[Secdispatch] Appropriate WG for secure communication between networks and unknown clients

Tommy Jensen <Jensen.Thomas@microsoft.com> Mon, 03 August 2020 17:58 UTC

From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: "secdispatch@ietf.org" <secdispatch@ietf.org>
Date: Mon, 03 Aug 2020 17:58:51 +0000
Message-ID: <DM6PR00MB0781A2E5741B0C0D4CC5D2B3FA4D0@DM6PR00MB0781.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/_jWV_JTtubVP9cKc4Ut8pGLcueA>

Hey SECDISPATCH,

In the ADD WG, there's been a lot of discussion on the topic of secure communication between networks and clients that aren't preconfigured. The context is how a network can convince a client, which has no out-of-channel configuration to use for confirming network identity, that it has recommendations that can be distinguished from an attacker on the network.

This was brought up in our WG as part of the "Network A recommends DNS server B" which is done over DHCP or RAs today. With encrypted DNS protocols now available, we want to allow a network to advertise its own encrypted DNS servers. However, if we use DHCP or RAs as they are defined today, this can be hijacked by an attacker to convince clients to set up a secure connection to an attacker's server.

We know secured network configuration without out-of-band configuration is a hard problem but want to discuss it in a larger context than just DNS so we don't try to define a mechanism that cannot be reused by other scenarios. This mailing list was recommended in our IETF 108 WG session as a good contact for helping us find the right audience for this discussion. Any thoughts?

Thanks,
Tommy Jensen
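To make the hijack described in the message concrete, the following is an added example (not code from the message, from Microsoft, or from any ADD WG draft). It encodes and decodes the RFC 8106 RDNSS option that carries resolver addresses in a Router Advertisement, then models a client with no out-of-band configuration applying first the router's RA and then an on-link attacker's RA. The ICMPv6 RA header itself is not modelled, the addresses are RFC 3849 documentation-prefix values, the lifetime handling is a simplification of RFC 8106, and `pinned_resolvers_check` is a hypothetical helper standing in for the out-of-band trust the message says the client does not have.

```python
"""Model of the RA hijack described in the mail: the RFC 8106 RDNSS option
carries DNS resolver addresses with no authentication, so an on-link attacker
can replace the network's resolvers with its own. Added example, not from
the original message; addresses are constructed documentation values."""
import struct
import ipaddress

RDNSS_OPTION_TYPE = 25  # Recursive DNS Server option, RFC 8106 section 5.1


def encode_rdnss(addresses, lifetime):
    """Type(1) Length(1, in units of 8 octets) Reserved(2) Lifetime(4),
    followed by 16-byte IPv6 addresses. Note what is absent from the layout:
    no signer identity, no MAC, no nonce. Any host on the link can emit one."""
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    length = 1 + 2 * len(addresses)  # 8-byte header + 16 bytes per address
    return struct.pack("!BBHI", RDNSS_OPTION_TYPE, length, 0, lifetime) + packed


def decode_rdnss(option):
    """Parse one RDNSS option; returns (lifetime, [addresses])."""
    if len(option) < 8:
        raise ValueError("truncated RDNSS option")
    typ, length, _reserved, lifetime = struct.unpack("!BBHI", option[:8])
    if typ != RDNSS_OPTION_TYPE:
        raise ValueError("not an RDNSS option")
    # RFC 8106: minimum length is 3 (one address); each extra address adds 2.
    if length < 3 or length % 2 == 0:
        raise ValueError("invalid RDNSS length")
    n = (length - 1) // 2
    body = option[8:8 + 16 * n]
    if len(body) != 16 * n:
        raise ValueError("truncated RDNSS option")
    addrs = [str(ipaddress.IPv6Address(body[i * 16:(i + 1) * 16])) for i in range(n)]
    return lifetime, addrs


class UnconfiguredClient:
    """A host that joined the link knowing nothing about the network.
    Simplified RFC 8106 behaviour: a non-zero lifetime adds or refreshes an
    address, a zero lifetime withdraws it. No sender check is possible,
    because the option gives the client nothing to check against."""

    def __init__(self):
        self.resolvers = {}  # address -> advertised lifetime

    def on_rdnss(self, option):
        lifetime, addrs = decode_rdnss(option)
        for a in addrs:
            if lifetime == 0:
                self.resolvers.pop(a, None)
            else:
                self.resolvers[a] = lifetime
        return sorted(self.resolvers)


def pinned_resolvers_check(resolvers, pins):
    """Hypothetical helper: what a client could do if it HAD out-of-band
    configuration (a pinned resolver set). With pins=None, the situation
    in the mail, every advertised address is accepted as-is."""
    if pins is None:
        return list(resolvers)
    return [r for r in resolvers if r in pins]


# Constructed addresses from the RFC 3849 documentation prefix, not real hosts.
LEGIT_RESOLVER = "2001:db8:1::53"
ATTACKER_RESOLVER = "2001:db8:666::53"


def run_scenario(pins=None):
    client = UnconfiguredClient()
    # 1. The real router advertises the network's resolver.
    client.on_rdnss(encode_rdnss([LEGIT_RESOLVER], lifetime=1800))
    # 2. An on-link attacker sends its own RA: it withdraws the real resolver
    #    (lifetime 0) and advertises its own. Nothing in either packet lets
    #    the client distinguish the attacker's RA from the router's.
    client.on_rdnss(encode_rdnss([LEGIT_RESOLVER], lifetime=0))
    resolvers = client.on_rdnss(encode_rdnss([ATTACKER_RESOLVER], lifetime=3600))
    return pinned_resolvers_check(resolvers, pins)


if __name__ == "__main__":
    print("no out-of-band config:", run_scenario())
    print("with a pinned resolver:", run_scenario(pins={LEGIT_RESOLVER}))
```

Running it shows the point of the message: with no prior configuration the client ends up with only the attacker's resolver, and if that address is later used for DoT or DoH the TLS handshake will succeed, since the attacker holds a valid certificate for its own server. Only the variant with a pinned set rejects the substitution, and a pin is exactly the out-of-band configuration the unknown client does not have.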