Re: [Add] ECS privacy concerns, alternatives?
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 17 April 2019 19:18 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A2B9120308 for <add@ietfa.amsl.com>; Wed, 17 Apr 2019 12:18:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Edy3jLacW1XY for <add@ietfa.amsl.com>; Wed, 17 Apr 2019 12:18:19 -0700 (PDT)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEBA01200B8 for <add@ietf.org>; Wed, 17 Apr 2019 12:18:18 -0700 (PDT)
Received: by mail-qt1-x832.google.com with SMTP id w5so28616996qtb.11 for <add@ietf.org>; Wed, 17 Apr 2019 12:18:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hZ6wk0gEHXV0ai8GlTnjbhWdK7pxtJkqTKFfKLZ188c=; b=hhhiuKDkn/ldtittGVL2njTJJExqV579MfBtHho0zQGoYnm9TDTdq2/aGRx0B9T3rf XYtAIZFoU4WNDZpcU4SucPKQEDwQI6Y2LhGipNV8EvfsTHL7XlTwwq1Y/XJDhK2y4lfI tX98uPzGX4+ObKE1QxblmRjuBvewKBnQPAIpoUAriQ4n84mpOaaC9FmyPpcyzh6vE0eG b7nk2NoSVQTC67Eqt5hp5YvjASMydgkxu6zuTyZlE469hvig+AeHN0kPsx3SMJwKOqR2 7UwOc+Dima7FA/u2VDP+oe60xzgtl2cDSzj6p+pCveq5FlHru0TsvVOw2lM+xT4Sp2+1 OYwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hZ6wk0gEHXV0ai8GlTnjbhWdK7pxtJkqTKFfKLZ188c=; b=d5e+8ZqvM3nFIU9rnI/UPXr7DUU6Z8wXmxnDNjh0wn6QOz3Jas2q4RXvfNxX8MzWAT 6zam0g3MCFCEDKZhoPHW6uCGLpkhhvoxWb4hQfbc0sDeYII7v/boqRQ3yrvR8vROi4kF jrGnhU0u649HQMzQpxuSHJUa6iR0uz/cqgZZUcRM/ocCX3puaGozTphqoXI4LGhnyoSk 9gHQ/10+8ndrYI4ffw0LzoNlkp9AjzdFsncfD4G6c3WuAiBhErgRQgMH2cRAIiPrXhjJ sDgtRCWjvxkyVCqSV1dQaCVfi8oLIYvLYk1NDBjrYSZxgr2z80EKgvxohEwl62BalppV eWhg==
X-Gm-Message-State: APjAAAVKwsqITPKXVXoPHxYN6DhsnGfeW3OHaWofMsGfQ3h+nHet8rwd cz1IWbPF4klfK7NnjHr73+q/DJj3xeGbsuD01e4=
X-Google-Smtp-Source: APXvYqwuC/fln55k/ofyvwmdkLfPdwF4qcf0bI5oPd4RxyiU/9bQ7s7eAtrESjrgTxk4Zvf8vyEri3vV3lte/vu+AFA=
X-Received: by 2002:ac8:2b83:: with SMTP id m3mr74999051qtm.305.1555528698061; Wed, 17 Apr 2019 12:18:18 -0700 (PDT)
MIME-Version: 1.0
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca> <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com> <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de> <994839978.18707.1554973716877@appsuite.open-xchange.com> <af5f5c76-0095-65a0-39d1-d29d4bb0e906@mozilla.com> <ybl36mn8b54.fsf@w7.hardakers.net> <f9d0cd98-db0c-7f42-d351-d9a5002c4765@mozilla.com> <21C5261E-9DE0-4CFD-A949-6E91DD0C2552@cable.comcast.com> <9FDAE487-6E98-4332-BB57-A626A02A6402@cable.comcast.com> <CAH1iCiqPqWCEmT0DSyzu-DRtna_p1SZXuiK15HHyTrjnX1iUaA@mail.gmail.com> <CAKC-DJgmb1J281Z2j4q1NbBgf+S5PmvkJfXPDkhfX_sT6cn_PA@mail.gmail.com> <CAH1iCiqMOJ0M1EiGKORf2VKysFEtWV69tP2G+W6M9CEPzf4QWA@mail.gmail.com> <E2CD69F8-1B6F-493F-B18E-918B4855E075@hopcount.ca>
In-Reply-To: <E2CD69F8-1B6F-493F-B18E-918B4855E075@hopcount.ca>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 17 Apr 2019 12:18:06 -0700
Message-ID: <CAH1iCiqOLAtCTGavfAe2cq6biwh1+QgMbPcm-g-=2k8m=v3esw@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Erik Nygren <erik+ietf@nygren.org>, "Livingood, Jason" <Jason_Livingood@comcast.com>, "add@ietf.org" <add@ietf.org>, "Plonka, David" <dplonka@akamai.com>, Peter Saint-Andre <stpeter@mozilla.com>
Content-Type: multipart/alternative; boundary="0000000000007c68f60586bebf11"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/D_eoqhhz0m0sNzSW2fWdt_mcjCY>
Subject: Re: [Add] ECS privacy concerns, alternatives?
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2019 19:18:22 -0000
On Wed, Apr 17, 2019 at 11:35 AM Joe Abley <jabley@hopcount.ca> wrote: > On 17 Apr 2019, at 14:16, Brian Dickson <brian.peter.dickson@gmail.com> > wrote: > > Let's consider what the situation is, for authority servers. > > Some (not all, not none) are CDNs. Some (not all, not none) are not doing > ECS at all. Some (not all, not none) are doing ECS, but only using > "vanilla" ECS functionality, via third-party IP->GEO databases/services. > > The potential trade-off(s), as I see them, are: > > > So, to briefly join the threads just as further illustration to what I'm > talking about, what you're doing here looks a lot like trying to engineer a > solution for people you don't know based on requirements you're guessing > at. This seems unlikely to converge on anything useful. > > Actually, on this point, I beg to differ. What I am trying to do is separate out two or three classes of problem/solution, and avoiding having a single solution (with more complexity and cost) imposed on the rest of the DNS authority service community. I am very happy to leave the specifics of the "secret sauce" behind the curtain. I'm trying to find a way of distinguishing the "secret sauce" folks from the vanilla flavor folks, prior to the "established phase", so that what "established phase" looks like might be different (e.g. encrypted or not). I'm trying to do that distinction, upstream of established phase, for the benefit of those not using any special sauce, so that the cost of "vanilla" doesn't rise to being the same as the cost of "special sauce". And, I am doing this based on the requirements of a substantial portion of the non-"special-sauce" constituency, that portion of which I represent, whose requirements I not only know, but am responsible for. The fundamental question is, for me, whether it is possible to determine whether a given authority provider requires encryption, based on the dependency it has on ECS (so that it can provide "special sauce") If the authority provider does not require encryption, I would like to facilitate that, rather than always require authority providers to offer encrypted transport. I'm completely open to mechanisms that facilitate this divergence. There is not yet (AFAIK) consensus regarding requiring recursive-to-authority encrypted transport, and in the absence of such consensus, believe it is imperative that both encrypted and unencrypted transport options be supported. The resolvers may choose not to send ECS over unencrypted transport, and as long as that is a supported mode (with whatever mechanisms are required), I have no problem with resolvers and authority servers doing whatever they want over their encrypted channels. (BTW, this isn't to say that we don't also represent a substantial number of zones that do want ECS. We do, and do want to offer and use encrypted transport for those.) I am happy to lead any standardization effort (i.e. doing an internet draft) for the "geo" alternative to "ecs", and am also happy to let the "geo" thing go, as long we can discuss whether a "no-ecs, no encryption" option might be feasible. The "no ECS requirement" I'm speaking of, represents about 40% of the DNS zones served globally, who are our customers. That we are one provider with that customer base isn't as relevant, so much as that there are 40% of the zones with no need for ECS, and that the interaction between public resolvers and authority servers should be, IMHO, negotiable with respect to encrypted transport. > Being able to separate away 99% of the resolution problem in the lifetime > of a session ("established phase") into something that can be said not to > have any privacy or access control concerns beyond those that already exist > in the service being used means that all of the traffic engineering > required there can continue to be done behind the curtain, engineered with > a full serving of commercial advantage and richly flavoured with special > secret sauce. I'm not saying this is without complication or is something > that exists today, far from it: but it at least puts the design and > implementation in the hands of the service architects who know what they > need and, crucially, the details don't necessarily need wide exposure and > standardisation. > I agree that there is no specific requirement for standardization within the "special sauce" community. I was hoping that there might be some interest and value in a standardized "special sauce Lite" over and above the "special sauce" community. If not, no big deal. > > If there's to be an impact on performance from privacy, e.g. from a less > sophisticated (even empty) set of available mechanisms available to do > traffic steering at response time, it seems like it'd be really nice for it > to be brief (e.g., "initialisation phase"). > I agree whole-heartedly. I also think that the "initialisation phase" represents one place where security is extremely important, specifically in validating the identify of the service end-point. A lot of trust regarding privacy is placed on the end-point, so it is important that that trust not be misplaced. But I think that is subject for a separate thread. Brian
- [Add] Mozilla's DoH resolver policy Paul Hoffman
- Re: [Add] Mozilla's DoH resolver policy nusenu
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] Mozilla's DoH resolver policy Martin Thomson
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Valentin Gosu
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Jim Reid
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Manabu Sonoda
- Re: [Add] Mozilla's DoH resolver policy Valentin Gosu
- Re: [Add] Mozilla's DoH resolver policy Ray Bellis
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Daniel Stenberg
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] Mozilla's DoH resolver policy Vladimír Čunát
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Vladimír Čunát
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy nusenu
- Re: [Add] [Ext] Mozilla's DoH resolver policy Paul Hoffman
- Re: [Add] [Ext] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] [Ext] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] [Ext] Mozilla's DoH resolver policy Brian Dickson
- Re: [Add] [Ext] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy Ted Hardie
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Ted Hardie
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Christian Huitema
- Re: [Add] Mozilla's DoH resolver policy Mark Andrews
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Livingood, Jason
- Re: [Add] Mozilla's DoH resolver policy Livingood, Jason
- Re: [Add] Mozilla's DoH resolver policy Salz, Rich
- Re: [Add] Mozilla's DoH resolver policy Ben Schwartz
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Mark Delany
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Mark Delany
- Re: [Add] Mozilla's DoH resolver policy Christian Huitema
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] Mozilla's DoH resolver policy Geoff Huston
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] ECS privacy concerns, alternatives? Erik Nygren
- Re: [Add] ECS privacy concerns, alternatives? Joe Abley
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Joe Abley
- Re: [Add] ECS privacy concerns, alternatives? Paul Hoffman
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] Mozilla's DoH resolver policy Hollenbeck, Scott
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] ECS privacy concerns, alternatives? Puneet Sood
- Re: [Add] ECS privacy concerns, alternatives? Erik Kline
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson