IETF Logo Mail Archive

Re: [Add] draft-arkko-abcd-distributed-resolver-selection

Ted Hardie <ted.ietf@gmail.com> Fri, 20 March 2020 21:24 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B14B53A0EA5 for <add@ietfa.amsl.com>; Fri, 20 Mar 2020 14:24:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b1j66SRb1Izq for <add@ietfa.amsl.com>; Fri, 20 Mar 2020 14:24:05 -0700 (PDT)
Received: from mail-oi1-x22d.google.com (mail-oi1-x22d.google.com [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F5813A0E9C for <add@ietf.org>; Fri, 20 Mar 2020 14:24:05 -0700 (PDT)
Received: by mail-oi1-x22d.google.com with SMTP id j5so8140402oij.1 for <add@ietf.org>; Fri, 20 Mar 2020 14:24:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JikgZzQHIfPXJV8CNH4mbvG6MrpPrYQ4lwSmz4NBPT0=; b=kMqpdslkipkYnWGRkEk1fDktcr/aMhsNZp0q8wFMa1dPd5pc19kHQgxKiWKHbapf8d QksefGISwpoMivOVx0gjHgxNILhYJl3Lh/borJsTSGBHa8P3LT8KtSfwQnLCiCeHgzPC lt+y1C6jZ5N5MNqWmJLPmHjHPC8eTq6Q76VTjVXCPxwPuR0bJYeN1Xn8C0gJxFOMSGa9 Lny9Wo4rIqgfhhNMDuA7TkvA+uMkRT+hqtGeNgmUBqC2k2cH9FFcV7chFgBCl+lT6NH4 evwdOGpONXo7lABM2ev2sbIjbvr4TAN/BzaXgst+WTeRm3Jo5WakLFGpmXJiH3aJeX0d H5uw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JikgZzQHIfPXJV8CNH4mbvG6MrpPrYQ4lwSmz4NBPT0=; b=QRNUNT7dKLZWcvxNZjsL7cOGau0mgD3UUl/faSvcSx2us7KWjygLP6XXxlp0dLxg7z mUQKkeXycHbDOrfHgTvmK4F5wJCG3+kNMvsJbmTuXDL3uDDB/7WNsie9qO1irnbUFB5p IHnmJV9hTW2dXCd9S1c24JkJ/R3fNNbC1TO8h2Bnsl8OR8vsUzmuqQLe5WUgi5YF86Tt AMkJiuudWnPoLoqx8BseEHdxmPrl6+vJ4F8aJn2cmsVya5Nsm0eQLq1KHmonv8h8B08a AsZJ/TYqfOnXNMuDMuY0NI3ghCEUguTDs4WosW0Qx1G8rVEK8UfHPHotPppltJrLBZcM XSZA==
X-Gm-Message-State: ANhLgQ140BmFQ8m2PLWzRQGgm6mEyu5wUj22G4wmziEd7ytdA+d1Se6I f1WP524qGtbwb6Iw09FA8FUQRXWbF2XGopabrmw=
X-Google-Smtp-Source: ADFU+vsO2kzKDHJ+EyYobRPwr9ud+pNDa9eyCAKsJdaBSVB10hOwcnj1Zr/iJbi4CXGCz4QT7EndT3k5Tdz9GpxnitQ=
X-Received: by 2002:aca:cc81:: with SMTP id c123mr8107931oig.74.1584739443664; Fri, 20 Mar 2020 14:24:03 -0700 (PDT)
MIME-Version: 1.0
References: <CA+9kkMDvX7e0WkRMmJtf33GwMQQ1rAGny87UwneA6znCom_85Q@mail.gmail.com> <CACJ6M17rjhta9rqFHAJ_JaugRiCR7xvAChww0uO912-NayQwEQ@mail.gmail.com>
In-Reply-To: <CACJ6M17rjhta9rqFHAJ_JaugRiCR7xvAChww0uO912-NayQwEQ@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Fri, 20 Mar 2020 14:23:37 -0700
Message-ID: <CA+9kkMBug-PfkJsQ2-cm5G-J+iynma2OJzYJ3AjM6Gpzg-fFkg@mail.gmail.com>
To: "Chris Box (BT)" <chris.box.ietf@gmail.com>
Cc: ADD Mailing list <add@ietf.org>, Jari Arkko <jari.arkko@piuha.net>, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/related; boundary="0000000000009afd4505a14fe7f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/kOPQoYls_OqOu1gn1qHSQqGoCUc>
Subject: Re: [Add] draft-arkko-abcd-distributed-resolver-selection
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 21:24:08 -0000

Hi Chris,

Thanks for the review.  Replies in-line.

On Fri, Mar 20, 2020 at 11:22 AM Chris Box (BT) <chris.box.ietf@gmail.com>
wrote:

> Ted, Jari, Martin,
>
> In preparation for the first presentation on Tuesday, I've had another
> look through your draft and it's raised some questions in my mind.
>
> Section 3 introduces the premise that the client selects a set of trusted
> resolvers, excluding all less trusted ones. It doesn’t really say this, but
> I think each resolver in the set needs to be operated by a different party,
> otherwise the activity seems to be pointless. Do you agree?
>
>
If you do, the premise implies the set must include at least one resolver
> NOT operated by the provider of the local network.
>

If you look at section 4.1, you'll see that one of the strategies is "to
distribute each different client to a different resolver."  If the client's
trusted set includes the local network resolver, it might well be
associated with that network.    Because this strategy is focused on the
aggregate distribution of DNS queries, there are a lot of cases where the
local network being trusted means the current association methods don't
actually change for some clients.


>
> We then get onto the problem briefly mentioned in section 6.2, namely
>    different resolvers might have different policies with
>    respect to blocking or filtering of queries that lead to clients
>    receiving inconsistent answers
>
>
If you put resolvers with different policies into the trusted set, that can
happen.  If the resolvers are transparent about their policies, this seems
less likely to happen, because you will put resolvers into the set only
when you are both confident of their privacy-preserving behavior and that
their policies match your desires.


> If I compare the above to the set of perspectives outlined in ICANN
> SAC109, my expectation is that the resulting net change in the ability to
> meet their needs is as follows:
>
> 4.1 (Parents):  Negative
> 4.2 (Enterprise Network Managers):  Negative
> 4.3 (Dissidents, Protesters and Others):  Positive
> 4.4 (Internet Service Providers):  Negative
>
> Would you agree with this assessment? Or have I missed something crucial?
>
>
I'm not familiar enough with SAC 109 to comment, so I'll leave that to
others.  My personal belief is that the ability to choose what resolvers
belong in the set is important enough that it should map to the client's
controller (which might be an individual, the parent of child, the
enterprise owner of an employee device).



> I'm normally optimistic so let's assume there is a way to mitigate the
> negatives. Let’s now focus on whether the impact to privacy is always
> positive. I think there is a case where it may be weaker than the status
> quo.
>
> Imagine a normal residential home. This one has five different wifi
> clients, with a single recursive resolver (A) outside the home, on the
> internet. This is shown below (apologies to anyone reading the plain text
> version).
>
> [image: Normal.png]
> Resolver A sees the merged traffic of all 5 clients, coming from a single
> IP address.
>
> With the client-based selection mode (section 4.1), and two resolvers
> chosen (A and B), those resolvers can learn more data about the specific
> clients:
> [image: With two resolvers.png]
> Of course A can individually separate clients 1, 3 and 5, because even
> though they share an IP address, they've all set up separate TLS sessions.
>
>
I find your graphic a bit confusing, because you are not treating the stub
resolver in the home router as if it were a part of the calculus here.  If
I understand things correctly, if those clients were actively choosing to
use a resolver here (rather than taking one by association), they would be
choosing the home router, rather than A (let's call the home router
resolver H).  They presumably believe H has policies that match the ones
they prefer; A is opaque to them.  But H sees the traffic of all five
clients; that's the common trade-off there.



> Is this is a legitimate privacy issue?
>
>
As I said, there are trade-offs here.  In any case where your query traffic
goes to a recursive resolver, the number of clients sharing that resolver
increases the anonymity set for traffic analyzed upstream of that
resolver.  In your first example, because your A is upstream of H, H's
clients get an anonymity set size of 5 with respect to A.  In your example
two, for traffic analyzed upstream of A or B, the anonymity set size is
likely to be much higher, but the tradeoff is that that A (or B) has a more
direct view of a larger number of clients.


> I would be grateful for your thoughts, either on the list or during the
> presentation on Tuesday. And if anyone on the list has a view, particularly
> if there is a way to modify the text such that negative impacts can be
> reduced, that would be most valuable.
>
>
thanks again for the review,

Ted



> Thanks,
> Chris
>
>
>
> On Tue, 25 Feb 2020 at 18:01, Ted Hardie <ted.ietf@gmail.com> wrote:
>
>> Howdy,
>>
>> Jari, Martin, and I put together
>> draft-arkko-abcd-distributed-resolver-selection
>> <https://datatracker.ietf.org/doc/draft-arkko-abcd-distributed-resolver-selection/?include_text=1> to
>> start a discussion on whether DNS clients can improve their privacy through
>> the use of a set of multiple recursive resolver services.  We think it
>> might be in scope for ADD, since the charter says the group "will focus on
>> discovery and selection of DNS resolvers" and this discusses the impact of
>> selecting more than one.
>>
>> Do the chairs and the working group agree?  If so, can we ask for agenda
>> time at IETF 107 to present?
>>
>> thanks,
>>
>> Ted
>> --
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
>>
>

v2.23.0 | Report a Bug | By Email