[Add] ECS privacy concerns, alternatives?
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 16 April 2019 21:31 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8019B120155 for <add@ietfa.amsl.com>; Tue, 16 Apr 2019 14:31:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1hP3j9V7LI5C for <add@ietfa.amsl.com>; Tue, 16 Apr 2019 14:31:42 -0700 (PDT)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAA82120112 for <add@ietf.org>; Tue, 16 Apr 2019 14:31:41 -0700 (PDT)
Received: by mail-qk1-x735.google.com with SMTP id c20so13119637qkc.10 for <add@ietf.org>; Tue, 16 Apr 2019 14:31:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=17ry2HpytYB8Xbc8y00DYcMw6w4ffVSFY33How1lCtQ=; b=jlthfLaftzlNQ+C94Yyi3YMybDE3te4U2L+HvxA65PNj+h2TaWiO/JavuGP0oASbqM lXpnCmPqD3GgZB8HPwC4dqiM1As1c3bElIcEa/oBpEL/+7QvA01NSClD96i4rweZpUVs IEgcmuT/mosA4iydtJV/LlPydtO5dQU0EiyIPCjvo8U9JzPsULYamO0Sr3/yCGgvqwW4 YtozulFk20l74+7dX6ofQ6Xn+aQCbh4W29HXTf7hP/wCcnRhEFByx1jwWVQCA1AXbd+4 QzJMQXha/W/bS+2bGT/xoNtoX5riJFqHR3iQha9u3OL4dZSyp73HPmYVlVacjxlUL0V5 2OZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=17ry2HpytYB8Xbc8y00DYcMw6w4ffVSFY33How1lCtQ=; b=eTbICqaSisI4cZl7lZJxAlA/ljrphe1x3Z+lnRr33GP8SdhkSajHmG9NTUQu8k09iQ 2jtJBLu9PjAxvEpaefkTvrAfefFL16Sl9N4EYl+Zzen9ya+QrshCIhrZm5rFNYYDCeR+ chIMWw7qfZBwU4dPkqMuQTt42nRhpS8L93ULCXneQxoJqAL1tBN8q7rNCthgWF7/F+U/ GHZf46LQ5GWbtMIGBF3caIVvlmuy55XxUlamwfFGx/juXeOivJhP0qMj4rKz5z6ZIFcC vQxulUnjBSzsnyPqPRuFkpguh54GDp5VM87qPSOC8OYFt9L/tLCS4ppcdt5TV6qOcUI0 TL8A==
X-Gm-Message-State: APjAAAXI9KZTbOpY+4TaEiLg5YGyyIX7Bgjx3/qpchuCIh+vXNMTeqnp pRnkGidtQPGehlzoe/2aeyKsJ8F6G/krKduJpHc=
X-Google-Smtp-Source: APXvYqzsJXT1ltRS5pasiiJyEecvtjdljSROEjJ9yKx8EvsY2nBi+o+dDlhnuqosrr843JLo5Z3zAnLmndU6E9UP9QA=
X-Received: by 2002:a37:dd8:: with SMTP id 207mr64765529qkn.278.1555450300924; Tue, 16 Apr 2019 14:31:40 -0700 (PDT)
MIME-Version: 1.0
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca> <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com> <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de> <994839978.18707.1554973716877@appsuite.open-xchange.com> <af5f5c76-0095-65a0-39d1-d29d4bb0e906@mozilla.com> <ybl36mn8b54.fsf@w7.hardakers.net> <f9d0cd98-db0c-7f42-d351-d9a5002c4765@mozilla.com> <21C5261E-9DE0-4CFD-A949-6E91DD0C2552@cable.comcast.com> <9FDAE487-6E98-4332-BB57-A626A02A6402@cable.comcast.com>
In-Reply-To: <9FDAE487-6E98-4332-BB57-A626A02A6402@cable.comcast.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 16 Apr 2019 14:31:28 -0700
Message-ID: <CAH1iCiqPqWCEmT0DSyzu-DRtna_p1SZXuiK15HHyTrjnX1iUaA@mail.gmail.com>
To: "Livingood, Jason" <Jason_Livingood@comcast.com>
Cc: Peter Saint-Andre <stpeter@mozilla.com>, "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a708f80586ac7e28"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/iBzJdcTBIIMEStavEEIwPHx-sIE>
Subject: [Add] ECS privacy concerns, alternatives?
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2019 21:31:44 -0000
On Tue, Apr 16, 2019 at 9:00 AM Livingood, Jason < Jason_Livingood@comcast.com> wrote: > And for ease of any replies, I have a separate question on CDN > localization via ECS. The 6th privacy requirement suggests that ECS cannot > be used unless there is encryption between the resolver and the > authoritative server, presumably via DoT. This suggests that the privacy > concern isn't that the network/geographic hint provided by ECS is > problematic in and of itself, but that it should not be observable along > the network path used in recursion. > > But if TRR-to-auth recursion is not available via DoT, I wonder what the > recommended mechanism is for providing a more privacy-protective > network-geographic hint to an authoritative server, in order for example > for a CDN to dynamically respond with a localized response. Maybe something > new needs to be standardized? What options do folks suggest? That's a great question. Apologies in advance for always providing long answers. :-) IMHO, the privacy issue is the IP portion, not the geo portion, of geo-ip. I may be oversimplifying the situation, but I believe the vast majority of authority DNS services (or proxy services in front of those) structure their internal representation of things as geo->answer mappings, and generally have some flavor of ip->geo mapping on their front-end(s). Those internal representations may be non-standard, but there are standards for geo representations for country and sub-country levels, e.g. ISO-3166, with 3166-1 being countries, and 3166-2 being sub-country 3-letter codes. I think there is sufficient anonymity in using these codes instead of ECS, which would remove the need to encrypt the resolver-auth transactions, and potentially offer other benefits to auth operators which as a consequence, would potentially improve both the quality of results (by standardizing the GEO codes, and placing the ip->geo accuracy responsibility onto the resolver). There are other ways to improve the whole ECS model by moving to GEO. For example, a query to an authority server with GEO might return not only an answer, but also a hint about the granularity at the specific GEO code. A query for e.g. CA-ON might return an answer for CA-0, indicating that no more-specific answers within CA are available, while a query for e.g. CA might return an answer for CA-1 (indicating that more-specific answers are available, hinting that the resolver might want to ask again). The GEO stuff could be treated analogous to QNAME minimization; ask for the next-more-specific answer IFF more-specifics are available. It would require the resolver to have its own IP->GEO mapping stuff, but has the benefit of getting consistent results across authority providers (always right or always wrong, and the resolver has both the ability and incentive to fix any IP-GEO mapping errors). It probably helps scaling on the cache side (resolver) and zone side (authority). Any authorities doing ECS probably already have the GEO->zone stuff and possibly even encode it that way; the incremental work in supporting an EDNS GEO would in those cases be negligible. Honestly, if GEO can get standardized and reach critical mass, I think it would be valuable on its own, even without the privacy aspects, and I think it would be nice to use it and to deprecate ECS, eventually. Brian.
- [Add] Mozilla's DoH resolver policy Paul Hoffman
- Re: [Add] Mozilla's DoH resolver policy nusenu
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] Mozilla's DoH resolver policy Martin Thomson
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Valentin Gosu
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Jim Reid
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Manabu Sonoda
- Re: [Add] Mozilla's DoH resolver policy Valentin Gosu
- Re: [Add] Mozilla's DoH resolver policy Ray Bellis
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Daniel Stenberg
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] Mozilla's DoH resolver policy Vladimír Čunát
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Vladimír Čunát
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy nusenu
- Re: [Add] [Ext] Mozilla's DoH resolver policy Paul Hoffman
- Re: [Add] [Ext] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] [Ext] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] [Ext] Mozilla's DoH resolver policy Brian Dickson
- Re: [Add] [Ext] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy Ted Hardie
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Ted Hardie
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Christian Huitema
- Re: [Add] Mozilla's DoH resolver policy Mark Andrews
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Livingood, Jason
- Re: [Add] Mozilla's DoH resolver policy Livingood, Jason
- Re: [Add] Mozilla's DoH resolver policy Salz, Rich
- Re: [Add] Mozilla's DoH resolver policy Ben Schwartz
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Mark Delany
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Mark Delany
- Re: [Add] Mozilla's DoH resolver policy Christian Huitema
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] Mozilla's DoH resolver policy Geoff Huston
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] ECS privacy concerns, alternatives? Erik Nygren
- Re: [Add] ECS privacy concerns, alternatives? Joe Abley
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Joe Abley
- Re: [Add] ECS privacy concerns, alternatives? Paul Hoffman
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] Mozilla's DoH resolver policy Hollenbeck, Scott
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] ECS privacy concerns, alternatives? Puneet Sood
- Re: [Add] ECS privacy concerns, alternatives? Erik Kline
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson