From: Paul Wouters <paul.wouters@aiven.io>
Date: Wed, 15 Mar 2023 15:57:19 -0400
Message-Id: <79C795F8-1A4F-4549-B31E-A94947169297@aiven.io>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsawg-add-encrypted-dns@ietf.org,
 opsawg-chairs@ietf.org, opsawg@ietf.org, dhcwg@ietf.org, bevolz@gmail.com
In-Reply-To: <17676_1678906252_6412138C_17676_3_1_5464bf8a9dc147cc9bb99ffd5bb6c098@orange.com>
To: mohamed.boucadair@orange.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/hpoExo8MGhC_DsDwRxRTvTipvlU>
Subject: Re: [OPSAWG] Paul Wouters' Yes on
 draft-ietf-opsawg-add-encrypted-dns-11: (with COMMENT)

On Mar 15, 2023, at 14:50, mohamed.boucadair@orange.com wrote:
>
> Hi Paul,
>
> Please see inline.
>
> Cheers,
> Med
>
>> -----Original Message-----
>> From: Paul Wouters <paul.wouters@aiven.io>
>> Sent: Wednesday, 15 March 2023 18:00
>> To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
>> Cc: The IESG <iesg@ietf.org>; draft-ietf-opsawg-add-encrypted-dns@ietf.org;
>> opsawg-chairs@ietf.org; opsawg@ietf.org; dhcwg@ietf.org; bevolz@gmail.com
>> Subject: Re: Paul Wouters' Yes on draft-ietf-opsawg-add-encrypted-dns-11:
>> (with COMMENT)
>>
>>> On Mar 15, 2023, at 02:35, mohamed.boucadair@orange.com wrote:
>>>
>>>
>>>>
>>>>      This document targets deployments where a trusted relationship is in
>>>>      place between the RADIUS client and server with communication
>>>>      optionally secured by IPsec or Transport Layer Security (TLS)
>>>>      [RFC6614].
>>>>
>>>> I don't understand what this sentence is trying to say.
>>>>
>>>
>>> [Med] As of today, the use of IPsec/TLS is optional in RADIUS in trusted
>>> networks. As you know, there is an effort to make IPsec/TLS mandatory even
>>> for trusted networks (and deprecate the use of plain UDP/TCP transport) and
>>> also move 6614 to standards track, but all of these are still individual
>>> drafts.
>>
>> But it is still always trusted for authentication. And sending ADD
>> information is still possible and desirable even if RADIUS wasn’t
>> using IPsec or TLS. So I still think the sentence should just be
>> removed.
>>
>
> [Med] The use of IPsec/TLS between RADIUS client/server is superior even in
> trusted environments because, otherwise, many attacks would be possible from
> within the network (gleaning private information, etc.). I prefer to leave
> the mention of IPsec/TLS. Thank you.

Yes, it is superior, but because you say you are targeting that, it makes the
RADIUS setups without TLS or IPsec out of scope, and I think that’s wrong.

Paul
