Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-ddr-01.txt
Tommy Jensen <Jensen.Thomas@microsoft.com> Thu, 17 June 2021 05:18 UTC
Return-Path: <Jensen.Thomas@microsoft.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F8063A0940 for <add@ietfa.amsl.com>; Wed, 16 Jun 2021 22:18:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.786
X-Spam-Level:
X-Spam-Status: No, score=-2.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hn9NCv-uGDYQ for <add@ietfa.amsl.com>; Wed, 16 Jun 2021 22:18:13 -0700 (PDT)
Received: from outbound.mail.eo.outlook.com (mail-oln040093003008.outbound.protection.outlook.com [40.93.3.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9356D3A093C for <add@ietf.org>; Wed, 16 Jun 2021 22:18:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CSmHs/hXLmkXwELcL7PipSddZNQaLX0ylXNbePyOFeNFva2fS1MIn81cGxutcTzD+5FhwxRhrCeEwkHCizMQK4Bnp1HYEFr4YGry6umnFxePZl6446k0W2fsHGNB2sTW4RuzOknDrqLeNoi3dsAluvQxaMGeXprBAV0mtO08tEUJuLUXbDZ51iypoPIasy5R/Vm9BI20W4xBC8waWcpRSHAo+++iB6X57+cxHlajJMB5NKGk8FHV2zYNtbjTLNDkPnY4DcmWNI9B3YApP8CF+ffG/DZ3bk1IsXv6MX6rmYJ5Zredt55kmSw3pzp09CyY8ui7ieKLP44SHv78Vf23vg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=w6bKehq1HadeUlqhsO8X3/fHJf8dIDAYUw2jdwNa60U=; b=HeLyEz5yXka2vFCuogfjbWT5mjj1wdBr3+rrNzMl6GY4iFIUS0l9djdUptxamfxBzGjg9eJes7+WN0V4rZg6U0Pj/FJx84SzM9xCcIVrLsTCD0ny/UYwe9tQkd3/libAsqFc52Qner0Fx4MCPVsfDuzf0Po9sJw5nsZYn+GtdkAishU4Zxl5qB01nGfhmuuaVpQvapYCcRBCBk/nRZ3XUrwCf3ySkdK0f/y1mKNw0K4VGFbKDa0BIGXUNJ5/mb84+sOApClYr65hp6fcnpSRG5VUAAbicp/dcCAGfm6SfMQcjq4Vvl42wiU6X+fnpBYcnki87MZI7Q0asTs6UuEfvQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=w6bKehq1HadeUlqhsO8X3/fHJf8dIDAYUw2jdwNa60U=; b=XUG3EBRAGGTRXol+Kw4By9IjmlbUIYNi0+OXzj1s+Mcff2FI0tZK/fuRYqZvnK/KK9UzaVbvY8ZiCZRmd9BmBXGYZw4Mk7WLe0aKluXmIkCs9AW0cMFGWiYAkJTPUaFE5bJmmY2nefKfXGdsd4ydCiFkUjCRp4OdVKgoiu+gTXo=
Received: from SN6PR00MB0351.namprd00.prod.outlook.com (2603:10b6:805:c::18) by SA1PR00MB1124.namprd00.prod.outlook.com (2603:10b6:806:1af::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4275.0; Thu, 17 Jun 2021 05:18:11 +0000
Received: from SN6PR00MB0351.namprd00.prod.outlook.com ([fe80::ecb4:5f16:739e:c575]) by SN6PR00MB0351.namprd00.prod.outlook.com ([fe80::ecb4:5f16:739e:c575%7]) with mapi id 15.20.4286.000; Thu, 17 Jun 2021 05:18:11 +0000
From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: "bemasc=40google.com@dmarc.ietf.org" <bemasc=40google.com@dmarc.ietf.org>
CC: "chris.box.ietf@gmail.com" <chris.box.ietf@gmail.com>, "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] [EXTERNAL] I-D Action: draft-ietf-add-ddr-01.txt
Thread-Index: AQHXYguDzndEH35LgEG/Yf/TFHajyKsWv3IAgAAF3HCAABHhAIAAfgoQgAAcvICAACj5UA==
Date: Thu, 17 Jun 2021 05:18:11 +0000
Message-ID: <SN6PR00MB0351D3B4C03A724BEEF85058FA0E9@SN6PR00MB0351.namprd00.prod.outlook.com>
References: <162371155812.25682.11014036541727314816@ietfa.amsl.com> <MW2PR00MB034747898A4CA25E614E3222FA319@MW2PR00MB0347.namprd00.prod.outlook.com> <CACJ6M15YaZBhJA8NHmau-K22wbS4QCFuQZx04daTMsNrCQ0rdQ@mail.gmail.com> <CAHbrMsCiCRpRhxhcp7Nryz05JgXr2+j5eAr6HOumPD0=sCHwvw@mail.gmail.com> <SN6PR00MB03517A0AB3B60916F6D8E556FA0F9@SN6PR00MB0351.namprd00.prod.outlook.com> <CAHbrMsB4XBgN1H+MSU7YUkx3bXDke7xT_YZGWY=JpJ8LsQDU3g@mail.gmail.com> <SN6PR00MB0351459E68629DA35E455828FA0E9@SN6PR00MB0351.namprd00.prod.outlook.com> <CAHbrMsBeKScUnBVbOA67AauqdiZQ2VnhSNShTLLtpJc-aMqm1A@mail.gmail.com>
In-Reply-To: <CAHbrMsBeKScUnBVbOA67AauqdiZQ2VnhSNShTLLtpJc-aMqm1A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2021-06-17T05:18:08Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=875eabb2-a48e-457d-84aa-2e1f75e5c9c5; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f1b5f691-0d08-457c-af45-08d9314f4cda
x-ms-traffictypediagnostic: SA1PR00MB1124:
x-microsoft-antispam-prvs: <SA1PR00MB1124D86738CB1957876758B6FA0E9@SA1PR00MB1124.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: aNtpP9Y7SQS3Zv4pX/03pQ9fp3Y5HObBNy7aJD7h8dylwhcxXxmCtp4nGQDQUK3tmmvRgJ+wDoN6YQSC8u0M65p9Rk3RBXHSA5r+Gxt4iQU/NKI0iG2r1LTMstCEhwzGo4jAAcexnOIX7v4lEIlJ0MyyRFvu/7z9h1QwhxBKPuO/4Dz2vzsn1OzvP2JqftnwYWpiHelOF4tjx1ZwIs6oK1UBbXJHlNZwm0LkQlp6SddAOAsneHSzTuzs7d9Yfj3Sx3wvF31rFyIjpN9FvPedW194spPAjM5F8Rv8EULsspo9wrYBhyKdqAECrcIMsgi1qlgmCeUmECb5qeXnMaTyf+oG0X75LdeAhIP1iKEqIhy0I943y+Ytf8lx0LRR6l3sOZAvr2/+3ZOUyneIQL+5JH40S+VrfEuih7FDWepwLIyDrNdm4Sj3alA0u5x1P7ZcfLJZjhL9ZD6Mx6xGRK9xEskC7bkd1nujHfGnbS7aGfrXfqUE3ljTpYbVDGK5FGHBRomwTy+o/P0VkK2kxXG7bFYG2yWYkSgiEypsxnhSI4Vb1R8cqVDIMQ/LanBZ3Aa6DYCJMUSexmbWq0t6duJw3gGIhEluyj5cwAb7Gt8B2c2KLDrjNIaijr7wvgDiCBsSWXO3MAAbFbk1Bj1TAhIMlA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SN6PR00MB0351.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(66476007)(66946007)(55016002)(66446008)(76116006)(66556008)(8990500004)(33656002)(316002)(2906002)(52536014)(5660300002)(54906003)(86362001)(64756008)(478600001)(83380400001)(9686003)(8936002)(8676002)(10290500003)(186003)(82960400001)(4326008)(38100700002)(7696005)(6506007)(53546011)(71200400001)(26005)(122000001)(82950400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: t8e1tWcdNyI9/Jij4O5ui92pKxsIsg5v+jgrDOffeWKPNg0WKNIRw89wLeRvef6n4UMYgMdw0NI89PYdOLvq4RfY9xIEBLznHhLlApMHy0hL3QYSGB2I7Ozn8ap1VZkbmgFQD6x/6UgVuiGYz05ckDo7x6NqiSrUdoLq9HLVo80BhXExkmXucKdL/vP0CNdlUg9q8QdKivhyTjLJ1+IVd0mWcU8HPODfLqKEapm3Gumm+7/UB/MI3hOk00igXj6W4sQvlrVA9uwHIG9ACO1S/KwsYgIExlpgwfExZkOEJF6RIS5eGibGIilKZ/cNNMMjrE5wX3GW7V5cnWtblQ6GuA77NDqNVku8brRA4A2LRiZ517ABzz3jkLKoq2w9pGTEiMNTts370LUum9LKTepY9i+vGLEsLbMp4y9M40ys9QrmU+w9Ta06Yoja9RZyTuRxylbj8lCI2PE1A2MCRIlCEDXvJNCJ4oxfax5UB+Ol+MFbooIvznf0CQUZr3bMSDImpqSI37gCT6xa9fApLSt0nG3ttDQMsDRCETSmlWsJZoxRLPFEIgvigtfitFvbJUDv1AQtI3mczZbJVGUE3pDRpXpdlqT7P2wPr48sSphwnB10KK27YhEB8Gthvi4lfKROocrRQPPocN/bZBbRQPjGTCa8BVGTEK8D23pZpGLAtB9fKWnWceQgTY4GSzUXnhjXzSJZdA80MX9x+hlkLObjLKK5r5VjD8tjPXh+rYHgOslNpRSOfosKdqzlrfNd+hhfm3p4d76me+EhxqJHLnMevoozRBRnJDSeCaKNN2xxvVYvQv/r0tgXfPpfaH4nhfIEiabeudPuKxvg5aafyoUm2jOwkPUOV6TJPmY7Hel/NFJdiQtAZDE1RA0OspNmvGqhvcpEZAkcPV0HtEPBD2yTs5PiwmIQfqwLEGehfoNJNpH41ig+kUc9MsE9MhQT93B/Aj/voE+Xx7dTLd5oD9kf90kYizyPj1J/ja17ZnkAeO0IpvHJwFwRHaHtgjMy+HIetr4bgeS9IUvx0fSnH7k1tQGH0Src8MO+deOHVPil+oW4Q3nbj8gRCO/kRQ65htzWi0sWiFFStTWNHGd7Kj9PMU202Gcm+Z/yAGVlu4rwMf+YoCw4xro+Y9DtQQynTW/5C625Fexmnzp8YMeKByyTN43hFPaeT2eN+KDW3ns/75QrS6mCKFYVJMX8naXkTHDOfFxRIM8xchum1oNLNnhsrLpGMXlzX+zkukY5rgtrFnFmaNtrg85ifisz9iifbZI6bkjkEANDYoJF+ztl1RuKsWW1I7jhag8Ai6e+/r578GJakAmrGJdv4bVNGI5oKGCF
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_SN6PR00MB0351D3B4C03A724BEEF85058FA0E9SN6PR00MB0351namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN6PR00MB0351.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f1b5f691-0d08-457c-af45-08d9314f4cda
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2021 05:18:11.0723 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kmiXvNV89vGoM1ZUxv1CtcZUOgFwfzgGhxD9+zBIJTgJ0YzF3qBYoI8sQVxNK7XAAcwbZPFK5eWiAxSCWL33gA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR00MB1124
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/2JQch18JZlazR6B-_tOPwMb7JLQ>
Subject: Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-ddr-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jun 2021 05:18:20 -0000
> When there is an on-path attacker and the unencrypted resolver is identified by a private IP, DDR-01 results in an encrypted connection to an unintended party. It results in an encrypted connection to the exact same IP address the client would have otherwise sent unencrypted traffic to anyway. The attacker must be present for all traffic it wants to see/manipulate in both cases. PR#11 adds the ability for this to occur but to a different, possibly off-network, IP address and will continue reaping the benefits for some amount of time after leaving the local path. I argue that is a significantly worse security posture. > For example, in DDR-01, an on-path attacker can point all requested domains to attacker-controlled IPs with long TTLs, allowing them to stay on-path for application traffic long after the DNS attack is over. Assuming you mean an attacker on the encrypted path, this requires that either the client establishes and uses a connection to an attacker’s encrypted resolver or that an attacker compromises the encrypted resolver itself, becoming the endpoint (ignoring an attacker who can break TLS, as that attack renders all mechanisms we have moot). The former is prevented by the IP address validation (and scope limiting DDR to those identities a TLS cert can cover); the latter is unrelated to the discovery mechanism used to connect to the encrypted resolver. No discovery mechanism will protect a client against an attacker taking over their recursive resolver. > I think a similar dynamic applies here. DV versus OV is resource-cost prohibitive: one is harder than the other. DNR versus PR#11 is time-cost prohibitive: one would be possible right away and the other will be possible eventually. Meaning as time goes on and CE/CPE are sold supporting DNR, networks will be able to advertise whatever encrypted resolver config they want over DHCP/RA without any additional bootstrapping needed by (or attack vectors exposed to) clients. As the same time goes on, the costs of DV versus OV remain the same in ratio (manual verification is always going to be much harder/expensive than automatic). You’re correct that both PR#11 and DV certs are examples of weaker security postures in the hopes of increasing encryption adoption. However, one is to bring encryption that would otherwise never occur (as the OV bar is too high for many “mom and pop” size domain owners); the other is to bring encryption that could otherwise eventually occur (the 85% problem is rooted entirely in the inability to modify CE/CPE right away faster than hardware turnover in the wild). In fact, I think this is a great example of why DDR and PR#11 should remain separate. The strength of the ownership guarantee provided by each ownership verification method are significantly different; the same is true for DNS encrypted resolver discovery. One could say the end user will only see “green padlock” or “secure DNS” but under the hood they are very different mechanisms. Why define them together in a single bucket? Thanks, Tommy From: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> Sent: Wednesday, June 16, 2021 6:50 PM To: Tommy Jensen <Jensen.Thomas@microsoft.com> Cc: chris.box.ietf@gmail.com; add@ietf.org Subject: Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-ddr-01.txt On Wed, Jun 16, 2021 at 8:36 PM Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org<mailto:40microsoft.com@dmarc.ietf.org>> wrote: ... > In PR #11, private IP upgrade is additionally vulnerable for a short time window after an on-path attacker ceases to be on-path. This is the difference in security bar I am objecting to. DDR as it stands will never result in an encrypted connection to an unintended party (assuming certificate ownership is secure, the same bar set for general HTTPS usage). When there is an on-path attacker and the unencrypted resolver is identified by a private IP, DDR-01 results in an encrypted connection to an unintended party. Your PR undoes that promise in a way that can only be limited, not eliminated. I don't think it's nearly so clear-cut. For example, in DDR-01, an on-path attacker can point all requested domains to attacker-controlled IPs with long TTLs, allowing them to stay on-path for application traffic long after the DNS attack is over. If the client uses any insecure protocols (e.g. HTTP), of course much worse attacks are possible. > If PR #11 enables significantly broader use of encrypted DNS, as seems likely, I think it would represent an improvement to overall security. I whole-heartedly disagree with this mentality. Encryption alone is not equal to security. The modern web is powered almost entirely by Domain Validated certificates. Unlike the classic Organization Validated certificates, these are highly vulnerable to a transient on-path attacker, who can instantly acquire certificates and persist their attack for months. Nonetheless, the modern web, where a majority of traffic uses HTTPS with DV certs, is much more secure than the old web where 10% of sites used HTTPS with OV certs, and 90% were unencrypted. I think a similar dynamic applies here.
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… Tommy Jensen
- [Add] I-D Action: draft-ietf-add-ddr-01.txt internet-drafts
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… sanjay.mishra
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… Tommy Jensen
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… sanjay.mishra
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… Chris Box
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… Ben Schwartz
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… Tommy Jensen
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… Ben Schwartz
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… Tommy Jensen
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… Ben Schwartz
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… Tommy Jensen
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… Ben Schwartz
- Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-d… tirumal reddy