Ted,

On Sat, Dec 14, 2019, at 01:43, Ted Hardie wrote:
> On Fri, Dec 13, 2019 at 2:12 PM Erik Nygren <[email protected]>
> > Linking ALPN and port defeats the purpose of ALPN. 
> 
> Unfortunately, ALPN's native "discovery" mechanism is more-or-less 
> connect and see what the list is. That's pretty much what the original 
> respondents are trying to avoid. 

I think that you are conflating the protocol negotiation with discovery.  ALPN 
is a negotiation method, and what we are looking for here is discovery.  ALPN 
allows client and server to negotiate DoT and then be confident that the 
resulting connection truly is DoT.  ALPN might be useful in identifying a 
protocol, but we shouldn't be loading ALPN with other semantics as you propose.

The first question we are trying to answer with discovery is "does the network 
provide a DoT resolver?"  (The next question being "Where is it?"; a question 
that is at least partially answered by existing methods.)  You answer that by 
say "I have DoT" or "I have DoT *at this location*".  ALPN only factors into 
that process to the extent that you need to have some way to distinguish 
different protocols.  Erik points out that using ALPN as a component of the key 
tuple is potentially a valuable way of using it.  I agree.

There's a related question here about how the server is then authenticated.  
RFC 8310 is far too permissive in its definition of options to be of much use 
here.  For me, that's a far more interesting question than the one you pose.
 
> So, let's back up a step: are people interested in using DHCP and RA as 
> part of the discovery story here or not?

I am.

I tend to think that 
https://thpts.github.io/draft-peterson-dot-dhcp/draft-peterson-dot-dhcp.html is 
a reasonable start here.  Sure, it makes some assumptions, and leaves some of 
the harder 8310-style questions unanswered, but that's where I think we should 
be paying more attention anyway.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy

Reply via email to