IETF Logo Mail Archive

Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

tirumal reddy <kondtir@gmail.com> Tue, 30 June 2020 13:44 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F1703A086B for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 06:44:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.097
X-Spam-Level:
X-Spam-Status: No, score=-1.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0hckFmkdJzp for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 06:44:07 -0700 (PDT)
Received: from mail-il1-x135.google.com (mail-il1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E39F43A0866 for <add@ietf.org>; Tue, 30 Jun 2020 06:44:06 -0700 (PDT)
Received: by mail-il1-x135.google.com with SMTP id k6so17708633ili.6 for <add@ietf.org>; Tue, 30 Jun 2020 06:44:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BBSc8RdB5lZnHfrHFX8ApXS9PvPuapNxWrP0Ozfq/z8=; b=JaTB7c3pgxc2+ujHy1czXhzvNcpy++uxmoGAXeR9xazTuVk61P2b4lE3sLckj44ggx 5G621tB9vQrt9l7Uc5y22sNQC7B9Zco+O4Yd6+L+3FkDVWL3PMLFJ3XkJW+oAQpKPz1G NyM08m76ke6uRqj7GmG2OPRiBMcF7YvWCZtAHG2zQrMm4jXhUm/gmJXG8VKUa3qM3kXh GVQSkCmHdnEJXYcyjz/rdJuW7SM+SeuZRuTvByY4TO6sPUyRucPUTzzKytGFbNj6mu2H xj7FyZ+WZSfQGI81eZNVRuf82zij1Y6Ar422b/61VhXXp7ORorNwvvqpg8QoOvTPJ4+0 XY7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BBSc8RdB5lZnHfrHFX8ApXS9PvPuapNxWrP0Ozfq/z8=; b=m0d3VFS+7TMWbuHC/d51nw0tWAglMUkIq2jv81saGrp055eVlQOrYgLte6KU7SCtFM EvKIOmYEk/LCpS+dXGtzO/zU3nfqU/Ez4DLwFPrU2L3XTBR1UlV+vqksM3L+iTzeBKys HXsWiv42AsQbYX81hDbC19zLaObMfLDwgnOrB/4zajJnazLYJjLPvUj1XhmqWYASvVkF cK4szHNxXlIuSUL/cWeK0VtFl8WuDjjpcL7/UyN4/hnJILgD23tZmZM67wM4ghqAUZZM CLklq8ZT/NdtjCPKLfAWq4q+l5lf27w8/EIND6lTZwHqfyKVT+mEEaJX+eLFvEB5v0ol WzFQ==
X-Gm-Message-State: AOAM530J8x21QjVpj5DhSATlhPRg5pmBmDv4PD2frf+MP0xWgW6Xj0CC IWgW5FVufh9WiCocjjTDWsoGY1fqaj0ZsyVG6zhjx3Fk1Xz4Rg==
X-Google-Smtp-Source: ABdhPJzv5jNzo6kQR1YD37CNHFNod3AdJsAEP1cVL8N2FfALsnt3f8QrFFvLpZmepA+BtN7y45qIf/0JeDrhtrda0L8=
X-Received: by 2002:a92:c530:: with SMTP id m16mr2750047ili.300.1593524645260; Tue, 30 Jun 2020 06:44:05 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <bd78f54e-038d-9cff-b6a8-c9c6323ed5f5@redbarn.org> <668384b7-90f5-4ff1-b9e2-d0257aee731d@www.fastmail.com> <3421779.8U4dVgcHlH@linux-9daj> <CABcZeBP8okFjJZk6+PYnTRqDi+KW+=4eT9niRZKkQ00THgL81g@mail.gmail.com>
In-Reply-To: <CABcZeBP8okFjJZk6+PYnTRqDi+KW+=4eT9niRZKkQ00THgL81g@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 30 Jun 2020 19:13:53 +0530
Message-ID: <CAFpG3gdn5JLf7wFpF2ZOVpGzDF9=y4RXsdZbztTJP8y71v80oA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Vixie <paul@redbarn.org>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006bf26805a94d5eb5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/gIjfQi0w2l5Q3JMCGza53NvxCWU>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2020 13:44:10 -0000

On Tue, 30 Jun 2020 at 18:28, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Tue, Jun 30, 2020 at 2:19 AM Paul Vixie <paul@redbarn.org> wrote:
>
>> On Tuesday, 30 June 2020 09:07:43 UTC Martin Thomson wrote:
>> > Hi Paul,
>> >
>> > On Tue, Jun 30, 2020, at 17:51, Paul Vixie wrote:
>> > > Eric Rescorla wrote on 2020-06-29 20:08:
>> > > > On Mon, Jun 29, 2020 at 8:05 PM Daniel Migault <mglt.ietf@gmail.com
>> > > >
>> > > > <mailto:mglt.ietf@gmail.com>> wrote:
>> > > >     If the lookup takes as input the IP addresses or something
>> provided
>> > > >     by the ISP (like the local resolver IP address), the resulting
>> chain
>> > > >     is likely to be from the ISP. DNSSEC is needed to assert it.
>> > > >
>> > > > Why do you assume that the IP is delivered securely?
>> > >
>> > > because dnssec allows me to verify end-to-end authenticity of
>> > > name/address bindings (and other dns content.)
>> >
>> > DNSSEC allows you to be sure of the veracity of what comes from DNSSEC,
>> but
>> > in this case the IP address didn't come from DNSSEC.  It's not DNS
>> content.
>>
>> i have badly misunderstood.
>>
>> the way i know that the ip address provided by the isp was delivered
>> securely
>> today is because off-net DHCP forgery is hard,
>
>
> Let's start here:
> I agree that off-net DHCP forgery is hard. However, once you assume that
> you are off-path, then Do53 interception is *also* hard. So for this to be
> useful you need an environment in which the attacker is able to attack Do53
> but *not* to attack DHCP. What I'm asking for is for someone to define that
> threat model precisely so that we can design protocols that match it.
>

The various possible attacks in a home network are discussed in
https://tools.ietf.org/html/draft-btw-add-home-06#section-9

-Tiru


>
>
> moving on, what i'd love to have is SDNCP rather than DHCP. S=secure,
>> N=network. because i want to know i'm getting what the operator of the
>> network
>> wants me to get, and because there are other parameters besides RDNS that
>> i
>> care about, such as whether there's a mandatory HTTPS or HTTP/3 proxy i
>> will
>> have to talk to. because, IoT. if DHCP isn't useful because it's not
>> secure,
>> we should stop using it. but before we could do that, we'd have to meet
>> its
>> functionality in another way.
>>
>
>> i realize that i've identified an unmarketable general case which has got
>> to
>> sound like i want to boil the ocean, or boil frogs, or something. but i
>> figure
>> if i don't say something, then after we've consensed around a secure RDNS
>> discovery protocol, and somebody says what about all these other
>> parameters
>> that also have to be set by the network operator and have to be
>> authenticated,
>> we won't know how we got there.
>>
>> i'd like setting up an IoT device to be like bluetooth pairing, only,
>> secure.
>> like, enter a four-digit PIN or something. getting secure RDNS
>> configuration
>> should be like that. right now it's a welcome letter printed by my ISP,
>> and
>> that seems outdated.
>>
>
> This all sounds great. And when it was available, we could also use it to
> indicate which Do[HT] server you ought to use.
>
> The question I am addressing is what we ought to do in the interim.
>
> -Ekr
>
>
>> --
>> Paul
>>
>>
>> --
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
>>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email