On Fri, 15 Mar 2019 at 14:37, Ted Hardie <ted.i...@gmail.com> wrote: > >> The past five years have not been the IETF seeking to become a king or > king-maker. They have been spent responding to an attack while still > building out the facilities of the network. I am glad to find you a ready > participant now, as there is still work to be done. But I do not believe > we have said that you may not have these facilities; the new methods simply > mean you must have a relationship with the users and devices on your > network sufficient to effect configuration to use them. An on-path > adversary does not, but you do. Yes, that adds a step and some complexity, > but dealing with a new class of attack was never likely to be free. >
This, again, conflates users with attackers. I'm going to take a stab at restating the positions of several people in this thread, Paul included, because it really seems like the argument is not understood. I have a relationship with my users and I can control the configuration of their *known* applications. I do not have a relationship with the malware author that is trying to steal their data, and cannot control the configuration of that (unknown) application. By running DoT on my borders and blocking all other DNS and DoT traffic, I can provide privacy for my users while still preventing malware from doing its thing. With DoH available at endpoints that my users want to reach using some other application, it is orders of magnitude more complex for me to block the malware while still allowing my users to reach those endpoints. Phrased another way, a DoH endpoint at the same IP address as a popular website gives malware the ability to resolve names I was previously able to prevent. The only recourse I know of, if DoH is adopted, is to proxy all traffic toward that example site (including requiring me to engage in a MitM decryption attack on my users' web traffic) in order to continue to prevent that malware from circumventing network security. And because I can't predict which web sites will launch their own DoH endpoints, that means I need to proxy (and decrypt) all web traffic in order to maintain the same level of security I can today. Somewhere up-thread it was suggested that there are other reasonable steps that a network/security operator can take to maintain the controls over resolution that we have today, but so far I haven't seen them enumerated anywhere.
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
