IETF Logo Mail Archive

Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 25 April 2019 06:27 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32AA6120155 for <acme@ietfa.amsl.com>; Wed, 24 Apr 2019 23:27:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rk7vUUMumd8F for <acme@ietfa.amsl.com>; Wed, 24 Apr 2019 23:27:46 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42B7F1200FE for <acme@ietf.org>; Wed, 24 Apr 2019 23:27:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 895F813F40; Thu, 25 Apr 2019 09:27:43 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id ED73Yki2uK1s; Thu, 25 Apr 2019 09:27:43 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 060972309; Thu, 25 Apr 2019 09:27:39 +0300 (EEST)
Date: Thu, 25 Apr 2019 09:27:39 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: Corey Bonnell <cbonnell@outlook.com>, "acme@ietf.org" <acme@ietf.org>
Message-ID: <20190425062739.GA508605@LK-Perkele-VII>
References: <MN2PR18MB28457CCBEF6FFE2B70E286FCC3250@MN2PR18MB2845.namprd18.prod.outlook.com> <20190424142331.GA502878@LK-Perkele-VII> <CAErg=HFZSo5XF8x9WtC=5tCcXFN3xweg2ewMZSZwh0ON8kWaNw@mail.gmail.com> <20190424173439.GA503906@LK-Perkele-VII> <CAErg=HF2jF_VXYMf9h7Fwv0kM-7nfA-Z5a98R9BSg1JOxTC8WA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAErg=HF2jF_VXYMf9h7Fwv0kM-7nfA-Z5a98R9BSg1JOxTC8WA@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Je_QczQru2lPleYjl61Z4X0dHoo>
Subject: Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 06:27:49 -0000

On Wed, Apr 24, 2019 at 01:48:24PM -0400, Ryan Sleevi wrote:
> On Wed, Apr 24, 2019 at 1:34 PM Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > > If that's roughly correct, would you agree a possible mitigation
> > > (notwithstanding complexity concerns) 'could' be the use of a client
> > hello
> > > extension, echo'd by the server (thus confirming it understands the
> > > protocol, and is not merely 'dumb' parsing but an active participant in
> > the
> > > TLS handshake), that indicates the IP being verified?
> >
> > The server must already acknowledge the IP address being verified.
> >
> 
> I'm not sure how this conclusion is reached. Could you help me understand
> more?

The validation certificate contains the IP address being verified
in the SAN extension.

> > And that mitigation does not work. If the NAT does not know about
> > TLS-ALPN, it will not know about whatever extension that would be,
> > and thus just copy it through straight to attacker, who can then
> > freely reply.
> 
> 
> I'm not sure why you say this. Your original threat model was that the TLS
> SNI NAT box does something 'sensible' in the absence of SNI - and that the
> attacker would not be able to terminate the handshake if SNI were absent.
> If the proposal were to omit the SNI, while still making sure it's bound to
> the request (via a separate extension), then as long as the TLS SNI NAT box
> does the sensible thing for an SNI-less request, there's no additional
> privilege.

What are the consequences if the server just takes that address without
checking (echoing the extension, with whatever is in it)?

TLS-ALPN with domain names is pretty robust security-wise against
servers and middleboxes doing wrong (but sensible) things.

And in CABForum BRs, fradulent IP address certificate is quite bad, as
it allows (at least in rules) getting fradulent DNS certificates for
any domain pointing to that name (due to existence of method 8).

> If the issue is that the TLS SNI NAT box is *only* secure in the context of
> DNS - and maybe it does something sensible absent an SNI, and maybe it's
> terrible and fundamentally insecure absent an SNI - then what we're saying
> is middleboxes are evil and fundamentally insecure ;)

The reason for distinction between DNS and IP here is because of the
difference in how TLS-ALPN works with DNS and IP versus how clients
works with DNS and IP.

Consider TLS-SNI. That difference in behavior renders it insecure
w.r.t. such middleboxes for both DNS and IP. Yet I do not think anybody
would blame the middleboxes for this issue, they blame TLS-SNI instead.



-Ilari

v2.23.0 | Report a Bug | By Email