At 9:19 AM +0200 9/28/07, Stephane Bortzmeyer wrote:
> On Thu, Sep 27, 2007 at 06:45:55PM -0700,
> Paul Hoffman <paul.hoffman@xxxxxxxx> wrote
> a message of 36 lines which said:
> > It ignores one of the main reasons that many organizations purposely
> > choose to provide recursive lookup to the public, namely for their
> > own roaming users.
> No, it is *not* ignored. See section 4, for instance:
>    o Use TSIG [RFC2845] or SIG(0) [RFC2931] signed queries to
>      authenticate the clients. This is a less error prone method,
>      which allows server operators to provide service to clients who
>      change IP address frequently (e.g. roaming clients).
This is a suggestion for something that essentially no one can use
today (as is admitted in the text after the quote).
> VPNs are another solution, although not mentioned in the I-D, maybe
> because it is obvious.
It is not "obvious", at least to some of the people I have spoken
with. It is also not obvious to VPN vendors; otherwise, they would
have easy-to-use settings to make it happen. None of the VPN clients
that I have seen have such settings. Listing such things in the
Security Considerations section of a document is a good practice,
regardless of what you think is obvious.
At 12:15 PM +0200 9/28/07, Jaap Akkerhuis wrote:
> There are two major reasons for an organization to not want roaming
> users to trust locally-assigned DNS servers.
> Open recursive servers don't help against man-in-the-middle
> attacks.
Correct; no one said that they did. Open recursive name servers help
against roaming users being directed to DNS servers whose
security policy is different from their organizations'.
> If you want to avoid that use VPNs or (for DNS) TSIG.
Indeed.
> I seem to remember that the ID actually mentions that.
I cannot find any mentions of VPNs or IPsec. Given that the document
admits that TSIG and SIG(0) are essentially unavailable today on end
users systems, and IPsec is much more common, saying something about
this in the Security Considerations section might be of value. As my
earlier message said, this is not for Section 4, which is only
talking about authentication of clients.
At 1:20 PM +0200 9/28/07, Joao Damas wrote:
> Opening up your resolver so you can serve roaming users, without
> further protection, is, at best, naive.
From the standpoint of the organization whose security policy
includes the way their users do DNS resolution, it is better than
nothing, and this document's "best practices" pretty much limit them
to nothing. For a non-ISP, ingress filtering will not help at all
(even though it should still be implemented, and customers should
urge their ISPs to implement it). IP-based authentication does not
work for mobile users. Interface-based authentication does not work
for mobile users. TSIG and SIG(0) do not work for mobile users
until they are implemented in their computers, which the draft admits
is not the case for the vast majority of users.
If the document doesn't want to deal with those organizations, it
needs to say so in the introduction and again in the Security
Considerations section.
--Paul Hoffman, Director
--VPN Consortium
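The Section 4 recommendation quoted above (authenticate recursive clients with TSIG instead of leaving recursion open to everyone), shown as a BIND 9 named.conf fragment. This is an added illustration, not text from the I-D or from anyone on this thread; the key name roaming-key and the secret are placeholders I chose, and, as the thread points out, it only helps clients whose resolver software can actually sign queries.

```conf
# Added illustration (not from the I-D): restricting recursion in BIND 9.
# Weak setting: recursion is offered to any source address, so the server
# answers recursive queries for the whole Internet.
#
#   options {
#       recursion yes;
#       allow-recursion { any; };
#   };

# Hardened setting: recursion only for local networks and for clients that
# sign their queries with a TSIG key (the roaming users discussed above).
key "roaming-key" {                    # hypothetical key name
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # placeholder; generate with tsig-keygen
};

options {
    recursion yes;
    # Address match lists accept "key <name>" entries, so a query carrying a
    # valid TSIG signature by roaming-key is allowed regardless of source IP.
    allow-recursion   { localnets; key roaming-key; };
    allow-query-cache { localnets; key roaming-key; };
};
```

Clients that cannot sign queries (ordinary stub resolvers) still fall outside the match list, which is exactly the gap the message above argues the draft should acknowledge.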