Re: [Add] Secdir last call review of draft-ietf-add-svcb-dns-06
Ben Schwartz <bemasc@google.com> Wed, 13 July 2022 16:12 UTC
Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FA19C16ECF1 for <add@ietfa.amsl.com>; Wed, 13 Jul 2022 09:12:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.609
X-Spam-Level:
X-Spam-Status: No, score=-22.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P9WMajIcbr4I for <add@ietfa.amsl.com>; Wed, 13 Jul 2022 09:12:32 -0700 (PDT)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44895C157B58 for <add@ietf.org>; Wed, 13 Jul 2022 09:12:32 -0700 (PDT)
Received: by mail-vs1-xe32.google.com with SMTP id j1so10515447vsr.4 for <add@ietf.org>; Wed, 13 Jul 2022 09:12:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=McX1POSp0DO2cLW207kfdD3Zv2DnDA3tpxrjIRDkw0g=; b=KbwTm2CDoWT+eGbvZTIaDMALNcbOrFCkECusYcJ09F+QAdCYHX9Z5azU7mbpa7uZHA W31mugdvwLRaUpz8h6jo/hJWVYc8Hc4soy44FQ+FetXaT3bKdptPsB947GhBvo0pFcQO VxJrv8xHTxnI0rYtGSvmyITxPMslaDCCI0Ubofxa5HZbiiywfba99cXZq/y5AtgHII8z ma7+VpQ4isIbLQnRUDF2jSGYknrau1eYPxy3yc3xXQrJU7WmDfKL+KHrMdpoaZaN0Vcl IWtghTlr/4nx6e6kWuUcTSZzVtN+2BFd6EYzS5TQDM09/Z6h0WF2HsOX8oltxZwnxtYc 8RoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=McX1POSp0DO2cLW207kfdD3Zv2DnDA3tpxrjIRDkw0g=; b=NZ3hG707ECXIkXfgaAx5ilFycg7BpMLzRSPXTFbqXwiqAExheBjID6Osmd5ycMSWg6 j4S8js8f2SSCXgZOHwPMSW9QqZO1qhhhSQ/TdpmUjmoS97W2UkEsF0ELtJ8ooHHuIVde v2FyQaF1MR4rfKZqucGcc6o12u106hHjnZgJOvE1s5sN73SHKv8ozvvydlZxmbfe97rN 9ZA4NeAdyPsACobueJXX1daUJ4k8uAC0HkaAJAw+Rc/UE3HMscsFmBlGxmC/OKiPu3kY 9NS0pZR0oL3vNMpjM8NuZlDmZZqm5B+2qx1dhtE3BJoYmaUu8O2nehvPSW4QY/CvHgrm gYIA==
X-Gm-Message-State: AJIora+uAMhtjyLG5aXrLJTg4cjRGzL72W6jYpQPMb+RzkpIVQwZwrWU pi7cUmZaKmvamm7Vj7ESS410G9A1N11LAeizbPd+hA==
X-Google-Smtp-Source: AGRyM1svHb57k/dRsMb1J+Sq3n+T3o9MMxyKd5lg9h2+Xya4pycb2ZiGXNza8WNT6PnZoTxUf005vd/l5bswvtACnlA=
X-Received: by 2002:a67:b749:0:b0:357:83ba:40dc with SMTP id l9-20020a67b749000000b0035783ba40dcmr1789609vsh.74.1657728751266; Wed, 13 Jul 2022 09:12:31 -0700 (PDT)
MIME-Version: 1.0
References: <165732512858.37539.14391175135822397412@ietfa.amsl.com> <CAHbrMsAYMca0pBkWoYspm4pwUrEEOb07ywjoRVFGbkBGUwiepA@mail.gmail.com> <CAOgPGoBt+3JJrxiq4AM-o9ReTvdw+bYx=yCnSA1FTj6SKWdAFA@mail.gmail.com>
In-Reply-To: <CAOgPGoBt+3JJrxiq4AM-o9ReTvdw+bYx=yCnSA1FTj6SKWdAFA@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 13 Jul 2022 12:12:20 -0400
Message-ID: <CAHbrMsB5xNC_YDC+-+UkVLpEpT7Yp4_-3VQOH+cNJnj8A3A5Lg@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: secdir <secdir@ietf.org>, ADD Mailing list <add@ietf.org>, draft-ietf-add-svcb-dns.all@ietf.org, last-call@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000005fa97305e3b20d22"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/dhnW3Jhd902MjIsnAwT2L4s2yq4>
Subject: Re: [Add] Secdir last call review of draft-ietf-add-svcb-dns-06
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 16:12:33 -0000
On Tue, Jul 12, 2022, 12:52 AM Joseph Salowey <joe@salowey.net> wrote: > Thanks for the quick reply, comments below: > > On Sat, Jul 9, 2022 at 5:33 AM Ben Schwartz <bemasc@google.com> wrote: > >> Hi Joe, >> >> On Fri, Jul 8, 2022 at 8:05 PM Joseph Salowey via Datatracker < >> noreply@ietf.org> wrote: >> >>> - Section 8.1.2 - good description of this problem, it seems like some >>> of this >>> should have been discussed in the doh document, but I couldn't find >>> any. If >>> there is relevant considerations in the doh document then you should >>> reference >>> them here. >> >> >> This topic is not addressed in RFC 8484 because that standard assumes >> that the URI template is configured from a single source, so all its >> components are equally authentic. The strange thing here is that the >> hostname comes via a (unspecified) trusted channel, but the port and path >> do not. >> >> > > [Joe] I see, so this adds some attack vector that was not anticipated in > 8484 > > >> It seems that the recommendation "To mitigate redirection attacks, >>> a client of this SVCB mapping MUST NOT identify or authenticate itself >>> when >>> performing DNS queries, except to servers that it specifically knows are >>> not >>> vulnerable to such attacks." would be difficult to implement since its >>> not >>> clear how the client gets this information and really should be a >>> consideration >>> for the server implementations/deployments that require authentication. >> >> >> How about "... except under private arrangement with a server operator >> who has made sure that there are no such vulnerable services on $HOSTNAME"? >> >> [Joe] Could we say something like "the server operator should make sure > that there are no such vulnerable services on $HOSTNAME before publishing > an SVCB mapping" > It's not clear to me that this would help, because this attacker can forge a SVCB record even for origins that don't publish their own record. In the extreme case, the origin might not operate a DNS service at all! It seems the server should really take steps to prevent this if possible. > I can't think of a way to do this without adding a new requirement to all DNS servers that are identified by a hostname. As a practical matter I suppose that would be fine, but in principle it seems like poor form to add requirements to existing deployed systems. Having the client also verify this to the best of their ability is also a > good idea. > > > >> I'm >>> not really sure what to do about this except as a consideration for a >>> revision >>> of DoH. >>> >> >> I don't think RFC 8484 has a problem of this kind, because an adversary >> cannot alter any portion of the URI template (unless it controls the whole >> template). (There is still the ALPACA attack, but that is not specific to >> DoH.) >> > [Joe] yea, thanks for clarifying >
- [Add] Secdir last call review of draft-ietf-add-s… Joseph Salowey via Datatracker
- Re: [Add] Secdir last call review of draft-ietf-a… Ben Schwartz
- Re: [Add] Secdir last call review of draft-ietf-a… Joseph Salowey
- Re: [Add] Secdir last call review of draft-ietf-a… Ben Schwartz