IETF Logo Mail Archive

Re: [OPSAWG] 🔔 WG Last Call for draft-ietf-opsawg-mud-iot-dns-considerations-05

tirumal reddy <kondtir@gmail.com> Tue, 17 January 2023 05:42 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDC19C1CCC81 for <opsawg@ietfa.amsl.com>; Mon, 16 Jan 2023 21:42:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id umL2JenXfMZJ for <opsawg@ietfa.amsl.com>; Mon, 16 Jan 2023 21:42:12 -0800 (PST)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49C23C14F74A for <opsawg@ietf.org>; Mon, 16 Jan 2023 21:42:12 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id g13so45587656lfv.7 for <opsawg@ietf.org>; Mon, 16 Jan 2023 21:42:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=MzPsVCORVwHhREWZmMKW6RlTKin2GVsPRv919qYjDuA=; b=hnIQJgfLAjN1BKzrcfjfjeRt3z7fgW5OIOrDJ6ccbx/NCSJKgzgwnJ7Cr9uHAWGjHF bG99aBb4wVqNyCLB9xJLezbP+xX2qiv+4NqIzNvkJQPkkkNfRC7ZdRqj33sSaEhIn+Vk jp2pgtnX46afMmSHzU/0RDwes767+N6N3sf9qLDkSqvtjfDsPlZ3Xn4imqgmhbLIUBjW DVDLVvAoQBHYJ7T27KreDJkhyg9Kbcogq0Xy9GR79rD/qt3YjVNQrYsFILcr1OrJbz58 YJGUZZxyaHyCuL9wYxwyqXGKkb88ov2rZ6hcPlF8JuWwH+1IvxU4y0V9A+d1eDxggMr7 ZLZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=MzPsVCORVwHhREWZmMKW6RlTKin2GVsPRv919qYjDuA=; b=2Ml1ZkMA2d2J9/t85ltzR0g4/7vft+twhmg5el28QAr4nDjVI/WMjOmQJcJJ0IzRp1 dZciaqZr3RqfkhTIU86o5yyXx9FLYq+FMoLuiLz7lx7EbVktWFmvA4ndMgH+++8sx5jt HsTJAnkFV5D7kvEDxwTLYcsvgoR2tarBC8YMxhLP6bvvwsYhMLUwKf+msPRFoSczgV+6 uSMVhhnISqou1gWzmFuOHGHi4oKMIjXscEwu6A7O22kz0j6Dxj4xCEfUrKOc+dyUV793 t7RB7m1M7QxVpecPJHDQpcOwXHqaoAInPN52AZti1FEH7n8sxui2SU2l/T5ZArHESRjT gNZg==
X-Gm-Message-State: AFqh2kouIPLaJWKbSPqOMqA4sddwMKjh9vq27m1E/7/sTSqzVyiOdl9B Dyzh2Ww739U3Sx7JOQbBgKyvO3xcxHlEC+npcyU=
X-Google-Smtp-Source: AMrXdXuqGhLKk9Y1ht0ZsPGcefJpb/dRxCyUYN/BBu29RvMC7G+8rRKCldrqy4uLhwCf+L/mBqhOAOSKvRppdMfJszI=
X-Received: by 2002:a05:6512:3450:b0:4b5:7dcb:161b with SMTP id j16-20020a056512345000b004b57dcb161bmr127463lfr.74.1673934130137; Mon, 16 Jan 2023 21:42:10 -0800 (PST)
MIME-Version: 1.0
References: <fb4c37ad-870f-c462-c876-e85e38892c57@sit.fraunhofer.de>
In-Reply-To: <fb4c37ad-870f-c462-c876-e85e38892c57@sit.fraunhofer.de>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 17 Jan 2023 11:11:58 +0530
Message-ID: <CAFpG3ge2-Q1=zCbJud=Xrh8UG-vvomWfid8cJRoJYANgDGAuqQ@mail.gmail.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Cc: opsawg <opsawg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000344eb905f26f29f4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/hBHFJHvfYJgw9TRYi6pxfhk-z9I>
Subject: Re: [OPSAWG] 🔔 WG Last Call for draft-ietf-opsawg-mud-iot-dns-considerations-05
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2023 05:42:16 -0000

I support progressing the draft and I have the following comments/nits
which should be straightforward to address:

1.

It has been suggested that one answer to this problem is to provide a
forced
intermediate for the TLS connections. This could in theory be done for TLS
1.2 connections.
The MUD policy enforcement point could observe the Server Name Identifier
(SNI) [RFC6066].
Some Enterprises do this already. But, as this involves active termination
of the TCP
connection (a forced circuit proxy) in order to see enough of the traffic,
it
requires significant effort. But, TLS 1.3 provides options to encrypt the
SNI as the
ESNI, which renders the practice useless in the end.

Comment> In TLS 1.3, the client can lie about SNI and a firewall passively
inspecting the handshake cannot identify it without looking into the server
certificate (which is not possible).

I would say SNI inspection is not useful in TLS 1.3 (with or without ECH).

2.
XXX --- explain in detail how this can fail.
XXX --- explain N:1 vs 1:1 for virtual hosting.

Nit> You may want to remove "XXX".

3.
The third section of this document details how current trends in DNS
presolution
such as public DNS servers, DNS over TLS (DoT), and DNS over HTTPS (DoH)
cause
problems for the strategies employed. Poor interactions with
content-distribution
networks is a frequent pathology that can result.

Comment> You may also want to refer to DoQ.

4.
A third problem involves the use of HTTPS. IP address literals do not
provide enough
context for TLS ServerNameIndicator to be useful [RFC6066]. This limits the
firmware repository to be a single tenant on that IP address, and for IPv4
(at least),
this is no longer a sustainable use of IP addresses.

Comment> You may want to look into
https://www.rfc-editor.org/rfc/rfc8738.html, it will address the limitation
with IP address as an identifier in certificates.

5. Section 6.5> I suggest replacing the references by the drafts adopted by
ADD WG (DNR and DDR)..

Cheers,
-Tiru


On Fri, 9 Dec 2022 at 21:53, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
wrote:

> Dear OPSAWG members,
>
> this email starts a four week period for a Working Group Last Call of
>
> >
> https://www.ietf.org/archive/id/draft-ietf-opsawg-mud-iot-dns-considerations-05.html
>
> ending on Friday, January 6th 2023.
>
> Several reviews of this document were submitted. The most recent one
> from the Security Directorate was addressed. The authors believe the
> Internet-Draft is ready for a WGLC and the chairs are in support of a
> WGLC. The draft has been discussed visibly on the list and at previous
> IETF meetings.
>
> Please reply with your active support (+1 required) or objections and
> your assessment of whether or not it is ready to proceed to publication
> before January 6th 2023.
>
>
> For the OPSAWG co-chairs,
>
> Henk
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>

v2.23.0 | Report a Bug | By Email