IETF Logo Mail Archive

Re: [Add] draft-arkko-abcd-distributed-resolver-selection

"Chris Box (BT)" <chris.box.ietf@gmail.com> Sat, 21 March 2020 16:32 UTC

Return-Path: <chris.box.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 769D93A148C for <add@ietfa.amsl.com>; Sat, 21 Mar 2020 09:32:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3vwwRre-g_vd for <add@ietfa.amsl.com>; Sat, 21 Mar 2020 09:32:08 -0700 (PDT)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F5413A0CB4 for <add@ietf.org>; Sat, 21 Mar 2020 09:32:08 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id c9so934698qtw.7 for <add@ietf.org>; Sat, 21 Mar 2020 09:32:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=o6CNjQxCnZkPoPso43gaDhFBPUHqy+szj86kwsZQvbo=; b=JiM9JlzTv/gJv9jeFZx6+EKcL9KcMX8fp7eSnWkgK7qspzTmtul80iQFXGhgjHrmGG cKbJFq/LynQZIEsPlzqZGawIOle+o84r04BtBNNVMx7mAZXK7UmeeaAod0Yv27KrxtS+ kZMyj1FCaerrB9A5qUKQ3QqP/SlWQfLIayWPiGz20RyiEzMcEfktKfiDNvcaDFQtGKTj 8PFtfupAOY5DnfM5x45lIZobQ2DvYJPwxlKBZfq/Uf5KRmqnWbDdfr7xxdR51NRlj9Vs WNmjLF5wkS5bHoXabzHISJtz2eVxzdTyy4sEI+hlBFi13PUHxph9e1ycjlqali5l5+D9 m9Pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=o6CNjQxCnZkPoPso43gaDhFBPUHqy+szj86kwsZQvbo=; b=QLRzpnfPdxvDkQ7LU2c7cuSsMPVGN0VdIzBo0l1cgIWDrM+uGhlSb73lSxwdNaNdcR 3YnJuRx40TBxMGY+e79L50Zccnr8dT6KxP57G8Ag3buZ24oyKxT++KtsFg6wAewVH/P5 /7P8tVYPO2XFnXUM1hfjLudD4kqkeK1guRUF/QOX/sXgrkKyR0EZ+l2LCa/h4xNqlYUl aSV4K2I0TpehYjFzBYvBS3aGg5nLTPfZB8LjGobPEV0be7YnNWGuluQ8BIt3XU2DufNN cio9TDbsXm9dEJCSgJQEapgQyQZMDmXkgrZpX5RmY29MjvFSeHGvZvb0/xaXcpVBa785 ogOQ==
X-Gm-Message-State: ANhLgQ3vtPqzZuIaSH9kHI0q1KvottxKMbZzS+jp7+05h1PzYxE6vbUD gQrbY8YW6QlmXWSrWzzftElCR1cc6YSv3vYD60Y=
X-Google-Smtp-Source: ADFU+vt9DMIZkMCAoWVWoAypWNyIktbdwTHlsUZNA8MrkIz6GOwjjarMjUoL/drUWGqBWU/MZic6to+nu4X4qmaayOA=
X-Received: by 2002:ac8:2648:: with SMTP id v8mr14125917qtv.65.1584808327147; Sat, 21 Mar 2020 09:32:07 -0700 (PDT)
MIME-Version: 1.0
References: <CA+9kkMDvX7e0WkRMmJtf33GwMQQ1rAGny87UwneA6znCom_85Q@mail.gmail.com> <CACJ6M17rjhta9rqFHAJ_JaugRiCR7xvAChww0uO912-NayQwEQ@mail.gmail.com> <CA+9kkMBug-PfkJsQ2-cm5G-J+iynma2OJzYJ3AjM6Gpzg-fFkg@mail.gmail.com>
In-Reply-To: <CA+9kkMBug-PfkJsQ2-cm5G-J+iynma2OJzYJ3AjM6Gpzg-fFkg@mail.gmail.com>
From: "Chris Box (BT)" <chris.box.ietf@gmail.com>
Date: Sat, 21 Mar 2020 16:31:55 +0000
Message-ID: <CACJ6M15gHiNDyCPNAaS2aYnzcnEOEW21SeTo0Bkt9rpsYfz4Bw@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: ADD Mailing list <add@ietf.org>, Jari Arkko <jari.arkko@piuha.net>, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="00000000000060752f05a15ff12a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/SxQIt0IWQUo8Pbei01jF8qi9zds>
Subject: Re: [Add] draft-arkko-abcd-distributed-resolver-selection
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Mar 2020 16:32:13 -0000

Hi Ted,

Thanks for responding. Let's take a look:

On Fri, 20 Mar 2020 at 21:24, Ted Hardie <ted.ietf@gmail.com> wrote:

>
> If you look at section 4.1, you'll see that one of the strategies is "to
> distribute each different client to a different resolver."  If the client's
> trusted set includes the local network resolver, it might well be
> associated with that network.    Because this strategy is focused on the
> aggregate distribution of DNS queries, there are a lot of cases where the
> local network being trusted means the current association methods don't
> actually change for some clients.
>

To clarify, we're talking here about the case where the client's trusted
set consists of these two:
* The local resolver
* A more distant resolver

These two are operated by different parties. I agree that in strategy 4.1,
sometimes it will exclusively use the local resolver, and this means no
change in behaviour. Other times it will not.  In the general case, clients
use a mixture of the two.

If you put resolvers with different policies into the trusted set, that can
> happen.  If the resolvers are transparent about their policies, this seems
> less likely to happen, because you will put resolvers into the set only
> when you are both confident of their privacy-preserving behavior and that
> their policies match your desires.
>

Given that the resolvers within the set are operated by different parties,
I would say it's extremely likely that their privacy policies will have
non-identical wording, and consequently different semantics. As a user it's
already hard enough to read one privacy policy and satisfy yourself it's
ok. To have to do this more than once is quite a (human) challenge.

>

> I'm not familiar enough with SAC 109 to comment, so I'll leave that to
> others.  My personal belief is that the ability to choose what resolvers
> belong in the set is important enough that it should map to the client's
> controller (which might be an individual, the parent of child, the
> enterprise owner of an employee device).
>

I will suggest it’s worth a read, as the issues are complex enough that
they can’t be solved by requiring administrative control of the client.

>
I find your graphic a bit confusing, because you are not treating the stub
> resolver in the home router as if it were a part of the calculus here.  If
> I understand things correctly, if those clients were actively choosing to
> use a resolver here (rather than taking one by association), they would be
> choosing the home router, rather than A (let's call the home router
> resolver H).  They presumably believe H has policies that match the ones
> they prefer; A is opaque to them.  But H sees the traffic of all five
> clients; that's the common trade-off there.
>

Yes H could be part of the set, but since this draft is about using
multiple resolvers it would not be the only one. There must be at least one
remote resolver.

I had drawn it using two remotes (A & B), but if instead it was one remote
(H & A), the same issue applies. Resolver A can individually discriminate
between all the clients who are contacting it. Compare this with the status
quo, where H is the sole intermediary, and remote recursive resolvers do
not obtain that fine-grained client identification.


> As I said, there are trade-offs here.  In any case where your query
> traffic goes to a recursive resolver, the number of clients sharing that
> resolver increases the anonymity set for traffic analyzed upstream of that
> resolver.  In your first example, because your A is upstream of H, H's
> clients get an anonymity set size of 5 with respect to A.  In your example
> two, for traffic analyzed upstream of A or B, the anonymity set size is
> likely to be much higher, but the tradeoff is that that A (or B) has a more
> direct view of a larger number of clients.
>

Yes, we agree with the more direct view of the clients. I wasn't really
thinking about upstream of the recursives, but yes on that side, the larger
the number of clients using A, the more anonymity. For a large ISP, this
can be well into the millions.

Thanks,
Chris

v2.23.0 | Report a Bug | By Email