Re: [Tsv-art] [MBONED] Tsvart last call review of draft-ietf-mboned-driad-amt-discovery-09
"Holland, Jake" <jholland@akamai.com> Tue, 10 December 2019 07:44 UTC
Return-Path: <jholland@akamai.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 310F012021C; Mon, 9 Dec 2019 23:44:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aWfzu0IIrnIS; Mon, 9 Dec 2019 23:44:39 -0800 (PST)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 981531200FE; Mon, 9 Dec 2019 23:44:39 -0800 (PST)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBA7g1TF021128; Tue, 10 Dec 2019 07:44:38 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=JvWpKTjcd+A+A9VOGWHlIcynzZqMDBOT9O6BEsYrqzI=; b=C5AV4xX08K2Ok+IsfgmtVtRZClk/GrlVh71sBlmIP7NUPec7Zo5bJNQJNJ14l0DAl1P6 FSZRGR6VYJZ/kWlMpKka7g/KVSbj87QPHu7uG6u50Y3XAdY2QyUA388x993d4XAgogh3 GYuPeTN2Hs+dZYgni522ydXozMBlVFV72RYFvG+gLlGCSqmRLHUJANGuu2D303VjuX8Y z+6V8hVv7vXxBH76ngmsWwWP9IWqdRmulI6QoUkCjWR5aF816bwQssS4fxYz47t5mvs0 dwymLAk+20oB/KEMg+EHJlALec4/2F8SGMskmPkE8a+euVssjHh+xdUw5EPh6nC8+DYB gg==
Received: from prod-mail-ppoint7 (prod-mail-ppoint7.akamai.com [96.6.114.121] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 2wr50pc0hp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 10 Dec 2019 07:44:38 +0000
Received: from pps.filterd (prod-mail-ppoint7.akamai.com [127.0.0.1]) by prod-mail-ppoint7.akamai.com (8.16.0.27/8.16.0.27) with SMTP id xBA7WEao007673; Tue, 10 Dec 2019 02:44:36 -0500
Received: from email.msg.corp.akamai.com ([172.27.165.117]) by prod-mail-ppoint7.akamai.com with ESMTP id 2wr8a4ct4d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 10 Dec 2019 02:44:28 -0500
Received: from USTX2EX-DAG1MB4.msg.corp.akamai.com (172.27.165.122) by ustx2ex-dag1mb1.msg.corp.akamai.com (172.27.165.119) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 10 Dec 2019 01:44:20 -0600
Received: from USTX2EX-DAG1MB4.msg.corp.akamai.com ([172.27.165.122]) by ustx2ex-dag1mb4.msg.corp.akamai.com ([172.27.165.122]) with mapi id 15.00.1473.005; Tue, 10 Dec 2019 01:44:20 -0600
From: "Holland, Jake" <jholland@akamai.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
CC: "tsv-art@ietf.org" <tsv-art@ietf.org>, "draft-ietf-mboned-driad-amt-discovery.all@ietf.org" <draft-ietf-mboned-driad-amt-discovery.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "mboned@ietf.org" <mboned@ietf.org>
Thread-Topic: [MBONED] Tsvart last call review of draft-ietf-mboned-driad-amt-discovery-09
Thread-Index: AQHVp+ipJ++RovxCwkqLMjTmlr6JiKeoinOAgADXe4CACYf7gA==
Date: Tue, 10 Dec 2019 07:44:20 +0000
Message-ID: <D6A89D02-FC0C-4DAA-B6F7-07184F4A393B@akamai.com>
References: <157516457060.14457.16384103008148553530@ietfa.amsl.com> <6ECF7074-0579-448B-BB6A-DEDD3B414C22@akamai.com> <CAOW+2dtsojmMRuz_OMb8EnKy8-6XxVg6u3sBndDYcqY11XiKNQ@mail.gmail.com>
In-Reply-To: <CAOW+2dtsojmMRuz_OMb8EnKy8-6XxVg6u3sBndDYcqY11XiKNQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1f.0.191110
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.80.121]
Content-Type: text/plain; charset="utf-8"
Content-ID: <10F7D07ECDE23349AFCAA7E0FA584129@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-12-10_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-1912100067
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572 definitions=2019-12-10_01:2019-12-10,2019-12-10 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 phishscore=0 bulkscore=0 lowpriorityscore=0 clxscore=1015 priorityscore=1501 spamscore=0 malwarescore=0 suspectscore=0 mlxlogscore=999 impostorscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912100068
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/eE_XHEi_7YgiRhMzYskLh9lY_eQ>
Subject: Re: [Tsv-art] [MBONED] Tsvart last call review of draft-ietf-mboned-driad-amt-discovery-09
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Dec 2019 07:44:41 -0000
Hi Bernard, The follow-ups with text below with [JH]. From: Bernard Aboba <bernard.aboba@gmail.com> Date: 2019-12-03 at 14:11 > [BA] I raised the question because the value of DoT or DoH wasn't > clear to me in this context. Based on the above, it might make > sense to focus on DNSSEC and consider leaving out DoT or DoH. [JH] I believe I cribbed parts of this paragraph from Section 4 of RFC 4025, which has a similar requirement: https://tools.ietf.org/html/rfc4025#section-4 As I understand it, the ideal is to secure an end-to-end authentic RR, and the choices are either DNSSEC, or where DNSSEC is unavailable, a secure connection to a trusted resolver. I was thinking DoT and DoH were natural additions to the TSIG and SIG(0) options, so I think it makes sense either to include them or to cut TSIG and SIG(0) (as well as the "secure connection to a local server") and generalize to "secure RR transfer from a trusted resolver", removing the references. I thought a pointer to the existing options for these was a useful addition (following the example of RFC 4025), so I'm modestly inclined to leave the mentions in, with a slight rephrase to better explain how it relies on the trust relationship. So how about this? OLD: There must be a trust relationship between the end consumer of this resource record and the DNS server. This relationship may be end-to- end DNSSEC validation, a TSIG [RFC2845] or SIG(0) [RFC2931] channel to another secure source, a secure local channel on the host, DNS over TLS [RFC7858] or HTTPS [RFC8484], or some other secure mechanism. NEW: There must be a trust relationship between the end consumer of this resource record and the DNS server. This relationship may be end-to- end DNSSEC validation, or a secure connection to a trusted DNS server that provides end-to-end safety, to prevent record-spoofing of the response from the trusted server. The connection to the trusted server can use any secure channel, such as with a TSIG [RFC2845] or SIG(0) [RFC2931] channel, a secure local channel on the host, DNS over TLS [RFC7858], DNS over HTTPS [RFC8484], or some other mechanism that provides authentication of the RR. I've provisionally made the above change, but I really don't have a strong preference, so I can easily be talked into removing the secure connection pointers completely, like so: NEW(2nd alternative): There must be a trust relationship between the end consumer of this resource record and the DNS server. This relationship may be end-to- end DNSSEC validation, or a secure connection to a trusted DNS server. Please let me know about any opinions here, I'm happy with either, but leaning toward the first. >> ... <explanation about utility of the new RR> ... > [BA] Thanks for the clarification. Might be useful to add some of the > above explanation to the document. [JH] Here's a proposed new paragraph added to the bottom of section 2.3.1: Note that the DNS-SD service is not source-specific, so even though several methods of finding a more local source of multicast traffic connectivity are preferred where available to using a relay provided by an AMTRELAY RR, a gateway further upstream would still be using the AMTRELAY RR unless the upstream network has a peering or direct connectivity that provides an alternative end-to-end multicast transport path for the (S,G)'s traffic. Please let me know if that covers your concerns here or if you have any suggestions to improve it, and I'll post the new version. Thanks for the suggestions! Best regards, Jake
- [Tsv-art] Tsvart last call review of draft-ietf-m… Bernard Aboba via Datatracker
- Re: [Tsv-art] [MBONED] Tsvart last call review of… Holland, Jake
- Re: [Tsv-art] [MBONED] Tsvart last call review of… Bernard Aboba
- Re: [Tsv-art] [MBONED] Tsvart last call review of… Holland, Jake