IETF Logo Mail Archive

Re: [Add] WG Adoption Call draft-schwartz-add-ddr-forwarders

Tommy Pauly <tpauly@apple.com> Fri, 15 April 2022 15:48 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3615C3A0CDB; Fri, 15 Apr 2022 08:48:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJID77kSxT69; Fri, 15 Apr 2022 08:48:18 -0700 (PDT)
Received: from rn-mailsvcp-ppex-lapp24.apple.com (rn-mailsvcp-ppex-lapp24.rno.apple.com [17.179.253.38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CB013A0CE1; Fri, 15 Apr 2022 08:48:18 -0700 (PDT)
Received: from pps.filterd (rn-mailsvcp-ppex-lapp24.rno.apple.com [127.0.0.1]) by rn-mailsvcp-ppex-lapp24.rno.apple.com (8.16.1.2/8.16.1.2) with SMTP id 23FFUZuo003177; Fri, 15 Apr 2022 08:48:17 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=abeFGsi6PrLDL1l8Rr7MfU3GoZjp3JCr2Xyson6V0Sg=; b=uUsRjzEVQgIuX2pyVRrh+duuvR05o5rcLhi+oMviPbv0UZMdKe4EqNMrAz/5yBZKyOgt cv92yObn4dqTLig9tVWZPMWcUwruedp8y0/98Ipu8rBbZRJO1CawNaSalcvOCli0KvAY MFqVEtnLn49W6aI9RFipopA1ti2Igr8CS+6LrciMuBlCifT3ADRPYhvNUUz2vV41Fd/J qPrd1csoDRWIupYAQ3dRHLd9+NuNRK9so6ur5jzjRCLkuMLEWUohE/QEUdNUbayShQwJ GZY9E2SvVYbycVJepsdUf0/w2/a/Pw6KCbG+gDwkr/b8q5VPiQELZx24eJxKX2ma9WIz /A==
Received: from rn-mailsvcp-mta-lapp04.rno.apple.com (rn-mailsvcp-mta-lapp04.rno.apple.com [10.225.203.152]) by rn-mailsvcp-ppex-lapp24.rno.apple.com with ESMTP id 3fb7ran12n-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 15 Apr 2022 08:48:17 -0700
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.16.20220118 64bit (built Jan 18 2022)) with ESMTPS id <0RAE00VFM18HC790@rn-mailsvcp-mta-lapp04.rno.apple.com>; Fri, 15 Apr 2022 08:48:17 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.16.20220118 64bit (built Jan 18 2022)) id <0RAE00R000ZID600@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Fri, 15 Apr 2022 08:48:17 -0700 (PDT)
X-Va-A:
X-Va-T-CD: d5751b7356784125d25f3e83fa570d53
X-Va-E-CD: 9cc16614e130b3ec19204706e64b192d
X-Va-R-CD: fd768ea24d7ca2ad3b31130b350783ce
X-Va-CD: 0
X-Va-ID: 3b6e7237-af79-4667-b1f2-ed69b9f66474
X-V-A:
X-V-T-CD: d5751b7356784125d25f3e83fa570d53
X-V-E-CD: 9cc16614e130b3ec19204706e64b192d
X-V-R-CD: fd768ea24d7ca2ad3b31130b350783ce
X-V-CD: 0
X-V-ID: 5860f78d-43ee-4da3-84c2-574f500f5a30
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.486, 18.0.858 definitions=2022-04-15_01:2022-04-14, 2022-04-15 signatures=0
Received: from smtpclient.apple (unknown [17.234.127.220]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.16.20220118 64bit (built Jan 18 2022)) with ESMTPSA id <0RAE00W6918GON00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Fri, 15 Apr 2022 08:48:16 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <ABAB733A-743E-4E5C-9E71-104D9DF5E24F@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_8927C0D4-F8BD-449D-8F71-46FE0ED7DB49"
MIME-version: 1.0 (Mac OS X Mail 15.0 \(3691.0.3\))
Date: Fri, 15 Apr 2022 08:48:16 -0700
In-reply-to: <9BE5F92B-4F58-46F7-9A55-A740E58DA2F8@comcast.com>
Cc: "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>
To: "add@ietf.org" <add@ietf.org>
References: <9BE5F92B-4F58-46F7-9A55-A740E58DA2F8@comcast.com>
X-Mailer: Apple Mail (2.3691.0.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.486, 18.0.858 definitions=2022-04-15_01:2022-04-14, 2022-04-15 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/pJikfXsm3e4lGLE09bNLptRtMcE>
Subject: Re: [Add] WG Adoption Call draft-schwartz-add-ddr-forwarders
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Apr 2022 15:48:23 -0000

Tl;dr: I’d like to see more revision and clarity in what this document is actually proposing, along with an understanding of who would use it, before we adopt it. I do not support adoption of the current form of this document.

——

Overall, I find the structure and flow of this document quite confusing. It starts with a terminology section and background, but never quite has a normal introduction that explains what implementations should do.

As discussed in the last ADD meeting, section 3 (which seems to be the important part that actually says that clients may want to just ignore the validation of encrypted servers) needs to have forward references to the concerns and mitigations. Saying that you define a “relaxed validation” policy that just says to ignore everything without telling people to read the functional/privacy/security problems and mitigations is very problematic.

I also suggest that section 3 suggests viable combinations of the mitigations described below. For example, using a trusted list of resolver + user approval. Or being entirely optimistic, but re-checking the designation every five minutes.

Section 4, which is called “naturally compatible”, really is about cases where clients would be ignoring local resolver/forwarder policy unless the local resolver/forwarder blocks all queries for resolver.arpa. This would be more clearly titled as “Policy and Functionality Concerns”. I also don’t think this is something that just “naturally” happens. Yes, forwarders may have configurable block lists, but until every forwarder actually configures their list to add resolver.arpa, a client can’t reasonably start using unvalidated DDR connections without breaking everyone’s local policy.

Section 5 on privacy considerations essentially claims that, since privacy is bad with unencrypted DNS, doing encrypted DNS to an untrusted party isn’t any worse. In light of the security attacks in section 6, I don’t find this convincing. Yes, before my privacy on the local network wasn’t great in that anyone could see my queries. However, the fact that now my queries can be sent to some random and unrelated third party anywhere on the internet doesn’t seem like equivalent privacy. The scope of where data is leaking has grown.

For the section on security considerations (6), I find the mitigation of having trusted resolvers to be far stronger than the “check again every five minutes” approach. You’re discussing a transient attacker that leaves the network, but I think we need to mention a more persistent attacker. If I have a persistent attacker between my forwarder and the ISP resolver, it’s true that it could have always been modifying or monitoring DNS activity from my network. However, it did not necessarily know per-device boundaries, it would have to do more work to rewrite all the traffic itself, and it would also be something that would be more easily detected by looking at packet traces on the network to discover anomalous responses. With unvalidated DDR, it just needs to intercept one kind of query (resolver.arpa), and can point individual clients to communicate with any server it chooses. The attacker’s job becomes significantly easier. We should at least mention this.

I’ll end with a question: what clients plan on implementing these approaches, and in what combinations? I’d prefer to see the document form around recommendations for what clients would realistically do. Just doing opportunistic DDR with no mitigations of any kind is not something that we should even mention or hint at.

Best,
Tommy

> On Apr 11, 2022, at 9:57 AM, Deen, Glenn <Glenn_Deen=40comcast.com@dmarc.ietf.org> wrote:
> 
> ADD
>  
> This is a WG Adoption call for draft-schwartz-add-ddr-forwarders
>  
> Draft link https://datatracker.ietf.org/doc/draft-schwartz-add-ddr-forwarders/ <https://datatracker.ietf.org/doc/draft-schwartz-add-ddr-forwarders/>
>  
> This adoption call will last 2 weeks until Monday April 25th 2022
>  
> Please submit comments to the ADD mailing list -  ADD@IETF.ORG <mailto:ADD@IETF.ORG>
>  
> Regards
> ADD Co-chairs Glenn Deen, David Lawrence
>  
> -- 
> Add mailing list
> Add@ietf.org <mailto:Add@ietf.org>
> https://www.ietf.org/mailman/listinfo/add <https://www.ietf.org/mailman/listinfo/add>

v2.23.0 | Report a Bug | By Email