Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS

Ben Schwartz <bemasc@google.com> Thu, 13 October 2022 14:50 UTC

Return-Path: <bemasc@google.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5FBFC14F734 for <opsawg@ietfa.amsl.com>; Thu, 13 Oct 2022 07:50:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.607
X-Spam-Level:
X-Spam-Status: No, score=-17.607 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hDqfJALrGKnk for <opsawg@ietfa.amsl.com>; Thu, 13 Oct 2022 07:50:51 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56000C14F748 for <opsawg@ietf.org>; Thu, 13 Oct 2022 07:50:51 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id d187so2012700vsd.6 for <opsawg@ietf.org>; Thu, 13 Oct 2022 07:50:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8d3deoR7Zc6TBdH/27fMuRrC1xSWnDbrkNQfGet4A4g=; b=RTkUDgad9O7jocVEQEwVH5FxgtOwFsa5jK7gPUty23xCLwxK4Ddl74XlfphVCFEXj7 QLY1yUYOL883B/w27EQHqavSYBLaAJxu6oiI8vHPFsg/DB1GJQHAq1+RYQKAeY1Xjv6+ w1EEFFkSQrKpVqJ4MIRAVmxDFzqmPhEjPBLLKQbopMz1hRSdBWDQWkVeizGCaZZcbQbq Llw0/KMEWdBTiJJHyoripfNR1y32o9TXOVtMoczDW1uvTyU3ZMSjC97bJVbiCTLyWRUc aEzLeh46dg6AHpCid3Iwl+z7vrbrdlkZzeHxFTgDw0aufxZLMpMn/HMBWYtWgj3JTVfK 3CTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8d3deoR7Zc6TBdH/27fMuRrC1xSWnDbrkNQfGet4A4g=; b=U4KIHrsIw+W4eYOHdxfktrbz3VbAWd8897Tu6fes0hfz8YD40GheTnspsaPDJCCD6K P4bMG/vrpk8cZU5hQVhk18P5v+RD8wWFU/XNpYG3WYK/pUX2hMJeDVIVlze5JaCTLqJp PHbUv2gTGB/ciq9tveTRe4hTgGiXyyNp8++GYiyhROyl0Boi+2VWKcYXHlcN0SNsRVgY jVMz3QdFyALZQBc4a9VwmA9BxudrnUALHVPYWtc3UQlvwT77qtS9oquobSMbUTcYokB5 6qBXdV53aJszGwSCafbzWzq15GQPCm7Ll3zsG7PyJWpRSbQBkHdorAFQegm0AuOpzLsj BSqQ==
X-Gm-Message-State: ACrzQf0EQim0KJsb/Tq1VmzpERC5cWmbY0P7GVBvtWaDmez3+hxIIz2Y kqCKbYJvusYCpWmuHQpLDrnFQE8fLABgfXhhtpT38A==
X-Google-Smtp-Source: AMsMyM5fA5KiUc+pvr9mAYYaTYJfAdUlcfkY+oZ8GMgRz7S+WyyVYjhj9JZU7y7hI7XscF2bSrvLmyMdFlj3xOGDOwE=
X-Received: by 2002:a05:6102:31b5:b0:3a6:ec1f:ecd2 with SMTP id d21-20020a05610231b500b003a6ec1fecd2mr16161174vsh.75.1665672650223; Thu, 13 Oct 2022 07:50:50 -0700 (PDT)
MIME-Version: 1.0
References: <28766_1665646855_6347C107_28766_2_1_c61b294eae1742b4bfbf125d0fd0e92f@orange.com> <B6BBABE1-9194-4190-A84A-BA64889FC6E6@hopcount.ca>
In-Reply-To: <B6BBABE1-9194-4190-A84A-BA64889FC6E6@hopcount.ca>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 13 Oct 2022 10:50:38 -0400
Message-ID: <CAHbrMsAsC0N2uNpFuiMYEiPgQQQzAwikuiTL0dWZoNhgcPRwNw@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Mohamed Boucadair <mohamed.boucadair@orange.com>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Alan DeKok <aland@deployingradius.com>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, opsawg <opsawg@ietf.org>, radext@ietf.org, ADD Mailing list <add@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000a6ac8b05eaeba2dc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/wjpZbXJLpB0WnGo2IxXxl0Yxd74>
Subject: Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2022 14:50:55 -0000

I don't think we need to determine whether ECH is relevant for the DNR use
case.  Indeed, ECH as presently specified will generally fit inside the
250-octet limit.  My point is that we are setting ourselves up for a very
painful compatibility challenge if longer SvcParams come into use in the
future.  I can certainly imagine longer parameters (e.g. signed objects
with certificate chains) that might be useful in DNR.

Even if longer SvcParams aren't useful in DNR, creating an encoding that
can't carry them introduces a serious compatibility problem for systems
that copy between SVCB, DNR, and RADIUS.  What is such a tool supposed to
do when a valid SVCB record or DNR option is unrepresentable in RADIUS?
What is a naive operator to do, faced with this error message?

I understand that we can't eliminate this problem, due to the 4K limit, but
I think it's worth avoiding it as much as we can, even if it costs us a
page or two of standards text.

--Ben

On Thu, Oct 13, 2022 at 9:03 AM Joe Abley <jabley@hopcount.ca> wrote:

> Hi Mohamed,
>
> I may well have missed some nuance in the discussion that came before, but
> I found this comment interesting:
>
> On Oct 13, 2022, at 03:41, mohamed.boucadair@orange.com wrote:
>
> This specification targets typical broadband services in which the use of
> ECH is not relevant. It does not make sense for ISPs to be hosting multiple
> domains on the same IP address as the encrypted DNS resolver.
>
>
> Can you say why?
>
> If an operator has invested in infrasructure designed to be able to handle
> TLS and HTTP at high volumes with high availability, does it not seem
> possible that they would seek to reuse that general TLS/HTTP infrastructure
> for multiple purposes? If ECH is relevant in other services carried over
> HTTPS, why is it definitively not relevant for this one?
>
>
> Joe
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>