Re: [Add] ECS privacy concerns, alternatives?
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 16 April 2019 23:53 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 817861200EC for <add@ietfa.amsl.com>; Tue, 16 Apr 2019 16:53:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zq0AbWZ3wSy3 for <add@ietfa.amsl.com>; Tue, 16 Apr 2019 16:53:32 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F28EA1200B4 for <add@ietf.org>; Tue, 16 Apr 2019 16:53:31 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id t28so25451979qte.6 for <add@ietf.org>; Tue, 16 Apr 2019 16:53:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YrJMeNIkm6R3GbvsWuuk56neANb2OZbd6UP9eXUTm/c=; b=sKYkxsQmyo9UqqzZyjB/S7VyYLA3ZTr2UMKEGGCAdhBShSox9ugsx8chsB1t/P76mD 64HVzBuRfCDYS8qzF+aor0mmGwwB4Ab+zYXPUBhCXW4wBF3PoybPpBeIQQvuIzCYd8ve 1LbH4TqSUZURAQKTBEm0oJiaUGUsD2k27xI+BtCgfsah55gzFs25Gc8DDeEn6dGRCUL4 XeL2Sf01YHigS838qzbgWkFP996f2XKQx9fFnWKofIs9BItsxveh+NKxA3OU2SVkHHIR W2YMVlKpH2obIAbskmwYPvjd+tYNutx06oBhp8inRaNsvQczsooDV1yU4ziaZTdQEJSs /phw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YrJMeNIkm6R3GbvsWuuk56neANb2OZbd6UP9eXUTm/c=; b=tLX2jrfvBC6RRgeh3hpuCV5TXjCm0jLZsmcycdw2rfFXA+f6+V83VFF8YnY5Ic6LSs UMK8MRZzLdEmNe55hDqQxc2tnyD2xFzjZrVLHIQkekQtJGlMErhmfZ7ihQ8Q1qNZbU0W /gaojr5Nv7gzDE353Gvzp4vOO8KpcDAMbE1KRRa/9X0knIHYO53xL+Wu0fVwHPgO47sx UNTpfje6g6CDspQusuKxnrVBGjh3X6RcyzAHNiz2M6x399nilu6OKZIaFoNoi0BYm+4n 2rqGDwPYl6HMJe+OWhYHXnYSsjbAW2mLy5RziY9v/0AJJGDH9M3Z71tgoLWHejJaw776 dCog==
X-Gm-Message-State: APjAAAXZ9T42Qd4RYmHnydmZy/QROq8ZXqtjfw9l+uQIIjG6NwNTcgoG G2GXL7AJY8OQewD/r1iQzflv+pEfbO3M+3giA1xA4CK8
X-Google-Smtp-Source: APXvYqztpO5qFwLlfxP5SbgCN0+8G3JgRr+QoKTl0y0792Mi1k+6p53IGs6hq8ZrDJ4ANU+CycMJM30wox3ZNrhh23I=
X-Received: by 2002:ac8:1a34:: with SMTP id v49mr68138552qtj.236.1555458809081; Tue, 16 Apr 2019 16:53:29 -0700 (PDT)
MIME-Version: 1.0
References: <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de> <994839978.18707.1554973716877@appsuite.open-xchange.com> <af5f5c76-0095-65a0-39d1-d29d4bb0e906@mozilla.com> <ybl36mn8b54.fsf@w7.hardakers.net> <f9d0cd98-db0c-7f42-d351-d9a5002c4765@mozilla.com> <21C5261E-9DE0-4CFD-A949-6E91DD0C2552@cable.comcast.com> <9FDAE487-6E98-4332-BB57-A626A02A6402@cable.comcast.com> <CAH1iCiqPqWCEmT0DSyzu-DRtna_p1SZXuiK15HHyTrjnX1iUaA@mail.gmail.com> <20190416215849.59653.qmail@f3-external.bushwire.net> <CAH1iCirZRDBAvVoyYa9MqsGaciO=vTbgstVOVRpN=En6+KqxcA@mail.gmail.com> <20190416231016.60303.qmail@f3-external.bushwire.net>
In-Reply-To: <20190416231016.60303.qmail@f3-external.bushwire.net>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 16 Apr 2019 16:53:17 -0700
Message-ID: <CAH1iCirZd_z5gpP-Yjsut-JCbjqt=Za6hW0bRpFfOFNYBqaKYA@mail.gmail.com>
To: Mark Delany <h4m@mike.emu.st>
Cc: add@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c7332d0586ae799a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/mlmYeFfocyMG-cMukS0HLjEFBSg>
Subject: Re: [Add] ECS privacy concerns, alternatives?
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2019 23:53:35 -0000
On Tue, Apr 16, 2019 at 4:10 PM Mark Delany <h4m@mike.emu.st> wrote: > On 16Apr19, Brian Dickson allegedly wrote: > > > That's why I indicated that by "geo", I meant OPTIONALLY more > fine-grained > > than country-level: > > > > >country and sub-country levels, e.g. ISO-3166, with 3166-1 being > > countries, and 3166-2 being sub-country 3-letter codes. > > I hope I'm not mis-understanding you, but no level of fine-grained GEO > provides suitable input for topology-based solvers. I want to know > which networks you are connected to and even a high-precision lat/long > doesn't tell me that. Your /24 does. > Yes, I understand. For you, ECS works fine, and GEO doesn't. So, continue to use ECS, and don't use GEO. I don't understand why that would be a problem, unless resolver operators choose not to continue to send ECS. They might make that decision based on the requirements to encrypt if ECS is used. Or, they may decide doing ECS is worth the encryption cost, and encrypt and use ECS. (Those issues would be something for you to take up with them, IMHO.) Other auth servers might make different decisions on ECS, for whatever reason. Those other auth folks might not want to encrypt, and may want to use GEO. For them, that may be good enough. Them doing GEO doesn't impact you doing ECS, unless I'm missing something obvious. GEO might not be as good as ECS, but there are plenty of cases where the difference is moot. E.g. if the zone owner (!= auth operator) has services in only a few places, and they don't benefit from any granularity improvement. > > > I'm pretty sure we are not in a one-size-fits-all world here. > > For sure, but fine-grained GEO raises more questions. What if you want > to send sub-country codes to trusted auths to get better resolution > but only country codes to less trusted auths to get better > privacy. How is that provisioned in end-user equipment and kept > current? > Don't know, don't particularly care, honestly. I would expect that to be something managed on a per-auth-provider basis, or maybe negotiated somehow? What does "trusted" mean, privacy or something else? > > > The other thing is that auths can play discovery tricks to correlate > queries with client IPs anyway. E.g. issue nonce IPs with very short > TTLs then watch for inbound connections. (Finally a killer app for > IPv6!). So I think we want to be crystal clear about what privacy risk > we think is being solved and whether it's lulling people into a false > sense of security or not. > I think that would imply cooperation between auths and those seeking to defeat the privacy of Do*. I don't think anything done resolver-auth has the ability to impact that cooperation, if it exists. I.e. if an auth does that nonce trick, it doesn't matter whether the resolver encrypts the connection, it doesn't matter whether ECS is used or GEO is used. The client's association is discovered on the data connection established based on the DNS answer. Maybe the resolver can implement counter-measures on behalf of clients, maybe not. But the issues is invariant over encrypted/clear or ECS or GEO, as far as I can tell. In fact, I'd argue the granularity aspect of GEO may provide better "cover" to clients, since the recursive could do any number of things for low TTLs that compensate. I'm not condoning any particular countermeasure, only suggesting that the existence of countermeasures which align better and scale better with GEO, could be more effective. Examples might be, requerying and keeping a variety of answer sets, and serving them randomly, i.e. a combination of "hammer" and "serve-stale". Privacy, like security is hard. Trying to mesh efficient/accurate results with privacy is also hard, and may require re-thinking solutions. There may be some need to trade off efficiency with privacy, or to consider other means of approaching the solution space for efficiency (with respect to topology). E.g. maybe instead of GEO, using ASN based mechanisms, which better reflect topology, while offering some degree of privacy. Clearly there is non-uniformity, since some ASNs have very few prefixes which are small, and others have lots of large prefixes. Thoughts on this? Brian
- [Add] Mozilla's DoH resolver policy Paul Hoffman
- Re: [Add] Mozilla's DoH resolver policy nusenu
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] Mozilla's DoH resolver policy Martin Thomson
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Valentin Gosu
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Jim Reid
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Manabu Sonoda
- Re: [Add] Mozilla's DoH resolver policy Valentin Gosu
- Re: [Add] Mozilla's DoH resolver policy Ray Bellis
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Daniel Stenberg
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] Mozilla's DoH resolver policy Vladimír Čunát
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Vladimír Čunát
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy nusenu
- Re: [Add] [Ext] Mozilla's DoH resolver policy Paul Hoffman
- Re: [Add] [Ext] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] [Ext] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] [Ext] Mozilla's DoH resolver policy Brian Dickson
- Re: [Add] [Ext] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy Ted Hardie
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Ted Hardie
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Christian Huitema
- Re: [Add] Mozilla's DoH resolver policy Mark Andrews
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Livingood, Jason
- Re: [Add] Mozilla's DoH resolver policy Livingood, Jason
- Re: [Add] Mozilla's DoH resolver policy Salz, Rich
- Re: [Add] Mozilla's DoH resolver policy Ben Schwartz
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Mark Delany
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Mark Delany
- Re: [Add] Mozilla's DoH resolver policy Christian Huitema
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] Mozilla's DoH resolver policy Geoff Huston
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] ECS privacy concerns, alternatives? Erik Nygren
- Re: [Add] ECS privacy concerns, alternatives? Joe Abley
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Joe Abley
- Re: [Add] ECS privacy concerns, alternatives? Paul Hoffman
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] Mozilla's DoH resolver policy Hollenbeck, Scott
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] ECS privacy concerns, alternatives? Puneet Sood
- Re: [Add] ECS privacy concerns, alternatives? Erik Kline
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson