IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11

Ben Schwartz <bemasc@google.com> Wed, 07 July 2021 21:18 UTC

Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76A3B3A29AB for <add@ietfa.amsl.com>; Wed, 7 Jul 2021 14:18:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8l3kcweF4n9n for <add@ietfa.amsl.com>; Wed, 7 Jul 2021 14:17:56 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7B0D3A2868 for <add@ietf.org>; Wed, 7 Jul 2021 14:17:55 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id i8so4642072wrp.12 for <add@ietf.org>; Wed, 07 Jul 2021 14:17:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uuvcpIQp7Zi6HtrCLskEYp+cWZOWHbB4DKkAEA8VxQc=; b=QGwy2deKls4UBskcTVBx67jdv5x+HiouiCXtinlfdyeQCCmRpwdSJCC68hyKXMZrvJ lyfesehr4N1rkbQLinoWdAljhcdRzZyENUjgXuSXgrIUvlROHAnhbEGNTlpIizAFdrmi 8XdZsW8tWpcSS6cNZwEZA3+MlsRWcmBRSTrgSOWHYD+jqWPh0HrEQ14Eua8OQOY0KNOz SVEC3zJw/tAGotWoUlpzJnoNOkME7ukyTJgR2SeOJ6wfXpmGR12F/KPe7V9+PENvA8Iz 3PSJk1Sy/X9Uh+oV6E2jc1LKf/IkjIean0j6kTlJnIFdB5L8JokTokZIBUuDtmLONONe YJWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uuvcpIQp7Zi6HtrCLskEYp+cWZOWHbB4DKkAEA8VxQc=; b=siVFC0Qu5wEbhAVV5v8+ynWfO6YaxxuIVSLAjhDI9qkyA7PCmAaWXimz9tfxA4Wk2o UssvZR8wi1dV8P+E5H4oMZtYXPwmYMLcqjBJeQfwpyHTEQmFNubuhxo03++WBuzrYEXc BfPZzaBzN22qqwJTI/ByXJtmgqwnkwaYO/Y1b4Zqrp78Kq9XnjVJWZRueJRWNyZ/3VhT CMmFXiUFLO1mnsvDejrNmi0bAXI5/Qqjx8A6M0Aw2LSPAiPO0k0pLSi4nOUNEM31gk16 GoprUyzaq0MeNwmEssMx+7AJguiY8CUDq3NQEuvv/JEjovkuuD0DSdj8eVPnwrAsGXFT c80Q==
X-Gm-Message-State: AOAM532H7Ytl9fbByTa0nHmpnBE4OO2l1+YPttBepx5t9WZt+5pFntPk J4hWO1sgKomje1Jjk/bSwU2ukBvKTsLg6lRCQh4mLA==
X-Google-Smtp-Source: ABdhPJxkuGBJpIk8jQ/10Dh+mV6R8oDMChMOxTjd7u060W2lfmpO1TdeOZQRB9QZGj+2p6yop8ZkVOk4YJTTpehOblg=
X-Received: by 2002:adf:f1c9:: with SMTP id z9mr2427781wro.159.1625692672702; Wed, 07 Jul 2021 14:17:52 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBOf2C9dSoYr2w6tEOLkpL_pBu5EhBh3HJWKf+iyAfafKg@mail.gmail.com> <MW2PR00MB03470E2B9FB76B4BB2E2CDD7FA1A9@MW2PR00MB0347.namprd00.prod.outlook.com> <6C328F58-80D0-48BF-A59C-B09F7EDC7B60@nbcuni.com>
In-Reply-To: <6C328F58-80D0-48BF-A59C-B09F7EDC7B60@nbcuni.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 07 Jul 2021 17:17:41 -0400
Message-ID: <CAHbrMsCqaQ8k74PwW9=KN=r_a8eQ8bLiyfr0cSMaTix8Qi8C8w@mail.gmail.com>
To: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
Cc: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>, "ekr@rtfm.com" <ekr@rtfm.com>, "add@ietf.org" <add@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000004ab15f05c68f1264"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/592I-hRyfv8D62nMQ--IWqzwX2o>
Subject: Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2021 21:18:01 -0000

I agree that this topic is worthy of agenda time.  I would be happy to
contribute some slides, perhaps in collaboration with someone who's argued
the opposite side.

On Wed, Jul 7, 2021 at 5:03 PM Deen, Glenn (NBCUniversal) <
Glenn.Deen@nbcuni.com> wrote:

> This is an important discussion and I’m a little worried that it’s not
> getting enough eyes on it at the moment  – which is why there isn’t a lot
> of traffic discussing it – very possibly due to it being a popular vacation
> time in the US and elsewhere for summer and people busily on other
> drafts/things.   So making a big decision on list traffic alone at the
> moment might be a bit rushed.
>
>
>
> I do recall that previously the WG had discussed the scenario and it was
> important to an number of people and we’ve already had a lot of discussion
> that went into building up the requirements Doc around this.
>
>
>
> Suggestion:   Before anything gets even seriously considered for removal,
> we should discuss the proposition during the ADD session for IETF111, and
> in any post IETF111 list traffic that discussion may trivver.   Is
> someone(s) willing to put together a couple of slides documenting the
> scenario at IETF111?
>
>
>
>
>
> -glenn as ADD co-chair
>
>
>
> On 7/7/21, 9:46 AM, "Add on behalf of Tommy Jensen" <add-bounces@ietf.org
> on behalf of Jensen.Thomas=40microsoft.com@dmarc.ietf.org> wrote:
>
>
>
> > Are there an appreciable number of networks with these properties? If
> so, can we write down where that happens and put it in Security
> Considerations? If not, we should consider removing this mode.
>
>
>
> Just my 0.02: I would support removing this whether in PR#11 or DDR as it
> stands. The reason we added this “same IP is allowed without verification”
> mechanism was in response to WG feedback that expecting ecosystem members
> to accomplish this on our own was unreasonable (the authors originally said
> “we leave that to DoT knocking which is already suggested in RFC7858”).
>
>
>
> I see Michael already commented on this; it would be useful to hear more
> WG commentary on this point. I was under the impression that there is some
> subset of network operators who found that useful. If not, we should
> revisit.
>
>
>
> Thanks,
>
> Tommy
>
>
>
> *From:* Add <add-bounces@ietf.org> *On Behalf Of *Eric Rescorla
> *Sent:* Thursday, July 1, 2021 3:18 PM
> *To:* ADD Mailing list <add@ietf.org>
> *Subject:* [EXTERNAL] [Add] Private IPs, DDR, and PR#11
>
>
>
> I've been spending some time thinking about PR#11 and trying
> to figure out the threat model where it brings value. This
> message is an attempt to get to a better understanding. As
> should be clear, I'm a little confused, so if people want
> to tell me why I'm wrong, that would be helpful.
>
>
> First, let's start with what I take to be the network topology:
>
>
>                    ISP Resolver
>                     192.0.2.1
>                         |
>                         | <- ISP Network
>                         |
>                     192.0.2.100
>                    CPE/DNS Proxy
>                      10.0.0.1
>                         |
>                         | <- Home network
>                         |
>                      10.0.0.100
>                     Users device
>
>
> We have the ISP's resolver with a public address of 192.0.2.1.  The
> user has some sort of CPE with an external address of 192.0.2.100 and
> an internal address of 10.0.0.1. The user's device has an IP of
> 10.0.0.100. When the user's device does DHCP, it gets the address
> 10.0.0.1 for its resolver, presumably because the CPE intends to proxy
> or cache DNS, otherwise it could just serve the ISP's resolver address
> (192.0.2.1) in DHCP.
>
> The general assumption for the DDR threat model so far is that:
>
> 1. The user's device gets the address of its resolver securely
> (presumably because DHCP is secure in some way). If that's not true,
> then I think we can agree that DDR does not provide much additional
> security benefit because the attacker can just substitute their own
> resolver [0].
>
> 2. Either the home network or the ISP network is insecure, otherwise
> you don't need DoX.
>
> OPPORTUNISTIC MODE
> So, first, its not entirely clear to me what the Opportunistic mode of
> S 4.2 provides. In this scenario, presumably the client will be doing
> TLS to the CPE (because otherwise the IP address would be the
> resolver's public address), which means that we are concerned with the
> attacker controlling the home network. So, in this scenario, we are
> only getting value if you have a network in which:
>
> 1. The attacker can *see* traffic not destined for their IP address
>    (otherwise there's not much point in encrypting).
> 2. The attacker cannot forge traffic from another IP address
>    (otherwise they can just impersonate the CPE because there
>    is no certificate).
>
> Are there an appreciable number of networks with these properties? If
> so, can we write down where that happens and put it in Security
> Considerations? If not, we should consider removing this mode.
>
>
>
> PR #11
> The idea with PR#11 seems to be to bootstrap up from a local IP
> address issued via DHCP to some other address. PR#11 doesn't do that
> great a job of describing the setting, but I'm assuming the scenario
> is that we want to start from a situation in which we have a CPE-based
> proxy and move to a situation in which the user's device talks directly
> to the ISP resolver. Otherwise, presumably, we could just make do
> with the mode in S 4.2. Is this right or am I missing something?
> And the reason we're not just vending the ISP's resolver directly
> via DHCP is that the CPE isn't upgradeable or potentially under
> the user's control and not the network's?
>
> So, first, what threat model are we concerned with:
>
> 1. If it's control of the home network, then why can't the attacker
>    block the _SVCB record between the user and the CPE stopping
>    them from upgrading?
>
> 2. If it's control of the link to the ISP, then why can't the
>    attacker just block the resolution of the _SCVB record between
>    the CPE and the ISP's resolver? Maybe the CPE is using DoX,
>    but we're trying to protect against *future* compromise
>    of the user's network?
>
> Can we get this documented before we start designing mechanisms?
> That would also help understand the effectiveness of the 5 minute
> timeout.
>
>
> Finally, assuming I've understood things correctly, reaching through
> the CPE in this way seems like it has the potential to bypass any
> CPE-specific filtering that the user has has installed. Suppose I have
> some CPE that uses the ISP DNS but filters out certain names; if the
> ISP posts a _SVCB record that directs me to their resolver, doesn't
> that cause that filtering not to work?
>
> -Ekr
>
> [0] Modulo cdisco-style steering where the address is matched up
> against a trusted list.
>
>
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email