IETF Logo Mail Archive

Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05

Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 25 April 2019 11:34 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C92A41201A4 for <acme@ietfa.amsl.com>; Thu, 25 Apr 2019 04:34:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9pDHl_U3ojco for <acme@ietfa.amsl.com>; Thu, 25 Apr 2019 04:34:31 -0700 (PDT)
Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 093D51201E8 for <acme@ietf.org>; Thu, 25 Apr 2019 04:34:31 -0700 (PDT)
Received: by mail-ed1-f52.google.com with SMTP id k92so18814985edc.12 for <acme@ietf.org>; Thu, 25 Apr 2019 04:34:30 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ne2HDMwHLSEch3fhAOIfQTH3avEHmnxcG4o2c640SpE=; b=LRurrNMRnj16QBJZyHkud99eg67S0ccb6Bdb8V56RUeYSyrhtZ4nLQVFdh/v+iZxv4 8a9tI42kHZ3fC2XTDXRp76iCSYjuBOoc/1u2DfaGBlUYLscCVTYyUyhKWtr4wHzZcz37 /PAxuYmXmuMfyrc7kEMGcN1v1134rT4Cs7UPCnPBJ/ld5Vk4g0UW6LZEQF2k9pYPG0hn okyKMZtk1nrT+9tPkZz7t/QkbX+xPdQusEed6+eMrhkLcN+X0k4aMYt4dGZYKBjgv4ax b1AFBZzmeoG4tIB9hiozyTed8FHE1rCVnCSq2CcZwgqlap3QR76wHaArGjX2HN6QltX2 2r7Q==
X-Gm-Message-State: APjAAAWY8vTYoa/0gWBmYS4doTnKbLj9h476oRhtULaAGxVmgeBryoSK Zgb6DEbU+3KlacymDS0/teu1NHtr
X-Google-Smtp-Source: APXvYqwLeUOLtQBFAB42fZd+z9xvDT/krxDpzWmrbXf2F+DuOGxk/Jzb6pOcDqtquy43X1fBHOD6/w==
X-Received: by 2002:a17:906:b291:: with SMTP id q17mr19508801ejz.56.1556192069174; Thu, 25 Apr 2019 04:34:29 -0700 (PDT)
Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com. [209.85.221.44]) by smtp.gmail.com with ESMTPSA id c4sm85889ejo.51.2019.04.25.04.34.28 for <acme@ietf.org> (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Thu, 25 Apr 2019 04:34:28 -0700 (PDT)
Received: by mail-wr1-f44.google.com with SMTP id g3so29809387wrx.9 for <acme@ietf.org>; Thu, 25 Apr 2019 04:34:28 -0700 (PDT)
X-Received: by 2002:adf:eb89:: with SMTP id t9mr26846035wrn.109.1556192068589; Thu, 25 Apr 2019 04:34:28 -0700 (PDT)
MIME-Version: 1.0
References: <MN2PR18MB28457CCBEF6FFE2B70E286FCC3250@MN2PR18MB2845.namprd18.prod.outlook.com> <20190424142331.GA502878@LK-Perkele-VII> <CAErg=HFZSo5XF8x9WtC=5tCcXFN3xweg2ewMZSZwh0ON8kWaNw@mail.gmail.com> <20190424173439.GA503906@LK-Perkele-VII> <CAErg=HF2jF_VXYMf9h7Fwv0kM-7nfA-Z5a98R9BSg1JOxTC8WA@mail.gmail.com> <20190425062739.GA508605@LK-Perkele-VII>
In-Reply-To: <20190425062739.GA508605@LK-Perkele-VII>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 25 Apr 2019 07:34:17 -0400
X-Gmail-Original-Message-ID: <CAErg=HHO+=oy_jXOJbi+_OU34A+-5du6gtSa3pcqDWdhUOaiYw@mail.gmail.com>
Message-ID: <CAErg=HHO+=oy_jXOJbi+_OU34A+-5du6gtSa3pcqDWdhUOaiYw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Corey Bonnell <cbonnell@outlook.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000735f0f05875933a4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/p2Qs4EGTM5zGpXw0ympewH1oxSo>
Subject: Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 11:34:34 -0000

On Thu, Apr 25, 2019 at 2:27 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Wed, Apr 24, 2019 at 01:48:24PM -0400, Ryan Sleevi wrote:
> > On Wed, Apr 24, 2019 at 1:34 PM Ilari Liusvaara <
> ilariliusvaara@welho.com>
> > wrote:
> >
> > > > If that's roughly correct, would you agree a possible mitigation
> > > > (notwithstanding complexity concerns) 'could' be the use of a client
> > > hello
> > > > extension, echo'd by the server (thus confirming it understands the
> > > > protocol, and is not merely 'dumb' parsing but an active participant
> in
> > > the
> > > > TLS handshake), that indicates the IP being verified?
> > >
> > > The server must already acknowledge the IP address being verified.
> > >
> >
> > I'm not sure how this conclusion is reached. Could you help me understand
> > more?
>
> The validation certificate contains the IP address being verified
> in the SAN extension.
>
> > > And that mitigation does not work. If the NAT does not know about
> > > TLS-ALPN, it will not know about whatever extension that would be,
> > > and thus just copy it through straight to attacker, who can then
> > > freely reply.
> >
> >
> > I'm not sure why you say this. Your original threat model was that the
> TLS
> > SNI NAT box does something 'sensible' in the absence of SNI - and that
> the
> > attacker would not be able to terminate the handshake if SNI were absent.
> > If the proposal were to omit the SNI, while still making sure it's bound
> to
> > the request (via a separate extension), then as long as the TLS SNI NAT
> box
> > does the sensible thing for an SNI-less request, there's no additional
> > privilege.
>
> What are the consequences if the server just takes that address without
> checking (echoing the extension, with whatever is in it)?
>
> TLS-ALPN with domain names is pretty robust security-wise against
> servers and middleboxes doing wrong (but sensible) things.


I’m still struggling to build up a cohesive threat model for your concerns.
Perhaps you can try writing one up, for folks who haven’t read this thread
- and this might help folks like me who have read this thread.

Where I struggle is that the threats seem to continually shift through each
message, but perhaps  I’m not understanding. For example, a middlebox that
blindly echoes TLS extensions means it is terminating TLS, not merely
dispatching on it. The security model of TLS-ALPN is, as discussed during
that process, fundamentally undermined if the server starts echoing the
ALPN - which is why the ALPN draft warns against it.

I’m trying to understand what “bad but legitimate” behaviors you see,
because I doubt we can, will, or should solve for “bad and violating
existing TLS invariant” behaviours. We should be careful to balance how
many hypotheticals here, as unless we have a concrete threat model, we’re
making protocol authors do unreasonable and undocumented dances.

And in CABForum BRs, fradulent IP address certificate is quite bad, as
> it allows (at least in rules) getting fradulent DNS certificates for
> any domain pointing to that name (due to existence of method 8).


I think that is largely orthogonal to this discussion. There is no need for
a certificate - any “technical control” over the IP is sufficient for that
purpose. If we’re countenancing servers that don’t do something sensible
for SNI-less requests, then that’s already an issue, since CAs also aren’t
required to use TLS-ALPN.

> If the issue is that the TLS SNI NAT box is *only* secure in the context
> of
> > DNS - and maybe it does something sensible absent an SNI, and maybe it's
> > terrible and fundamentally insecure absent an SNI - then what we're
> saying
> > is middleboxes are evil and fundamentally insecure ;)
>
> The reason for distinction between DNS and IP here is because of the
> difference in how TLS-ALPN works with DNS and IP versus how clients
> works with DNS and IP.
>
> Consider TLS-SNI. That difference in behavior renders it insecure
> w.r.t. such middleboxes for both DNS and IP. Yet I do not think anybody
> would blame the middleboxes for this issue, they blame TLS-SNI instead.


I’m still not confident I have a clear understanding of your concerns, and
that’s concerning if only because it sounds like you believe there are
critical, unaddressed security issues with the draft, and it’s unclear how
to move forward or address them. It appears the concerns are shifting in
the messages, but it’s entirely likely I’m missing some metapoint you’re
making.

Do you have suggestions on how to address the issues you see? That might
also help make it clearer.

v2.23.0 | Report a Bug | By Email