IETF Logo Mail Archive

Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

tirumal reddy <kondtir@gmail.com> Wed, 01 July 2020 06:48 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D61B3A0882 for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 23:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g8LZusF6P5Py for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 23:48:00 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9F523A087C for <add@ietf.org>; Tue, 30 Jun 2020 23:47:59 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id t18so169530ilh.2 for <add@ietf.org>; Tue, 30 Jun 2020 23:47:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ImGsa6X3xpM0VJkG1Ycb/M21vg9XDGQYYvQhc+mwna8=; b=DI+nsBfORAEe3Qly0VgRewh9D5LMImDZNis5VO8TF2xypstu93lpo0E8hXUyMSC7H+ BI5fi8yBwVHRjZJThlIhXl/HKpX/n9zBxQ7WljHOn9BOPtTggubMevf1/PrP7yGD0lhH GFD9shsq++bSDLfw1hB5DqIUAZ4QnK+Qs59L/etFIYF0+Hfqy/tB0vxGGKOg9EZnF42s aW3Vxvr2uDjISVgUEcjktwCZcyY3Zluv2/v/zNVurf9eqQlNS4ikPkniSIwHQGWW6Ycs mUM0wJ+Q2INeD1KEtnZYeKOl9mHTV0as7khuMb+6W+rxQkIr0n9nxfwvAKo7SfIdWSFL bbLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ImGsa6X3xpM0VJkG1Ycb/M21vg9XDGQYYvQhc+mwna8=; b=M+l9bN8wxRoLovpqesa1bUp6vnePR5EWHJMcCo79ACkT9XNg7FHzGX2gmIsihIXimg 1TgPZWjRg5aIDvmKkVX865H1a20xZNlHqjhI4U5/iKRSNG26CnnezSknN6Jw5868P97r zLvJQnruyDnWQ+/O/LZxW5mAvv3LLleW1Xjzn6sk22DO+/j+ygD/TDSKWtH9xkXi6iXg 3ZSNS5xsKi1W+rug/1OgC+savmz9Shv0R8MuI+QEOTFNgE2srn5ZOrAxP59omrzk4Vx7 qNZJlBFC8x97CA7hnwcZhuCGEbeXuhCkYz+d3cUQFBcvthp9ypMTmZX6BeJtQI7WLeGA oyrw==
X-Gm-Message-State: AOAM532cilpLU9MbiiwwQPPNmJ/YYqN8gcwCpRQ5iKzeyPW0hzRbJ/MJ MmHO2jAo++9zvIs6biHH9VRB9106lzDKZ6W0kwA=
X-Google-Smtp-Source: ABdhPJwnGzriXRHrM1XJeuZ/l6ByiIqndxso05s2R2V6sjyLi73vEM1dmqtuWpP0E+xN63HLxmhiTkT+mo3l+dBEjC0=
X-Received: by 2002:a92:79cb:: with SMTP id u194mr6441958ilc.161.1593586079223; Tue, 30 Jun 2020 23:47:59 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6SyTv7Oc3XX19b5T2uVn2MGATneVfaoKfDRpxVpYc19u1w@mail.gmail.com> <94C306DF-A9D9-4FAC-8C4B-AE3E90E29417@nbcuni.com>
In-Reply-To: <94C306DF-A9D9-4FAC-8C4B-AE3E90E29417@nbcuni.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 01 Jul 2020 12:17:48 +0530
Message-ID: <CAFpG3gfQy5ps0AbSTYAiT4Ln=UUGAHcE8foJ0BtQFh1gfdGqNw@mail.gmail.com>
To: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
Cc: Rob Sayre <sayrer@gmail.com>, Eric Rescorla <ekr@rtfm.com>, ADD Mailing list <add@ietf.org>, Paul Vixie <paul@redbarn.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002bd42b05a95bacd4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/tLIKLDe4R2GPB9c5UG0_kUTjQyE>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 06:48:02 -0000

On Wed, 1 Jul 2020 at 09:31, Deen, Glenn (NBCUniversal) <
Glenn.Deen@nbcuni.com> wrote:

>
>
>
>
> On Jun 30, 2020, at 8:31 PM, Rob Sayre <sayrer@gmail.com> wrote:
>
> 
> On Tue, Jun 30, 2020 at 5:52 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Tue, Jun 30, 2020 at 4:25 PM Deen, Glenn (NBCUniversal) <
>> Glenn.Deen@nbcuni.com> wrote:
>>
>>> This all comes back to the three slices of access types that had been
>>> discussed some months ago:
>>>
>>>
>>>
>>>    1. Trusted & known networks – this is your enterprise, your home.
>>>    You have a relationship with them.
>>>    2. Unknown networks – This is the café, school, hotel - you choose
>>>    them because they are available, but you know very little to nothing about
>>>    them.
>>>    3. Hostile networks – you may not have any choice in network and
>>>    must use this is you want any Internet access at all.  However, not only do
>>>    you not trust them, you know they are actively acting in ways you do not
>>>    want.
>>>
>>>
>>>
>>> Another slice around threat levels would be: Green, Yellow, Red networks
>>>
>>>
>>>
>>> Certainly in terms of policy and security concerns one size does not fit
>>> all 3.  The question is can we fashion a discovery means that works in all
>>> 3, but perhaps mitigates the policy and security concerns in each?
>>>
>>>
>>>
>>> DHCP may be a perfectly fine choice in a green network, but in a yellow
>>> network there is a need for validation and assurance of the choice, while
>>> in a red network – can you trust anything at all, even things you
>>> explicitly specified such as IP address of resolvers without some
>>> additional validation ?
>>>
>>
>> This is a great taxonomy. Thanks.
>>
>> I think the question I would ask is: in a green network, how much benefit
>> do you get from Do[HT]? We can probably divide this up into the local
>> network environment (e.g., the wireless network) and the access link from
>> the ISP.
>>
>
> There are lots of attacks that create compromised "Green" networks. For
> example:
>
>
> https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack
>
> I might categorize an "enterprise" network as something managed well
> enough to do an investigation in the event of a security breach. Most
> business and home networks do not fit this definition, so they are category
> 2 ("Yellow"), because people set them up and forget them.
>
>
> Should we design for the edge case where something bad happens, but is the
> exception or should we design for the 99% case when the home network is
> just fine?
>
> Granted hacks and attacks will happen, but while we should and do take
> reasonable steps to mitigate obvious problems, most of the time and most of
> the experience of home networks is that they aren’t compromised and behave
> the way their users expect.
>
> If we classified networks based on the concern that something bad may
> happen. Then everything would be yellow, or even red as it’s easy to find
> examples when bad things happened in any situation. Example: Home Depot was
> compromised - thus corporate networks can’t be trusted. Example: The NSA
> was compromised - thus highly secured networks can’t be trusted. Each such
> reaction is a fearful over generalization of an incident and not the normal
> expected state of such network types.
>
> If you look broadly at home networks the common generalized case is that
> The vast majorityaren’t compromised and the configuration information from
> the network can be trusted.
>
> So instead of designing for edge case of a previously trust network being
> compromised , why not design for the more common state of the network being
> trustworthy but and then add in some mechanism to verify the information
> you get from it. Basically a version of the trust but verify approach,
> which has been proven repeatedly as a reasonable strategy in the real world.
>
> For instance, if you get a DoH resolver from the green network, why not
> trust but verify by checking the reasonableness of the answer you were
> directed to?  This could something like validating with DNSSEC or some
> other validation method.
>

Good point. If the discovered DoH/DoT server is not pre-configure in the
OS/Browser,
https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-03 can
be used by DNS client to authenticate it is connecting to a DoH/DoT server
hosted by a specific organization (e.g., ISP). It is particularly useful
when the DoH/DoT server is insecurely discovered, the discovered DoH/DoT
server is not pre-configured as TRR and prevents the client from connecting
to an attacker's DoH/DoT server.

-Tiru


>
> This gets back  to Ekr’s question of declaring what threats you are
> actually worried about.
>
> -Glenn
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email