# IETF111 ADD WG *draft* Session Agendas

## ADD Chairs & AD

* AD: Eric Vyncke
* Chairs: Glenn Deen, David Lawrence

## Session link, minutes, jabber

* [Meetecho](https://meetings.conf.meetecho.com/ietf111/?group=add) remote participation
* [Minutes](https://codimd.ietf.org/notes-ietf-111-add)
* [Meeting chat](xmpp:add@jabber.ietf.org?join)

## IETF 111 ADD Session Times

ADD has a single 2-hour session scheduled for:

* Friday July 30, 12:00-14:00 PDT (UTC-7), 1900-2100 UTC

# Agenda 12:00-14:00 PDT Friday

___

## Welcome

* 5 minutes
* [NOTE WELL](https://www.ietf.org/about/note-well.html)
* Scribe selection
* Agenda bashing

***

## Drafts

### 1. Discovery of Designated Resolvers (DDR)

* [draft-ietf-add-ddr](https://datatracker.ietf.org/doc/draft-ietf-add-ddr/)
* 10 minutes + 10 minutes Q&A

### 2. Analysis of DNS Forwarder Scenario Relative to DDR and DNR

* [draft-stark-add-dns-forwarder-analysis](https://datatracker.ietf.org/doc/draft-stark-add-dns-forwarder-analysis/)
* 10 minutes + 20 minutes Q&A

### 3. DHCP and Router Advertisement Options for the Discovery of Network-designated Resolvers (DNR)

* [draft-ietf-add-dnr](https://datatracker.ietf.org/doc/draft-ietf-add-dnr/)
* 10 minutes + 5 minutes Q&A

### 4. Split-Horizon DNS Configuration

* [draft-reddy-add-enterprise-split-dns](https://datatracker.ietf.org/doc/draft-reddy-add-enterprise-split-dns/)
* 5 minutes + 5 minutes Q&A

### 5. Discovery of Encrypted DNS Resolvers: Deployment Considerations

* [draft-boucadair-add-deployment-considerations](https://datatracker.ietf.org/doc/draft-boucadair-add-deployment-considerations/)
* 10 minutes + 10 minutes Q&A

## Other Discussion Topics

### 6. Private IPs, DDR, and PR#11

* [See ADD list thread](https://mailarchive.ietf.org/arch/msg/add/NYik5dhJyTS7QeTJxVQACyCWOWo/) for background discussion
* 5 minutes background slides + 15 minutes discussion as needed.
* Question posed by EKR for discussion:

> The general assumption for the DDR threat model so far is that:
>
> 1. (presumably because DHCP is secure in some way). If that's not true,
> then I think we can agree that DDR does not provide much additional
> security benefit because the attacker can just substitute their own
> resolver [0].
>
> 2. Either the home network or the ISP network is insecure, otherwise
> you don't need DoX.
>
> OPPORTUNISTIC MODE
>
> So, first, it's not entirely clear to me what the Opportunistic mode of
> S 4.2 provides. In this scenario, presumably the client will be doing
> TLS to the CPE (because otherwise the IP address would be the
> resolver's public address), which means that we are concerned with the
> attacker controlling the home network. So, in this scenario, we are
> only getting value if you have a network in which:
>
> 1. The attacker can *see* traffic not destined for their IP address
> (otherwise there's not much point in encrypting).
> 2. The attacker cannot forge traffic from another IP address
> (otherwise they can just impersonate the CPE because there
> is no certificate).
>
> Are there an appreciable number of networks with these properties? If
> so, can we write down where that happens and put it in Security
> Considerations? If not, we should consider removing this mode.

---

### Planning & Wrap up

* 5 min - Wrap up + Future Planning

### As Time Permits

___