Re: [Add] Private IPs, DDR, and PR#11

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 04 July 2021 18:42 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eric Rescorla <ekr@rtfm.com>, ADD Mailing list <add@ietf.org>
In-Reply-To: <CABcZeBOf2C9dSoYr2w6tEOLkpL_pBu5EhBh3HJWKf+iyAfafKg@mail.gmail.com>
References: <CABcZeBOf2C9dSoYr2w6tEOLkpL_pBu5EhBh3HJWKf+iyAfafKg@mail.gmail.com>
Date: Sun, 04 Jul 2021 14:42:19 -0400
Message-ID: <14140.1625424139@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/ojcX_ZCTfXzRMALw-_q8KSkAJ7k>

Eric Rescorla <ekr@rtfm.com> wrote:
    > I've been spending some time thinking about PR#11 and trying
    > to figure out the threat model where it brings value. This
    > message is an attempt to get to a better understanding. As
    > should be clear, I'm a little confused, so if people want
    > to tell me why I'm wrong, that would be helpful.


    > First, let's start with what I take to be the network topology:

I think that the implicit placing of the CPE IP + the ISP Resolver on the
same subnet suggests more security than is really the case.
I can forgive the numbering and imagine that the ISP Resolver is really on
some other subnet, some distance away.  But, therein lies the issue.

The ISP Network hop could involve a significant stretch across a Metro network.
(in most Canadian provinces, the DSL connection travels across province to
some DC, often on a wide variety of third party fibers, which are trivially
subject to Mallory-in-the-Rough [offpath] eavesdropping)
This use case is even part of the APN (BOF) use case situation.

    > ISP Resolver
    > 192.0.2.1
    > |
    > | <- ISP Network
    > |
    > 192.0.2.100
    > CPE/DNS Proxy
    > 10.0.0.1
    > |
    > | <- Home network
    > |
    > 10.0.0.100
    > Users device

    > 2. Either the home network or the ISP network is insecure, otherwise
    > you don't need DoX.

So the word "insecure" is ambiguous here.
It could mean:
Mallory-in-the-middle, Mallory-on-the-side, Mallory-in-the-rough

DoX defends against many of these things.

We agreed in add that we have to assume that the home network's DHCP is
secure (via DHCP/RA-Guard filters on the home router's wifi hairpin).
I'm unclear if we have real ARP-spoofing guards.

    > OPPORTUNISTIC MODE
    > So, first, it's not entirely clear to me what the Opportunistic mode of
    > S 4.2 provides. In this scenario, presumably the client will be doing
    > TLS to the CPE (because otherwise the IP address would be the
    > resolver's public address), which means that we are concerned with the
    > attacker controlling the home network. So, in this scenario, we are
    > only getting value if you have a network in which:

    > 1. The attacker can *see* traffic not destined for their IP address
    > (otherwise there's not much point in encrypting).

ARP-spoofing of ".1" is common and, in some cases, even considered a feature
that enables a VPN.

    > 2. The attacker cannot forge traffic from another IP address
    > (otherwise they can just impersonate the CPE because there
    > is no certificate).

DHCP Guard makes this harder.

    > Are there an appreciable number of networks with these properties? If
    > so, can we write down where that happens and put it in Security
    > Considerations? If not, we should consider removing this mode.

I mostly agree.

    > So, first, what threat model are we concerned with:

    > 1. If it's control of the home network, then why can't the attacker
    > block the _SVCB record between the user and the CPE stopping
    > them from upgrading?

Because that depends upon the kind of attack you are assuming.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
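The decision EKR's threat model turns on (verified designation versus the opportunistic mode of S 4.2, and what an attacker who can answer for the CPE's address or drop the SVCB answer gets out of each), as an added Python model. This is not code from the DDR draft, the ADD working group or the message author. The two rules it encodes, that verified designation requires the certificate to list the unencrypted resolver's IP and that a private-address resolver skips that check, are a simplification stated as assumptions; the SVCB answer, certificate contents, addresses and attacker are all constructed for the example.

```python
"""Toy model of the DDR client decision discussed in this thread.

Added example; not code from the DDR draft, the ADD working group or the
message author.  Assumed (simplified) rules, labelled as assumptions:
  * Verified designation: the TLS connection to the designated resolver is
    trusted only if the certificate chains to a trusted root and its
    subjectAltName lists the IP address of the unencrypted resolver.
  * Opportunistic designation (the "S 4.2" mode in the quoted text): if the
    unencrypted resolver has a private address, the client upgrades without
    any certificate check.
The SVCB answer, certificate contents and attacker are all constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Ranges for which the assumed opportunistic branch applies.  Listed
# explicitly because ipaddress.is_private would also flag 192.0.2.0/24
# (documentation space), which the topology above uses for the ISP side.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # IPv4 link-local
    "fc00::/7",                                        # IPv6 ULA
    "fe80::/10",                                       # IPv6 link-local
)]


@dataclass(frozen=True)
class SvcbAnswer:
    """Constructed stand-in for a _dns.resolver.arpa SVCB answer."""
    target: str
    alpn: Tuple[str, ...] = ("h2",)
    port: int = 443


@dataclass(frozen=True)
class TlsPeer:
    """Constructed stand-in for whatever answered the TLS handshake."""
    ip_sans: Tuple[str, ...]   # IP addresses in the presented certificate's SAN
    chain_valid: bool          # does the certificate chain to a trusted root?


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def decide(resolver_ip: str, svcb: Optional[SvcbAnswer], peer: Optional[TlsPeer]):
    """Return (use_encrypted, authenticated, reason) for one discovery attempt."""
    if svcb is None:
        # Attack 1 in the quoted text: whoever controls the path drops the
        # SVCB answer and the client never tries to upgrade.
        return (False, False, "no SVCB answer: stay on Do53")
    if peer is None:
        return (False, False, "designated resolver unreachable: stay on Do53")
    if peer.chain_valid and resolver_ip in peer.ip_sans:
        return (True, True, "verified: certificate covers %s" % resolver_ip)
    if is_private(resolver_ip):
        # Opportunistic branch: no certificate check, so anyone who can answer
        # for the CPE's address (e.g. by ARP-spoofing ".1") is accepted.
        return (True, False, "opportunistic: private resolver %s, cert not checked" % resolver_ip)
    return (False, False, "public resolver %s not covered by certificate: stay on Do53" % resolver_ip)


# Scenarios matching the topology in the quoted message (all constructed).
ISP_RESOLVER = "192.0.2.1"
CPE_PROXY = "10.0.0.1"
SVCB = SvcbAnswer(target="doh.example.net")
GENUINE_ISP = TlsPeer(ip_sans=(ISP_RESOLVER,), chain_valid=True)
# Attacker on the home LAN who has ARP-spoofed the CPE address and presents
# a self-signed certificate that names nothing useful.
ARP_SPOOFER = TlsPeer(ip_sans=(), chain_valid=False)


def scenario_isp_verified():
    return decide(ISP_RESOLVER, SVCB, GENUINE_ISP)


def scenario_cpe_opportunistic_spoofed():
    return decide(CPE_PROXY, SVCB, ARP_SPOOFER)


def scenario_cpe_svcb_blocked():
    return decide(CPE_PROXY, None, ARP_SPOOFER)


def scenario_isp_spoofed():
    return decide(ISP_RESOLVER, SVCB, ARP_SPOOFER)


if __name__ == "__main__":
    for fn in (scenario_isp_verified, scenario_cpe_opportunistic_spoofed,
               scenario_cpe_svcb_blocked, scenario_isp_spoofed):
        print(fn.__name__, "->", fn())
```

Running it shows the two sides of the argument side by side: the opportunistic branch accepts the ARP-spoofer for the CPE's 10.0.0.1 (encrypted, not authenticated), while the same spoofer is rejected for the ISP's public address, and a dropped SVCB answer leaves the client on Do53 in either case.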