Re: [secdir] [homenet] Secdir last call review of draft-ietf-homenet-dot-12

Mark Andrews <marka@isc.org> Thu, 31 August 2017 07:49 UTC

To: Ted Lemon <mellon@fugue.com>
Cc: Daniel Migault <daniel.migault@ericsson.com>, HOMENET <homenet@ietf.org>, secdir@ietf.org
From: Mark Andrews <marka@isc.org>
References: <150307463977.14156.2178189421671973906@ietfa.amsl.com> <5C378A81-AB6B-4F2F-8D97-CDED30D788AE@fugue.com> <7561B4DC-2695-4A2A-B61C-C8ACD7431638@fugue.com>
In-reply-to: Your message of "Wed, 30 Aug 2017 15:59:31 -0400." <7561B4DC-2695-4A2A-B61C-C8ACD7431638@fugue.com>
Date: Thu, 31 Aug 2017 17:49:20 +1000
Message-Id: <20170831074920.EFC3B83DAC59@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DQPfnJKvdcIIuFG7pyLNGOlWcaw>
Subject: Re: [secdir] [homenet] Secdir last call review of draft-ietf-homenet-dot-12

In message <7561B4DC-2695-4A2A-B61C-C8ACD7431638@fugue.com>, Ted Lemon writes:
>
> On Aug 29, 2017, at 10:03 PM, Ted Lemon <mellon@fugue.com> wrote:
> > Yes.   As far as I know the text gives IANA the information they need
> > to do; I do not know how they operate their black hole servers, so I am
> > trusting that these instructions are sufficient.   They have been
> > reviewed by people who understand this problem better than I do, like
> > Andrew Sullivan, Paul Hoffman and Mark Andrews.   I was specifically
> > advised not to overspecify this.   I would rather take their word on this
> > than yours, if you will forgive my saying so. :)
>
> Argh.   Warren made me look more closely, and you were right.   Sorry for
> doubting.   :]   Here is the new text for the IANA considerations section:
>
>     IANA is further requested to create a new subregistry within the
>     "Locally-Served DNS Zones" registry <xref target="LSDZ"/>, titled
>     "Transport-Independent Locally-Served DNS Zones", with the same
>     format as the other subregistries.  IANA is requested to add an
>     entry in this new registry for 'home.arpa.' with the description
>     "Homenet Special-Use Domain", listing this document as the reference.

It is up to IANA as to how they implement the delegation.  We just
specify the requirements (insecure delegation to an empty zone).  We
don't need to prescribe *where* leaked traffic is sunk.  IANA has
decades of experience with moving traffic flows if needed.

The simplest delegation is back to the servers for .arpa.  The
servers can be updated by IANA if/when they need to sink the traffic
somewhere else.  The AS112 servers, however, are not the set of servers
to sink the traffic to, as they are not under IANA's control and
there is no way to get them all to serve home.arpa.

If there is another round I would remove

    , and MUST point to one or more black hole
    servers, for example 'blackhole-1.iana.org.' and 'blackhole-2.iana.org.'

as it is an overspecification.  Just let IANA manage it.

B.T.W. blackhole-1.iana.org and blackhole-2.iana.org aren't really
blackholes as they respond to queries.  Operators of blackhole-1.iana.org
and blackhole-2.iana.org are required to ensure that they do answer
and to withdraw routing announcements for them when they fail to do
so.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
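The point above that a "black hole" server for home.arpa is expected to answer, rather than drop packets, is the kind of property an operator would monitor. Below is an added example, not part of this message, the draft, or any IANA or ISC tooling: a minimal health check that builds a DNS SOA query for home.arpa in wire format with only the Python standard library, parses the response header, and treats the sink as healthy only if it replied authoritatively (AA set) with NOERROR or NXDOMAIN. The healthy/unhealthy criterion, the server address 192.0.2.1 (a documentation range), and the sample responses are all constructed assumptions for illustration.

```python
import random
import socket
import struct

HOME_ARPA = "home.arpa."
QTYPE_SOA = 6
QCLASS_IN = 1

# Header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_AA = 0x0400  # authoritative answer
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_SOA, txid=None):
    """Build a DNS query. RD is left clear: we want the sink's own answer,
    not a recursive lookup."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(data, expected_txid):
    """Extract the header fields this check cares about."""
    if len(data) < 12:
        raise ValueError("short response")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rcode": flags & 0x000F,
        "ancount": an,
        "nscount": ns,
    }


def sink_is_healthy(parsed):
    """Assumed criterion: a sink serving an empty zone must answer
    authoritatively with NOERROR or NXDOMAIN. A REFUSED, a SERVFAIL, or a
    non-authoritative answer (e.g. some resolver in the path) does not count."""
    return parsed["qr"] and parsed["aa"] and parsed["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN)


def check_sink(server_ip, name=HOME_ARPA, timeout=2.0):
    """Network version of the check; a timeout is reported as unhealthy,
    which is the whole point: a sink that stops answering should be noticed."""
    txid = random.randrange(0, 65536)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return False
    try:
        return sink_is_healthy(parse_response(data, txid))
    except ValueError:
        return False


def sample_response(txid, flags, name=HOME_ARPA):
    """Constructed minimal response (header plus echoed question, no records)
    so the parsing and the health criterion can be exercised offline."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


if __name__ == "__main__":
    # Offline demonstration with constructed responses.
    cases = {
        "authoritative NOERROR": FLAG_QR | FLAG_AA | RCODE_NOERROR,
        "authoritative NXDOMAIN": FLAG_QR | FLAG_AA | RCODE_NXDOMAIN,
        "REFUSED": FLAG_QR | 5,
        "non-authoritative NOERROR": FLAG_QR | 0x0180,
    }
    for label, flags in cases.items():
        parsed = parse_response(sample_response(0x1234, flags), 0x1234)
        print(f"{label:28s} healthy={sink_is_healthy(parsed)}")
    # Live check against an assumed server address (documentation range):
    # print(check_sink("192.0.2.1"))
```

The check deliberately sends with RD clear and demands the AA bit, so that an answer relayed by a recursive resolver is not mistaken for the sink itself answering; pairing it with the route-withdrawal step the message describes is left to the operator's monitoring system.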