Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 1B32C3A13E7
 for <add@ietfa.amsl.com>; Mon,  6 Jul 2020 05:18:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
 header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id WA4HWLQQD_6g for <add@ietfa.amsl.com>;
 Mon,  6 Jul 2020 05:18:20 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com
 [IPv6:2607:f8b0:4864:20::d29])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id B0B143A13E3
 for <add@ietf.org>; Mon,  6 Jul 2020 05:18:20 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id o5so38963548iow.8
 for <add@ietf.org>; Mon, 06 Jul 2020 05:18:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; 
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=bZyaUZ7fhsxcbXNVtXgcO7XryW9i2QssXg48dwnQ86U=;
 b=ckgs1Th+48Tr03iBF5nmYcBvxIICo5R5L2H+PdW/nzDJbHAISZ3gO6Mr3riknT1yNC
 58ogeF6hNW6m3zPXvZRRtLLjf4pUB9Y3PYMRsTY9p8947gQR4SiqQ8mLynknY8yX1VCm
 S//HI4Y062K/KPbFbNuBjPDkaiHiB9/n2gFv4tKOjUXxsNN8wbR282H3m9cMwVs52IOn
 l5ihXUzZ+KlDu6l2Po+DlcbFWtfETa2ekaa6iuExKmY8jTGqM1rt6y6R1GtDQ/NR0Zho
 /44m4SoLPcse/I398Lv+ykhZWJRhjCqh/lkm5PeHFS4FRSijTGjA4hpGwwy3T/Rh7yWy
 mpjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=bZyaUZ7fhsxcbXNVtXgcO7XryW9i2QssXg48dwnQ86U=;
 b=oibdpeuwRPUmm4SC8XOzrE9lSSUS5NVpr0w7bTHCAyANayH9V2wKmPvPKX5NHcHDsb
 d+NaAVwAK+fmgzsrKJzIzLnbMmqwIduDD0pz0OkIyd3CkXQ7civQhtY9VDwU4a6wXXQL
 qXHIahWiRd5RqhHdihSre0XRNY9Mhm4/du+nWVpHpBogHUwaPWIucTOKE67Nl6JknJiw
 9+DRxaZhnYcogLEgSLfX/ZIcN+Kuai2ijM0HPC0qRid5vpY5kb7RbBp2tSNgWT4opDzC
 1cOx/N3BNaXl9m7nDTXiDddwKrMKfAmZE3SViNwFgXoMqPelBSWeEvJc7sK29C6FyRXB
 KtkQ==
X-Gm-Message-State: AOAM533JjUQRCWJFBgcXTs+tBEp8xrvc3oq2vzIokpqldfO5nSKBqjMb
 pDHAJ5m2TOfJT9BVFnR3TxfORKMhHzqvE6qGYMle7ytR
X-Google-Smtp-Source: ABdhPJzptm554pU12MHAe1uoZfg3lv8Afo6nTc+AUL9s3bl4D71mEv10VJO8Xh09hyYMljq/8pag1VNMP1l6qHpXNjs=
X-Received: by 2002:a02:5443:: with SMTP id t64mr53433200jaa.100.1594037899856; 
 Mon, 06 Jul 2020 05:18:19 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com>
 <1AB2782B-87C0-4991-8703-AE2C98411AFC@apple.com>
 <CABcZeBOyAb3HrX0ABM2ZFuz-_Vn+0sPk_88e2OwQ5U-DRjAxXQ@mail.gmail.com>
 <2013869.BjYadG0qc2@linux-9daj>
 <CABcZeBOoOQ1drRepe9oHCyFrgnRxomKBkno7b1CDcfRJAZqkHg@mail.gmail.com>
 <CA+9_gVti4RO_0iz8kniwx7yJDi7iFRTNkYmGmfp434muAhMU_Q@mail.gmail.com>
In-Reply-To: <CA+9_gVti4RO_0iz8kniwx7yJDi7iFRTNkYmGmfp434muAhMU_Q@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 6 Jul 2020 17:48:07 +0530
Message-ID: <CAFpG3gdngGPjn8VxJ7dhSZuR3jCkUzyOga52mnyQGmzvqs+r_w@mail.gmail.com>
To: Puneet Sood <puneets=40google.com@dmarc.ietf.org>
Cc: Eric Rescorla <ekr@rtfm.com>, ADD Mailing list <add@ietf.org>,
 Paul Vixie <paul@redbarn.org>, Tommy Pauly <tpauly@apple.com>
Content-Type: multipart/alternative; boundary="000000000000c7910e05a9c4def5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/qZukpZbwLZ58Ykn9WwImf2B-iEs>
Subject: Re: [Add] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>,
 <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>,
 <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 12:18:24 -0000

--000000000000c7910e05a9c4def5
Content-Type: text/plain; charset="UTF-8"

On Sat, 4 Jul 2020 at 06:09, Puneet Sood <puneets=
40google.com@dmarc.ietf.org> wrote:

> On Fri, Jun 26, 2020 at 8:48 PM Eric Rescorla <ekr@rtfm.com> wrote:
> >
> >
> >
> > On Fri, Jun 26, 2020 at 5:04 PM Paul Vixie <paul@redbarn.org> wrote:
> >>
> >> On Friday, 26 June 2020 22:08:05 UTC Eric Rescorla wrote:
> >> > ... Other than inelegance, what's problematic about the CNAME
> approach?
> >>
> >> inelegance is permanent, accretive, and earns compound interest. we
> ought not
> >> dismiss inelegance as the basis for reluctance. inelegance is not
> inevitable
> >> nor is it automatically acceptable.
> >>
> >> > ...
> >> >
> >> > The scenario you seem to be interested in is one in which the user
> joins
> >> > the network and then learns that the associated Do53 resolver
> supports DoH
> >> > and then connects to it with whatever coordinates that resolver (or
> DHCP or
> >> > whatever) provides. That clearly is not useful in the 3552 threat
> model
> >> > which assumes that the attacker entirely controls the network because
> the
> >> > attacker can just send their own resolver coordinates. That isn't to
> say
> >> > that there aren't more limited but still realistic threat models
> where this
> >> > would be useful, but I think you should start by describing those.
> >>
> >> as we describe them, we should also describe their scale, their age,
> and their
> >> likely lifespan. the 3552 threat model, while it does use the term
> >> 'pervasive', is nowhere near as common as the SASE (secure access
> service
> >> edge) operations model, nor will it ever be. if apps who want to do
> their own
> >> DNS treat any DoH failure as an attack, and start an arms race of
> spy-vs-spy
> >> bypass along the lines of Tor, that's going to feel problematic to any
> of us
> >> whose privately owned securely operated edge networks have a local-only
> DNS
> >> policy.
> >>
> >> RESINFO could probably get better results by using TXT, because of long
> tail
> >> problems. but ultimately we have to pick a default assumption that we
> can act
> >> on when secure resolver discovery fails. "OMG it's a 3552 attack" is
> not the
> >> only interpretation we could think of for this. it's entirely possible
> that
> >> the most engineering solution to the discovery problem is to fail hard
> when
> >> the middlebox prevents authenticated policy negotiation, to force
> middlebox
> >> upgrades. i know that "tough love" is a hard sell, but "assume 3552
> attack" is
> >> also a form of tough love.
> >
> >
> > Hi Paul,
> >
> > I think this response perhaps conflates two somewhat different issues,
> > namely CNAME versus authenticated policy propagation.
> >
> > Ignoring the question of CNAME for the moment, if a device joins a
> > network and gets its configuration from that network (e.g., via DHCP),
> > then it is trusting that network to provide the configuration. So, the
> > question then becomes what benefit is obtained if that network
> > supplies a Do[TH] server rather than a Do53 server. In the 3552 model,
> > we assume the attacker has complete control of the network and can
> > therefore supply its own server, so it's not clear what the security
> > benefit is. Conversely, if the network is totally secure and trusted,
> > then it's *also* not clear what the security benefit is.
> >
> > So, if we are to have unauthenticated discovery of Do[TH] servers,
> > then we must have some other threat model. For instance we might
> > think that the attacker can read all packets but for some reason
> > can't impersonate the DHCP server. What I'm saying is that we should
> > start by laying out what that threat model is and then we can define
> > what, if any, technical measures add security benefit in that threat
> > model. That would be true even if we knew that there weren't
> > middleboxes which tampered with new record types.
>
> >From RFC 3552, the threat model for unauthenticated discovery would be
> passive attacks described in section 3.2. There is benefit to
> upgrading from Do53 to Do[TH] even if the network between the client
> and the DHCP server is secure - specifically when the DNS resolver is
> further away on the network. This could be because the network
> operator is running the DNS resolver further away (e.g. DHCP could be
> on the home router for a typical home user) or the DNS resolver
> specified by the ISP is operated by a third-party on a different
> network.
>

Home networks are susceptible to both internal (ARP spoofing/poisoning) and
external attacks (Evil twin, Dragonblood, Krack). Unfortunately
typical home networks use shared WPA-PSK and both WPA2/WPA3 are susceptible
to attacks. The attacker can be active or passive.

-Tiru


>
> -Puneet
>
> >
> >
> > Two more points, if I may:
> >
> > 1. Where this interfaces with the question of CNAME versus RESINFO
> > is that RESINFO is much more flexible, but (as above) it's not
> > clear we can securely make use of this flexibility.
> >
> > 2. It's worth nothing that there are scenarios where the device
> > can get authenticated network configuration (for instance, if
> > the device is managed and has had some sort of authentication key
> > installed). The comments above do not apply to this scenario
> > but rather to the scenario where you have a naive device joining
> > a network.
> >
> > -Ekr
> > --
> > Add mailing list
> > Add@ietf.org
> > https://www.ietf.org/mailman/listinfo/add
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

--000000000000c7910e05a9c4def5
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Sat, 4 Jul 2020 at 06:09, Puneet Sood =
&lt;puneets=3D<a href=3D"mailto:40google.com@dmarc.ietf.org">40google.com@d=
marc.ietf.org</a>&gt; wrote:<br></div><div class=3D"gmail_quote"><blockquot=
e class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px s=
olid rgb(204,204,204);padding-left:1ex">On Fri, Jun 26, 2020 at 8:48 PM Eri=
c Rescorla &lt;<a href=3D"mailto:ekr@rtfm.com" target=3D"_blank">ekr@rtfm.c=
om</a>&gt; wrote:<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; On Fri, Jun 26, 2020 at 5:04 PM Paul Vixie &lt;<a href=3D"mailto:paul@=
redbarn.org" target=3D"_blank">paul@redbarn.org</a>&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; On Friday, 26 June 2020 22:08:05 UTC Eric Rescorla wrote:<br>
&gt;&gt; &gt; ... Other than inelegance, what&#39;s problematic about the C=
NAME approach?<br>
&gt;&gt;<br>
&gt;&gt; inelegance is permanent, accretive, and earns compound interest. w=
e ought not<br>
&gt;&gt; dismiss inelegance as the basis for reluctance. inelegance is not =
inevitable<br>
&gt;&gt; nor is it automatically acceptable.<br>
&gt;&gt;<br>
&gt;&gt; &gt; ...<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; The scenario you seem to be interested in is one in which the=
 user joins<br>
&gt;&gt; &gt; the network and then learns that the associated Do53 resolver=
 supports DoH<br>
&gt;&gt; &gt; and then connects to it with whatever coordinates that resolv=
er (or DHCP or<br>
&gt;&gt; &gt; whatever) provides. That clearly is not useful in the 3552 th=
reat model<br>
&gt;&gt; &gt; which assumes that the attacker entirely controls the network=
 because the<br>
&gt;&gt; &gt; attacker can just send their own resolver coordinates. That i=
sn&#39;t to say<br>
&gt;&gt; &gt; that there aren&#39;t more limited but still realistic threat=
 models where this<br>
&gt;&gt; &gt; would be useful, but I think you should start by describing t=
hose.<br>
&gt;&gt;<br>
&gt;&gt; as we describe them, we should also describe their scale, their ag=
e, and their<br>
&gt;&gt; likely lifespan. the 3552 threat model, while it does use the term=
<br>
&gt;&gt; &#39;pervasive&#39;, is nowhere near as common as the SASE (secure=
 access service<br>
&gt;&gt; edge) operations model, nor will it ever be. if apps who want to d=
o their own<br>
&gt;&gt; DNS treat any DoH failure as an attack, and start an arms race of =
spy-vs-spy<br>
&gt;&gt; bypass along the lines of Tor, that&#39;s going to feel problemati=
c to any of us<br>
&gt;&gt; whose privately owned securely operated edge networks have a local=
-only DNS<br>
&gt;&gt; policy.<br>
&gt;&gt;<br>
&gt;&gt; RESINFO could probably get better results by using TXT, because of=
 long tail<br>
&gt;&gt; problems. but ultimately we have to pick a default assumption that=
 we can act<br>
&gt;&gt; on when secure resolver discovery fails. &quot;OMG it&#39;s a 3552=
 attack&quot; is not the<br>
&gt;&gt; only interpretation we could think of for this. it&#39;s entirely =
possible that<br>
&gt;&gt; the most engineering solution to the discovery problem is to fail =
hard when<br>
&gt;&gt; the middlebox prevents authenticated policy negotiation, to force =
middlebox<br>
&gt;&gt; upgrades. i know that &quot;tough love&quot; is a hard sell, but &=
quot;assume 3552 attack&quot; is<br>
&gt;&gt; also a form of tough love.<br>
&gt;<br>
&gt;<br>
&gt; Hi Paul,<br>
&gt;<br>
&gt; I think this response perhaps conflates two somewhat different issues,=
<br>
&gt; namely CNAME versus authenticated policy propagation.<br>
&gt;<br>
&gt; Ignoring the question of CNAME for the moment, if a device joins a<br>
&gt; network and gets its configuration from that network (e.g., via DHCP),=
<br>
&gt; then it is trusting that network to provide the configuration. So, the=
<br>
&gt; question then becomes what benefit is obtained if that network<br>
&gt; supplies a Do[TH] server rather than a Do53 server. In the 3552 model,=
<br>
&gt; we assume the attacker has complete control of the network and can<br>
&gt; therefore supply its own server, so it&#39;s not clear what the securi=
ty<br>
&gt; benefit is. Conversely, if the network is totally secure and trusted,<=
br>
&gt; then it&#39;s *also* not clear what the security benefit is.<br>
&gt;<br>
&gt; So, if we are to have unauthenticated discovery of Do[TH] servers,<br>
&gt; then we must have some other threat model. For instance we might<br>
&gt; think that the attacker can read all packets but for some reason<br>
&gt; can&#39;t impersonate the DHCP server. What I&#39;m saying is that we =
should<br>
&gt; start by laying out what that threat model is and then we can define<b=
r>
&gt; what, if any, technical measures add security benefit in that threat<b=
r>
&gt; model. That would be true even if we knew that there weren&#39;t<br>
&gt; middleboxes which tampered with new record types.<br>
<br>
&gt;From RFC 3552, the threat model for unauthenticated discovery would be<=
br>
passive attacks described in section 3.2. There is benefit to<br>
upgrading from Do53 to Do[TH] even if the network between the client<br>
and the DHCP server is secure - specifically when the DNS resolver is<br>
further away on the network. This could be because the network<br>
operator is running the DNS resolver further away (e.g. DHCP could be<br>
on the home router for a typical home user) or the DNS resolver<br>
specified by the ISP is operated by a third-party on a different<br>
network.<br></blockquote><div><br></div><div>Home networks are susceptible =
to both internal (ARP spoofing/poisoning) and external attacks (Evil twin,=
=C2=A0<a name=3D"ref-Dragonblood" id=3D"gmail-ref-Dragonblood" style=3D"fon=
t-size:13.3333px">Dragonblood, Krack</a>). Unfortunately typical=C2=A0home =
networks use shared WPA-PSK and both WPA2/WPA3 are susceptible to attacks. =
The attacker can be active or passive.=C2=A0</div><div><br></div><div>-Tiru=
</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
-Puneet<br>
<br>
&gt;<br>
&gt;<br>
&gt; Two more points, if I may:<br>
&gt;<br>
&gt; 1. Where this interfaces with the question of CNAME versus RESINFO<br>
&gt; is that RESINFO is much more flexible, but (as above) it&#39;s not<br>
&gt; clear we can securely make use of this flexibility.<br>
&gt;<br>
&gt; 2. It&#39;s worth nothing that there are scenarios where the device<br=
>
&gt; can get authenticated network configuration (for instance, if<br>
&gt; the device is managed and has had some sort of authentication key<br>
&gt; installed). The comments above do not apply to this scenario<br>
&gt; but rather to the scenario where you have a naive device joining<br>
&gt; a network.<br>
&gt;<br>
&gt; -Ekr<br>
&gt; --<br>
&gt; Add mailing list<br>
&gt; <a href=3D"mailto:Add@ietf.org" target=3D"_blank">Add@ietf.org</a><br>
&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/add" rel=3D"noreferre=
r" target=3D"_blank">https://www.ietf.org/mailman/listinfo/add</a><br>
<br>
-- <br>
Add mailing list<br>
<a href=3D"mailto:Add@ietf.org" target=3D"_blank">Add@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/add" rel=3D"noreferrer" ta=
rget=3D"_blank">https://www.ietf.org/mailman/listinfo/add</a><br>
</blockquote></div></div>

--000000000000c7910e05a9c4def5--

