Re: [Add] fixing coffee shop brokenness with DoH

Eric Rescorla <ekr@rtfm.com> Wed, 24 July 2019 18:38 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 559B3120141 for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 11:38:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IqMG6terkJnV for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 11:38:04 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AB36120316 for <add@ietf.org>; Wed, 24 Jul 2019 11:38:04 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id z28so45550801ljn.4 for <add@ietf.org>; Wed, 24 Jul 2019 11:38:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UqOrDHla6q2FTzHDDmAyk0U/4nJw11SIPaxEH1nFt58=; b=j/MCu3Sb/q/+4LMko2F6fcfxrLYtTr+whx1Ab1t3woul5T+gH4vAxFEwhhpszXn1Fp +VT3L/W1QFiE2+sIQ/qoQrfz4oowqGG13q73Fadn85Lad68Wyi0uMtJCM2zAM+LcSSLd EPC8Rl27JSn+TQDq45F2FxllcotB5LLd0b9bGIsio1QsHEFZKaMaQDdyDGTGf8xtf+tL GPpa5DxRf8ti/3z7MAUBQRPD2TIe8bHaGyTzthPwLc+J+gZsSMs/am/BJgR8mjfZY0dw ZY7frKTiwE2w+Q/gPW19dbaQaMZN37yOWOKdy+RHhLkj/ekDKlcvixpqXfWF6/Yb3ZDF Q5Fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UqOrDHla6q2FTzHDDmAyk0U/4nJw11SIPaxEH1nFt58=; b=r0k2iAqFAxoKXq1c+iFlUhR2iGf/IBTPOpYYyVAVu4otUx7i7Wh5E6T2ze2FCAkAzH bbhPKODLxfbvlonrl2nfBcTXGJqI54nOGnPtNqdxj2t2p5o3aX8x/AgNkbK8wR0B/GqT hd9fVrLIRX1ZO2vvS+DJbASmLjQvlHiDZ6mGkyJRSuHoevd7ACc57UVeLbSEmOWF+And xMWtYtsIcxHfKiXjgccAr+wZHCL9UnDyh8+Vf1MaFYv8w/cCZ3lMTnRwdRs0qE8MSeX2 55a4rCVAqtm1BTRgfU6bqVyH4NLWyK0f0a9+BVhcplhoakPpLroH4bi/omHJ0BgwfPEJ 41ow==
X-Gm-Message-State: APjAAAUrmYBaH/cP3B05bWllpmRMXFyqDrMFWNB7d4j+woSUt1Sw2MfB yznBqudnKI8xieBItqq00fosOzmP/zOBvve/OEU=
X-Google-Smtp-Source: APXvYqw4yq+Fiq5nrfnRsFhzt81Rc/vBMbTslDdXmdd2QruSUTibbiXQPkIrTOaQc+3bT5RoHjpKo0JCQC1ns4A7d8A=
X-Received: by 2002:a2e:9cd4:: with SMTP id g20mr21167635ljj.205.1563993482570; Wed, 24 Jul 2019 11:38:02 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com> <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com> <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com> <D361E72B-3783-4E57-8F08-8B418639BB29@fugue.com> <CABcZeBP2MY3pjeZv4Q+1Kj3_GKOgVq8+OYe7im2gYvBzy=Mz7g@mail.gmail.com> <F8A56D5D-B05E-4E80-880C-60D6B550F107@fugue.com> <CABcZeBOO5yvcm=DvDjr-7v4AvVG=13Zy--j362eE0Qqp7hcRaw@mail.gmail.com> <21062.1563992339@dooku.sandelman.ca>
In-Reply-To: <21062.1563992339@dooku.sandelman.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 24 Jul 2019 11:37:25 -0700
Message-ID: <CABcZeBOpW_Vow__G1roG2xqwELus=JKm0CVDnkK1OJ_e-D1qaA@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f5c552058e719b6c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/_H2TTKxD_PLVb3bM1oT8-vviEeI>
Subject: Re: [Add] fixing coffee shop brokenness with DoH
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 18:38:06 -0000

On Wed, Jul 24, 2019 at 11:18 AM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Eric Rescorla <ekr@rtfm.com> wrote:
>     > In the case where A is not DNSSEC signed, the attacker just sends
>     > NXDOMAIN,
>     > which the client accepts and refuses to connect.
>
>     > In the case where A *is* DNSSEC signed, the attacker can also inject
> an
>     > NXDOMAIN. DNSSEC of course won't validate, but the client still
> doesn't
>     > have an IP address to connect to, so it's only recourse is to error
>     > out. Now, it can show the user a different error than it did for
>     > NXDOMAIN, but these errors tend to be fairly generic anyway (Firefox,
>     > for instance, shows "Hmm.  We’re having trouble finding that site."),
>     > so from the user perspective these
>     > aren't really very different.
>
> This needs to be an on-path attacker who can not only inject a fake
> NXDOMAIN,
> but also suppress/delete the legitimate answers.
>

Yes.



> This means it is the "coffee" shop that is doing the attack.
> When the coffee shop is a soveign country, then there are many things that
> they can also do which DoH/DoT may or not help with.
>

Sure.


When this is an off-path attacker, DNSSEC enables successful connections
> (that HTTPS can validate) vs "Having trouble" dialogues.
>

Yes. However, DoH/TRR also prevents these attacks.

-Ekr




>
> --
> ]               Never tell me the odds!                 | ipv6 mesh
> networks [
> ]   Michael Richardson, Sandelman Software Works        | network
> architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on
> rails    [
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>