IETF Logo Mail Archive

Re: [Add] Private IPs, DDR, and PR#11

Eric Rescorla <ekr@rtfm.com> Thu, 08 July 2021 03:11 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 099833A090B for <add@ietfa.amsl.com>; Wed, 7 Jul 2021 20:11:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CGWvjd34_aUM for <add@ietfa.amsl.com>; Wed, 7 Jul 2021 20:11:49 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37F973A0905 for <add@ietf.org>; Wed, 7 Jul 2021 20:11:47 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id y8so6378948iop.13 for <add@ietf.org>; Wed, 07 Jul 2021 20:11:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Qa0yC0LWvJ3dYhqMpkCCdA4bIk+j4lpIy5j2D6HroVc=; b=yUb6xP/jWGqYTS2BfyR8uej/ZaqmpYeAdTeqHAcljSC2wGzs1DZMplbpw1VDFa6Y43 v21cQbF090wKIHWn2xwC1ZmiBbNmiCjEx/T9uyUU1B1ZyJY+rqHWsHSsX8WeRBkJmvhK OA49da0+ptWtcsUfsr7W7jq5zBEDdOcjx/CIKnWKZgAfROLvfhc6pgtRd+9W6Qeppg+l TDzRw41+DQEFgMuOrhXQ1IO5C8WPWD66T/U6BE7m97ST2MMMk6pQQzDM7Tm4V0w4U+Wt 1isf3plOgb+SDBOo+OFaNwzr8pHZ3CYxrXNRQSvMT50/HHhC5mEbDttQGt0Ji85gDouj 1Peg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Qa0yC0LWvJ3dYhqMpkCCdA4bIk+j4lpIy5j2D6HroVc=; b=aGhLHKcpS5OnRRd7XVsF2GGQgKG7U6FPcW2nrFupLmW61eUJvMQ/M4Shz3ApKpA54b BJodkdnrB6mkgi3odswsQN1Iz5uvaIITnn09k+dTmNBwlxVBoEpby6jwEVQp7lyIr7Nx yEXQs7YZID404ehrsDHfzhqUVvvKj7/STXj6bTbH8tQThMczj4AdBMro9v41kESrfUhp EhL970tJODISmcmW9f4ZaWx1Limp04husYswcBAQF5tuI7JIysduVYtA8U9hsN4yA318 4W5cNbNahiNFwjpLENmp/7JZb22EpW3yR7SFrTKUZeHIKZLUparhy6RZ2NBxhNvilpE7 3cbw==
X-Gm-Message-State: AOAM530D6S7sdBtPwhCxnhzE28DvzJpsDiJw0cmlvhlhxI6c79Y9xFvV XdTYHrG0xEWv2FFr8yeawDLJI3o9wgi7JeovU/ZB6ejGiFoDhA==
X-Google-Smtp-Source: ABdhPJyoteUjHXeBpTPOSRsx1ffX/hwaRQh45MF5hWM91sOfgmESAAfQvW3ZdgR1yVvajXThiS/Ew2OtvDK7XjnbbWg=
X-Received: by 2002:a6b:6205:: with SMTP id f5mr22295674iog.60.1625713906288; Wed, 07 Jul 2021 20:11:46 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBOf2C9dSoYr2w6tEOLkpL_pBu5EhBh3HJWKf+iyAfafKg@mail.gmail.com> <CAHbrMsBDT1G2qT8g1e+5yOdQkq7nfKw1vNemYE4zJ7J5qL8z=A@mail.gmail.com>
In-Reply-To: <CAHbrMsBDT1G2qT8g1e+5yOdQkq7nfKw1vNemYE4zJ7J5qL8z=A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 07 Jul 2021 20:11:10 -0700
Message-ID: <CABcZeBMYavozy81+OiytxsE7QZ0EOPfucx6wHzFbB9M9ag5Z8w@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e452dd05c694033a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/VCpAFxIMcMeF-dmzjuYOxv4M5Oc>
Subject: Re: [Add] Private IPs, DDR, and PR#11
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jul 2021 03:11:54 -0000

On Wed, Jul 7, 2021 at 8:01 AM Ben Schwartz <bemasc@google.com> wrote:

>
> On Thu, Jul 1, 2021 at 6:18 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
> Can we get this documented before we start designing mechanisms?
>>
>
> I'm not sure what you mean.  Section 5 of the requirements draft [1] says
>
>     +-------------+---------------------------------------------------+
>     | R4.1        | If the local network resolver is a forwarder that |
>     |             | does not offer encrypted DNS service, an upstream |
>     |             | encrypted resolver SHOULD be retrievable via      |
>     |             | queries sent to that forwarder.                   |
>     +-------------+---------------------------------------------------+
>     | R4.2        | Achieving requirement 4.1 SHOULD NOT require any  |
>     |             | changes to DNS forwarders hosted on non-          |
>     |             | upgradable legacy network devices.                |
>     +-------------+---------------------------------------------------+
>     | R5.1        | Discovery MUST NOT worsen a client's security or  |
>     |             | privacy posture.                                  |
>     +-------------+---------------------------------------------------+
>     | R5.2        | Threat modelling MUST assume that there is a      |
>     |             | passive eavesdropping attacker on the local       |
>     |             | network.                                          |
>     +-------------+---------------------------------------------------+
>     | R5.3        | Threat modelling MUST assume that an attacker can |
>     |             | actively attack from outside the local network.   |
>     +-------------+---------------------------------------------------+
>     | R5.4        | Attackers MUST NOT be able to redirect encrypted  |
>     |             | DNS traffic to themselves when they would not     |
>     |             | otherwise handle DNS traffic.                     |
>     +-------------+---------------------------------------------------+
>
> I think these requirements (except perhaps R5.3) represent the goal of PR
> #11.
>

I think perhaps I missed 5.2, but I don't think it really answers my
question: what actual network environment does this correspond to? How
common is it? The rationale for the original DDR was that DHCP was somehow
special and could be trusted to deliver the IP address of the resolver, but
that's not true here.



[1]
> https://datatracker.ietf.org/doc/html/draft-ietf-add-requirements#section-5
>
> That would also help understand the effectiveness of the 5 minute
>> timeout.
>>
>>
>> Finally, assuming I've understood things correctly, reaching through
>> the CPE in this way seems like it has the potential to bypass any
>> CPE-specific filtering that the user has has installed. Suppose I have
>> some CPE that uses the ISP DNS but filters out certain names; if the
>> ISP posts a _SVCB record that directs me to their resolver, doesn't
>> that cause that filtering not to work?
>>
>
> Yes, but the CPE controls whether this upgrade occurs.  To control the DDR
> process, the CPE replies to the SVCB query (ideally advertising its own
> encrypted endpoint, but NODATA/NXDOMAIN will also work).
>

I would say rather that the CPE has the opportunity to prevent the upgrade
from occurring. However, as I understand the situation, the current CPEs
that do filtering will simply be invisible to this process.

-Ekr

v2.23.0 | Report a Bug | By Email