Re: [Add] Draft Posting: CNAME Discovery of Local DoH Resolvers
tirumal reddy <kondtir@gmail.com> Mon, 06 July 2020 12:18 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B32C3A13E7 for <add@ietfa.amsl.com>; Mon, 6 Jul 2020 05:18:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WA4HWLQQD_6g for <add@ietfa.amsl.com>; Mon, 6 Jul 2020 05:18:20 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0B143A13E3 for <add@ietf.org>; Mon, 6 Jul 2020 05:18:20 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id o5so38963548iow.8 for <add@ietf.org>; Mon, 06 Jul 2020 05:18:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bZyaUZ7fhsxcbXNVtXgcO7XryW9i2QssXg48dwnQ86U=; b=ckgs1Th+48Tr03iBF5nmYcBvxIICo5R5L2H+PdW/nzDJbHAISZ3gO6Mr3riknT1yNC 58ogeF6hNW6m3zPXvZRRtLLjf4pUB9Y3PYMRsTY9p8947gQR4SiqQ8mLynknY8yX1VCm S//HI4Y062K/KPbFbNuBjPDkaiHiB9/n2gFv4tKOjUXxsNN8wbR282H3m9cMwVs52IOn l5ihXUzZ+KlDu6l2Po+DlcbFWtfETa2ekaa6iuExKmY8jTGqM1rt6y6R1GtDQ/NR0Zho /44m4SoLPcse/I398Lv+ykhZWJRhjCqh/lkm5PeHFS4FRSijTGjA4hpGwwy3T/Rh7yWy mpjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bZyaUZ7fhsxcbXNVtXgcO7XryW9i2QssXg48dwnQ86U=; b=oibdpeuwRPUmm4SC8XOzrE9lSSUS5NVpr0w7bTHCAyANayH9V2wKmPvPKX5NHcHDsb d+NaAVwAK+fmgzsrKJzIzLnbMmqwIduDD0pz0OkIyd3CkXQ7civQhtY9VDwU4a6wXXQL qXHIahWiRd5RqhHdihSre0XRNY9Mhm4/du+nWVpHpBogHUwaPWIucTOKE67Nl6JknJiw 9+DRxaZhnYcogLEgSLfX/ZIcN+Kuai2ijM0HPC0qRid5vpY5kb7RbBp2tSNgWT4opDzC 1cOx/N3BNaXl9m7nDTXiDddwKrMKfAmZE3SViNwFgXoMqPelBSWeEvJc7sK29C6FyRXB KtkQ==
X-Gm-Message-State: AOAM533JjUQRCWJFBgcXTs+tBEp8xrvc3oq2vzIokpqldfO5nSKBqjMb pDHAJ5m2TOfJT9BVFnR3TxfORKMhHzqvE6qGYMle7ytR
X-Google-Smtp-Source: ABdhPJzptm554pU12MHAe1uoZfg3lv8Afo6nTc+AUL9s3bl4D71mEv10VJO8Xh09hyYMljq/8pag1VNMP1l6qHpXNjs=
X-Received: by 2002:a02:5443:: with SMTP id t64mr53433200jaa.100.1594037899856; Mon, 06 Jul 2020 05:18:19 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <1AB2782B-87C0-4991-8703-AE2C98411AFC@apple.com> <CABcZeBOyAb3HrX0ABM2ZFuz-_Vn+0sPk_88e2OwQ5U-DRjAxXQ@mail.gmail.com> <2013869.BjYadG0qc2@linux-9daj> <CABcZeBOoOQ1drRepe9oHCyFrgnRxomKBkno7b1CDcfRJAZqkHg@mail.gmail.com> <CA+9_gVti4RO_0iz8kniwx7yJDi7iFRTNkYmGmfp434muAhMU_Q@mail.gmail.com>
In-Reply-To: <CA+9_gVti4RO_0iz8kniwx7yJDi7iFRTNkYmGmfp434muAhMU_Q@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 06 Jul 2020 17:48:07 +0530
Message-ID: <CAFpG3gdngGPjn8VxJ7dhSZuR3jCkUzyOga52mnyQGmzvqs+r_w@mail.gmail.com>
To: Puneet Sood <puneets=40google.com@dmarc.ietf.org>
Cc: Eric Rescorla <ekr@rtfm.com>, ADD Mailing list <add@ietf.org>, Paul Vixie <paul@redbarn.org>, Tommy Pauly <tpauly@apple.com>
Content-Type: multipart/alternative; boundary="000000000000c7910e05a9c4def5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/qZukpZbwLZ58Ykn9WwImf2B-iEs>
Subject: Re: [Add] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 12:18:24 -0000
On Sat, 4 Jul 2020 at 06:09, Puneet Sood <puneets= 40google.com@dmarc.ietf.org> wrote: > On Fri, Jun 26, 2020 at 8:48 PM Eric Rescorla <ekr@rtfm.com> wrote: > > > > > > > > On Fri, Jun 26, 2020 at 5:04 PM Paul Vixie <paul@redbarn.org> wrote: > >> > >> On Friday, 26 June 2020 22:08:05 UTC Eric Rescorla wrote: > >> > ... Other than inelegance, what's problematic about the CNAME > approach? > >> > >> inelegance is permanent, accretive, and earns compound interest. we > ought not > >> dismiss inelegance as the basis for reluctance. inelegance is not > inevitable > >> nor is it automatically acceptable. > >> > >> > ... > >> > > >> > The scenario you seem to be interested in is one in which the user > joins > >> > the network and then learns that the associated Do53 resolver > supports DoH > >> > and then connects to it with whatever coordinates that resolver (or > DHCP or > >> > whatever) provides. That clearly is not useful in the 3552 threat > model > >> > which assumes that the attacker entirely controls the network because > the > >> > attacker can just send their own resolver coordinates. That isn't to > say > >> > that there aren't more limited but still realistic threat models > where this > >> > would be useful, but I think you should start by describing those. > >> > >> as we describe them, we should also describe their scale, their age, > and their > >> likely lifespan. the 3552 threat model, while it does use the term > >> 'pervasive', is nowhere near as common as the SASE (secure access > service > >> edge) operations model, nor will it ever be. if apps who want to do > their own > >> DNS treat any DoH failure as an attack, and start an arms race of > spy-vs-spy > >> bypass along the lines of Tor, that's going to feel problematic to any > of us > >> whose privately owned securely operated edge networks have a local-only > DNS > >> policy. > >> > >> RESINFO could probably get better results by using TXT, because of long > tail > >> problems. but ultimately we have to pick a default assumption that we > can act > >> on when secure resolver discovery fails. "OMG it's a 3552 attack" is > not the > >> only interpretation we could think of for this. it's entirely possible > that > >> the most engineering solution to the discovery problem is to fail hard > when > >> the middlebox prevents authenticated policy negotiation, to force > middlebox > >> upgrades. i know that "tough love" is a hard sell, but "assume 3552 > attack" is > >> also a form of tough love. > > > > > > Hi Paul, > > > > I think this response perhaps conflates two somewhat different issues, > > namely CNAME versus authenticated policy propagation. > > > > Ignoring the question of CNAME for the moment, if a device joins a > > network and gets its configuration from that network (e.g., via DHCP), > > then it is trusting that network to provide the configuration. So, the > > question then becomes what benefit is obtained if that network > > supplies a Do[TH] server rather than a Do53 server. In the 3552 model, > > we assume the attacker has complete control of the network and can > > therefore supply its own server, so it's not clear what the security > > benefit is. Conversely, if the network is totally secure and trusted, > > then it's *also* not clear what the security benefit is. > > > > So, if we are to have unauthenticated discovery of Do[TH] servers, > > then we must have some other threat model. For instance we might > > think that the attacker can read all packets but for some reason > > can't impersonate the DHCP server. What I'm saying is that we should > > start by laying out what that threat model is and then we can define > > what, if any, technical measures add security benefit in that threat > > model. That would be true even if we knew that there weren't > > middleboxes which tampered with new record types. > > >From RFC 3552, the threat model for unauthenticated discovery would be > passive attacks described in section 3.2. There is benefit to > upgrading from Do53 to Do[TH] even if the network between the client > and the DHCP server is secure - specifically when the DNS resolver is > further away on the network. This could be because the network > operator is running the DNS resolver further away (e.g. DHCP could be > on the home router for a typical home user) or the DNS resolver > specified by the ISP is operated by a third-party on a different > network. > Home networks are susceptible to both internal (ARP spoofing/poisoning) and external attacks (Evil twin, Dragonblood, Krack). Unfortunately typical home networks use shared WPA-PSK and both WPA2/WPA3 are susceptible to attacks. The attacker can be active or passive. -Tiru > > -Puneet > > > > > > > Two more points, if I may: > > > > 1. Where this interfaces with the question of CNAME versus RESINFO > > is that RESINFO is much more flexible, but (as above) it's not > > clear we can securely make use of this flexibility. > > > > 2. It's worth nothing that there are scenarios where the device > > can get authenticated network configuration (for instance, if > > the device is managed and has had some sort of authentication key > > installed). The comments above do not apply to this scenario > > but rather to the scenario where you have a naive device joining > > a network. > > > > -Ekr > > -- > > Add mailing list > > Add@ietf.org > > https://www.ietf.org/mailman/listinfo/add > > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add >
- [Add] Draft Posting: CNAME Discovery of Local DoH… Eric Rescorla
- Re: [Add] Draft Posting: CNAME Discovery of Local… John Levine
- Re: [Add] Draft Posting: CNAME Discovery of Local… tirumal reddy
- Re: [Add] Draft Posting: CNAME Discovery of Local… Tommy Pauly
- Re: [Add] Draft Posting: CNAME Discovery of Local… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Hoffman
- Re: [Add] Draft Posting: CNAME Discovery of Local… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] Draft Posting: CNAME Discovery of Local… Eric Rescorla
- Re: [Add] Draft Posting: CNAME Discovery of Local… Patrik Fältström
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Hoffman
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… John Levine
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Michael Richardson
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… John R Levine
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Daniel Migault
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Daniel Migault
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Daniel Migault
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Martin Thomson
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Daniel Migault
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… tirumal reddy
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Hoffman
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- [Add] Threat models Paul Hoffman
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Vittorio Bertola
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Rob Sayre
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Deen, Glenn (NBCUniversal)
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Rob Sayre
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Deen, Glenn (NBCUniversal)
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Rob Sayre
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… tirumal reddy
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… tirumal reddy
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… tirumal reddy
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Michael Richardson
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Michael Richardson
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Michael Richardson
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Tony Rutkowski
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Rob Sayre
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Tony Rutkowski
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Rob Sayre
- Re: [Add] Draft Posting: CNAME Discovery of Local… Puneet Sood
- Re: [Add] Draft Posting: CNAME Discovery of Local… Eric Rescorla
- Re: [Add] Draft Posting: CNAME Discovery of Local… tirumal reddy