IETF Logo Mail Archive

Re: [Add] Relaxed validation and delegated IPv6 prefixes (Was: New Version Notification for draft-schwartz-add-ddr-forwarders-00.txt)

Ben Schwartz <bemasc@google.com> Mon, 11 October 2021 02:07 UTC

Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E9F03A0867 for <add@ietfa.amsl.com>; Sun, 10 Oct 2021 19:07:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.097
X-Spam-Level:
X-Spam-Status: No, score=-18.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.499, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UFrzlLIYwIOm for <add@ietfa.amsl.com>; Sun, 10 Oct 2021 19:07:03 -0700 (PDT)
Received: from mail-vk1-xa33.google.com (mail-vk1-xa33.google.com [IPv6:2607:f8b0:4864:20::a33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 502A23A086D for <add@ietf.org>; Sun, 10 Oct 2021 19:07:03 -0700 (PDT)
Received: by mail-vk1-xa33.google.com with SMTP id u66so6798340vku.4 for <add@ietf.org>; Sun, 10 Oct 2021 19:07:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BV17l1qACJBwsR0ydqpJvdnfKky8TB6qhxnpX928iPs=; b=FRjqvRQeRfJuozEOFR55/nHMuSk+h93k/H3VpDH+SU095CGiiDwMnh4eMt0MWyp3cz TgP2Sh2xXGgygEL0dIqUay9cybTqcJW+U3aWYVcKIHBCGwhFSjIAxQCIbd30DosPy7Qc enHVKFQZHpau9qFtMOSH2ggGEq1R0aweaUPTPnxQVNMIWfN/KeyeW2VDEhSFvfNbUFj1 b+94lNhseJgTSjz8+XZ0vYrHt87ar/0dh9gS1SGWAZ9xm/YX5Rr44GSJHh2zdqslVTEB lCKaw5f5zcTtrBLkbeSqulJfK1HK9jxkLBKP9zmAizum8xF2hhIwuHj1ZxKQ2URW67RF IjoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BV17l1qACJBwsR0ydqpJvdnfKky8TB6qhxnpX928iPs=; b=dxC210D2UrYEGOGvomzTPLhQaApbCVNZQnit6DaJosZNB4hxB7Vmqc7uxrOh4QPmk9 BlxAzpWGqyP12hTnJ9+8ZBPuSGug7luLt6Jgs9ka9ANSfA3lW3Ea1y0h0woxbryQ+rZq hY/oRZ/O8H5HiGeICklefQfhWImacMx9FOp62sEI7VBWMTHdCqbqKoCZImH1zWHqvuoi Vq1UV13a3eGIvY8zFVnC015YeJIx0B+CN/hZ1+0/mdoYf+F6vBwb/QsOnZZQqBJtOcAP SpqwECEjRKtD0N84kViL6QAfUbR+yP1ao5RIxYafGRq0/d0GXi/f+Ueco5o/gnAJz8mG X21A==
X-Gm-Message-State: AOAM531u/wUc84S9fvUpn+QhI4zFXxnZxWd1SutJyWGqfn6hyUucVLYq m4F+d2mhyZf44nRl8u69lrHzfM0wy4mIF3UxyTAsnxt3c51g3Q==
X-Google-Smtp-Source: ABdhPJyhqGE21tZV9Y0T+myfAkqsHz0vdyMl4RRK5GkUXQYNSN/O/Fyrl/k+1Slx6d5ThzDj/ZCIhC5UCkgITdKZ7wY=
X-Received: by 2002:a1f:9e11:: with SMTP id h17mr17857637vke.16.1633918021313; Sun, 10 Oct 2021 19:07:01 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR02MB6924A3C8D43C001C78994B01C3B19@DM6PR02MB6924.namprd02.prod.outlook.com>
In-Reply-To: <DM6PR02MB6924A3C8D43C001C78994B01C3B19@DM6PR02MB6924.namprd02.prod.outlook.com>
From: Ben Schwartz <bemasc@google.com>
Date: Sun, 10 Oct 2021 22:06:50 -0400
Message-ID: <CAHbrMsBQBu8fTeeHtvO=YCn_Af-PzZvHmZK=ErXEAf6U44VZjw@mail.gmail.com>
To: "STARK, BARBARA H" <bs7652@att.com>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000047afbe05ce0a2fdd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/hAuUvBPgfLChIR6e7CaRe4turmM>
Subject: Re: [Add] Relaxed validation and delegated IPv6 prefixes (Was: New Version Notification for draft-schwartz-add-ddr-forwarders-00.txt)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Oct 2021 02:07:09 -0000

>
>  If the DNS forwarder is identified by a public address (IPv4 or IPv6),
> then it could get a TLS certificate for that IP address.  A client policy
> that doesn't require authentication in this case, even though
> authentication is possible, would be a much bigger departure from baseline
> DDR.  I would prefer not to describe that behavior in this draft.
>
>
>
> <bhs> When you say “[the DNS forwarder] could get a TLS certificate for
> that IP address”, are you saying it would be possible for a gateway to get
> a PKI CA-signed certificate every time it gets delegated an IPv6 prefix
> (and subsequent renewal)?
>

I misspoke.  Let me try again:

In DDR, the Encrypted Resolver must hold a certificate that covers the IP
address of the Unencrypted Resolver unless the resolvers have the same IP.
Thus, if the gateway uses a public IP address, and is actually a forwarder,
then the upstream resolver must return a certificate that covers the
gateway's IP address.

This is not the same as placing a PKI certificate on the gateway.  (I don't
know if it's easier or harder.)

...

> So if a client is provided a private IPv4 DNS server address and a public
> (GUA) IPv6 DNS server address (and, BTW, both reply with identical
> resolver.arpa info), will the relaxed-validation client prefer IPv6 and
> not upgrade because the IPv6 address is a GUA? Or will the
> relaxed-validation client try the private IPv4 address (also?) and do the
> DoH upgrade?
>

I think it will do the upgrade, via the IPv4 server.


> I’m ok not worrying about people with static public IPv4 address
> assignments (assuming the same argument that a certificate isn’t
> realistic). That’s a small population. But is it really not possible to
> explore allowing “same IPv4 subnet” or “on-link IPv6 prefix”?
>

Let's consider two clients, one implementing "baseline DDR" and one that
relaxes validation as you've described.  They are on a v6-only network
whose DNS server has a public IP and is "on-link" according to some
criterion.  A DDR query tells the client to use a "far away" designated
resolver.

If the local DNS server is actually a forwarder, then it is arguably safe
to upgrade without certificate validation.  However, the client doesn't
know whether this server is a forwarder.  It might actually be a full
resolver.

Suppose there is an active attacker close to the "far away" designated
resolver.  The "baseline DDR" client enforces certificate validation, so it
detects this attacker and continues to use the local (full) resolver.  As a
result, the attacker (who is far away) cannot see or modify most/any of the
user's queries.  The "relaxed" client sends all their queries straight to
the attacker.

This seems like a much larger departure from the baseline DDR security
model than anything contemplated in this draft, so I would prefer not to
combine it.  However, this situation is important, and should be mentioned
in the draft.  I've added the following paragraph in the pull request [1]:

> IPv6-only networks whose default DNS server has a Global Unicast Address
are out of scope, even if this server is actually a simple forwarder.  If
the DNS server does not use a private IP address, it is not a "legacy DNS
forwarder" under this draft's definition.

[1] https://github.com/bemasc/ddr-forwarders/pull/3

v2.23.0 | Report a Bug | By Email