Re: [Add] ECS privacy concerns, alternatives?
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 16 April 2019 21:36 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3C38120155 for <add@ietfa.amsl.com>; Tue, 16 Apr 2019 14:36:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zrwr3j3NLCMN for <add@ietfa.amsl.com>; Tue, 16 Apr 2019 14:36:22 -0700 (PDT)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 270D4120140 for <add@ietf.org>; Tue, 16 Apr 2019 14:36:22 -0700 (PDT)
Received: by mail-qk1-x736.google.com with SMTP id y5so13119340qkc.11 for <add@ietf.org>; Tue, 16 Apr 2019 14:36:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LN/iwFyoDF9aAg+CeE/ZRMz6ji+yYzGSsFmdDNceUCs=; b=XGPQ6S3QWvuhRkzFNRT3YNOI2mbj0Wzi4JwcD+dNrRzH6+j48Ur1XDFpEV/kw8AXef zhh0xkPCAr4G2pGASjwLMIEN4CuViX49Tt0KhW2wUNxrRfuTh3gB8SH8KzAPybWv96Q5 tcXRAuu9xQoMh437BTZPeevaNdGgRYlfuRWZb4s/2KwUytovQVqwsxGAIKq5Pe2IrjOK iaXG7H4z2AHRyzBBo+LDfrWdt3o/Jk62TicJZpH4Rfghliee2egzPlTAkcEEDcqtenGY G77LX2kSCPkHdiFemn8QCBNYpZHadHgNrQ+3+zOcPXARKzp1/EcJkMtxqU79vdMBlV4b /xKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LN/iwFyoDF9aAg+CeE/ZRMz6ji+yYzGSsFmdDNceUCs=; b=ZAiZO/yQRD1YUSv9VvkHtBtFAdOI043Ao22xQe3hDhNrg6ujetaFT1KAI9+ezzKe7U GZ97Xqo4+nZiQMiX7bCmk2lAYBT15M/wKESwIQTrXEtBJQEeAkr8wygyggZ6Vz7M7sK2 0IxR9QXA5PgQXGTRmQfospwM1lEzx4bXJoR9rvT5FDVjzcBQ/z0tWiaj4yA/1AXmcoec wZSArFlwxG/T+PXOKKiLMCrfyhj0X+fQwWFb1gNPh2dbLckga4vEwOm4090VnUvFQ+7a F0nKJ2CIRLfDwO2o/QxGDkMfOm1FH1YLAR2QAq6CX65FhwEjn7E7NG0qtqy0I5oZyyMa VvbQ==
X-Gm-Message-State: APjAAAV+MPSnU6cS7WTXb/Lv3orgXT4D+elwZakMfZVCefwcIFwHsUBA b9zEicc862jf5EuCeThk4ISGWBoyHtPZoOCfmrp1K5xR
X-Google-Smtp-Source: APXvYqyxkwpWpAxrZS4rgZ0RBl4vj42t58GN4RvLDLWRzVGdEj5ofQCg0WdEGYfOU027/ltiDpcnMp/bflPwzMtWGeM=
X-Received: by 2002:a37:784:: with SMTP id 126mr7332343qkh.10.1555450581234; Tue, 16 Apr 2019 14:36:21 -0700 (PDT)
MIME-Version: 1.0
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca> <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com> <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de> <994839978.18707.1554973716877@appsuite.open-xchange.com> <af5f5c76-0095-65a0-39d1-d29d4bb0e906@mozilla.com> <ybl36mn8b54.fsf@w7.hardakers.net> <f9d0cd98-db0c-7f42-d351-d9a5002c4765@mozilla.com> <21C5261E-9DE0-4CFD-A949-6E91DD0C2552@cable.comcast.com> <9FDAE487-6E98-4332-BB57-A626A02A6402@cable.comcast.com> <CAH1iCiqPqWCEmT0DSyzu-DRtna_p1SZXuiK15HHyTrjnX1iUaA@mail.gmail.com>
In-Reply-To: <CAH1iCiqPqWCEmT0DSyzu-DRtna_p1SZXuiK15HHyTrjnX1iUaA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 16 Apr 2019 14:36:10 -0700
Message-ID: <CAH1iCipX0cvXBvMFHCbYiPUKODNnJLnLBo=0Jzro443Pq3KB2Q@mail.gmail.com>
To: "Livingood, Jason" <Jason_Livingood@comcast.com>
Cc: Peter Saint-Andre <stpeter@mozilla.com>, "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005c39640586ac8fff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/rEKUZeYUsnyGAvVBc5v2ismJCwU>
Subject: Re: [Add] ECS privacy concerns, alternatives?
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2019 21:36:25 -0000
On Tue, Apr 16, 2019 at 2:31 PM Brian Dickson <brian.peter.dickson@gmail.com> wrote: > > > On Tue, Apr 16, 2019 at 9:00 AM Livingood, Jason < > Jason_Livingood@comcast.com> wrote: > >> And for ease of any replies, I have a separate question on CDN >> localization via ECS. The 6th privacy requirement suggests that ECS cannot >> be used unless there is encryption between the resolver and the >> authoritative server, presumably via DoT. This suggests that the privacy >> concern isn't that the network/geographic hint provided by ECS is >> problematic in and of itself, but that it should not be observable along >> the network path used in recursion. >> >> But if TRR-to-auth recursion is not available via DoT, I wonder what the >> recommended mechanism is for providing a more privacy-protective >> network-geographic hint to an authoritative server, in order for example >> for a CDN to dynamically respond with a localized response. Maybe something >> new needs to be standardized? What options do folks suggest? > > > That's a great question. Apologies in advance for always providing long > answers. :-) > > IMHO, the privacy issue is the IP portion, not the geo portion, of geo-ip. > > I may be oversimplifying the situation, but I believe the vast majority of > authority DNS services (or proxy services in front of those) structure > their internal representation of things as geo->answer mappings, and > generally have some flavor of ip->geo mapping on their front-end(s). > > Those internal representations may be non-standard, but there are > standards for geo representations for country and sub-country levels, e.g. > ISO-3166, with 3166-1 being countries, and 3166-2 being sub-country > 3-letter codes. > > I think there is sufficient anonymity in using these codes instead of > ECS, which would remove the need to encrypt the resolver-auth transactions, > and potentially offer other benefits to auth operators which as a > consequence, would potentially improve both the quality of results (by > standardizing the GEO codes, and placing the ip->geo accuracy > responsibility onto the resolver). > > There are other ways to improve the whole ECS model by moving to GEO. For > example, a query to an authority server with GEO might return not only an > answer, but also a hint about the granularity at the specific GEO code. A > query for e.g. CA-ON might return an answer for CA-0, indicating that no > more-specific answers within CA are available, while a query for e.g. CA > might return an answer for CA-1 (indicating that more-specific answers are > available, hinting that the resolver might want to ask again). The GEO > stuff could be treated analogous to QNAME minimization; ask for the > next-more-specific answer IFF more-specifics are available. > I forgot to mention another aspect of this idea: privacy-preserving iteration. Rather than only querying for the more-specific code associated with the client, the resolver could just as easily do queries for all of the next-specific-level entries, possibly in parallel, possibly randomized order. The resolver would be able to provide an answer to the client once the particular answer it was looking for was received, and would have the added benefit of pre-populating its cache for the other geographically-close answers. Brian > > It would require the resolver to have its own IP->GEO mapping stuff, but > has the benefit of getting consistent results across authority providers > (always right or always wrong, and the resolver has both the ability and > incentive to fix any IP-GEO mapping errors). > > It probably helps scaling on the cache side (resolver) and zone side > (authority). > > Any authorities doing ECS probably already have the GEO->zone stuff and > possibly even encode it that way; the incremental work in supporting an > EDNS GEO would in those cases be negligible. > > Honestly, if GEO can get standardized and reach critical mass, I think it > would be valuable on its own, even without the privacy aspects, and I think > it would be nice to use it and to deprecate ECS, eventually. > > Brian. >
- [Add] Mozilla's DoH resolver policy Paul Hoffman
- Re: [Add] Mozilla's DoH resolver policy nusenu
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] Mozilla's DoH resolver policy Martin Thomson
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Valentin Gosu
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Jim Reid
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Manabu Sonoda
- Re: [Add] Mozilla's DoH resolver policy Valentin Gosu
- Re: [Add] Mozilla's DoH resolver policy Ray Bellis
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Daniel Stenberg
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] Mozilla's DoH resolver policy Vladimír Čunát
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Vladimír Čunát
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy nusenu
- Re: [Add] [Ext] Mozilla's DoH resolver policy Paul Hoffman
- Re: [Add] [Ext] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] [Ext] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] [Ext] Mozilla's DoH resolver policy Brian Dickson
- Re: [Add] [Ext] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
- Re: [Add] Mozilla's DoH resolver policy Ted Hardie
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Ted Hardie
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Christian Huitema
- Re: [Add] Mozilla's DoH resolver policy Mark Andrews
- Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
- Re: [Add] Mozilla's DoH resolver policy Livingood, Jason
- Re: [Add] Mozilla's DoH resolver policy Livingood, Jason
- Re: [Add] Mozilla's DoH resolver policy Salz, Rich
- Re: [Add] Mozilla's DoH resolver policy Ben Schwartz
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Mark Delany
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Mark Delany
- Re: [Add] Mozilla's DoH resolver policy Christian Huitema
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] Mozilla's DoH resolver policy Geoff Huston
- Re: [Add] Mozilla's DoH resolver policy Ralf Weber
- Re: [Add] Mozilla's DoH resolver policy Paul Wouters
- Re: [Add] ECS privacy concerns, alternatives? Erik Nygren
- Re: [Add] ECS privacy concerns, alternatives? Joe Abley
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] ECS privacy concerns, alternatives? Joe Abley
- Re: [Add] ECS privacy concerns, alternatives? Paul Hoffman
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
- Re: [Add] Mozilla's DoH resolver policy Hollenbeck, Scott
- Re: [Add] Mozilla's DoH resolver policy Adam Roach
- Re: [Add] ECS privacy concerns, alternatives? Puneet Sood
- Re: [Add] ECS privacy concerns, alternatives? Erik Kline
- Re: [Add] ECS privacy concerns, alternatives? Brian Dickson