Re: [Add] [EXTERNAL] I-D Action: draft-ietf-add-ddr-01.txt

Ben Schwartz <bemasc@google.com> Thu, 17 June 2021 01:49 UTC

From: Ben Schwartz <bemasc@google.com>
Date: Wed, 16 Jun 2021 21:49:35 -0400
Message-ID: <CAHbrMsBeKScUnBVbOA67AauqdiZQ2VnhSNShTLLtpJc-aMqm1A@mail.gmail.com>
To: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>
Cc: "chris.box.ietf@gmail.com" <chris.box.ietf@gmail.com>, "add@ietf.org" <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/B5Nc_7DrICKMKcAEBDZ5pf61xpM>

On Wed, Jun 16, 2021 at 8:36 PM Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org> wrote:
...

> > In PR #11, private IP upgrade is additionally vulnerable for a short
> > time window after an on-path attacker ceases to be on-path.
>
> This is the difference in security bar I am objecting to. DDR as it stands
> will never result in an encrypted connection to an unintended party
> (assuming certificate ownership is secure, the same bar set for general
> HTTPS usage).
>

When there is an on-path attacker and the unencrypted resolver is
identified by a private IP, DDR-01 results in an encrypted connection to an
unintended party.

> Your PR undoes that promise in a way that can only be limited, not
> eliminated.
>

I don't think it's nearly so clear-cut.  For example, in DDR-01, an on-path
attacker can point all requested domains to attacker-controlled IPs with
long TTLs, allowing them to stay on-path for application traffic long after
the DNS attack is over.  If the client uses any insecure protocols (e.g.
HTTP), of course much worse attacks are possible.

> > If PR #11 enables significantly broader use of encrypted DNS, as seems
> > likely, I think it would represent an improvement to overall security.
>
> I whole-heartedly disagree with this mentality. Encryption alone is not
> equal to security.
>

The modern web is powered almost entirely by Domain Validated
certificates.  Unlike the classic Organization Validated certificates,
these are highly vulnerable to a transient on-path attacker, who can
instantly acquire certificates and persist their attack for months.
Nonetheless, the modern web, where a majority of traffic uses HTTPS with DV
certs, is much more secure than the old web where 10% of sites used HTTPS
with OV certs, and 90% were unencrypted.

I think a similar dynamic applies here.
