Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11
Tommy Jensen <Jensen.Thomas@microsoft.com> Wed, 07 July 2021 16:46 UTC
Return-Path: <Jensen.Thomas@microsoft.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B76C23A1E9D for <add@ietfa.amsl.com>; Wed, 7 Jul 2021 09:46:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.298
X-Spam-Level:
X-Spam-Status: No, score=-2.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.198, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lq00WkuD9uY9 for <add@ietfa.amsl.com>; Wed, 7 Jul 2021 09:46:06 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650099.outbound.protection.outlook.com [40.107.65.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5DB63A1E9B for <add@ietf.org>; Wed, 7 Jul 2021 09:46:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EdxGa/Dj4hQAfQhld8pmsRsyJ4xVC/TrW/qJGaukGcYT1WSxJO/N57LBhuqW8SLPOEBPp/Vv1EtEvWr7/0XbjAqZgogrXWGHJIjSSWZwn/oaD6DI20YFGB4eP3XNFaWRRAIeWl2CFB1gYR7C7ab6Ipn0X+L0gZoZRkrDNRyR3ev++4g+N6g9rCeVTGUfPV3eeMdqvgs2NdP4G58Ifdj0ImenCmJrPK3X8fKWX28qY2pWXiRUUOIPD9hZGdKHfYC5r4hdi6C2wET+yiO3YLuDVz19ZKWTnD49I+M0HtgYmAhc0kiDA5TEIk/G6qPg4XUP52O14EYW830MNuLufAokrQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P2MaMHrvkxxXJtlPmlvNBE44B/jcruUIGA+Qj5jyPRQ=; b=YVarWn3vS9+hU2y2s+/y4LqzV8GxIhevmYNLCAlgWKSlpWsCDkFjaPf99HXzEq7XJA416ghCfuJWip2+grluVRXFJ6BbPC+5CJDMAtyqSU4yntwfcyVBgOnRjWHu4231szFhVNf4dGg/mskD8RE3BIhwOo3ZaoNz5He4wgX8GEdPaBg6DPrusEx2OJQAuxRM8HbTxbzyOzIaTUuGI99by2UAb4iEGKdtMCDBZFsyltLp1Rz6y5g9R9RxrkH9Qt6Usl5ps90qOHhImAwFNscSUIE8LjMk01K/INmRUIm8jwaWexNq5tpekY0sQtO87XZ55BGtiwODJXy/SFMOB3OYyA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P2MaMHrvkxxXJtlPmlvNBE44B/jcruUIGA+Qj5jyPRQ=; b=SiCVz6wzjotxAk3oXX5t33reGePGDZb6gkdKxmnAvi/DmYeLLVahCUkr7/5/xgukr//tQOA+zJko7KH1GFYaVQVSGWBawdIRgTaaKW7eVakV5TWR5v24oRbqkRUfvRdx1MFwFqJeBJYIa+vCv8JYBuP4PxZwd38/tTJrQj7CgRI=
Received: from MW2PR00MB0347.namprd00.prod.outlook.com (52.132.148.146) by MW4PR00MB1164.namprd00.prod.outlook.com (20.183.238.106) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4349.0; Wed, 7 Jul 2021 16:45:59 +0000
Received: from MW2PR00MB0347.namprd00.prod.outlook.com ([fe80::cd3b:c241:47a:4094]) by MW2PR00MB0347.namprd00.prod.outlook.com ([fe80::cd3b:c241:47a:4094%9]) with mapi id 15.20.4349.000; Wed, 7 Jul 2021 16:45:59 +0000
From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: "ekr@rtfm.com" <ekr@rtfm.com>, "add@ietf.org" <add@ietf.org>
Thread-Topic: [EXTERNAL] [Add] Private IPs, DDR, and PR#11
Thread-Index: AQHXbscG1WMnTC9wzUy8K527Hpo9dKs3vRVg
Date: Wed, 07 Jul 2021 16:45:59 +0000
Message-ID: <MW2PR00MB03470E2B9FB76B4BB2E2CDD7FA1A9@MW2PR00MB0347.namprd00.prod.outlook.com>
References: <CABcZeBOf2C9dSoYr2w6tEOLkpL_pBu5EhBh3HJWKf+iyAfafKg@mail.gmail.com>
In-Reply-To: <CABcZeBOf2C9dSoYr2w6tEOLkpL_pBu5EhBh3HJWKf+iyAfafKg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2021-07-07T16:38:03Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=52b6bc0a-99b2-41b4-86b2-f98fe89fdf5a; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: rtfm.com; dkim=none (message not signed) header.d=none;rtfm.com; dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2991e32b-7e28-4340-e045-08d94166b309
x-ms-traffictypediagnostic: MW4PR00MB1164:
x-microsoft-antispam-prvs: <MW4PR00MB1164EE4A86FC975EBBF40861FA1A9@MW4PR00MB1164.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: jBiRrt5XOdtFEsDuy52shVIxDgX5XFTSEfNpxAB/DVqbaDyLYeLmyMXwhIdu/xWv0Gw4KtKC1pBZffW/xpCe1iMQn/h8j/cIA7XIdKX68gZzhVEimy8n5jm7URK2X1TAFvwqCFhThDm/VU6tVjvoX04RgHG5ryqI6tBDotVqz4SxWQGPsGhIO+rLyPFuV+LDmC7ClO3PfXN825cqvddTld1nKZTFQgSlA5V7V5iRcBsmqglaQP1RDwVFOr0j83BcGjGUsYDHeZz/myrxzb9EQbNl1LdNifGD9kd4Jz+7Log58Np/PoRYbroCTUY//9F4BPs18ImDmi+Nw2CRsQeH3Lh/tqNxLRq+LTLqLUiOClX3LvvqxURhex8Wa0R/2WriDOhU1XG3k2CeIBJKvMUwab6uRN7xM2EDGVbqkNd8VS1El1JrJg6oDMW6NKNDmaAcatQqdCzVeeovsKIsvLRLxSrzW1Lb/dH9mPr66pmVOZsPQBshm8yh5oE5I40bW/9EARjbaxkJhntLPcCJZ9FbhMpyaKeXhBjeoz28y+cf+HQ0Eix9KdX+OcXe+dKzcRVuVsXwiI0iAUhiQtquzIeT63xFky4LRkobHDbVTKVMNhnffCcW1t+82ujlLQvtgsvAZKS5ZHL8kWN7KgHW9rOonQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MW2PR00MB0347.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(83380400001)(38100700002)(86362001)(71200400001)(82960400001)(82950400001)(122000001)(10290500003)(186003)(110136005)(5660300002)(33656002)(8990500004)(2906002)(478600001)(8936002)(8676002)(55016002)(9686003)(26005)(52536014)(53546011)(7696005)(6506007)(316002)(66556008)(66476007)(66946007)(76116006)(64756008)(66446008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: OQt/xwsFcmuNMKI3TnZ/nmJnN8+JKS7K8kwucSqaWJR3tRJ5f8z1p6TcqrjF6CYudt20z/FQWPZ1EDgaM0FdyMVj/utVzPa8BsubnsovR08rG0FWoAuPQAB28QkYBo/zPTgLetS+57iAdGVj6B6JoBg5mXZwqABS/y/Ii2zXjeoNzDHe3L7MHV/rOUcFi9U7x5+y8RLrwDSKvbaRd5CuMWnPacbW+OPs0++q3Xg6EJflWqKH1xH72JSsvL4K/D4m2SlnKlyXdT8Cpcyu0JIpXi7f71LcYWt38GgfxTQCtXxSHqoL/d6M/zGnZzfw3HTDPGCZqLAQblcJUinKuwEMvurd5rvXoyQRYnr+kozfb//cdBp+AZUA9ZnGnuMGsW7AZIY1cegyUTC/hk+qbpnmqLOG3ksEK10Ns1xA3+3ARBLB5cPagys6meVCJbjKi+Gsispr//OLJL9GM+3qbOsH+vhwHnIyOcjLtw1wI37jKWD++sgxwUV6Bpe/vDIY7C2tvZwRa48VmVuC39ucOeCNm8smZ8CEuvZVmgw9TtUcBhdZdRW6lGaULlSbWUG0ID2IixnXATNrW2DNm4UFNHgQztSzkWXM8u9WXL3xRq3RM+zd0Lynoizn5VGwt2Z2Z6eDP+cTu2HsrgTUL7FSDpUp/VS7EcNG3GLNAcyQZyCvWtX06nHT7dhP7mvZzetVOX+wIkbV1lGPISNZ/+PPqTFmQONq8iHROZbAls0F+KoH6Znj2fMSGY6VfNA7e9/iYMND3saF7gPULhBlbN1UbyWoKvc4zI60TR1cSR6QJEGiUnTNyDPs+dwAl4niVMrvlyR0kW6A8pNmWYp8vUym2zYgZMS2lIBFWm7cbNWmSvLmJyNSvymwSTZLOlVUqFZCx6g/fKcnrjN1+HdyBi5/Kq5orZ0bRZyiSiRk3jSh9aUpe/UcudJlE0+Miwwk/mAgmaDI7UibtsWOCR260s+k88DJk6+9UHQk+YI9A6nDu8nrsWu7pj3qhhBuX8BqnZhV4gDKqDzmsXmDPN7HXwV/RoSWsaTN+CV7RQATd3sHvUrYT05wJQDEurjC6svuDhZCXgnSzjpRMsicJtF9j6LuDJ9ECdBAXbYxfVphV81KarjSfZARwNGWZbihmn51zQvAlcVXinYWMM3U0H8h17P8iYI7euM/llX7/AD+NjBLRySV1pZR2PseWEutggsbj4xcuzTGYyM7pOm02Op2ZPzexJh5AbTsKz70xf90sl6A4eG9lTMAaepinck0VcGOFCWCkSSjjOm1BXAF1YUc3L67FR+N0OKmteEeBHijhKOZWKau0/Wiu0Yii9pZ3GWQ5WtrKrOP
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MW2PR00MB03470E2B9FB76B4BB2E2CDD7FA1A9MW2PR00MB0347namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW2PR00MB0347.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2991e32b-7e28-4340-e045-08d94166b309
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jul 2021 16:45:59.3985 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Lh69/YD2RfNAUN8H8BPGy5xXYjW9CBBpAFgvBYGKGaFLguQw0lwGkgibJZoU4qf3tOK3F751OOHwWuaT7gbLWA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR00MB1164
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/nAE97GGF4H29MBCpnXC7PdDDSn0>
Subject: Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2021 16:46:11 -0000
> Are there an appreciable number of networks with these properties? If so, can we write down where that happens and put it in Security Considerations? If not, we should consider removing this mode. Just my 0.02: I would support removing this whether in PR#11 or DDR as it stands. The reason we added this “same IP is allowed without verification” mechanism was in response to WG feedback that expecting ecosystem members to accomplish this on our own was unreasonable (the authors originally said “we leave that to DoT knocking which is already suggested in RFC7858”). I see Michael already commented on this; it would be useful to hear more WG commentary on this point. I was under the impression that there is some subset of network operators who found that useful. If not, we should revisit. Thanks, Tommy From: Add <add-bounces@ietf.org> On Behalf Of Eric Rescorla Sent: Thursday, July 1, 2021 3:18 PM To: ADD Mailing list <add@ietf.org> Subject: [EXTERNAL] [Add] Private IPs, DDR, and PR#11 I've been spending some time thinking about PR#11 and trying to figure out the threat model where it brings value. This message is an attempt to get to a better understanding. As should be clear, I'm a little confused, so if people want to tell me why I'm wrong, that would be helpful. First, let's start with what I take to be the network topology: ISP Resolver 192.0.2.1 | | <- ISP Network | 192.0.2.100 CPE/DNS Proxy 10.0.0.1 | | <- Home network | 10.0.0.100 Users device We have the ISP's resolver with a public address of 192.0.2.1. The user has some sort of CPE with an external address of 192.0.2.100 and an internal address of 10.0.0.1. The user's device has an IP of 10.0.0.100. When the user's device does DHCP, it gets the address 10.0.0.1 for its resolver, presumably because the CPE intends to proxy or cache DNS, otherwise it could just serve the ISP's resolver address (192.0.2.1) in DHCP. The general assumption for the DDR threat model so far is that: 1. The user's device gets the address of its resolver securely (presumably because DHCP is secure in some way). If that's not true, then I think we can agree that DDR does not provide much additional security benefit because the attacker can just substitute their own resolver [0]. 2. Either the home network or the ISP network is insecure, otherwise you don't need DoX. OPPORTUNISTIC MODE So, first, its not entirely clear to me what the Opportunistic mode of S 4.2 provides. In this scenario, presumably the client will be doing TLS to the CPE (because otherwise the IP address would be the resolver's public address), which means that we are concerned with the attacker controlling the home network. So, in this scenario, we are only getting value if you have a network in which: 1. The attacker can *see* traffic not destined for their IP address (otherwise there's not much point in encrypting). 2. The attacker cannot forge traffic from another IP address (otherwise they can just impersonate the CPE because there is no certificate). Are there an appreciable number of networks with these properties? If so, can we write down where that happens and put it in Security Considerations? If not, we should consider removing this mode. PR #11 The idea with PR#11 seems to be to bootstrap up from a local IP address issued via DHCP to some other address. PR#11 doesn't do that great a job of describing the setting, but I'm assuming the scenario is that we want to start from a situation in which we have a CPE-based proxy and move to a situation in which the user's device talks directly to the ISP resolver. Otherwise, presumably, we could just make do with the mode in S 4.2. Is this right or am I missing something? And the reason we're not just vending the ISP's resolver directly via DHCP is that the CPE isn't upgradeable or potentially under the user's control and not the network's? So, first, what threat model are we concerned with: 1. If it's control of the home network, then why can't the attacker block the _SVCB record between the user and the CPE stopping them from upgrading? 2. If it's control of the link to the ISP, then why can't the attacker just block the resolution of the _SCVB record between the CPE and the ISP's resolver? Maybe the CPE is using DoX, but we're trying to protect against *future* compromise of the user's network? Can we get this documented before we start designing mechanisms? That would also help understand the effectiveness of the 5 minute timeout. Finally, assuming I've understood things correctly, reaching through the CPE in this way seems like it has the potential to bypass any CPE-specific filtering that the user has has installed. Suppose I have some CPE that uses the ISP DNS but filters out certain names; if the ISP posts a _SVCB record that directs me to their resolver, doesn't that cause that filtering not to work? -Ekr [0] Modulo cdisco-style steering where the address is matched up against a trusted list.
- [Add] Private IPs, DDR, and PR#11 Eric Rescorla
- Re: [Add] Private IPs, DDR, and PR#11 Michael Richardson
- Re: [Add] Private IPs, DDR, and PR#11 Ben Schwartz
- Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11 Tommy Jensen
- Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11 Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11 Ben Schwartz
- Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11 STARK, BARBARA H
- Re: [Add] Private IPs, DDR, and PR#11 Eric Rescorla
- Re: [Add] Private IPs, DDR, and PR#11 Ben Schwartz
- Re: [Add] Private IPs, DDR, and PR#11 Andrew Campling
- Re: [Add] Private IPs, DDR, and PR#11 Eric Rescorla
- Re: [Add] Private IPs, DDR, and PR#11 Ben Schwartz
- Re: [Add] [EXTERNAL] Re: Private IPs, DDR, and PR… Tommy Jensen
- Re: [Add] Private IPs, DDR, and PR#11 Eric Rescorla