Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 17 July 2019 19:46 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53ACC1200CD for <add@ietfa.amsl.com>; Wed, 17 Jul 2019 12:46:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SJQFED_9U8Tk for <add@ietfa.amsl.com>; Wed, 17 Jul 2019 12:46:49 -0700 (PDT)
Received: from mail-ua1-x943.google.com (mail-ua1-x943.google.com [IPv6:2607:f8b0:4864:20::943]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E6DA120071 for <add@ietf.org>; Wed, 17 Jul 2019 12:46:49 -0700 (PDT)
Received: by mail-ua1-x943.google.com with SMTP id j21so10134303uap.2 for <add@ietf.org>; Wed, 17 Jul 2019 12:46:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ygCING+RrUaEbUs6MxU8SPIOBhRUhT95oKZMX1Su8gc=; b=nASGlzILMDULzpJuRhv2sp9Bs9EHfwVXCbpckhhINKaKHe1tzA9indYysihHrtaUOp PYs+1sCKm4HOiN9zvQ+2thTB+Q5m2saTcxZpwz3wdJYm12DyEBP43QJ15/za4YMqwsDH EcwHPLdM4T/AKlpBlwiIZTDUyMuB3+S/zgRujEKhfrgnrta/vxM2PuX8IrpjtNjzxV99 2klElgrHtcb4Z2h+mpq7Klcf9qxA1rYh4+X8IRLzY7z7dbuNT9+C1jWFJKkKkI9ZyG89 Dj6LcIpAYgJF/MMsSQ4xMf5shgnY2rXDk2wqgFXdSpMQMLtqdzcEAXcXtUPI7V5U61+G vAXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ygCING+RrUaEbUs6MxU8SPIOBhRUhT95oKZMX1Su8gc=; b=mhnDOPnYfG5RGYGt625tt50a3R0cxIME8pXIiy/H3iGfK98sqr/YrHHS06Ppp+wOwZ fa+qwRpJqaNWueHNaIMypFUuUgma9j46MF0ug2+qkSy8/tfeI0LZUlppTy4QOdCrrDoY 3iDpw7ipsxwOuD3CKzKdusKPMJhqvYNQWoLay/tcF1Dy2UpEe9ZIvgpMuhOzQhcNHl3E 792uEYsKrU4fMk5mtq7jGu4At9abnEs4wQsKoCUQwScGXIyKBWc3MH+nMELoq6OQACyF mNOwWw/sdNFrMQLBzz2D+NjzAecn+a2YLiU4nDh2UnEqAOqXjAmxFiQ0yauLiPNZwQl5 onqw==
X-Gm-Message-State: APjAAAUDc27EBTcTaiMOz4WxLOiDNZlZy11LLgyBPZe6o58t40P9/o6E 64nds3YJTTYtEFn1LEasAYdMepdsTIE35BZFsZ8=
X-Google-Smtp-Source: APXvYqyuaBiQE0p+5m2h0AuWMi6rG23kRMb5xeEG4uzoySCxtV3E8GYt2uuy+zJOzOcvo5u6KrfVYHSo8WUwrEkL0CQ=
X-Received: by 2002:ab0:2994:: with SMTP id u20mr23842727uap.114.1563392808264; Wed, 17 Jul 2019 12:46:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <CAFWeb9LNdT=EYVKTsYDxcBCQKoQFNShKotYtWujt4U9GA-V1mg@mail.gmail.com> <CAFWeb9+eWKSKY9O2JLn9-0+Zq7hrD48F-y+Y4T-iRaaF0vtdOA@mail.gmail.com> <A45F4F74-D6C1-435A-A52F-C2DEA82E2999@sky.uk> <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com> <CABcZeBMY9q9vKGse1svzbvXF_dSHA+9q06j4ugDVCZP9VT1koQ@mail.gmail.com> <CAChr6Sz5Rfz=UxOYuPguSvVK2HCX2ZoA1-FytW7+EOUxN8y46Q@mail.gmail.com> <CABcZeBNB7ASu2U3ZMBZ+OOxEhbSnhDXwFN3Lsex1uzVSDv3R=Q@mail.gmail.com> <CAChr6SwEwRRX7BA6ZCeBuC93hFxbfi3d7G_3G3VA7Lm09yuneg@mail.gmail.com> <CABcZeBNa97Vb6Fw-fMhoZnMezGtm3nJODENN4=XXsz7GWxf2Cg@mail.gmail.com> <CAChr6Sxm__NroZ92v4HL_6iCa62fwYgNw9r8ZDAxCdzVwNoDGw@mail.gmail.com> <20190716190219.5DEF4156CDF0@fafnir.remote.dragon.net> <CAChr6SzSkVU5xbh0sZCCEgd7BUdr-dMorNq=5iMkWp66k8PVow@mail.gmail.com> <15205609-8203-4C6F-9DE7-14D492873C51@rfc1035.com> <CAChr6Syf_=3__jcv6D7b1JokGFYpFuy9y9419V0nCAx=MMh24A@mail.gmail.com> <1513817825.9983.1563350802523@appsuite-gw1.open-xchange.com> <CA+9kkMAdGF_U-syxtFVz-MfBfv-GF_CFouvuUhqcSH96-=Hkjg@mail.gmail.com> <ABBFB472-DC7C-48E2-999E-C364BFD3260E@open-xchange.com> <CA+9kkMBO3LAhVmC+PzBoO7V5vzrfeYyrEPdq6s5nRBrYniqaNA@mail.gmail.com> <CAH1iCiqsSWRm7hbwcaoRYUaoLf-DCDXw8cZy7abaYbOAMjJBPw@mail.gmail.com> <CA+9kkMBjL5VqiH+vjxgTFq2d76O0yoyeJdQF6HhKvO_pOdzDgA@mail.gmail.com>
In-Reply-To: <CA+9kkMBjL5VqiH+vjxgTFq2d76O0yoyeJdQF6HhKvO_pOdzDgA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 17 Jul 2019 12:46:36 -0700
Message-ID: <CAH1iCio9ktw2N+tLq9bkGCT3H9SN5AyqHst11hWKY_YwbFxVJw@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Neil Cook <neil.cook@open-xchange.com>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, add@ietf.org, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000fb2a2d058de5c091"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/WZBStcICj0HJxu8A_BPK0uFEsug>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 19:46:52 -0000
On Wed, Jul 17, 2019 at 11:56 AM Ted Hardie <ted.ietf@gmail.com> wrote: > On Wed, Jul 17, 2019 at 11:40 AM Brian Dickson < > brian.peter.dickson@gmail.com> wrote: > >> >> The root of the problem is visible in "if they chose not to". The nature >> of DoH, is that the network operator (regardless of who they are) is unable >> either detect or prevent guests (or users or BYOD or whoever) from not >> complying with your network policy. >> >> > I disagree. It forces the existence of the network policy to be visible, > but it is entirely possible to deny network access to a system which is > non-compliant. It is not as simple as blocking or intercepting all port 53 > traffic, but that method never addressed the reality that cleartext traffic > on that port was available to an observer. To get both confidentiality and > policy enforcement via this means, practice will need to change. It will > need to be visible to the system consuming the DNS (be it a browser, an OS, > or some other application), and the enforcement mechanism will have to be > better integrated into reachability mechanics. That is definitely new code > for most people, but it is not impossible. > So, I'd like to use a fairly simple existence proof (i.e. demonstrate a proof-of-concept model that would scale and work) on re-implementing the port-53 model, using DoT. Client attempts to contact random DoT server. Network monitoring systems see new DoT traffic between new pair of hosts (on port 853), alerts if not blocked, or perhaps the network already blocks such random connections on port 853 (check.) Client attempts to contact well-known DoT server (e.g. Quad9, CloudFlare, Google, or similar). Network policy permits this (check). Or, network policy does not permit this (check). Client attempts to contact local DoT server (e.g. server on IP handed out by DHCP or equivalent, or locally configured). Network policy permits this (check). Network surveillance of DNS queries performed on local DoT server (check). Client attempts to contact random DNS/53 server. (Either allowed or denied, i.e. same as today, including monitoring elements if allowed). No change (check). Yes, network surveillance of DNS queries on DoT requires operation of a DoT server to facilitate that. Use of DoT, exclusively, allows the enforcement of that policy at a network level (ACLs with respect to port 853). The end result is a network policy of, "use our DNS service, or none at all, or don't use our network". None of the above *requires* host-level changes. The above certainly plays nice with any host-level augmentations on other explicit ways of publishing and consuming policy. I don't see any way of achieving the same policy enforcement result, without implementing strict host-level validation mechanisms, which is a change over the DoT-only scheme above. In the DoT world, the policy is inherently visible. If you try to use a particular DoT provider, you know immediately whether that is possible or not. The issue of whether a particular DoT server is or is not providing a certain level of privacy, is perhaps something that could be signaled, but I don't see any way of validating that signaling beyond, at best, some kind of contractual enforcement. I.e. if you want to be sure the party you are talking to is or is not doing what they say they are doing, pretty much the only way to be sure requires the involvement of law enforcement and/or lawyers. The difference between DoT and DoH are whether host-level mechanisms are required, to achieve any meaningful assessment of compliance. Host-level compromise defeats host-level mechanisms, so other than secure ways of proving host non-compromise (like TPM things), it is provably less secure than adding network-based detection/enforcement. (None of the above applies to malware that does its own communication to C&C systems, but it does apply to malware that leverages browser-based DoH capabilities to make use of DNS for any of C&C, exfiltration, payload acquisition, etc.) Brian
- [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Andy Grover
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Eric Rescorla
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Eric Rescorla
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Vittorio Bertola
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Jim Reid
- [Add] Firefox DoH behaviour Jim Reid
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] Firefox DoH behaviour Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Richardson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Barry Greene
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Jim Reid
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Erik Kline
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Erik Kline
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… tirumal reddy
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Evan Hunt
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ralf Weber
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Livingood, Jason