Hi Tommy,Sorry for the brevity in the review. It is quite possible that the deployment scenario I am thinking of is illogical and would be happy to have people tell me these points won't be an issue.
The notional scenario I have in mind is one where the proxy is communicating with an external client but a DNS resolver inside of a network.
Internet | Private Networks
|
Client ----- Proxy ----- DNS resolver
|
If the DNS results returned to the proxy contain private IP addresses
and/or non-global names, does that:
1. Lead the client to a state of confusion if it is provided non-global information?
2. Expose sensitive information on internal naming/addressing to an external entity?
Regards, Brian On 10/23/23 11:43 AM, Tommy Pauly wrote:
Hi Brian, Thanks for the review! I’m not sure I quite follow your concern here. This proxy status parameter is a way for the proxy to communicate informational details back to the client about the DNS it performed when communicating to the next hop. Note that it already can communicate the next hop IP address, etc. This helps communicate the CNAME chain, if any exists. The client does not use the next hop IP or CNAME info to make direct connections to the end, but only to understand more about the identity of what was used. I don’t think the proxy sitting behind a NAT or using split DNS is necessarily impactful, but even if the proxy is able to access addresses and DNS resolution that the client could not on its own, it shouldn’t matter. Does this help clarify things? If not, can you further explain what scenario you are concerned with? Best, TommyOn Oct 23, 2023, at 7:25 AM, Brian Haberman via Datatracker <noreply@xxxxxxxx> wrote: Reviewer: Brian Haberman Review result: On the Right Track I am an assigned INT directorate reviewer for draft-ietf-httpbis-alias-proxy-status. These comments were written primarily for the benefit of the Internet Area Directors. Document editors and shepherd(s) should treat these comments just like they would treat comments from any other IETF contributors and resolve them along with any other Last Call comments that have been received. For more details on the INT Directorate, see https://datatracker.ietf.org/group/intdir/about/. Major Issues: I am a bit concerned that there is no discussion about the potential scope for either domain names or IP addresses. What happens if a proxy sits behind a NAT? Does the NAT now need an ALG to convert private IP addresses to global ones? What about a situation where the proxy sits behind a firewall utilizing split DNS?
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
