Re: [Add] [EXTERNAL] Re: Authentication Sub-topics for Tuesday Interim (homework for Tuesday's meeting)

Tommy Jensen <Jensen.Thomas@microsoft.com> Mon, 21 September 2020 18:08 UTC

From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: Christian Huitema <huitema@huitema.net>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, Tommy Pauly <tpauly@apple.com>, Eric Rescorla <ekr@rtfm.com>
CC: ADD Mailing list <add@ietf.org>, "Deen, Glenn" <Glenn_Deen@comcast.com>
Date: Mon, 21 Sep 2020 18:08:33 +0000
Message-ID: <DM6PR00MB07815D6C695BF3C915691467FA3A1@DM6PR00MB0781.namprd00.prod.outlook.com>
References: <CABcZeBPuq86Fj0VYQ+1j8ZWo+4BT1bDJGfnRmi82oUc8Xns=PQ@mail.gmail.com> <A332081D-69AE-45F8-9E61-6ACA3D071C1E@apple.com> <1557871922.1625.1600173809868@appsuite-gw2.open-xchange.com> <BY5PR00MB07731B1505ECFCC3074EF9D0FA201@BY5PR00MB0773.namprd00.prod.outlook.com>, <a5a5bbd6-2695-f97f-26b3-eef0f25aa9cf@huitema.net>
In-Reply-To: <a5a5bbd6-2695-f97f-26b3-eef0f25aa9cf@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/-o8CFOrxObPl1leRH8CCdyHA8HU>
List-Id: Applications Doing DNS <add.ietf.org>

Hey Christian,

I think scoping the problem to "well identified network" seems reasonable.

Do we need a protocol for this case? If I can get the network's DoH template from the same source I got the SSID from, then they're equivalently trusted. For enterprises, that can reuse existing network profile configuration mechanisms. For coffee shop / airport / hotel style networks, that can be printed on the same sign/card as the SSID/password (or the captive portal page as part of use terms?).

Perhaps this is exactly what you meant and I'm just being dense.

Thanks,
Tommy

================================================

The latest in Windows Internet Protocols:

  Native gRPC support: https://aka.ms/grpcblogpost

  DNS over HTTPS: https://aka.ms/dohblogpost

________________________________
From: Christian Huitema <huitema@huitema.net>
Sent: Tuesday, September 15, 2020 11:40 AM
To: Tommy Jensen <Jensen.Thomas@microsoft.com>; Vittorio Bertola <vittorio.bertola@open-xchange.com>; Tommy Pauly <tpauly@apple.com>; Eric Rescorla <ekr@rtfm.com>
Cc: ADD Mailing list <add@ietf.org>; Deen, Glenn <Glenn_Deen@comcast.com>
Subject: Re: [Add] [EXTERNAL] Re: Authentication Sub-topics for Tuesday Interim (homework for Tuesday's meeting)



On 9/15/2020 11:03 AM, Tommy Jensen wrote:
> Hey Vittorio,
>
> To follow up on this and from our conversation on Jabber for the same proposal:
>
> > What would be the security problem if 10.0.0.1 via Do53 received a "resolver discovery" query, forwarded it to the main resolver, received a DNSSEC-signed response, forwarded you the response, and the response included both a DoH URI and a TLSA record that the DoH resolver's certificate has to match?
>
> The problem is there's no name associated with the original Do53 server. The client, in order to trust the DNSSEC claim, needs to know the name being signed in advance. Otherwise, an attacker can intercept and replace the DNSSEC-signed DoH URI and TLSA record with their own DoH server information, correctly DNSSEC signed.
>
> A client in this scenario can't distinguish between valid signed data for "doh.example-isp.com" and "doh.example-attacker.com". Realistically, this will complicate any attempt to validate ownership between a non-public Do53 IP address and a DoH server. Until the network authentication problem is more generally solved, I don't think authenticating local DNS servers is a good use of the WG's time.


But is that problem even solvable? The chain of events seems to be:


1) Connect to some random network

2) Get the IP address of the local Do53 resolver using DHCP

3) Infer the identity of the equivalent DoH resolver

4) Connect to said resolver

5) Verify that it is equivalent to the Do53 resolver


Step 5 checks that the identity verified by TLS matches the DoH identity discovered in step 3. Thus, it cannot be more secure than the process used to infer that identity. In the case of "random networks", I don't see how that can be secured. You might push it one layer down if the L2 network is somehow configured, and for example associate a DoH identity with a Wi-Fi network ID, but then we are not considering random networks anymore. Do we want to replace "random network" with "well identified network"?


-- Christian Huitema
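The substitution Tommy describes and the step 5 check in Christian's chain, modelled as an added example that is not code from the thread or from any of its participants. It assumes the TLSA record is matched DANE-EE style against the SHA-256 of the DoH server's SubjectPublicKeyInfo, and it uses an HMAC keyed per zone as a stand-in for a DNSSEC chain of trust so that it runs with the Python standard library alone; every zone name, key, URI template and SPKI value below is constructed for illustration.

```python
"""
Toy model of resolver discovery steps 3-5 (infer DoH identity, connect,
verify) with a DNSSEC-signed discovery answer carrying a DoH URI template
and a TLSA-style SPKI hash.

Assumptions (not from the thread): HMAC-SHA256 under a per-zone key stands
in for RRSIG validation through a chain of trust; the TLSA data is a
DANE-EE style SHA-256 of the server's SPKI. Names, keys and SPKIs are all
constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Zone keys the client's (toy) chain of trust accepts. Both zones validate:
# the attacker legitimately signs its own zone, which is the whole point.
ZONE_KEYS: Dict[str, bytes] = {
    "example-isp.com.": b"constructed-isp-zone-key",
    "example-attacker.com.": b"constructed-attacker-zone-key",
}


@dataclass(frozen=True)
class DiscoveryRecord:
    owner: str             # owner name of the signed RRset
    doh_template: str      # DoH URI template carried in the answer
    tlsa_spki_sha256: str  # hex SHA-256 of the DoH server's SPKI (TLSA-style)
    rrsig: bytes           # toy RRSIG over owner + RDATA


def zone_of(owner: str) -> Optional[str]:
    """Walk up the owner name to the closest zone with a trusted key (toy chain walk)."""
    labels = owner.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONE_KEYS:
            return candidate
    return None


def _signed_bytes(owner: str, doh_template: str, spki_hex: str) -> bytes:
    return f"{owner}|{doh_template}|{spki_hex}".encode()


def sign_record(owner: str, doh_template: str, spki_hex: str) -> DiscoveryRecord:
    """Zone operator side: sign the discovery RRset with the zone's key."""
    zone = zone_of(owner)
    if zone is None:
        raise ValueError(f"no signing key for {owner}")
    tag = hmac.new(ZONE_KEYS[zone], _signed_bytes(owner, doh_template, spki_hex), hashlib.sha256).digest()
    return DiscoveryRecord(owner, doh_template, spki_hex, tag)


def dnssec_validate(rec: DiscoveryRecord) -> Optional[str]:
    """Return the owner name the chain of trust proves for this data, or None if it fails."""
    zone = zone_of(rec.owner)
    if zone is None:
        return None
    expected = hmac.new(ZONE_KEYS[zone], _signed_bytes(rec.owner, rec.doh_template, rec.tlsa_spki_sha256), hashlib.sha256).digest()
    return rec.owner if hmac.compare_digest(expected, rec.rrsig) else None


def spki_sha256(spki: bytes) -> str:
    return hashlib.sha256(spki).hexdigest()


def select_doh_resolver(rec: DiscoveryRecord, presented_spki: bytes, expected_owner: Optional[str] = None) -> Optional[str]:
    """
    Client side. Returns the accepted DoH template, or None.
    expected_owner is the name the client learned out of band (e.g. from the
    same source as the SSID); without it, any validly signed zone is accepted.
    """
    owner = dnssec_validate(rec)
    if owner is None:
        return None  # forged or tampered data: DNSSEC does catch this
    if expected_owner is not None and owner != expected_owner:
        return None  # wrong zone: only an out-of-band name pin catches this
    if not hmac.compare_digest(rec.tlsa_spki_sha256, spki_sha256(presented_spki)):
        return None  # step 5: TLS identity does not match the discovered TLSA data
    return rec.doh_template


# Constructed actors: the ISP's real resolver and an on-path attacker's.
ISP_SPKI = b"constructed SPKI of doh.example-isp.com"
ATTACKER_SPKI = b"constructed SPKI of doh.example-attacker.com"
ISP_OWNER = "_dns.resolver.example-isp.com."
ISP_RECORD = sign_record(ISP_OWNER, "https://doh.example-isp.com/dns-query{?dns}", spki_sha256(ISP_SPKI))
ATTACKER_RECORD = sign_record("_dns.resolver.example-attacker.com.", "https://doh.example-attacker.com/dns-query{?dns}", spki_sha256(ATTACKER_SPKI))


def tampered_isp_record() -> DiscoveryRecord:
    """Attacker keeps the ISP owner name but swaps in its own RDATA; the RRSIG no longer matches."""
    return DiscoveryRecord(ISP_RECORD.owner, ATTACKER_RECORD.doh_template, ATTACKER_RECORD.tlsa_spki_sha256, ISP_RECORD.rrsig)


def run_scenarios() -> Dict[str, Optional[str]]:
    return {
        "honest, no pin": select_doh_resolver(ISP_RECORD, ISP_SPKI),
        "tampered owner, no pin": select_doh_resolver(tampered_isp_record(), ATTACKER_SPKI),
        "substituted zone, no pin": select_doh_resolver(ATTACKER_RECORD, ATTACKER_SPKI),
        "substituted zone, pinned": select_doh_resolver(ATTACKER_RECORD, ATTACKER_SPKI, ISP_OWNER),
        "honest, pinned": select_doh_resolver(ISP_RECORD, ISP_SPKI, ISP_OWNER),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:26s} -> {result or 'rejected'}")
```

The third scenario is the one in the thread: the attacker's record validates under its own zone, its server matches its own TLSA data, and a client that has no expected name accepts it. DNSSEC on its own only rejects the tampered record. The pinned variant, where the expected owner name reached the client by the same path as the SSID or a network profile, is what turns step 5 into a real check.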