Hi Michael,

Just sharing my thoughts,

Yours,
Daniel
On Thu, Dec 1, 2022 at 8:56 PM Michael Richardson <m...@sandelman.ca> wrote:

> In re-editing I found that the section 7.1 is a bit vague about where the
> Notifies go.  Ray Hunter please comment.
>
>
> https://www.ietf.org/archive/id/draft-ietf-homenet-front-end-naming-delegation-22.html#name-securing-the-synchronizatio
>
> Since the Synchronization Channel is from the DM->HNA, it can't be issued
> there.  It must therefore be the case that the zone update Notifies go into
> the Control Channel.
>
In my opinion the Synchronization Channel is initiated by the DM and
follows AXFR over TLS (9103). To my understanding NOTIFY, SOA exchange may
be protected by TLS or not. Of course if the TLS session has not been
established by the DM the NOTIFY cannot be protected.

> But the text below doesn't say this, and is pretty wishy-washy about
> whether TLS is used or not.  It could very well be the case that Notifies
> are *not* protected at all.
> Since the Control Channel is not a regular DNS channel, and likely is port
> 853 DoT, it seems unlikely that a Notify to port 53 would go to the right
> place.
> OTH, bringing up DoT just to send the Notify might be considered by some
> to be overkill.   TLS resumption tickets to the rescue is my opinion.
>
> I'm looking for objections to:
>
> 1) Notifies go across the Control Channel (DoT)
>
While I do see the point in re-using the control channel, I do not think we
should recommend this. Firstly it mixes the following channels, so if we
find another way to set the DM / HNA configuration we will always have to
handle the Notify.  I also believe that changes 9103, and I believe it
would be good if we could re-use implementations of 9103 without
modifications. It might be good to mention the Notifies may also take the
control channel - just leaving this as a potential possibility.

> 2) They are always sent in TLS.
>
I am inclined to say that we should rely on 9103 as much as possible and
the price of a non encrypted NOTIFY can be acceptable. If that is not the
case, the control channel may be used - which should be agreed out-of-band
by the two parties.

> This means that the text will get moved around a bunch.
>
>
>
> The text as it appears now:
>
>
> ## Securing the Synchronization Channel {#sec-synch-security}
>
> The Synchronization Channel uses standard DNS requests.
>
> First the HNA (primary) notifies the DM (secondary) that the zone must be
> updated and leaves the DM (secondary) to proceed with the update when
> possible/convenient.
>
> More specifically, the HNA sends a NOTIFY message, which is a small packet
> that is less likely to load the secondary.
> Then, the DM sends an AXFR {{!RFC1034}} or IXFR {{!RFC1995}} request.
> This request consists of a small packet sent over TCP (Section 4.2
> {{!RFC5936}}), which also mitigates reflection attacks using a forged
> NOTIFY.
>
> The AXFR request from the DM to the HNA MUST be secured with TLS
> {{!RFC8446}} following DNS Zone Transfer over TLS {{!RFC9103}}.
> While {{!RFC9103}} MAY not consider the protection by TLS of NOTIFY and
> SOA requests, these MAY still be protected by TLS to provide additional
> privacy.
>
> When using TLS, the HNA MAY authenticate inbound connections from the DM
> using standard mechanisms, such as a public certificate with baked-in root
> certificates on the HNA, or via DANE {{?RFC6698}}.
> In addition, to guarantee the DM remains the same across multiple TLS
> sessions, the HNA and DM MAY implement {{?RFC8672}}.
>
> The HNA SHOULD apply an ACL on inbound AXFR requests to ensure they only
> arrive from the DM Synchronization Channel.
> In this case, the HNA SHOULD regularly check (via a DNS resolution) that
> the address of the DM in the filter is still valid.
>
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
>


-- 
Daniel Migault
Ericsson
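The HNA-side filtering that the quoted Section 7.1 text describes (zone transfers accepted only over TLS, an ACL restricted to the DM's address, and periodic re-resolution of that address), as an added example that is not part of this thread or of the draft; the DM name, the addresses and the in-memory resolver are constructed stand-ins, not values from the draft.

```python
import time

# Constructed data for this example: the DM's name and what DNS currently
# returns for it (hypothetical values, not from the draft).
DM_NAME = "dm.example.net"
DNS_VIEW = {DM_NAME: {"192.0.2.10"}}

def resolve(name):
    """Stand-in for a real DNS lookup; returns the address set for name."""
    return set(DNS_VIEW.get(name, ()))

class HnaInboundPolicy:
    """HNA-side filter for the Synchronization Channel as the quoted
    Section 7.1 describes it: AXFR/IXFR MUST arrive over TLS (RFC 9103)
    and SHOULD only be accepted from the DM's address, which is re-resolved
    every `refresh` seconds so a renumbered DM does not leave a stale
    filter.  SOA queries may arrive with or without TLS."""

    TRANSFER_TYPES = {"AXFR", "IXFR"}

    def __init__(self, dm_name, refresh=300.0, resolver=resolve, clock=time.monotonic):
        self.dm_name = dm_name
        self.refresh = refresh
        self.resolver = resolver
        self.clock = clock
        self._allowed = set()
        self._resolved_at = float("-inf")

    def allowed_addresses(self):
        """Return the ACL, refreshing it from DNS once `refresh` has elapsed."""
        now = self.clock()
        if now - self._resolved_at >= self.refresh:
            self._allowed = self.resolver(self.dm_name)
            self._resolved_at = now
        return self._allowed

    def decide(self, src_addr, over_tls, qtype):
        """Return (accepted, reason) for one inbound request from src_addr."""
        if qtype in self.TRANSFER_TYPES:
            if not over_tls:
                return False, f"{qtype} without TLS is refused (RFC 9103)"
            if src_addr not in self.allowed_addresses():
                return False, f"{src_addr} is not the DM ({self.dm_name})"
            return True, f"{qtype} over TLS from the DM"
        if qtype == "SOA":
            return True, "SOA query accepted" + (" over TLS" if over_tls else " in clear")
        return False, f"unexpected query type {qtype} on the Synchronization Channel"
```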