IETF Logo Mail Archive

Re: [Add] [EXTERNAL] My single use case

Ben Schwartz <bemasc@google.com> Thu, 10 September 2020 20:48 UTC

Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1EF3A0FA4 for <add@ietfa.amsl.com>; Thu, 10 Sep 2020 13:48:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GTzV9PwPaSj1 for <add@ietfa.amsl.com>; Thu, 10 Sep 2020 13:48:17 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02E483A0F9C for <add@ietf.org>; Thu, 10 Sep 2020 13:48:16 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id u126so8677642iod.12 for <add@ietf.org>; Thu, 10 Sep 2020 13:48:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9ryk3V3QGed8vED4rtmr+UnjWjCFBkazYe6yjcixrAw=; b=lCErxWqanUCAWph0/XYYo21ZrsXUFfQl1N4RXw47jy2ROyuGk5MqnJimvBQIs1xmYu NSCcqCzEued5Gy+3i73xfDmDuPtw55EHLQeHY8ik7Na0qjc1saydera4Y6HOh+qHk0Cz PszBPmuMbLANUfzbpQGtDylj9RDxpjQueWUTvXdo46bQQRM7oa9ORaHQyhTX3Pavha64 KxSkwIgSQVt3lgt5eI+TyJGeH/lR63pjWyuLZGKxJ7xlifM0fgUEKPIXIYwZrjnHIsRV XoInfpw3yTeroaEreh0wRIJTKtXXE8QGftDT0eB267sLlEHOLCJfLKu06pCZWs2y/ble t/Ew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9ryk3V3QGed8vED4rtmr+UnjWjCFBkazYe6yjcixrAw=; b=XKdsoXYQcFZeY/ot0h6CizeEcJdcU9VCDkml0Qc91kRHEUcHsa/n2xt6hUqNMnJ/GI DTYIQrZAADaMz/jzqhHfFkxmcJQ7iC/eA80/ibUB6SBQnCyrD4CBvlNsSWV7GfilWRQy efysxicAqAwtwTu0rdfBJ9ktAPaSEf3PQoNlstwVAoFuw6YAEbDol6Ej7LmgAm9M/ivo pJ5w54ERaZAaZMEOJyeIW7AVv9eLni3sV/RSk7XQkDBa0i7T3g1au3cLvkX2nv1s9GeC LKQBQ4hVmZnlPNDcdgldTRL4p1iKnCEFyqzW78aBd+ar/hxx2bjLmfj3+3PkjOK4Habx I4+w==
X-Gm-Message-State: AOAM5306o8Vm2TwCdi45ypit9AYtdWYLICUCxUeXg3uQn9cB7IytJysf StnUNcbF+3Ubu4GBuRsmWZVvcgKpG2AXoSxjTxyYBg==
X-Google-Smtp-Source: ABdhPJz4/12ZOJj9vl2a2eQY9M4VWiUxLC5TbF8Emh9fSyWdKfxJzMJEvo5/JDx5zgjEby0Iy/JStf1Z0gCrBdw8+6Y=
X-Received: by 2002:a02:486:: with SMTP id 128mr2923627jab.8.1599770895877; Thu, 10 Sep 2020 13:48:15 -0700 (PDT)
MIME-Version: 1.0
References: <d4bd287a-d2ce-40cd-b635-4f74efbc77f6@www.fastmail.com> <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com>
In-Reply-To: <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 10 Sep 2020 16:48:04 -0400
Message-ID: <CAHbrMsBduVj7fzutp9x7rYpXo6wLUK7-Pe4VvDHaF45dj==PYQ@mail.gmail.com>
To: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>
Cc: Martin Thomson <mt@lowentropy.net>, "add@ietf.org" <add@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000ffa17c05aefbaf9a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/VLkD9X0JNS2HiLr-BC15YAqgLxI>
Subject: Re: [Add] [EXTERNAL] My single use case
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 20:48:19 -0000

On Thu, Sep 10, 2020 at 11:31 AM Tommy Jensen <Jensen.Thomas=
40microsoft.com@dmarc.ietf.org> wrote:

> > As a new device or application, when I join a network that I have no
> prior relationship with or configuration for, I want to discover the DoT or
> DoH resolver that corresponds to the Do53 resolver offered by that network
>
> My issue with this scenario is I see "discover a DoT/DoH" server
> differently from "discover a DoT/DoH server that corresponds to the Do53
> resolver". The former doesn't require authentication to meet security
> parity with Do53 server use today. The latter is a novel concept I would
> prefer to be authenticated. This means for existing TLS infra would only be
> possible for publicly routable IP addresses, a subset of the
> network-offered servers out there.
>

I think of this as a distinction about how the correspondence is
validated.  In one scenario, the client validates the correspondence
topologically.  That could be the IP network topology (e.g. using the same
IP for both Do53 and encrypted DNS) or the DNS lookup topology (in-band
upgrade, with or without forwarder bypass).

In the other scenario, correspondence is validated using a PKI with its own
validation rules.

Which of these is appropriate depends on the intended user experience (does
the user see this IP address?) and also threat modeling questions (what
does it mean to own an IP address?).  This seems like a good example of how
even this seemingly narrow use case has a wide variety of potential
variations and complexities.  Here are some more potential complications:

* Increased query linkability, if multiple users' queries would otherwise
be mixed together by a NAT or a DNS forwarder.
* When should the client validate the certificate chain, and to which trust
anchor?
* Enabling a DNS-poisoning attacker to capture all DNS traffic
* Enabling a transient attacker to become persistent
* Defending against a passive+drop attacker who is trying to prevent upgrade
* Defending against a late-arriving attacker who is trying to trigger a
downgrade

All of these apply to the narrow use case that Martin highlighted.  When we
talk about requirements, these are the kinds of questions I'd like to see
the group considering.  On some points, I think we will find consensus; on
others, I think we will need to leave options open for implementers.  Which
properties we can provide will depend on the details of our protocol design.

For developing requirements, I agree that we should focus on this use case,
which deserves its own requirements draft.  When it's time to adopt
solutions, I'd prefer to consider the bigger picture, and try to find a
solution that extends naturally to other use cases as well.

v2.23.0 | Report a Bug | By Email