IETF Logo Mail Archive

Re: [Add] Authentication Sub-topics for Tuesday Interim (homework for Tuesday's meeting)

Tommy Pauly <tpauly@apple.com> Tue, 15 September 2020 02:48 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C653A0F4D for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 19:48:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.794
X-Spam-Level:
X-Spam-Status: No, score=-3.794 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pNJsEI4Y6A-v for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 19:48:17 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51A9F3A0F4C for <add@ietf.org>; Mon, 14 Sep 2020 19:48:17 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.42/8.16.0.42) with SMTP id 08F2gq6n049521; Mon, 14 Sep 2020 19:48:14 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=content-type : content-transfer-encoding : from : mime-version : subject : date : message-id : references : cc : in-reply-to : to; s=20180706; bh=eS+AYKI6EIJZ1N7neSmpqNUzkI85ncOi9ee3+mG+YYQ=; b=RZUTOgD1rGHKWTy0RNv159TdbUAJb5BblBy0gCfDbvqUxcmH4nFZvKI7wBM5VutOeVHa gD3XWTLkqMevddvUGV7tBjEz4Y82wfrJLd0p3ufJ1j8MXyxN3hVnooeficK5vWtA2UoB TRVo/5+a8i7AcuiNS+rZQk0Q+me42nEkgRDlMyH4dsAYIXz+mZHjmPRrlT8cO0Ji3YKP xSbRL/LZo4tBe8nbZ7zY7J1nsQ98uArp6V1ew9uNLMyVT9vKQoj2cjhbblkdtQUg7EBG fI/vIFKRP9o+g65lUidRnUX1dfEufhVlMmXetV8Ycxhikc/xaIVnokcN12aqCyk+VNvc 1Q==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 33gwatvyj1-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 14 Sep 2020 19:48:14 -0700
Received: from rn-mailsvcp-mmp-lapp01.rno.apple.com (rn-mailsvcp-mmp-lapp01.rno.apple.com [17.179.253.14]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPS id <0QGO009A1IGA4980@rn-mailsvcp-mta-lapp03.rno.apple.com>; Mon, 14 Sep 2020 19:48:13 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp01.rno.apple.com by rn-mailsvcp-mmp-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) id <0QGO00M00I88VE00@rn-mailsvcp-mmp-lapp01.rno.apple.com>; Mon, 14 Sep 2020 19:48:12 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 7a77f9138d60728e010dfb6f2118f5e7
X-Va-E-CD: 1c7b55b78e3578219f1e6d8c46f0bd16
X-Va-R-CD: 2e27eead26b8d798892b0ed9967363bf
X-Va-CD: 0
X-Va-ID: 35d88da1-180f-4ebf-b4a2-46677e032561
X-V-A:
X-V-T-CD: 7a77f9138d60728e010dfb6f2118f5e7
X-V-E-CD: 1c7b55b78e3578219f1e6d8c46f0bd16
X-V-R-CD: 2e27eead26b8d798892b0ed9967363bf
X-V-CD: 0
X-V-ID: e1faf221-24cb-4285-b4c6-fe19d7d4dc68
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-09-15_03:2020-09-14, 2020-09-15 signatures=0
Received: from localhost.localdomain (unknown [10.104.222.93]) by rn-mailsvcp-mmp-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPSA id <0QGO00P6CIGAKO00@rn-mailsvcp-mmp-lapp01.rno.apple.com>; Mon, 14 Sep 2020 19:48:12 -0700 (PDT)
Content-type: multipart/alternative; boundary="Apple-Mail-EEB07387-DBA3-4661-804E-7E3AEEB77114"
Content-transfer-encoding: 7bit
From: Tommy Pauly <tpauly@apple.com>
MIME-version: 1.0 (1.0)
Date: Mon, 14 Sep 2020 19:48:08 -0700
Message-id: <A332081D-69AE-45F8-9E61-6ACA3D071C1E@apple.com>
References: <CABcZeBPuq86Fj0VYQ+1j8ZWo+4BT1bDJGfnRmi82oUc8Xns=PQ@mail.gmail.com>
Cc: "Deen, Glenn" <Glenn_Deen@comcast.com>, ADD Mailing list <add@ietf.org>
In-reply-to: <CABcZeBPuq86Fj0VYQ+1j8ZWo+4BT1bDJGfnRmi82oUc8Xns=PQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: iPhone Mail (18A373)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-09-15_03:2020-09-14, 2020-09-15 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/buGjJiZf4VGZbNEd76GzOmCutl0>
Subject: Re: [Add] Authentication Sub-topics for Tuesday Interim (homework for Tuesday's meeting)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2020 02:48:19 -0000

Hi Ekr,

Some thoughts in response, prior to the meeting (so I don’t forget due to the early hour):

My sense is that we need to look at attackers that are limited to not being able to act as the network provider or router themselves—specifically, assume the attacker is not the one providing DHCP or sending RAs. If we consider such an attacker who can spoof or inject packets to a client, I think there are some security benefits that a discovery can provide. 

If what I want to discover is a DoH resolver that is equivalent to the Do53 address I already know (maybe by DHCP, maybe something else), I’d want a mechanism to guarantee that:
a) I’m no worse off sending my queries to the DoH server (I trust it just as much as I did the Do53 resolver, however much that was based on my provisioning mechanism)
b) My queries cannot now be modified or observed by other entities on my network or path

I think this much is doable in some deployment models. For example, using a model like Comcast’s DoH deployment, if the DoH server’s TLS cert includes in its SAN list the address of the Do53 resolver provisioned by the network, I think we’d get the two benefits listed above. (This is what Tommy Jensen proposed in https://www.ietf.org/id/draft-pauly-add-resolver-discovery-01.html#name-discovery-of-doh-capabiliti)

The set of resolvers that are accepted in this manner could also be restricted to a known list or a publicly available list if we want the additional guarantee that a given resolver is “official” and not just some server that managed to get a cert that covered a particular address.

What might not be possible, on the other hand, is to usefully authenticate a deployment model where the resolver or forwarder is some private/local address that’s running on a router itself–unless this is a managed network or managed device that has some out of band mechanism to trust or configure resolvers (at which point we don’t need discovery mechanisms). I think the case of trying to find an equivalent and trusted resolver to the one running on 10.0.0.1 on my router ends up being indistinguishable from an attack scenario. But these scenarios likely aren’t worth solving this way anyhow—if the DoH server isn’t on my router itself, but hosted in the ISP network, the network would do better to provision the address of that ISP server instead of a local address; and if I really have a DoH server running locally, the router would presumably be able to upgrade to be able to provision the DoH information directly in DHCP/RA/PvD.  

Best,
Tommy

> On Sep 13, 2020, at 4:21 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> (1) What capabilities are we going to assume an attacker has in the local discovery model? Do we have *any* candidate design which does anything useful in those circumstances? If so, what does that design do?
> (2) Do we have any secure way to tell clients which resolver the network wants them to use?
> (3) Assuming that we had a secure way to tell clients which resolver the network wanted them to use, what would we want to say there?
> 
> Spoiler alert: I have opinions on the answers to these questions, but that seems like a topic for the interim.
> 
> -Ekr
> 
> 
> 
>> On Fri, Sep 11, 2020 at 11:51 AM Deen, Glenn <Glenn_Deen@comcast.com> wrote:
>> Hi ADD,
>> 
>>  
>> 
>> Authentication clearly has emerged as a topic important to the group.   It showed up during the ADD Interim on Sept 10th in both comments and in jabber. Prior to that It has shown up in  drafts, list traffic and GitHub issues.      Coming out of the Interim yesterday it was proposed as the starting topic for the next interim on Tuesday Sept 15.   
>> 
>>  
>> 
>> To help focus and facilitate productive conversation the chairs would like to ask for the group’s help in breaking down the topic of authentication into sub-topics for Tuesday’s interim session. 
>> 
>>  
>> 
>> Here’s a small homework assignment for the next couple of days to help set the Interim agenda:  We ask that ADD participants please take a few minutes and post to this list thread authentication sub-topics you’d like to cover. 
>> 
>>  
>> 
>> To get you thinking on the question,  consider that authentication has come up in a variety of ADD discussions:
>> 
>>  
>> 
>>       (1) Topic:  the question of can DHCP play a role in discovery which has resulted in many saying “No” since it isn’t authenticated;
>> 
>>       (2) Topic:  the question of authentication’s role in resolver discovery and validation; 
>> 
>>       (3) Topic:  the question of authentication to enable identification of resolvers that are associated or affiliated with one another or an organization   
>> 
>>       …. 
>> 
>>  
>> 
>>  
>> 
>> This list is by no means complete and is meant to illustrate a few of the places and contexts the topic of “Authentication” has popped up recently.  
>> 
>>  
>> 
>> Please share what authentication topic, scenario, role, need you believe the ADD group should spend time discussing on the Tuesday agenda.
>> 
>>  
>> 
>> Please limit discussion on this particular thread to only sharing what authentication sub-topic aspect you’d like to see discussed and not expand into a discussion of the sub-topics themselves.   Yes this all interesting stuff, but the thread can quickly become overwhelming for readers to follow.  
>> 
>>  
>> 
>> So limit, for now, responses to what you’d like to discuss – not the actual technical discussion.      
>> 
>>  
>> 
>> Also, this may prompt some responders to feel like now it is a good time to stray into policy discussions.   Please try to self-regulate and not go there.    ADD is limited to technical mechanisms to do discovery and a means to convey information about the discovered resolvers – and the discussion needs to stay withing those boundaries.   
>> 
>>  
>> 
>> Regards
>> 
>> Glenn Deen & David Lawrence – ADD Chairs
>> 
>> -- 
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email