Re: [OPSAWG] [Mud] changes to draft-richardson-opsawg-mud-iot-dns-considerations-03.txt

Eliot Lear <lear@cisco.com> Sat, 26 September 2020 09:09 UTC

From: Eliot Lear <lear@cisco.com>
Date: Sat, 26 Sep 2020 11:09:32 +0200
In-Reply-To: <CAFpG3gc-PoAdvCB5p201-uZrMsdi4Cr1hR_YM-z2bgD9tvZVUw@mail.gmail.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, opsawg <opsawg@ietf.org>, mud@ietf.org
To: tirumal reddy <kondtir@gmail.com>

Hi Tiru

> On 26 Sep 2020, at 09:39, tirumal reddy <kondtir@gmail.com> wrote:
> 
> In the home network use case, if the CPE does not support an encrypted DNS forwarder, the endpoint will discover and use the ISP's encrypted DNS recursive server. The CPE will no longer be able to enforce MUD rules. For instance, Firefox can discover and use the Comcast encrypted DNS recursive server, see https://tools.ietf.org/id/draft-rescorla-doh-cdisco-00.html.
Not necessarily.  That is a matter of signaling between the CPE and the ISP.

Eliot