* Paul Vixie [2014-07-06 19:29]:
> Matthäus Wander wrote:
>> * Paul Vixie [7/5/2014 7:47 PM]:
>>> Matthäus Wander wrote:
>>>> DTLS works on top of UDP (among others) and thus can pass CPE devices.
>>> no, it cannot. DTLS does not look like something that the CPE was programmed
>>> to accept; thus in many cases it is silently dropped.
>>>
>>
>> DTLS can be used on top of UDP. CPE devices allow outgoing UDP sessions
>> to arbitrary ports. If they didn't, many online games and VoIP
>> applications would not work.
>
> it's possible to find single counter examples to almost any assertion.

My point is that for a significant portion of Internet users, e.g. residential, HTTPS tunneling is not necessary. HTTPS tunneling should not be mandatory if it comes with disadvantages to a large user base who don't need it. The extra HTTPS layer suggests negative performance implications compared to a tailored protocol (maybe negligible, maybe not). Requiring TCP/443 is a dealbreaker when the port is already occupied by a small business web server or by an administration interface on a plastic device.

> however, consider RFC 2671 (EDNS), published fifteen years ago. because
> it changes the format of a UDP/53 datagram, there is silent loss across
> most CPE boundaries.
>
> [...]
>
> that fix is not going into the O(10^9) CPE devices now in place, ever.
>
> if we can't get this right for EDNS in 15 years, my bet is that another
> 15 (or 150) years of trying won't produce better results. in fact, by
> jim gettys and dave taht i've been made to understand that the world's
> CPE problem is much worse than i knew. we might be able to fix it for
> the next billion devices some day, but the devices shipping today are
> still crippled.

Agreed.

> incentives are such that a CPE provider hopes to sell web access, not
> internet access.
>
> your counter-example of DNS gaming does not change the treatment now
> accorded UDP/53 at the internet edge. if you seriously think that a DTLS
> solution can be universally deployed, including in hotel rooms, home CPE
> environments, coffee shops, and mobile, then you and i are having a
> "same planet, different worlds" experience, and i wish you well on your
> walk.

I didn't mean to imply that a DTLS solution can be universally deployed. I'm just not convinced that mandatory HTTPS tunneling built into a new DNS protocol is the appropriate solution here. My experience is that HTTPS tunneling is unnecessary in most (not all) networks.

If I want to use SSH or VoIP in one of those crippled networks, I need a generic tunneling solution anyway. Admittedly, if I only need the web in a crippled network then encrypted DNS over HTTPS is a plus. That use case seems very narrow.

Regards,
Matt
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop