IETF
dprive@jabber.ietf.org
Friday, November 18, 2016
Joe Hall has set the subject to: openpgp
GMT+0
[00:26:53] bortzmeyer joins the room
[00:27:28] bortzmeyer has set the subject to: DPRIVE at IETF97
[02:32:22] danyork joins the room
[02:38:52] Francis Dupont joins the room
[02:42:10] Meetecho joins the room
[02:45:12] Koichiro Kishi joins the room
[02:45:13] John Border joins the room
[02:45:13] Mark Andrews joins the room
[02:45:15] Dennis Kort joins the room
[02:45:48] john bond joins the room
[02:47:15] bortzmeyer leaves the room
[02:47:47] Davey Song joins the room
[02:48:36] bortzmeyer joins the room
[02:51:17] <danyork> Hello, I'll be jabber-scribing.
[02:51:17] <danyork> Do we have anyone remote?
[02:51:26] <danyork> Please use "MIC:" in front of anything you would like relayed to the mic.  Otherwise I will assume it is just side chatter.
[02:51:36] <danyork> DPRIVE agenda: https://www.ietf.org/proceedings/97/agenda/agenda-97-dprive-00.txt
[02:51:49] <danyork> DPRIVE materials: https://datatracker.ietf.org/meeting/97/materials/#dprive
[02:52:44] <bortzmeyer> danyork: yes, three seats remote from you
[02:53:20] Suzanne joins the room
[02:53:35] Shane Kerr joins the room
[02:54:04] davey joins the room
[02:54:36] tale joins the room
[02:55:42] kal joins the room
[02:56:57] Shane Kerr leaves the room
[02:57:13] Shane Kerr joins the room
[02:57:15] <danyork> bortzmeyer: Ha! You can go to the mic yourself! ;-)
[02:57:39] <danyork> Sara Dickinson presenting https://www.ietf.org/proceedings/97/slides/slides-97-dprive-authentication-and-dtls-profile-for-dns-over-dtls-01.pdf
[02:58:03] <danyork> Slide 2
[02:58:19] <danyork> Slide 3- Remaining issues
[02:58:24] Moritz joins the room
[02:58:46] Shoji Noguchi joins the room
[03:00:31] <danyork> Slide 4 - Remaining issues
[03:00:49] Andrew Sullivan joins the room
[03:01:01] Shane Kerr leaves the room
[03:01:04] <bortzmeyer> RFC 7354 is probably an error ("Update to the Registrant Information for the Digital Video Broadcasting Project...")
[03:02:11] <danyork> Slide 5 - Let's make DNS great again!
[03:02:44] Shane Kerr joins the room
[03:02:57] <Suzanne> @danyork, too soon….
[03:04:05] <Suzanne> Paul Hoffman at the mic
[03:04:14] <Andrew Sullivan> I also have reviewed, actually.  I do have a couple responses to the open questions.  I need to write up for list
[03:04:38] Shane Kerr leaves the room
[03:04:42] Shane Kerr joins the room
[03:05:40] <Shane Kerr> I don't think the stub to resolver is solved. We still have the bootstrapping problem of configuring the actual devices in an easy way, right? :)
[03:06:18] <bortzmeyer> Shane Kerr: adding a key in resolv.conf with vi is not easy?
[03:06:29] <Andrew Sullivan> vi doesn't work on my phone
[03:07:16] <danyork> Noting for the record that slide 5 is really referring to RFC 7435 - https://tools.ietf.org/html/rfc7435
[03:07:19] <Andrew Sullivan> I mean, maybe I need a different phone.  But still :)
[03:08:02] <danyork> Any other reviewers?
[03:08:25] <bortzmeyer> Andrew Sullivan: on an unrooted android, you have no choice of resolver, anyway
[03:08:31] shane_kerr joins the room
[03:08:43] <Davey Song> yes. 7435 not 7354
[03:09:07] <danyork> Slides are in PPT at https://www.ietf.org/proceedings/97/slides/slides-97-dprive-edns0-padding-profiles-00.pptx
[03:09:29] <danyork> Alex Mayrhofer presenting
[03:09:53] <Shane Kerr> FYI, dfk is doing some research in trying to look at query sizes & the accompanying response size to try to figure out what reasonable recommendations to hide user information.
[03:10:12] <Shane Kerr> whoops, I meant dkg
[03:10:26] <Shane Kerr> Got my three-letter names confused. :-P
[03:14:43] shihui hu joins the room
[03:14:57] <Davey Song> padding the DNS message may cause large response packets, right?
[03:15:34] <Shane Kerr> Padding makes both queries and responses bigger.
[03:15:38] <bortzmeyer> Davey Song: that's the point :-) We cannot "unpad" (reducing the size)
[03:15:43] <danyork> Dave - yes
[03:15:52] <danyork> s/Dave/Davey/
[03:16:10] <bortzmeyer> Davey Song: padding is always using more network capacity
[03:16:38] shihui hu leaves the room
[03:16:38] Olafur joins the room
[03:16:40] shihui hu joins the room
[03:17:40] <Shane Kerr> Paul Hoffman: Surely this is on the final packet?
[03:17:42] shihui hu leaves the room
[03:18:09] shihui hu joins the room
[03:18:43] <Shane Kerr> Adding the padding packet at the end of the processing is not complicated, although it may be tricky for some existing implementations.
[03:18:58] shihui hu leaves the room
[03:19:00] <Davey Song> hummmmm
[03:19:05] <bortzmeyer> You can also deduce the QNAME for the size of the response
[03:19:12] <bortzmeyer> s/for/from/
[03:19:21] Shane Kerr leaves the room
[03:19:28] <Andrew Sullivan> It would help me if people spoke clearly into the mic
[03:19:30] Shane Kerr joins the room
[03:19:38] Shane Kerr leaves the room
[03:19:42] Shane Kerr joins the room
[03:20:12] <danyork> Paul Hoffman at mic
[03:20:17] <danyork> Sara Dickinson at mic
[03:20:38] <danyork> Allison Mankin at mic
[03:21:22] <danyork> DKG at mic
[03:21:26] <Shane Kerr> Port 512 for DNS over TLS at size 512?
[03:21:36] <Shane Kerr> Port 1500 for DNS over TLS at size 1500....
[03:21:37] <Shane Kerr> :-P
[03:22:11] <danyork> John Levine at mic
[03:22:43] <Shane Kerr> hummmmm
[03:23:00] <Shane Kerr> I think having an informational document covering all possible options makes sense.
[03:23:11] <Shane Kerr> And possibly a separate, pointed document with the best practices as recommendations.
[03:23:14] <Dennis Kort> hummmmm
[03:23:16] <john bond> hummmmm
[03:23:21] <Shane Kerr> hummmmm
[03:23:22] <Dennis Kort> hummmmm
[03:23:22] <John Border> hummmmm
[03:23:23] <Mark Andrews> hummmmm
[03:23:26] <Shane Kerr> hummmmm
[03:23:27] <Shane Kerr> hummmmm
[03:23:28] <Shane Kerr> hummmmm
[03:23:31] <Andrew Sullivan> with the proviso that those who want to adopt will review & work on?
[03:23:45] <bortzmeyer> Andrew Sullivan: speaking for myself, yes
[03:24:08] <danyork> Remote folks - if you could please do "hum yes" or "hum no" or something like that, it would be great.
[03:24:09] <Shane Kerr> For me as well.
[03:24:19] <Shane Kerr> THERE IS ONLY HUMMMMMMMM YES
[03:24:21] <Shane Kerr> :-P
[03:24:32] <danyork> Sometimes there is lag time that makes a generic "hummmmmmmm" hard to understand. ;-)
[03:24:41] <Shane Kerr> Actually the "Hum" button has no additional information.
[03:24:54] <danyork> Oh, you're using the Meetecho Hum button
[03:25:04] <danyork> Interesting - yes, that would be hard.
[03:25:34] <Shane Kerr> @danyork: probably the jabber scribe should say "hums after this are for yes"
[03:25:37] <Shane Kerr> And so on.
[03:25:38] <Meetecho> danyork: yep we've talked about this with John Klensin as well, that part of the UI needs revising (or getting rid of completely :) )
[03:25:42] <danyork> Stephane Bortzmeyer presenting - https://www.ietf.org/proceedings/97/slides/slides-97-dprive-the-next-step-for-dprive-01.pdf
[03:25:43] <Shane Kerr> Making your job harder. :(
[03:26:27] <Davey Song> hummmmm
[03:26:30] <Davey Song> yes
[03:26:37] <Davey Song> like this?
[03:27:12] <Shane Kerr> @Stephane: I think the scaling properties of resolver-to-authoritative may mean that DNS-over-TLS is non-optimal. I don't know this, but it seems possible.
[03:27:41] <danyork> We're up to slide 10 in Stephane's slides (it appears he used PPT with builds ... which got flattened into a longer PDF)
[03:27:47] <Shane Kerr> Independent of the authentication problem.
[03:27:54] <danyork> Slide 12
[03:28:02] <danyork> shane - is that for the mic?
[03:28:20] <Shane Kerr> @danyork perhaps after Stephane finishes with his slides.
[03:28:24] <Shane Kerr> I will ask explicitly, thanks!
[03:28:31] <Shane Kerr> Ask you explicitly, I mean.
[03:30:56] <danyork> DKG at mic
[03:30:59] <Shane Kerr> Okay, @danyork can you please raise my comment at the microphone?
[03:31:04] <danyork> will do
[03:31:35] <Shane Kerr> Also note that I think this is important work and support adoption. :)
[03:31:54] <Suzanne> "The Curse of the Deployed Base" :)
[03:31:59] <danyork> Shane - your comment is this: I think this is important work and support adoption. I think the scaling properties of resolver-to-authoritative may mean that DNS-over-TLS is non-optimal. I don't know this, but it seems possible. Independent of the authentication problem.
[03:32:08] <Shane Kerr> Yes!
[03:32:18] <Shane Kerr> Much appreciated!
[03:32:57] <danyork> Paul Hoffman at mic
[03:33:33] Andrew Sullivan leaves the room
[03:33:43] <Shane Kerr> dkg convinces Paul Hoffman that security is worth the cost! :-D
[03:35:06] <Shane Kerr> draft-hoffman-dns-fig-leaf
[03:35:17] <danyork> :-)
[03:37:41] <danyork> Olafur Gudmundsson at mic
[03:37:45] <danyork> Andrew Sullivan at mic
[03:37:57] Shane Kerr leaves the room
[03:39:21] <danyork> Allison Mankin at mic
[03:39:45] Yoshiro Yoneya joins the room
[03:39:55] Andrew Sullivan joins the room
[03:40:38] <Andrew Sullivan> I was already talking too long, so I didn't want to go on about it, but there's another thing I worry about here, and that is various differential service along the lines of "you must be this tall" we discussed in the plenary the other night
[03:40:42] shane_kerr leaves the room
[03:40:43] Shane Kerr joins the room
[03:41:23] <danyork> John Dickinson at mic
[03:41:26] <kal> hmm. to allison's comments, simply connecting to those controversial authoritative servers may be enough to breach the user's privacy
[03:41:40] shane_kerr joins the room
[03:41:52] Shane Kerr leaves the room
[03:41:57] <danyork> ? (from ISC) at mic
[03:42:00] Shane Kerr joins the room
[03:42:02] <shane_kerr> Mukund
[03:42:06] zyxbac joins the room
[03:42:15] <danyork> thx
[03:42:21] <Davey Song> DNS is designed to be dynamic. It is intuitive to think of delivering the TLS keys via DNS to the resolver
[03:44:31] <Shane Kerr> @kal: true, although it may be possible to convert to such a mode using TLS in a way that is not visible to observers?
[03:45:14] <Olafur> I hate to say this but we should not rule out IPSEC as part of the potential solution space
[03:45:34] <Shane Kerr> Olafur - it's not crazy. Paul Wouters gave a presentation about this in Berlin, IIRC
[03:45:37] <kal> only if the branch in path from proxy/tunneling solution commences after the reach of the observer
[03:46:38] <Shane Kerr> @kal - a good reason to start at the root. ;)
[03:46:57] <danyork> Jim Reid at mic
[03:47:07] <danyork> Tim Shepard at mic
[03:47:27] <danyork> (Yea for Sara's tutorial ... that got Tim interested in coming here!)
[03:47:48] <kal> agree with Tim. that was my concern
[03:48:32] Shane Kerr leaves the room
[03:48:35] <kal> in a world where the TLD now represents a single entity. simply seeing the delegation path may be enough
[03:49:42] <Olafur> How does an Auth server advertise its privacy "availability"? I guess we need something in the DNS (A)
[03:50:08] <Andrew Sullivan> It merely tells you that they're a botnet attempting to cause my day to get worse :-)
[03:50:08] shane_kerr leaves the room
[03:50:47] <danyork> DKG at mic
[03:51:07] <Suzanne> @ajs don't take it so personally :)
[03:51:38] <Andrew Sullivan> Good point.  s/my/our :P
[03:53:47] <danyork> Mukund at mic
[03:54:33] <Andrew Sullivan> Surely arguing from the way the current system works is not that meaningful, given that the existing one is necessarily replaced by this
[03:54:43] <Andrew Sullivan> since the use case is actually impossible to address today
[03:55:22] Shane Kerr joins the room
[03:55:43] <Olafur> browsers want DNSSEC answers in-band so they can validate the answers. Thus the DNS traffic over port x53 may decrease over time
[03:56:10] <Andrew Sullivan> It seems that the engineering at the mics answers the question the chairs were putting, no?
[03:56:51] <danyork> Dan York (me) at mic
[03:57:03] Shane Kerr leaves the room
[03:57:13] <danyork> Sara Dickinson at mic
[03:57:22] shane_kerr joins the room
[03:57:37] <danyork> Andrew Sullivan: Well, I was feeling we were doing our usual diving into ratholes.
[03:57:45] <Andrew Sullivan> also true
[03:58:19] Dennis Kort leaves the room
[03:58:24] shane_kerr leaves the room
[03:58:24] Dennis Kort joins the room
[03:58:32] <danyork> Olafur at mic
[03:59:09] shane_kerr joins the room
[04:00:12] <danyork> Joel Jaeggli at mic
[04:00:22] <danyork> First hum will be YES for the working group on this topic
[04:00:27] <Davey Song> hummmmm
[04:00:30] <Andrew Sullivan> "going to sleep" doesn't work
[04:00:31] <Mark Andrews> hummmmm
[04:00:31] <John Border> hummmmm
[04:00:33] Shane Kerr joins the room
[04:00:33] <john bond> hummmmm
[04:00:33] <shane_kerr> hummmmmmm
[04:00:34] <Dennis Kort> hum yes
[04:00:36] <Davey Song> yes
[04:00:45] <danyork> Second hum to go to sleep
[04:01:02] <danyork> Third hum to drop this entirely
[04:01:54] <danyork> Chairs summary: Strong hum to work on this. Lighter hum to sleep. No hum on dropping.
[04:01:58] Andrew Sullivan leaves the room
[04:02:14] <danyork> Terry Manderson (AD) at mic - asking for more discussion on mailing list
[04:02:49] <danyork> Chairs wrapping up the meeting.
[04:02:53] Moritz leaves the room
[04:02:56] Mark Andrews leaves the room
[04:02:57] zyxbac leaves the room
[04:02:58] kal leaves the room
[04:03:13] Shane Kerr leaves the room
[04:03:13] Francis Dupont leaves the room: Computer went to sleep
[04:03:16] shane_kerr leaves the room
[04:03:24] Suzanne leaves the room
[04:03:27] Meetecho leaves the room
[04:03:52] Dennis Kort leaves the room
[04:03:53] Davey Song leaves the room
[04:03:53] john bond leaves the room
[04:03:53] Koichiro Kishi leaves the room
[04:03:53] John Border leaves the room
[04:03:57] Shoji Noguchi leaves the room
[04:04:12] tale leaves the room: Disconnected: closed
[04:05:33] davey leaves the room
[04:05:54] Olafur leaves the room
[04:06:16] danyork leaves the room: Disconnected: closed
[04:06:34] Yoshiro Yoneya leaves the room
[04:16:09] Olafur joins the room
[04:20:06] tale joins the room
[04:20:14] bortzmeyer leaves the room
[04:21:37] Olafur leaves the room
[04:25:52] tale leaves the room: Disconnected: Replaced by new connection
[04:28:26] Suzanne joins the room
[04:44:19] Suzanne leaves the room
[09:47:02] Moritz joins the room
[10:09:01] Moritz leaves the room
[10:14:28] Moritz joins the room
[10:18:46] Moritz leaves the room: Replaced by new connection
[10:18:49] Moritz joins the room
[10:30:39] Moritz leaves the room: Replaced by new connection
[10:30:39] Moritz joins the room
[12:05:17] Moritz leaves the room