Re: [Add] Relaxed validation and delegated IPv6 prefixes (Was: New Version Notification for draft-schwartz-add-ddr-forwarders-00.txt)

"STARK, BARBARA H" <bs7652@att.com> Mon, 11 October 2021 13:10 UTC

From: "STARK, BARBARA H" <bs7652@att.com>
To: 'Ben Schwartz' <bemasc@google.com>
CC: 'ADD Mailing list' <add@ietf.org>
Date: Mon, 11 Oct 2021 13:09:28 +0000
Message-ID: <DM6PR02MB69240376B633BFCB7AC7F667C3B59@DM6PR02MB6924.namprd02.prod.outlook.com>
References: <DM6PR02MB6924A3C8D43C001C78994B01C3B19@DM6PR02MB6924.namprd02.prod.outlook.com> <CAHbrMsBQBu8fTeeHtvO=YCn_Af-PzZvHmZK=ErXEAf6U44VZjw@mail.gmail.com>
In-Reply-To: <CAHbrMsBQBu8fTeeHtvO=YCn_Af-PzZvHmZK=ErXEAf6U44VZjw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/DCPsyDzEypyV0cHlm_OeQrIMHXA>
List-Id: Applications Doing DNS <add.ietf.org>

In-line with <bhs2>. Just one question, though, so no need to look far.
Barbara

From: Ben Schwartz <bemasc@google.com>
Sent: Sunday, October 10, 2021 9:07 PM
To: STARK, BARBARA H <bs7652@att.com>
Cc: ADD Mailing list <add@ietf.org>
Subject: Re: Relaxed validation and delegated IPv6 prefixes (Was: New Version Notification for draft-schwartz-add-ddr-forwarders-00.txt)

If the DNS forwarder is identified by a public address (IPv4 or IPv6), then it could get a TLS certificate for that IP address.  A client policy that doesn't require authentication in this case, even though authentication is possible, would be a much bigger departure from baseline DDR.  I would prefer not to describe that behavior in this draft.

<bhs> When you say "[the DNS forwarder] could get a TLS certificate for that IP address", are you saying it would be possible for a gateway to get a PKI CA-signed certificate every time it gets delegated an IPv6 prefix (and subsequent renewal)?

I misspoke.  Let me try again:

In DDR, the Encrypted Resolver must hold a certificate that covers the IP address of the Unencrypted Resolver unless the resolvers have the same IP.  Thus, if the gateway uses a public IP address, and is actually a forwarder, then the upstream resolver must return a certificate that covers the gateway's IP address.

<bhs2> Oh good! So by "covers", do you think it would be acceptable to have the certificate contain the IPv6 prefixes AT&T uses to delegate prefixes to wireline customers? Like 2600:1700::/28 and 2602:300::/24?

This is not the same as placing a PKI certificate on the gateway.  (I don't know if it's easier or harder.)

...
So if a client is provided a private IPv4 DNS server address and a public (GUA) IPv6 DNS server address (and, BTW, both reply with identical resolver.arpa info), will the relaxed-validation client prefer IPv6 and not upgrade because the IPv6 address is a GUA? Or will the relaxed-validation client try the private IPv4 address (also?) and do the DoH upgrade?

I think it will do the upgrade, via the IPv4 server.

I'm ok not worrying about people with static public IPv4 address assignments (assuming the same argument that a certificate isn't realistic). That's a small population. But is it really not possible to explore allowing "same IPv4 subnet" or "on-link IPv6 prefix"?

Let's consider two clients, one implementing "baseline DDR" and one that relaxes validation as you've described.  They are on a v6-only network whose DNS server has a public IP and is "on-link" according to some criterion.  A DDR query tells the client to use a "far away" designated resolver.

If the local DNS server is actually a forwarder, then it is arguably safe to upgrade without certificate validation.  However, the client doesn't know whether this server is a forwarder.  It might actually be a full resolver.

Suppose there is an active attacker close to the "far away" designated resolver.  The "baseline DDR" client enforces certificate validation, so it detects this attacker and continues to use the local (full) resolver.  As a result, the attacker (who is far away) cannot see or modify most/any of the user's queries.  The "relaxed" client sends all their queries straight to the attacker.

This seems like a much larger departure from the baseline DDR security model than anything contemplated in this draft, so I would prefer not to combine it.  However, this situation is important, and should be mentioned in the draft.  I've added the following paragraph in the pull request [1]:

> IPv6-only networks whose default DNS server has a Global Unicast Address are out of scope, even if this server is actually a simple forwarder.  If the DNS server does not use a private IP address, it is not a "legacy DNS forwarder" under this draft's definition.

[1] https://github.com/bemasc/ddr-forwarders/pull/3
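The exchange above compares three client behaviours on two network shapes: the dual-stack home with a private IPv4 and a GUA IPv6 resolver address, and the v6-only network whose local DNS server has a GUA. The following is an added example, not code from the thread or from draft-schwartz-add-ddr-forwarders, that models those decisions so the outcomes Ben describes can be checked on concrete inputs. The `Certificate` and `Outcome` types, the function names, the `treat_gua_as_forwarder` switch and the sample addresses (other than the AT&T prefix 2600:1700::/28 quoted in the thread; the host parts and the 2001:db8:: resolver address are made up) are all constructed here. The certificate model stores SAN entries as single addresses because that is what RFC 5280 iPAddress SAN entries carry.

```python
"""
Added example, not code from the thread or from draft-schwartz-add-ddr-forwarders:
a toy model of the client decision Ben describes, so the baseline-DDR and
relaxed-validation outcomes can be compared on concrete inputs. Types,
function names and sample addresses are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for the Encrypted Resolver's TLS certificate.
    RFC 5280 iPAddress SAN entries carry single addresses (4 or 16 octets),
    so the model holds addresses rather than prefixes."""
    san_ips: FrozenSet[IPAddr]

    def covers(self, ip: IPAddr) -> bool:
        return ip in self.san_ips


def baseline_ddr_ok(unencrypted_ip: str, encrypted_ip: str, cert: Certificate) -> bool:
    """Ben's statement of the baseline rule: the Encrypted Resolver's
    certificate must cover the Unencrypted Resolver's IP address unless the
    two resolvers share the same IP. TLS authentication of the Encrypted
    Resolver itself is assumed to have succeeded separately."""
    u = ipaddress.ip_address(unencrypted_ip)
    e = ipaddress.ip_address(encrypted_ip)
    return u == e or cert.covers(u)


def is_legacy_forwarder_address(ip: str) -> bool:
    """Scope test from the paragraph Ben added to the pull request: a
    "legacy DNS forwarder" is reached at a private address; a server with
    a Global Unicast Address is out of scope."""
    return ipaddress.ip_address(ip).is_private


@dataclass(frozen=True)
class Outcome:
    upgraded: bool          # did the client move to the designated resolver?
    via: str                # "IPv4" / "IPv6" / "" (stayed on local resolver)
    cert_validated: bool    # True for a baseline upgrade, False for relaxed


def decide(unencrypted_ips: List[str], encrypted_ip: str, cert: Certificate,
           relaxed: bool, treat_gua_as_forwarder: bool = False) -> Outcome:
    """Try each configured resolver address in order. A baseline client
    upgrades only when the certificate check passes. A relaxed client also
    upgrades without validation, but only for addresses that qualify as a
    legacy forwarder. treat_gua_as_forwarder (constructed switch) widens
    that to any address, which is the behaviour Ben argues against."""
    for ip in unencrypted_ips:
        family = "IPv6" if ipaddress.ip_address(ip).version == 6 else "IPv4"
        if baseline_ddr_ok(ip, encrypted_ip, cert):
            return Outcome(True, family, True)
        if relaxed and (treat_gua_as_forwarder or is_legacy_forwarder_address(ip)):
            return Outcome(True, family, False)
    return Outcome(False, "", False)


# --- constructed scenarios ---------------------------------------------------
# A "far away" designated resolver whose certificate covers only its own
# address (documentation prefix, constructed).
FAR_RESOLVER = "2001:db8::53"
FAR_CERT = Certificate(frozenset({ipaddress.ip_address(FAR_RESOLVER)}))

# Dual-stack home: GUA from the AT&T prefix quoted in the thread
# (2600:1700::/28; host part made up) plus a private IPv4 address.
DUAL_STACK = ["2600:1700:abcd::1", "192.168.1.254"]

# v6-only network where the local DNS server has a GUA.
V6_ONLY_GUA = ["2600:1700:abcd::1"]


def scenario_dual_stack() -> Outcome:
    """Barbara's question: private IPv4 and GUA IPv6 resolver addresses,
    both pointing at the same designated resolver. The relaxed client
    upgrades via the IPv4 server, as Ben expects."""
    return decide(DUAL_STACK, FAR_RESOLVER, FAR_CERT, relaxed=True)


def scenario_v6_only(client: str) -> Outcome:
    """Ben's v6-only example. "baseline" and "relaxed" both stay on the
    local resolver when the certificate does not cover its GUA;
    "relaxed-gua" shows the widened policy upgrading with no check at all."""
    return decide(V6_ONLY_GUA, FAR_RESOLVER, FAR_CERT,
                  relaxed=(client != "baseline"),
                  treat_gua_as_forwarder=(client == "relaxed-gua"))


if __name__ == "__main__":
    print("dual-stack, relaxed client:", scenario_dual_stack())
    for c in ("baseline", "relaxed", "relaxed-gua"):
        print(f"v6-only GUA, {c} client:", scenario_v6_only(c))
```

The `relaxed-gua` case is the one Ben's attacker scenario describes: with the scope rule removed, a bad certificate near the designated resolver no longer stops the upgrade, whereas both the baseline client and the in-scope relaxed client keep using the local resolver.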