IETF Logo Mail Archive

Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

tirumal reddy <kondtir@gmail.com> Wed, 01 July 2020 06:34 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 738193A084F for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 23:34:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.096
X-Spam-Level:
X-Spam-Status: No, score=-1.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V8wP5x0QCAnH for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 23:34:57 -0700 (PDT)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A4E83A085B for <add@ietf.org>; Tue, 30 Jun 2020 23:34:43 -0700 (PDT)
Received: by mail-il1-x12a.google.com with SMTP id q3so9362217ilt.8 for <add@ietf.org>; Tue, 30 Jun 2020 23:34:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mYixJ3o+GgBJcpOmoVgV7hXviwuq77RQZQqAqEggmsk=; b=SEB75roiN+crfm+Ih7IkYrysQSr+8nOWO7Cvht3lSwTf5QpUNhUkaCq+lR2WgAU5/w cSpooJFOXSG+ODL8Q3eg+2PqRErSfCU1mb4Ph1obtbvuk7H3x4XkIZDH36touUfMTZWF nPNMi0rJgcE9GpfpFVSb778jLzeLKMvRfMpSrP1JyJZ8eoifY/5wYAbqUM6+fRRPVDcm ZiT2HWs1knxPmpvh4OIEOzq9X63bjWqAOgX6CuCF1wdiK/HCttrx8AO41leaNhMTN9ga /Pj3wnqOD1uFm0lQUP6xbeGa/BJK67iXub89VH2N5Fqo+OwEd3C0TUHBJL+gOBQG3/Ij tlOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mYixJ3o+GgBJcpOmoVgV7hXviwuq77RQZQqAqEggmsk=; b=sYmlqTbLsACjg6oKmcRWB7CgY67utw5zDYSzJIKgFb6UroGLTVakPfyoK3RGt3jqoJ 2iaHddjF0RQ7Esdos6ydNlMwuobaBRW6fkpq77/dU1zwrONkdYgz9q2h7vRe3F94JMAm p1iCU66rm/HmBJrczq5LU1TeL42qh/uCf0f2wBxoakIa+fcttAaUyoOMqNv0kgpGA+zX cVWFQjBxWnG4Q9BZxRB/vAAfJpi9+V4LBNwnrvsbytyxERNm7cE6P+//wPpJrQSgOUpp YpkuodAs/83GG/pXs03YQp9edIjavKC5GEnJ8M3osp9w6Rd/S+lcTzqyB1gafYRYq8OU srmw==
X-Gm-Message-State: AOAM531dPqMcMk4Obh6MhU+3EZMaZBQn68yt38gv0yrEZwdHSDo4y8QG kztA1BSPi1BoeO+gdWteDFPrzOD0DPCoVDpyEAxt3NGdry2bWA==
X-Google-Smtp-Source: ABdhPJx/wfaCHFx098GgRR1dlqiS3nMfw2ZjnrdPWYS8qYRk7T1CIP/0T6lDkmark37nSvq47Bri5a8p/wyLzjnU4NY=
X-Received: by 2002:a92:c530:: with SMTP id m16mr6600157ili.300.1593585282643; Tue, 30 Jun 2020 23:34:42 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <bd78f54e-038d-9cff-b6a8-c9c6323ed5f5@redbarn.org> <668384b7-90f5-4ff1-b9e2-d0257aee731d@www.fastmail.com> <3421779.8U4dVgcHlH@linux-9daj> <CABcZeBP8okFjJZk6+PYnTRqDi+KW+=4eT9niRZKkQ00THgL81g@mail.gmail.com> <CAFpG3gdn5JLf7wFpF2ZOVpGzDF9=y4RXsdZbztTJP8y71v80oA@mail.gmail.com> <CABcZeBMG9P8wpK8PAH_fQkdC_N7xrqoOewpYO1dw4GSwBQEBqw@mail.gmail.com>
In-Reply-To: <CABcZeBMG9P8wpK8PAH_fQkdC_N7xrqoOewpYO1dw4GSwBQEBqw@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 01 Jul 2020 12:04:31 +0530
Message-ID: <CAFpG3gdkg0uLHSTa1DDxWDtBSnaePRDHHvwmRWBCBDVT+TPiPQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Vixie <paul@redbarn.org>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b0fe0305a95b7cd7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/iAFw7fR9dgPzNBVT0dubfO8zBM4>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 06:35:00 -0000

On Tue, 30 Jun 2020 at 21:30, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Tue, Jun 30, 2020 at 6:44 AM tirumal reddy <kondtir@gmail.com> wrote:
>
>>
>>
>> On Tue, 30 Jun 2020 at 18:28, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>>
>>>
>>> On Tue, Jun 30, 2020 at 2:19 AM Paul Vixie <paul@redbarn.org> wrote:
>>>
>>>> On Tuesday, 30 June 2020 09:07:43 UTC Martin Thomson wrote:
>>>> > Hi Paul,
>>>> >
>>>> > On Tue, Jun 30, 2020, at 17:51, Paul Vixie wrote:
>>>> > > Eric Rescorla wrote on 2020-06-29 20:08:
>>>> > > > On Mon, Jun 29, 2020 at 8:05 PM Daniel Migault <
>>>> mglt.ietf@gmail.com
>>>> > > >
>>>> > > > <mailto:mglt.ietf@gmail.com>> wrote:
>>>> > > >     If the lookup takes as input the IP addresses or something
>>>> provided
>>>> > > >     by the ISP (like the local resolver IP address), the
>>>> resulting chain
>>>> > > >     is likely to be from the ISP. DNSSEC is needed to assert it.
>>>> > > >
>>>> > > > Why do you assume that the IP is delivered securely?
>>>> > >
>>>> > > because dnssec allows me to verify end-to-end authenticity of
>>>> > > name/address bindings (and other dns content.)
>>>> >
>>>> > DNSSEC allows you to be sure of the veracity of what comes from
>>>> DNSSEC, but
>>>> > in this case the IP address didn't come from DNSSEC.  It's not DNS
>>>> content.
>>>>
>>>> i have badly misunderstood.
>>>>
>>>> the way i know that the ip address provided by the isp was delivered
>>>> securely
>>>> today is because off-net DHCP forgery is hard,
>>>
>>>
>>> Let's start here:
>>> I agree that off-net DHCP forgery is hard. However, once you assume that
>>> you are off-path, then Do53 interception is *also* hard. So for this to be
>>> useful you need an environment in which the attacker is able to attack Do53
>>> but *not* to attack DHCP. What I'm asking for is for someone to define that
>>> threat model precisely so that we can design protocols that match it.
>>>
>>
>> The various possible attacks in a home network are discussed in
>> https://tools.ietf.org/html/draft-btw-add-home-06#section-9
>>
>
> As far as I can tell, what this text says is that authenticating the
> server based on information received in DHCP is not useful.
>

No, the draft discusses new DHCP/RA options to convey the DoH/DoT server
domain name. Section 9 discusses several attacks and mitigations the
endpoint can use to defend from an on-path attacker modifying the DHCP
response.

(1) Attacker modifying the DHCP response to point to the DoH/DoT server
hosted by the attacker.
(2) Attacker modifying the DHCP response to point to a public DoH server
not capable of filtering malware when the local resolver provides malware
filtering capability.

-Tiru


> -Ekr
>

v2.23.0 | Report a Bug | By Email