Re: [OPSAWG] Paul Wouters' Yes on draft-ietf-opsawg-add-encrypted-dns-11: (with COMMENT)

Paul Wouters <paul.wouters@aiven.io> Wed, 15 March 2023 19:57 UTC


On Mar 15, 2023, at 14:50, mohamed.boucadair@orange.com wrote:
> 
> Hi Paul, 
> 
> Please see inline.
> 
> Cheers,
> Med
> 
>> -----Original Message-----
>> From: Paul Wouters <paul.wouters@aiven.io>
>> Sent: Wednesday 15 March 2023 18:00
>> To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
>> Cc: The IESG <iesg@ietf.org>; draft-ietf-opsawg-add-encrypted-dns@ietf.org; opsawg-chairs@ietf.org; opsawg@ietf.org; dhcwg@ietf.org; bevolz@gmail.com
>> Subject: Re: Paul Wouters' Yes on draft-ietf-opsawg-add-encrypted-dns-11: (with COMMENT)
>> 
>>> On Mar 15, 2023, at 02:35, mohamed.boucadair@orange.com wrote:
>>> 
>>> 
>>>> 
>>>>      This document targets deployments where a trusted relationship is in
>>>>      place between the RADIUS client and server with communication optionally
>>>>      secured by IPsec or Transport Layer Security (TLS) [RFC6614].
>>>> 
>>>> I don't understand what this sentence is trying to say.
>>>> 
>>> 
>>> [Med] As per today, the use of IPsec/TLS is optional in RADIUS in trusted
>>> networks. As you know, there is an effort to make IPsec/TLS mandatory even
>>> for trusted networks (and deprecate the use of plain UDP/TCP transport) and
>>> also move 6614 to the Standards Track, but all of these are still individual
>>> drafts.
>> 
>> But it is still always trusted for authentication. And sending ADD
>> information is still possible and desirable even if RADIUS wasn't
>> using IPsec or TLS. So I still think the sentence should just be
>> removed.
>> 
> 
> [Med] The use of IPsec/TLS between RADIUS client/server is superior even in trusted environments because, otherwise, many attacks would be possible from within the network (gleaning private information, etc.). I prefer to leave the mention of IPsec/TLS. Thank you.

Yes, it is superior, but because you say you are targeting that, it makes the RADIUS setups without TLS or IPsec out of scope, and I think that's wrong.

Paul
