Re: [OPSAWG] Éric Vyncke's No Objection on draft-ietf-opsawg-mud-iot-dns-considerations-12: (with COMMENT)
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 27 March 2024 11:50 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE25BC14F6BD; Wed, 27 Mar 2024 04:50:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1PiCkKk3UHFP; Wed, 27 Mar 2024 04:50:06 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D430C14F6BF; Wed, 27 Mar 2024 04:50:05 -0700 (PDT)
Received: from dyas.sandelman.ca (60-240-91-174.static.tpgi.com.au [60.240.91.174]) by relay.sandelman.ca (Postfix) with ESMTPS id 155EF1F448; Wed, 27 Mar 2024 11:50:03 +0000 (UTC)
Authentication-Results: relay.sandelman.ca; dkim=pass (2048-bit key; secure) header.d=sandelman.ca header.i=@sandelman.ca header.b="Jmq1t80a"; dkim-atps=neutral
Received: by dyas.sandelman.ca (Postfix, from userid 1000) id 3929DA191C; Wed, 27 Mar 2024 22:49:58 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=sandelman.ca; s=dyas; t=1711540198; bh=pMjf+/BC7ukI8llYO3gznZab6SJF4gpSEB7YjdVuris=; h=From:To:cc:Subject:In-reply-to:References:Date:From; b=Jmq1t80a5wk35uCslND/23F9bPRGjPPPMSaDnkvXcaCWud+ingjel3BFBNJZmeLVB SzCYOspV2LKEBz94a8adKddSYuMjSuRcMeZuAyt8yhOfOBLT22sZkDE+TmrzvueD5F +MnIb9VRuClmGsroM4ifKfR4U1ij4NXpBGgKLSTiBy3alzsRGkJSfnEqsXVrN3JLJG Fk+5hhhW1fAKzs0LOfOik02FmDmk3FimLz5Orkjo/VAVbOC2ydSRhABwWzmhXI86qx jhhjX9BvpUA6vWt2aoBG/oOJhmRtVIUhoYdvW2lrvSGv3ZG1O1nsHet7R7GZWnCE0F IDd5IYk1yoOEw==
Received: from dyas (localhost [127.0.0.1]) by dyas.sandelman.ca (Postfix) with ESMTP id 36C0CA1918; Wed, 27 Mar 2024 22:49:58 +1100 (AEDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: =?utf-8?q?=C3=89ric_Vyncke?= <evyncke@cisco.com>
cc: The IESG <iesg@ietf.org>, dthaler1968@gmail.com, opsawg@ietf.org, opsawg-chairs@ietf.org, mud@ietf.org, draft-ietf-opsawg-mud-iot-dns-considerations@ietf.org
In-reply-to: <170965098581.18959.9237979064052019782@ietfa.amsl.com>
References: <170965098581.18959.9237979064052019782@ietfa.amsl.com>
Comments: In-reply-to =?utf-8?q?=C3=89ric_Vyncke_via_Datatracker?= <noreply@ietf.org> message dated "Tue, 05 Mar 2024 07:03:05 -0800."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 27 Mar 2024 22:49:58 +1100
Message-ID: <511187.1711540198@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/sy2dJB3Jv6vV6dkZcoRNLnwulww>
Subject: Re: [OPSAWG] Éric Vyncke's No Objection on draft-ietf-opsawg-mud-iot-dns-considerations-12: (with COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 11:50:10 -0000
Eric, I've processed your comments first among the COMMENTS after reorganizing the document. That re-org is in -13, and I sent a message about that change before. I'll post -14 once I've been through them all. I suspect that many of your comments are repeated by other ADs, but I can't keep track of them all at once, so I'll try to note to them if I've dealt with their comments already with yours. I've moved comments where I have something to day other than "okay"/done to the beginning of this email so that you don't have to fish for them. Your comments are collected into commit at: https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-mud-iot-dns-considerations/commit/d29461cc4a3d255cbdfe923d0668f50aab26b1ac Éric Vyncke via Datatracker <noreply@ietf.org> wrote: > Special thanks to Henk Birkholz for the shepherd's detailed write-up including > the WG consensus and the *very light* justification of the intended status. I hope that the argument for BCP is clearer after the document reorganization. > ## Section 3.1.2 > `They could determine when a home was occupied or not`: actually when I leave > home to travel (e.g., to IETF-119) most of my IoT devices are still active as I > want to 'control' my home from remote. Assumg a cloud-centric IoT solution. (You wouldn't buy one, and I wouldn't, but...) if you aren't home then the motion sensor isn't busy talking to the cloud in order to tell the lights (which also talk to the cloud) to go on. There would probably be a noticeable change in traffic, and since reverse DNS mappings do not last forever, an observer could notice the traffic. > Please note that Dave Thaler is the IoT directorate reviewer (at my request) > and you may want to consider this iot-dir review as well when it will > be It's in my todo, and I enjoyed his review, I'm pleased he did it. > # COMMENTS (non-blocking) > ## Absence of mDNS > Is mDNS used in the context of MUD ? If so, then it should be mentioned here. Collected as: https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-mud-iot-dns-considerations/issues/16 and perhaps solved as: https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-mud-iot-dns-considerations/pull/17 > ## Section 5 > Whether the MUD devices and the MUD controllers use the same recursive resolver > is probably orthogonal to the use of DoT/DoH. It's not due to tailored replies. A device is more likely to use DoT or DoH, to a "public DNS server", because they believe it's more secure than Do53 to 192.168.1.1, while the MUD controller is likely co-located with the recursive server at 192.168.1.1 > ## Section 6 > AFAIK, LLDP can also be used per RFC 8520 in addition to DHCP to retrieve the > MUD string. yes. That's true. It's probably not going to ever happen in the home. But, in the enterprise, it requires SNMP (or RESTCONF) or some other mechanism to collect that info from the L2 switches, while DHCP requests tend to already flow to a centralized point. So I can add two words somewhere, but I'm not sure it helps. > ## Section 7 > `The use of non-local DNS servers exposes the list of names resolved to a third > party` even if the recursive resolution is done 'locally' (i.e., on a CPE) it > will leak the MUD requests, we could argue that using a non-local recursive > resolver will only expose the requests to this non-local server but not to the > actual authoritative server. The MUD requests could be done via oblivious HTTP. This is not a new problem, I think. Do53 certainly reveals lots of passive eavesdroppers. But, you are right, ideally, only the recursive resolver sees the list. non-controversal edits: > ## Abstract > Let's be positive s/This document details concerns /This document details > considerations / done above. > ## Section 1 > s/Some Enterprises do this already. /Some organisations do this already. / ? > (e.g., governmental agencies, ...) > Suggest to put the sentence `The first section of this document...` on its own > 1-sentence paragraph. okay. > ## Section 3 > Suggest to always use "DNS names" rather than plain "names". Applicable in > several places in the document. Searched and replaced. > Isn't the mapping from address to DNS names usually called "reverse mapping" ? > E.g., section 3.1.3 uses `reverse names`. uhm. Sure. Does that become reverse DNS mapping, give above? I've done that in: https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-mud-iot-dns-considerations/commit/3529a008cc089c4ad5fb9a4641d565e8532bc1ae > ## Section 3.1 > Suggest to add "often" in the too assertive sentence `Attempts to map IP > address to names in real time fails for a number of reasons`. okay. > ## Section 3.1.3 > `Service providers` is rather vague in this context, is it the access/internet > SP or a hosted-IoT-service ? In this context, I mean CDN service, and I've clarified that. > ## Section 3.2 > It seems indeed to be the most obvious technique. So obvious that it should be > given a hint in the introduction. > Is there a common use case where the MUD controller is changing location ? > I.e., then having different forward DNS resolution answers ? I would also > expect the authoritative geo-sensitve servers will use a short DNS TTL in their > answers. This text has been emphasized and the other text moved to an appendix. > ## Section 4.3 > Unsure whether using a real case with Amazon is useful here... I"m open to adjustments here, but it's something they had problems with, and addressed somewhat recently. > ## Section 6.5 > The section title is about `Prefer DNS servers learnt from DHCP/Route > Advertisements` but the text is only about DHCP. > Btw, the exact wording is "Route*r* Advertisement" and a reference to RFC 8106 > could be useful. fixed. > Which are the reasons in `There are a number of reasons to avoid this` > ? added text. > ## References > Please note that DNR & DDR are published as RFC 9462 / 9463 (dated November > 2023). already fixed. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =- *I*LIKE*TRAINS*
- [OPSAWG] Éric Vyncke's No Objection on draft-ietf… Éric Vyncke via Datatracker
- Re: [OPSAWG] Éric Vyncke's No Objection on draft-… Michael Richardson
- Re: [OPSAWG] Éric Vyncke's No Objection on draft-… Michael Richardson