IETF Logo Mail Archive

Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 23 October 2023 15:23 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B4E6C151545; Mon, 23 Oct 2023 08:23:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YUe07tMHKL5Y; Mon, 23 Oct 2023 08:23:50 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE44DC151534; Mon, 23 Oct 2023 08:23:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 290D91800E; Mon, 23 Oct 2023 11:23:48 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Cw1YcOFlmjqu; Mon, 23 Oct 2023 11:23:47 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 755D71800C; Mon, 23 Oct 2023 11:23:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1698074627; bh=OW1ZO2aIqfI4byweULPDr28hshgnfctoezoAxURg+Hg=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=H5w7eLs7Y9SNp3HNrXNUMnPaPH97w08BBBL4rtYX5RE6hY4WeHXDIXfBkD8hRCglD Pos+Gdj+31dI0IbJ9cjSSBxShwQUY0PstNgAC/3G+HBzHw9+1s6laKRs9lovVyLU24 EF8NLYm5r8ro3LpRXtwR/Y41CJMFu6eJlB8qulMjxFPS6uZRomw6W83yEG1abIuJR6 PykL8HlKfw0hqABWGxts2qgIfVhg4pyZEaeQLQhAFcZQTeCFuO7lwklrQ5yDVykHnU MCNRngpdAvP9kzzLlDQdrhkCjRauAr9SgukS/958d3TKx8BQbOLMEOVIlNX4rzanwE 0COO2IlhGHjnQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 71A9F28F; Mon, 23 Oct 2023 11:23:47 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: mohamed.boucadair@orange.com
cc: "Rob Wilton (rwilton)" <rwilton@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>, "draft-ietf-opsawg-mud-iot-dns-considerations@ietf.org" <draft-ietf-opsawg-mud-iot-dns-considerations@ietf.org>
In-Reply-To: <DU2PR02MB10160547DD3B4D7A81EF211F488D5A@DU2PR02MB10160.eurprd02.prod.outlook.com>
References: <BY5PR11MB419663E50375EFC179E7CE65B5D2A@BY5PR11MB4196.namprd11.prod.outlook.com> <12876.1697643420@localhost> <DU2PR02MB10160547DD3B4D7A81EF211F488D5A@DU2PR02MB10160.eurprd02.prod.outlook.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 23 Oct 2023 11:23:47 -0400
Message-ID: <24466.1698074627@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/n-HAU-pvH0H3tKjJezSuxir8uSQ>
Subject: Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2023 15:23:54 -0000

This changes I made based upon your comments are at:
  https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-mud-iot-dns-considerations/pull/12

I've merged it to make/post -10, but if you are further comments and want to
suggest other changes in the github, please go ahead.

mohamed.boucadair@orange.com wrote:
    > * I don't think we can leave the ref to the bootstrap I-D as that was
    > abandoned since a while. I was delete that citation.
    > * Not sure why DoT/DoH is explicitly mentioned in that text. I think
    > the reasoning should be more about encrypted DNS in general.

okay, the key point is to use local DNS.

    > The ADD WG is currently only focusing on insecure discovery
    > mechanisms like DHCP/RA [I-D.ietf-add-dnr] and DNS based discovery
    > mechanisms ([I-D.ietf-add-ddr]).

    > I would refresh the text as both DNR and DDR are to be published as
    > RFCs.

okay: fixed.  RPC usually catches that.
They aren't actually RFCs yet (AUTH48 today) :-)

    > * Also, not sure it is worth mentioning here given the scope, but
    > secure discovery is possible with draft-ietf-ipsecme-add-ike.

No, it's not worth mentioning, because IoT devices are generally, not using IPsec.
(Generally, because I know of at least one big thing that does use IPsec for
remote maintenance/monitoring. But I would expect a MUD definition to
describe how the IPsec tunnel can work, and if it uses DNS to find the tunnel
end-point, that this would occur before the tunnel is up)

    > * Not sure I would maintain "Use of public QuadX resolver" as there are
    > public resolvers that are not Quads

RFC8499 hints at "public resolver", under "open resolver", but does not
actually define that term.  I'll update to rfc8499bis ID too.

    > * "This should include the port numbers (53, 853 for DoT, 443 for
    > DoH)": these are default ports numbers. Alternate port numbers can be
    > used and thus be configured.

Yes, I'm saying to include the port numbers.  Don't assume defaults.

    > Aaah, BTW please remove this entry:

    > [I-D.peterson-doh-dhcp]
    > Peterson, T., "DNS over HTTP resolver announcement Using
    > DHCP or Router Advertisements", Work in Progress,
    > Internet-Draft, draft-peterson-doh-dhcp-01, 21 October
    > 2019, <https://www.ietf.org/archive/id/draft-peterson-doh-
    dhcp-01.txt> .

Done.

    > and double check the normative references. I'm sure those at least are not normative:

    > [Akamai]   "Akamai", 2019,
    > <https://en.wikipedia.org/wiki/Akamai_Technologies>.

    > [AmazonS3] "Amazon S3", 2019,
    > <https://en.wikipedia.org/wiki/Amazon_S3>.

Made informative.

    > [I-D.ietf-dnsop-terminology-ter]
    > Hoffman, P. E., "Terminology for DNS Transports and
    > Location", Work in Progress, Internet-Draft, draft-ietf-
    > dnsop-terminology-ter-02, 3 August 2020,
    > <https://www.ietf.org/archive/id/draft-ietf-dnsop-
    terminology-ter-02.txt> .

RFC8499bis now, and I think it should be normative.



--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email