[Add] Three degrees of (administrative) separation
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 28 May 2019 18:57 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44BBA12023D for <add@ietfa.amsl.com>; Tue, 28 May 2019 11:57:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CQfM7k9-t8AK for <add@ietfa.amsl.com>; Tue, 28 May 2019 11:57:38 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 180EF1200CC for <add@ietf.org>; Tue, 28 May 2019 11:57:38 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id b11so9027570lfa.5 for <add@ietf.org>; Tue, 28 May 2019 11:57:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=hRYuAn1rRe3I8mxpWmL8tT1NuoIILplyk79DuYqjFO8=; b=p5FczRp2I96YurafL0QgYwbZ6QfIZ4rDSaDO6OCTAxjoAUBbBLfHwadiuO6zKuY7e3 AAYQax1T6ocGp3B4H0qBA41keYsAXAi91DWgIgXsWhTWTWmRbbbpiDEqv6aEq854KpIb sFc89tMU+jorhNKTbyukfvkme5YzJd45q1HhA/hlk1BT4NIfyLBvKulFkkmPblJr1OyR EFwK+ip7qeV+nQzY7krznk4W+02wjycP1ZOzjiWBtavYEFuiibfOyKBTpXsJJUdPCtFZ 98YkH6tZx2hWKfL6iKGCvNIdERKa1pwbnLi0r3nHjVQtwNoICWk8IODpEgMt/mcfzVpq YqzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=hRYuAn1rRe3I8mxpWmL8tT1NuoIILplyk79DuYqjFO8=; b=VrCXGFf+mqGAsCYu+R1wXIsO+n+NG2fl7leBQQH/70UslouE5AUpDULUdbcysDb+yk i6xUTfZ7jVsXRw72wLjdRQ6dmBZ87I/fe8wcheu+L4boytAKR4luAnI1U3nNUH4HpUha eU9xVCwRsKW8v+JhaJbfMdRALj5kCnBt3KldnRb6SkaH94MT/L9zDYfbu9b1E+4HSZi+ hPB2ev05L92S64lhzRRaw1icaAvqFUJLqVoZzZlKP67QMVFvkWfQ/bJ4C0B2dGpmCnZd +PWc50Wuqxk4z08dYzkEWMBiCI0o0GQJoMu7vHxvbqOoxuQvRx2I8A44Jr/jqX5T+rvr q21w==
X-Gm-Message-State: APjAAAWDA4BDs2P6/KEjDLLEV1S8LTg27LN0bTxfEwhUINUcYUnDHO2g pknJR4FKBeF8m5v9m+F5KMsZLUqH7VSghAiocLQahg==
X-Google-Smtp-Source: APXvYqzWmvpM9IUZxgeyVgLgiE+C1v7R0OTzx8e8DkPv1xwi7qPxlR54uQZfDhh77OlgqzTV55q1aFfEppth5asYa/8=
X-Received: by 2002:a19:c20e:: with SMTP id l14mr19370273lfc.5.1559069854683; Tue, 28 May 2019 11:57:34 -0700 (PDT)
MIME-Version: 1.0
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 28 May 2019 11:57:21 -0700
Message-ID: <CAH1iCiqpmkEf3DR27kwWUzBCpAzwWVyHGFAozyN1xxRPYHrm7w@mail.gmail.com>
To: add@ietf.org
Content-Type: multipart/alternative; boundary="000000000000de57420589f73c5b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/RuT-vfUfGxAiIDPj7ONg4E0wrCM>
Subject: [Add] Three degrees of (administrative) separation
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 May 2019 18:57:44 -0000
I'm putting this into a new thread, so: (a) it doesn't get mis-threaded;
(b) its distinct set of issues don't get conflated; (c) it's easy to find
in the archives.
The three degrees of (administrative) separation are:
1. Network (including ACLs, firewall policies, RPZs, etc.)
2. Host administration (including network configuration and resolver
configuration -- I place DHCP use of offered DNS as host rather than
network, although one config choice is to defer to Network)
3. User/App administration (user preferences)
The reason I am highlighting this hierarchy (which under DoH/ADD is
potentially traditional/historical), is for the following issue:
Security policy which relies SOLELY on the host, is fatally flawed.
Security policy which replies SOLELY on the app, is doubly flawed.
Host compromise (whether at the app level or at the privileged user level)
in such a system, affects the only place where security policy is
implemented.
This in turn means a compromised host which does not have other mechanisms
for enforcing policy, is unrestricted in what it can do.
In some environments, for example (but not limited to) Enterprise networks,
a "belt and suspenders" approach is common.
E.g. hosts may be managed via automated systems, but network and/or DNS
policies may provide redundant protection, or even a greater level of
protection.
In these environments, host/app level protections are typically using
static sets of protection metadata which is updated periodically (daily or
weekly).
However, DNS level protections are frequently implemented with "live"
feeds, that are capable of updating metadata about "bad" sites at
very-near-realtime.
Given the very nature of HTTPS (on port 443), where name-based-hosting is
used and end-to-end encryption occurs prior to the HTTP headers, the
current best practice is to implement DNS-based mechanisms for handling the
network enforcement.
Here are the reasons for using DNS-based filtering for HTTPS traffic,
explained in pedantic fashion:
- It is not possible to use IP-only filtering, since IP addresses may
contain vast numbers of unrelated name-based hosting on web servers
- It is cost-prohibitive and insecure to employ MITM techniques which
require the decryption and re-encryption of traffic at a session level
- Host connections on the basis of name, require DNS resolution before
connections can be established
- Thus, use of DNS-based schemes to block HTTP(s) connections are
effective, and cost-effective
- Enforcement of DNS resolver usage via network-level ACLs on port 53
and/or 853 ensures DNS resolution mechanisms cannot be bypassed
- Without the ability to bypass DNS resolver choice (and presuming the
non-existence of DoH), a compromised app or host would need to implement
its own DNS scheme, which:
- would require use of an outside agent (since it cannot directly
contact DNS authorities if port 53 is blocked
- would require a hard-coded server (name or IP)
- at least potentially be detected in DNS logs (if it used name-based
connection resolution), or
- at least potentially be detected by the absence of DNS lookups (if
it used a hard-coded IP address).
In contrast, DoT usage at least provides the dedicated (IP, port)
combination that is detectable and filterable, allowing the continued use
of DNS-resolver selection enforcement, and the continued use of DNS-based
mechanisms.
Since DoT offers all of the same privacy protections as DoH, I am of the
opinion that implementing DoH in a way that bypasses both host
administration and network administration, is fundamentally incompatible
with enterprise usage.
On the other hand, I believe that use of DoT, either directly in the
browser, or over a system-level API/proxy, is not incompatible with the
enterprise use case. (There are other deployment considerations that need
further discussion, but DoT is the starting point for those discussions.)
Since the user population consists of a significantly non-negligible
proportion of users whose networks employ such mechanisms (including home
networks using third party DNS forwarders for filtered DNS), it may be time
to discuss ways to prevent deployment of browsers doing DoH, or to discuss
public resolver operators requiring that browsers use only DoT, possibly
with a very limited set of exception mechanisms (the "dissident" use case),
such as limiting that use case to incognito-mode, non-slit-tunnel VPN
service over HTTPS, enforced by the public resolver operator.
Brian (speaking for myself)
- [Add] Three degrees of (administrative) separation Brian Dickson
- Re: [Add] Three degrees of (administrative) separ… Stephen Farrell
- Re: [Add] Three degrees of (administrative) separ… Ralf Weber