[Add] Three degrees of (administrative) separation
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 28 May 2019 18:57 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44BBA12023D for <add@ietfa.amsl.com>; Tue, 28 May 2019 11:57:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CQfM7k9-t8AK for <add@ietfa.amsl.com>; Tue, 28 May 2019 11:57:38 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 180EF1200CC for <add@ietf.org>; Tue, 28 May 2019 11:57:38 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id b11so9027570lfa.5 for <add@ietf.org>; Tue, 28 May 2019 11:57:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=hRYuAn1rRe3I8mxpWmL8tT1NuoIILplyk79DuYqjFO8=; b=p5FczRp2I96YurafL0QgYwbZ6QfIZ4rDSaDO6OCTAxjoAUBbBLfHwadiuO6zKuY7e3 AAYQax1T6ocGp3B4H0qBA41keYsAXAi91DWgIgXsWhTWTWmRbbbpiDEqv6aEq854KpIb sFc89tMU+jorhNKTbyukfvkme5YzJd45q1HhA/hlk1BT4NIfyLBvKulFkkmPblJr1OyR EFwK+ip7qeV+nQzY7krznk4W+02wjycP1ZOzjiWBtavYEFuiibfOyKBTpXsJJUdPCtFZ 98YkH6tZx2hWKfL6iKGCvNIdERKa1pwbnLi0r3nHjVQtwNoICWk8IODpEgMt/mcfzVpq YqzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=hRYuAn1rRe3I8mxpWmL8tT1NuoIILplyk79DuYqjFO8=; b=VrCXGFf+mqGAsCYu+R1wXIsO+n+NG2fl7leBQQH/70UslouE5AUpDULUdbcysDb+yk i6xUTfZ7jVsXRw72wLjdRQ6dmBZ87I/fe8wcheu+L4boytAKR4luAnI1U3nNUH4HpUha eU9xVCwRsKW8v+JhaJbfMdRALj5kCnBt3KldnRb6SkaH94MT/L9zDYfbu9b1E+4HSZi+ hPB2ev05L92S64lhzRRaw1icaAvqFUJLqVoZzZlKP67QMVFvkWfQ/bJ4C0B2dGpmCnZd +PWc50Wuqxk4z08dYzkEWMBiCI0o0GQJoMu7vHxvbqOoxuQvRx2I8A44Jr/jqX5T+rvr q21w==
X-Gm-Message-State: APjAAAWDA4BDs2P6/KEjDLLEV1S8LTg27LN0bTxfEwhUINUcYUnDHO2g pknJR4FKBeF8m5v9m+F5KMsZLUqH7VSghAiocLQahg==
X-Google-Smtp-Source: APXvYqzWmvpM9IUZxgeyVgLgiE+C1v7R0OTzx8e8DkPv1xwi7qPxlR54uQZfDhh77OlgqzTV55q1aFfEppth5asYa/8=
X-Received: by 2002:a19:c20e:: with SMTP id l14mr19370273lfc.5.1559069854683; Tue, 28 May 2019 11:57:34 -0700 (PDT)
MIME-Version: 1.0
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 28 May 2019 11:57:21 -0700
Message-ID: <CAH1iCiqpmkEf3DR27kwWUzBCpAzwWVyHGFAozyN1xxRPYHrm7w@mail.gmail.com>
To: add@ietf.org
Content-Type: multipart/alternative; boundary="000000000000de57420589f73c5b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/RuT-vfUfGxAiIDPj7ONg4E0wrCM>
Subject: [Add] Three degrees of (administrative) separation
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 May 2019 18:57:44 -0000
I'm putting this into a new thread, so: (a) it doesn't get mis-threaded; (b) its distinct set of issues don't get conflated; (c) it's easy to find in the archives. The three degrees of (administrative) separation are: 1. Network (including ACLs, firewall policies, RPZs, etc.) 2. Host administration (including network configuration and resolver configuration -- I place DHCP use of offered DNS as host rather than network, although one config choice is to defer to Network) 3. User/App administration (user preferences) The reason I am highlighting this hierarchy (which under DoH/ADD is potentially traditional/historical), is for the following issue: Security policy which relies SOLELY on the host, is fatally flawed. Security policy which replies SOLELY on the app, is doubly flawed. Host compromise (whether at the app level or at the privileged user level) in such a system, affects the only place where security policy is implemented. This in turn means a compromised host which does not have other mechanisms for enforcing policy, is unrestricted in what it can do. In some environments, for example (but not limited to) Enterprise networks, a "belt and suspenders" approach is common. E.g. hosts may be managed via automated systems, but network and/or DNS policies may provide redundant protection, or even a greater level of protection. In these environments, host/app level protections are typically using static sets of protection metadata which is updated periodically (daily or weekly). However, DNS level protections are frequently implemented with "live" feeds, that are capable of updating metadata about "bad" sites at very-near-realtime. Given the very nature of HTTPS (on port 443), where name-based-hosting is used and end-to-end encryption occurs prior to the HTTP headers, the current best practice is to implement DNS-based mechanisms for handling the network enforcement. Here are the reasons for using DNS-based filtering for HTTPS traffic, explained in pedantic fashion: - It is not possible to use IP-only filtering, since IP addresses may contain vast numbers of unrelated name-based hosting on web servers - It is cost-prohibitive and insecure to employ MITM techniques which require the decryption and re-encryption of traffic at a session level - Host connections on the basis of name, require DNS resolution before connections can be established - Thus, use of DNS-based schemes to block HTTP(s) connections are effective, and cost-effective - Enforcement of DNS resolver usage via network-level ACLs on port 53 and/or 853 ensures DNS resolution mechanisms cannot be bypassed - Without the ability to bypass DNS resolver choice (and presuming the non-existence of DoH), a compromised app or host would need to implement its own DNS scheme, which: - would require use of an outside agent (since it cannot directly contact DNS authorities if port 53 is blocked - would require a hard-coded server (name or IP) - at least potentially be detected in DNS logs (if it used name-based connection resolution), or - at least potentially be detected by the absence of DNS lookups (if it used a hard-coded IP address). In contrast, DoT usage at least provides the dedicated (IP, port) combination that is detectable and filterable, allowing the continued use of DNS-resolver selection enforcement, and the continued use of DNS-based mechanisms. Since DoT offers all of the same privacy protections as DoH, I am of the opinion that implementing DoH in a way that bypasses both host administration and network administration, is fundamentally incompatible with enterprise usage. On the other hand, I believe that use of DoT, either directly in the browser, or over a system-level API/proxy, is not incompatible with the enterprise use case. (There are other deployment considerations that need further discussion, but DoT is the starting point for those discussions.) Since the user population consists of a significantly non-negligible proportion of users whose networks employ such mechanisms (including home networks using third party DNS forwarders for filtered DNS), it may be time to discuss ways to prevent deployment of browsers doing DoH, or to discuss public resolver operators requiring that browsers use only DoT, possibly with a very limited set of exception mechanisms (the "dissident" use case), such as limiting that use case to incognito-mode, non-slit-tunnel VPN service over HTTPS, enforced by the public resolver operator. Brian (speaking for myself)
- [Add] Three degrees of (administrative) separation Brian Dickson
- Re: [Add] Three degrees of (administrative) separ… Stephen Farrell
- Re: [Add] Three degrees of (administrative) separ… Ralf Weber