZRp4AlEVX9SmIDsdRWBbtqMI1SjaIOB4g84V6XhIwivujGyywGokJObkubmYrGDZ3OXRGusu0sEp11ilNr32LAQ0VUGZCPTTgeYbAkQRKikYgltFMQBe7Ikjr+BHhSUvWhll2xr2i2Npsd8cE7uqqDIjqnPNzLo96imdM/E/A7o+oqQ9pSlZ+BvtwzQpXF6p1Ida4IejKdotKYhAOm9zh50lkp1PVeUO3VzISUGD9aCcH0Zq+2Fq3K1IlQfTOc3j6ijeHPc7vRreiK0pDR7IwOwzTJiAhlP0pFDuDmqziNmXQZ2crfGC5cbCihbul2O8Su9pQRxRk10IuEq9wUIaA5I3JFJ4mwqg5KaGvU0Ty9CZpvqOacW12qSG6aSMpYWsL8UX3Gz0cTsaJIVL//gnM0iN1mvqGXzGYLt2TmwBG/cYp6JArE2KrgeajHMsR3yPoVIQ9DoDsoPQmxi3l8ecRjSBbCkTG5xSeZ4T94Lf0pM9Hlu4BxvEtBDA/J3QK03v9uA6dhiF9BPs4t8jan/TZl4K8egIf2G7AKWUY/ens6xuv6vdV+Jvua74uD3FFluYSmPIjcpeU0IiFQHmtf6uQy3whMpjQP00bu8XjQWRRmr1iPQIWcuKsetXLpaEcqOX6m1Ck+FqV4tayz/TnmzrhvOE8Q+T9g6GUdYXA9/AYnMG3Sbe2ihsI0eLhrqEiRDm/rFITtP22a+u1q3z5HUoacO10Wy0oUZiH8lC/tFRl8AY4KuxAlPhOgUw9kagq/Sh8ERFhPeaSWmqHGGm5YDmsc6/KVQJkr9YSWNGLrekWdNrnY7CdLcNqbPoLiqOea+thbxf5Imb/Lq3kZ78vcifHSmpq2K17sQN/wxuUiQIxZFIxXnKOJqEZVrd9htx21Z8mmThwzpNycbj4J8TE3QjeTwWprk1civz0puRMaMtwxwNChvi+ESA8sCatsv3QrBiNFprbKYBJsTCVRXoQpzrquD70q/60adsUNYyZKd3XOXcIMTcbOXD0yKXgXMfv/PLwIMucrZRW2EdEV6bzeBQIWObtO4hJOLnwHGWBCaBQomK+Fio8QuM5B8G9JjPbkLkiuNXduPI+nvFw/q9Hxt3EvamDVBtHoId1uTmT310h2iXN7WVgT8gUn7gs6izdUto7LjjtCyTbH4fK6tMklUV2Wlx//ZVSI6aSWajfNy856/tTMssz4YqnsaPGDWyGXXiyiwJ3OKk7zsg0YoBCGHzQ/iazl0wJD8KQW0gwT2s3//LkNgVLdididB3pOC5x7qToTu/t9yBlYEVBXBAzuOqg7+txVLERCUNI2Nu5M0EvdEsQBYqPwbSlfsbXjSLQ7pJbZENEIAgNvaWOner2YoSTMtW3+ULRp485+3W3b2/8gptIYIfRDOQrrW1XWqj1sL/ZiQq9LJEwl40hgLSSUFq771Bd/cVo2OV0UYpChMa4k6EelN95eV0lNU756FQ3g6GeDsoNnv2A9DIIEBg=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4196.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 39276319-0962-4884-7706-08dbcbd7be5d
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Oct 2023 10:32:47.5210 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 8sDdOy/bLHy4+eYQGFY3nuF15gvXKtapwaMXHwrP41O7fLVeXDZAXg6Gp+vMJtm9/cXDC3uUPqmeuFLABeUXMw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR11MB7045
X-Outbound-SMTP-Client: 72.163.7.162, rcdn-opgw-1.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/YoB5WJ2AmXujxZLPoTRakIPRHbE>
Subject: [OPSAWG] AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2023 10:32:55 -0000

Hi,

Here is my AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08.

I found quite a few cases where the grammar is incorrect, which I find somewhat distracting and makes the document harder to review for technical content/correctness.  I've flagged as many of these that I can in my review (and some other questions).  I've also run the text through a grammar checker which may highlight potential additional changes, but can also have some false positives (MCR, please can you check these).  Please can you post an updated version and then I may give it a second read before starting IETF LC.

Minor level comments:

(1) p 2, sec 1.  Introduction

     In TLS 1.3 with or without
   the use of ECH, middlebox cannot rely on SNI inspection because a
   malware could lie about the SNI and middlebox without acting as a TLS
   proxy does not have visibility into the server certificate.

I find it very hard to read/understand this sentence.

Did you mean something like:

   In TLS 1.3, with or without the use of ECH, middleboxes cannot rely on
   SNI inspection because malware could lie about the SNI.  In addition,
   middleboxes do not have visibility into the server certificate unless
   they are acting as TLS proxies.


(2) p 3, sec 1.  Introduction

   The fourth section of this document makes a series of recommendations
   ("best current practices") for manufacturers on how to use DNS, and
   IP addresses with specific purpose IoT devices.

DNS, and => DNS and


(3) p 5, sec 3.1.4.  Names can have wildcards

   github would be unable to provision all infinity of possible names
   into the PTR records.

This sentence is somewhat unclear.


(4) p 8, sec 4.1.  Use of IP address literals in-protocol

   And with any non-determistic name or address that is returned, the
   MUD controller is not challenged to validate the transaction, as it
   can not see into the communication.

I'm not sure that I understand what this paragraph is trying to convey.


(5) p 9, sec 4.2.  Use of non-deterministic DNS names in-protocol

   This in particular may apply to the location where firmware updates
   may be retrieved.

Would it be worth more explicitly stating what the proposed alternative is here.  I.e., to use stable URLs at well known stable domains?


(6) p 9, sec 4.3.  Use of a too inclusive DNS name

Rather than "too inclusive" perhaps consider "too generic"?


(7) p 11, sec 6.5.  Prefer DNS servers learnt from DHCP/Route Advertisements

   IoT Devices should prefer doing DNS to the network provided DNS
   servers.  Whether this is restricted to Classic DNS (Do53) or also
   includes using DoT/DoH is a local decision, but a locally provided
   DoT server SHOULD be used, as recommended by
   [I-D.reddy-add-iot-byod-bootstrap].

Should it be DoT/DoH server SHOULD be used, or do you mean to specifically recommend DoT over DoH here?


(8) p 11, sec 7.  Privacy Considerations

   The use of DoT and DoH eliminates the minimizes threat from passive
   eavesdropped, but still exposes the list to the operator of the DoT
   or DoH server.  There are additional methods, such as described by
   [I-D.pauly-dprive-oblivious-doh].

This reference can be updated to RFC 9230.


(9) p 11, sec 7.  Privacy Considerations

   The use of DoT and DoH eliminates the minimizes threat from passive
   eavesdropped, but still exposes the list to the operator of the DoT
   or DoH server.  There are additional methods, such as described by
   [I-D.pauly-dprive-oblivious-doh].

"... eliminates the threat from passive eavesdroppers, ..."


(10) p 12, sec 7.  Privacy Considerations

   The use of DoT and DoH eliminates the minimizes threat from passive
   eavesdropped, but still exposes the list to the operator of the DoT
   or DoH server.  There are additional methods, such as described by
   [I-D.pauly-dprive-oblivious-doh].
   The use of unencrypted (Do53) requests to a local DNS server exposes
   the list to any internal passive eavesdroppers, and for some
   situations that may be significant, particularly if unencrypted WiFi
   is used.  Use of Encrypted DNS connection to a local DNS recursive
   resolver is a preferred choice, assuming that the trust anchor for
   the local DNS server can be obtained, such as via
   [I-D.reddy-add-iot-byod-bootstrap].

Presumably there should also be a recommendation to use encrypted WiFi too.


(11) p 12, sec 7.  Privacy Considerations

   While possession of a Large (Kitchen) Appliance at a residence may be
   uninteresting to most, possession of intimate personal devices (e.g.,
   "sex toys") may be a cause for embarrassment.

Not sure whether the example is needed here, but don't object if you want to keep it.  I would change "Large (Kitchen) Appliance" to just "kitchen appliance".


(12) p 13, sec 8.  Security Considerations

   This document takes the view that the two requirements do not need to
   be in conflict, but resolving the conflict requires some advance
   planning by all parties.

Rather than "requires some advance planning by all parties", perhaps "requires careful planning on how the DNS can be safely and effectively used by MUD controllers and IOT devices."



Nit level comments:

(13) p 3, sec 1.  Introduction

   The second section of this document details how common manufacturer
   anti-patterns get in the way this mapping.
   The third section of this document details how current trends in DNS
   presolution such as public DNS servers, DNS over TLS (DoT), DNS over
   QUIC (DoQ), and DNS over HTTPS (DoH) cause problems for the
   strategies employed.  Poor interactions with content-distribution
   networks is a frequent pathology that can result.

presolution => resolution


(14) p 4, sec 3.1.1.  Too slow

   While subsequent connections to the same site (and subsequent packets
   in the same flow) will not be affected if the results are cached, the
   effects will be felt.  The ACL results can be cached for a period of
   time given by the TTL of the DNS results, but the lookup must be
   performed again in a number of hours to days.

hours to days => hours or days.


(15) p 6, sec 3.2.  A successful strategy

   In order to compensate for this, the MUD controller SHOULD regularly
   do DNS lookups in order to get never have stale data.

regularly do => regularly perform
to get never have => to never have


(16) p 6, sec 3.2.  A successful strategy

     These lookups
   need to be rate limited in order to avoid load.  It may be necessary
   to avoid local recursive DNS servers.

Suggest "These lookups must be rate limited to avoid excessive load on the DNS servers, and it may be necessary to avoid local recursive resolvers."


(17) p 6, sec 3.2.  A successful strategy

   A MUD controller that is aware of which recursive DNS server that the
   IoT device will use can instead query that server on a periodic
   basis.  Doing so provides three advantages:

server that the => server the


(18) p 7, sec 3.2.  A successful strategy

   The solution of using the same caching recursive resolver as the
   target device is very simple when the MUD controllers is located in a
   residential CPE device.  The device is usually also the policy
   enforcement point for the ACLs, and a caching resolver is typically
   located on the same device.  In addition the convenience, there is a
   shared fate advantage: as all three components are running on the
   same device, if the device is rebooted, clearing the cache, then all
   three components will get restarted when the device is restarted.

the convenience => to convenience


(19) p 7, sec 3.2.  A successful strategy

   Where the solution is more complex is when the MUD controller is
   located elsewhere in an Enteprise, or remotely in a cloud such as
   when a Software Defines Network (SDN) is used to manage the ACLs.
   The DNS servers for a particular device may not be known to the MUD
   controller, nor the MUD controller be even permitted to make recusive
   queries that server if it is known.  In this case, additional
   installation specific mechanisms are probably needed to get the right
   view of DNS.

The scenario where the solution is more complex is when ...
that server => to that server
of DNS => of the DNS


(20) p 7, sec 4.  DNS and IP Anti-Patterns for IoT device Manufacturers

   This section describes a number of things with IoT manufacturers have
   been observed to do in the field, each of which presents difficulties
   for MUD enforcement points.

with IoT => which IoT


(21) p 8, sec 4.1.  Use of IP address literals in-protocol

   An authoritative server might be tempted to provided an IP address
   literal inside the protocol: there are two arguments (anti-patterns)
   for doing this.
   One is that it eliminates problems to firmware updates that might be
   caused by lack of DNS, or incompatibilities with DNS.  For instance
   the bug that causes interoperability issues with some recursive
   servers would become unpatchable for devices that were forced to use
   that recursive resolver type.

Suggest "One is that" -> "The first is that ..."
"the bug that" -> "a bug that"


(22) p 8, sec 4.1.  Use of IP address literals in-protocol

   A second reason to avoid a DNS in the URL is when an inhouse content-
   distribution system is involved that involves on-demand instances
   being added (or removed) from a cloud computing architecture.

Suggest "A second" -> "The second"


(23) p 8, sec 4.1.  Use of IP address literals in-protocol

   But, there are many problems with use of IP address literals for the
   location of the firmware.

Perhaps change "many problems" => "more problems".


(24) p 8, sec 4.1.  Use of IP address literals in-protocol

   Third-party content-distribution networks (CDN) tend to use DNS names
   in order to isolate the content-owner from changes to the
   distribution network.

I suggest "Finally, Third-party content-distribution ..."


(25) p 9, sec 5.  DNS privacy and outsourcing versus MUD controllers

   A described above in Section 3 the MUD controller needs to have
   access to the same resolver(s) as the IoT device.

A described ... => As described ...


(26) p 10, sec 6.  Recommendations to IoT device manufacturer on MUD and DNS usage

   The difficult part is determining what to put into the MUD file
   itself.  There are currently tools that help with the definition and
   analysis of MUD files, see [mudmaker].  The remaining difficulty is
   now the semantic contents of what is in the MUD file.  An IoT
   manufacturer must now spend some time reviewing what the network
   communications that their device does.

what the network ... => "reviewing the network communications by their device."


(27) p 10, sec 6.  Recommendations to IoT device manufacturer on MUD and DNS usage

   This document has discussed a number of challenges that occur
   relating to how DNS requests are made and resolved, and it is the
   goal of this section to make recommendations on how to modify IoT
   systems to work well with MUD.

has discussed => discusses
it is the goal => and the goal
section to make => section is to make


(28) p 10, sec 6.2.  Use primary DNS names controlled by the manufacturer

   While it used to be costly to have a large number of aliases in a web
   server certificate, this is no longer the case.  Wildcard
   certificates are also commonly available which allowed for an
   infinite number of possible names.

allowed for => allow for


(29) p 10, sec 6.3.  Use Content-Distribution Network with stable names

   When aliases point to a Content-Distribution Network (CDN), prefer to
   use stable names that point to appropriately load balanced targets.
   CDNs that employ very low time-to-live (TTL) values for DNS make it
   harder for the MUD controller to get the same answer as the IoT
   Device.  A CDN that always returns the same set of A and AAAA
   records, but permutes them to provide the best one first provides a
   more reliable answer.

prefer to use stable => prefer stable


(30) p 11, sec 6.4.  Do not use geofenced names

   Due the problems with different answers from different DNS servers,
   described above, a strong recommendation is to avoid using such
   things.

Due to the problems ...
.... is to avoid using geofenced names.


(31) p 11, sec 6.5.  Prefer DNS servers learnt from DHCP/Route Advertisements

   It is recommended that use of non-local resolvers is only done when
   the locally provided resolvers provide no answers to any queries at
   all, and do so repeatedly.  The use of the operator provided
   resolvers SHOULD be retried on a periodic basis, and once they
   answer, there should be no further attempts to contact public
   resolvers.

Perhaps change last should to SHOULD?


(32) p 12, sec 7.  Privacy Considerations

   Identifying the IoT device type empowers the attacker to launch
   targeted attacks to the IoT device (e.g., Attacker can advantage of
   the device vulnerability).

can take advantage of any known vulnerabilities on the device.


(33) p 12, sec 7.  Privacy Considerations

   The more complex case of section Section 4.1 postulates that the
   version number needs to be provided to an intelligent agent that can
   decided the correct route to do upgrades.  The current [RFC9019]
   specification provides a wide variety of ways to accomplish the same
   thing without having to divulge the current version number.

section Section 4.1 => Section 4.1
The current [RFC9019] specification provides => "RFC 9019 provides" (Or you can say current, at the time of publication, ...)


(34) p 13, sec 8.  Security Considerations

   This document deals with conflicting Security requirements:

Security => security


Spellings to check:
Enteprise,
consistitute,
consititute,
funnelled,
inhouse,
inprotocol,,
liimt,
middlebox,
permutted,
presolution,
recusive,

Grammar Warnings:
Section: 1, draft text:
Use of a DNS name rather than IP address in the ACL has many advantages: not only does the layer of indirection permit the mapping of name to IP address to be changed over time, it also generalizes automatically to IPv4 and IPv6 addresses, as well as permitting loading balancing of traffic by many different common ways, including multi-CDN deployments wherein load balancing can account for geography and load.
Warning:  Consider using many.
Suggested change:  "many"

Section: 1, draft text:
The Security Considerations section covers some of the negative outcomes should MUD/firewall managers and IoT manufacturers choose not to cooperate.
Warning:  If the text is a generality, 'of the' is not necessary.
Suggested change:  "some"

Section: 3.1.3, draft text:
The same is not true for reverse names: they can often be incomplete or incorrect for months or even years without visible affect on operations.
Warning:  Did you mean effect?
Suggested change:  "effect"

Section: 3.1.3, draft text:
To liimt churn of DNS PTR records, and reduce failures of the MUD ACLs, operators would want to add all possible names for each reverse name, whether or not the DNS load balancing in the forward DNS space lists that end-point at that moment.
Warning:  Consider shortening this phrase to just whether. It is correct though if you mean 'regardless of whether'.
Suggested change:  "whether"

Section: 3.1.4, draft text:
Instead a wildcard exists to answer.
Warning:  Did you forget a comma after a conjunctive/linking adverb?
Suggested change:  "Instead,"

Section: 3.1.4, draft text:
github would be unable to provision all infinity of possible names into the PTR records.
Warning:  This sentence does not start with an uppercase letter.
Suggested change:  "Github"

Section: 3.2, draft text:
The MUD controller and the device get a matching set, and the ACLs that are setup cover all possibilities.
Warning:  The verb 'set up' is spelled as two words. The noun 'setup' is spelled as one.
Suggested change:  "set up"

Section: 3.2, draft text:
The simplest is when the round robin does not return all addresses. 
Warning:  This word is normally spelled with hyphen.
Suggested change:  "round-robin"

Section: 3.2, draft text:
In addition the convenience, there is a shared fate advantage: as all three components are running on the same device, if the device is rebooted, clearing the cache, then all three components will get restarted when the device is restarted.
Warning:  Did you forget a comma after a conjunctive/linking adverb?
Suggested change:  "addition,"

Section: 4.1, draft text:
A common pattern for a number of devices is to look for firmware updates in a two step process. 
Warning:  This word is normally spelled with hyphen.
Suggested change:  "two-step"

Section: 4.1, draft text:
An initial query is made (often over HTTPS, sometimes with a POST, but the method is immaterial) to a vendor system that knows whether or not an update is required.
Warning:  Consider shortening this phrase to just whether. It is correct though if you mean 'regardless of whether'.
Suggested change:  "whether"

Section: 4.1, draft text:
An authoritative server might be tempted to provided an IP address literal inside the protocol: there are two arguments (anti-patterns) for doing this.
Warning:  Did you mean to provide?
Suggested change:  "to provide"

Section: 4.1, draft text:
A DNS name can contain both kinds of addresses, and can also contain many different IP addresses of each kind.
Warning:  Consider using many.
Suggested change:  "many"

Section: 4.2, draft text:
Even if the content provider chosen names are deterministic they may change at a rate much faster than MUD files can be updated.
Warning:  "Even if" at the beginning of a sentence requires a 2nd clause. Maybe a comma, question or exclamation mark is missing, or the sentence is incomplete and should be joined with the following sentence.

Section: 6, draft text:
It can even be done without code changes via the use of a QR code affixed to the packaging (see [RFC9238].
Warning:  Unpaired symbol: ')' seems to be missing

Section: 6.2, draft text:
While it used to be costly to have a large number of aliases in a web server certificate, this is no longer the case. 
Warning:  Specify a number, remove phrase, or simply use many or numerous
Suggested change:  "many"

Section: 6.4, draft text:
Due the problems with different answers from different DNS servers, described above, a strong recommendation is to avoid using such things.
Warning:  It appears that a preposition is missing after 'Due'.
Suggested change:  "Due to the"

Section: 7, draft text:
The use of unencrypted (Do53) requests to a local DNS server exposes the list to any internal passive eavesdroppers, and for some situations that may be significant, particularly if unencrypted WiFi is used. 
Warning:  Did you mean Wi-Fi? (This is the officially approved term by the Wi-Fi Alliance.)
Suggested change:  "Wi-Fi"

Section: 7, draft text:
Instead, details of how to query and where to get the firmware would be provided as a MUD extension, and a Enterprise-wide mechanism would retrieve firmware, and then distribute it internally. 
Warning:  Use an instead of 'a' if the following word starts with a vowel sound, e.g. 'an article', 'an hour'
Suggested change:  "an"

Regards,
Rob

v2.23.0 | Report a Bug | By Email