IETF Logo Mail Archive

[Add] My longer list of questions [from partial distribution at the MIC]

<chris.box@bt.com> Thu, 25 July 2019 22:59 UTC

Return-Path: <chris.box@bt.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 332A31201BB for <add@ietfa.amsl.com>; Thu, 25 Jul 2019 15:59:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L0KO0UwJaOeH for <add@ietfa.amsl.com>; Thu, 25 Jul 2019 15:59:53 -0700 (PDT)
Received: from smtpe1.intersmtp.com (smtpe1.intersmtp.com [213.121.35.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC2AD1202ED for <add@ietf.org>; Thu, 25 Jul 2019 15:59:49 -0700 (PDT)
Received: from tpw09926dag12e.domain1.systemhost.net (10.9.212.12) by BWP09926083.bt.com (10.36.82.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1713.5; Thu, 25 Jul 2019 23:59:42 +0100
Received: from tpw09926dag11e.domain1.systemhost.net (10.9.212.11) by tpw09926dag12e.domain1.systemhost.net (10.9.212.12) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 25 Jul 2019 23:59:46 +0100
Received: from RDW083A012ED68.bt.com (10.187.98.38) by tpw09926dag11e.domain1.systemhost.net (10.9.212.11) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Thu, 25 Jul 2019 23:59:46 +0100
Received: from GBR01-CWL-obe.outbound.protection.outlook.com (104.47.20.54) by smtpe1.intersmtp.com (62.239.224.234) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 25 Jul 2019 23:59:07 +0100
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eNCmvGQkgqRjThaRj6VkRFd0wV9PLwvAsY5PDw3TPpfw/vdx7Bsu3jzmcGQlinbThdOBMEzQwJBHuoqXrmarD/cuI8eebrRkzWCMA/5mieAU4YVR2xZpYcvTgVsdxt1QANq4x1DnpaWEiZcUv0rKM+eawd/gLyamPYQqOXaTQjw+F/5THyQ1St4O1peqh41JPR1VFCT4xkCf9ySIyrZ7odrvWrMfLWys0Twu1cbBjJXATa4OYAcEcvcKt6IsiSiQlxd00W8v1zx6U1Bz2Ct4EYz3SAZ7gTL1xE26VgnreXTafPkqv5ogG2/+LN11hx0pLxjJ+l7LhLvDa5uotalHHw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BpM5RrYxNjhig0V9uMGUykzwsaxLoKtDbEYvd4mhjFA=; b=RMnZEw6esJDiEV5MrZMaXsSRa05Tku3fCUonHOvi91a+jq6klPjvWIDSqfAEF9GFk6eEgtZ5VkZpn4TVOEi0Ik0K1QVqUnvxJbUo9bwwmOiqaonZ46d9gN9ln+tbvZ5oi5ZURZJuBJ34sMoFETtaj8aG509poA/S1WN0plWvFGjr6TMA4l5EWoRcUxpr8vUo6nNj8fk5Barb/J7Yg4cWSqfiUrjPzXHfgqd6l3I8/JKZhI9HchMTLzrtTWSKXdDuKaa3CbqF42pTB5KG2QpW3Ai2IbO/o50/kliR6hzR834RR6h4l+ZqTpK36HylfLtjJXvSPjZ+qTNMbcfLqW0opg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=bt.com;dmarc=pass action=none header.from=bt.com;dkim=pass header.d=bt.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bt.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BpM5RrYxNjhig0V9uMGUykzwsaxLoKtDbEYvd4mhjFA=; b=VcnjNvfc0l9Hx7kOQEbl8GPpJNO11oimtTQ7kRfg+DGJfl6cSnyvXTaUlDAvauNMAbZ4m1rTmvby++qPq6ebLBBCMH3k1ifMfzEMutaHWf91i3ZCelPdH907HhZKETf92f598iLZvWZD4O9YAgqtIc22Xy8M5H9rHPA1QpNqK9M=
Received: from LNXP123MB2251.GBRP123.PROD.OUTLOOK.COM (20.179.129.203) by LNXP123MB1819.GBRP123.PROD.OUTLOOK.COM (20.179.128.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2094.16; Thu, 25 Jul 2019 22:59:43 +0000
Received: from LNXP123MB2251.GBRP123.PROD.OUTLOOK.COM ([fe80::bd55:fd83:b21b:fe8]) by LNXP123MB2251.GBRP123.PROD.OUTLOOK.COM ([fe80::bd55:fd83:b21b:fe8%7]) with mapi id 15.20.2094.013; Thu, 25 Jul 2019 22:59:43 +0000
From: chris.box@bt.com
To: add@ietf.org
Thread-Topic: [Add] My longer list of questions [from partial distribution at the MIC]
Thread-Index: AQHVQjN0tT3yle6xtE+bNqymiwuK46bb3Ohw
Date: Thu, 25 Jul 2019 22:59:43 +0000
Message-ID: <LNXP123MB2251705C07B39DA2B0C6FCE09BC10@LNXP123MB2251.GBRP123.PROD.OUTLOOK.COM>
References: <ybl8ssna2en.fsf@wu.hardakers.net>
In-Reply-To: <ybl8ssna2en.fsf@wu.hardakers.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=chris.box@bt.com;
x-originating-ip: [31.133.151.116]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fa301b7f-de42-4a08-1e80-08d71153c87d
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:LNXP123MB1819;
x-ms-traffictypediagnostic: LNXP123MB1819:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <LNXP123MB18193AE49960F51978AD85D49BC10@LNXP123MB1819.GBRP123.PROD.OUTLOOK.COM>
x-antispam-2: 1
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0109D382B0
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(396003)(346002)(136003)(376002)(366004)(13464003)(52314003)(189003)(199004)(6506007)(52536014)(64756008)(66556008)(25786009)(66476007)(2501003)(76116006)(66946007)(14444005)(446003)(7736002)(966005)(5660300002)(71200400001)(66446008)(2906002)(256004)(71190400001)(66574012)(86362001)(74316002)(478600001)(99286004)(6436002)(55016002)(9686003)(2351001)(566174002)(66066001)(33656002)(476003)(8676002)(68736007)(6116002)(6916009)(316002)(11346002)(7696005)(8936002)(486006)(26005)(3846002)(6306002)(81166006)(81156014)(53546011)(5640700003)(53936002)(1730700003)(76176011)(14454004)(186003)(305945005)(102836004)(148743002); DIR:OUT; SFP:1101; SCL:1; SRVR:LNXP123MB1819; H:LNXP123MB2251.GBRP123.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: bt.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: rzth4QZQ9uHQ7fHqXxS6/o7CzYWR6vq0RuozUgOiA5QbEjj0/V0BvoCQFJB9vhHlsL+7qguQeQxBHvHYpva2TIZrmWOEaLZVb+NP+iiCFD6dCYTooEQFM7l2pFP8Icb264tXGImvAN8go2YydndkyyWDmQaYdFRSjpmygsq/mkHbRE6QXUHvDiMSM+ER6gYyA3o+mYAY6u1f1j/KRBq1ceMCiilQtSC9TLWBmx0H5+5pfluX1Ad3P8Cpfuuo1StK2oldJ3oZcXREcCk7IyEovQSxxt8hyJi3jjsB7fukRSe9CzMwivsahyAfF89FpRU7/pqB2wsws9f23AECAMDYw8erz71dKCT9BnnsBlcjjqXqw1/CvYyPRio8x4b41aY4HtLFOk2JeV34hSbFds0EA775VilDWhgnH6d6cilUQrg=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: fa301b7f-de42-4a08-1e80-08d71153c87d
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jul 2019 22:59:43.8066 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a7f35688-9c00-4d5e-ba41-29f146377ab0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: chris.box@bt.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LNXP123MB1819
X-OriginatorOrg: bt.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/toHRB9HFtBC5F7EFB1VILv9eBeU>
Subject: [Add] My longer list of questions [from partial distribution at the MIC]
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 22:59:56 -0000

Wes posted a set of 8 thought-provoking questions to the list yesterday. Below is my attempt at a response to each one. Also I fully agree that protocols are not evil, and have never suggested that one is. It is the use of them that we are considering.

Anyway, to the questions.

1. My goals are to add privacy and security to DNS while not breaking things, still keeping a lid on malware, not astonishing end users, obtaining their informed consent for any necessary data processing, and for the provider of the access network (such as an ISP) to be able to offer support to users who are experiencing problems. The architecture described by Brian Dickson in https://mailarchive.ietf.org/arch/msg/add/HlKG81q7N-3WdAzIhsM0j-IEjuI makes some first steps on this journey, by arranging for all compliant applications to use the same route out of the users' device.

2. If browsers honor the DoH-Preference header described in draft-schinazi-httpbis-doh-preference-hints, yes, this can split the global name space. If google.com tells me to use chrisboxatbt.dns.google.com for all google.com resolutions, then Google is at liberty to respond to my queries there in an entirely different way than they would for their public authoritative zones. It also makes it trivially easy to identify me.

3. One ramification of the above is that it would not be possible for an enterprise firewall to dynamically permit outbound access to an IP address because it had seen the related DNS answer that provided the IP, and it's satisfied that the domain being connected to is ok. There will be many others.

4. Descriptions of many operational impacts of both encryption and centralization can be found in draft-reid-doh-operator and draft-livingood-doh-implementation-risks-issues.

5. I think we have an obligation to inform users which companies will be recording where they go on the internet. It can be argued that if users choose to purchase access from provider X, then they have consented to X handling this in some way. Similar when users choose to go to website Y, they have consented that Y will know about this. Beyond that, users will be surprised, and customer support will be at best difficult, at worst impossible.

6. If we were starting from scratch, obviously we would begin with the requirements, but these are still up for debate because we are talking about privacy and it's not yet clear who has the right to know about, and influence, network access. I think we need rough consensus on the requirements before design could begin.

7. It's clear to me that a ramification of fragmented DNS is a lower rate of caching, and higher latency. In an environment such as Uganda it can be highly impacting: https://mailarchive.ietf.org/arch/msg/add/qkbGVukRPkh1wuiGCHmPPn6TwOw

8. You ask for "localized, encrypted resolution that preserves user DNS resolution privacy". In part this depends on the extent to which the user is happy with sharing data with the local network provider. If they trust BT as an ISP, and are at home, using the BT network, then the answer is simple - they could use BT's local DoH server for everything. In less straightforward cases, perhaps there needs to be access to both a local resolver and a more central resolver that this user has chosen to trust. We could extend this with the resolvers owned by websites they are accessing, but this leads to the tracking and split namespace issues described above.

I do not know the optimal solution here; all I know is there are a set of problems waiting to be solved.

Chris

-----Original Message-----
From: Add <add-bounces@ietf.org> On Behalf Of Wes Hardaker
Sent: 24 July 2019 11:17
To: add@ietf.org
Subject: [Add] My longer list of questions [from partial distribution at the MIC]


Below is the longer list of thoughts at questions about ADD that I started at the microphone.  Thank you especially to those that encouraged me to write these up.

# Thoughts:

## Protocols themselves are not evil

They're just bits on a wire.  It's only misuse of the bits that is a problem.  DNS is not a problem.  DoH is not a problem.  It's ONE solution to an underlying problem: solving a privacy problem by encrypting DNS requests and responses help to ensure user privacy, and DoH is one mechanism to attempt to solve aspects of that problem.  It does so by shifting who can see the traffic, which is all encryption can ever easily do.  We have multiple choices in front of us, and I don't find any of them ideal with "no cons".

## Routing DNS requests

Today, devices are already routing DNS requests to places different than the access point initially offered them.  They do this sometimes by routing everything through a different network, such as when a VPN is in use.  Split-tunnel VPNs are a bit more tricky, as typically all DNS requests are routed to the VPN's DNS server (for split-DNS "benefits") even though traffic sent to resolved addresses may not be.  In both of these cases, users are typically aware that they're operating in a special environment.  The average user does not, however, use a VPN.

ADD technologies, which include DoH, DoT, global resolvers (e.g. google, cloudflare, quad9, opendns), and in-application full resolution required for in-app DNSSEC validation, all have the potential to change where resolution occurs at a much more granular level.  DNS requests may be handled by completely different services based on the application type (e.g. web browser vs an email application displaying html) or even implementation (e.g. Firefox vs Opera).  It is highly unlikely that the average user will be aware of this DNS request distribution architecture, however. Users will have trouble selecting where to send trouble ticket requests when "some aspect" of the Internet isn't working for them when "it's always the DNS".  For example, a newly emerging issue may be a website that may suddenly not work under Chrome when it does under Safari, with the underlying reason being solely where DNS resolution happens.

[Note: I'm not labeling this change as good or bad, just calling it out as something worth consideration]

## User understanding becomes tricky

# Questions outstanding in my mind:

The above has led me to a series of questions, that I would love community input and thought about.

1. Our primary goal in the IETF is standardization when interoperability over individually different implementation is beneficial.  As multiple application stacks are trending toward their own initial implementations of DNS resolution, what are the goals of promoting interoperability and
(hopefully) interchangeability?  What features and benefits are we architecting for?  What can we make simpler?  What is the right/best architecture for the problem?

2. Does splitting the DNS resolution paths into small pieces (possibly with a potential side-effect of centralization if only a few resolution services are offered), have the potential to split the global name space (further)?  If DNSSEC validation is only performed at the resolver, and never in the application, then resolvers have the freedom to answer for names that may not exist, or not answer for names that they are censoring by choice (spam, malware protection) or by force (government mandate through jurisdictional control).  What concerns should we be focusing on in this area to ensure the continuation of a consistent global name space under the dual threat/benefit of possible centralization?

3. What other ramifications exist by promoting a per-protocol or per-application or per-vendor DNS resolution solution?

4. What operational impacts will there be from encrypting all DNS traffic, both good and bad?  Just like TLS in the data-center issues have made debugging user problems difficult (and expensive), DoH and similar technologies may render ISP/access-point help desk's functionally unhelpful.

5. Do we and how do we inform users of this new architecture? Do users need to know what the resolution default path's are for of each OS, service and application?  What are the ramifications of adding another service that makes it harder for them to provide support desks with the necessary details of issues they're observing.

6. If we were architecting this from scratch, what protocol would be select today?  Would it be DoH?  Would it be DoT?  Would it be DNSCurve?
If we didn't have the deployment impediments that are getting in the way today (e.g. forced filtering), what would we select?  Are we architecting solutions for impediments over good engineering because we must?  Is there a better middle ground?

7. Deployment optimization is always difficult, and with a distributed DNS resolution system/fragmentation, architecting effective resolution caching becomes even more challenging.  What ramifications are likely to appear as a result of having multiple caches with different contents on end-user devices?  What are the ramifications of such a system in a low-bandwidth, or high-loss environment?

8. How does application-centric resolution affect and get affected by localization efforts and constant mobility?  Is centralization likely because a global-scale, low-latency resolution is difficult for small-scale deployments?  Can we achieve localized, encrypted resolution that preserves user DNS resolution privacy without requiring centralization?



[side thought this morning: I was imagining an airline attendant resetting the entire plane's network because of multiple complaints by passengers having network trouble, when the reality was they were all using a web browser pointing to a single (default?) DoH vendor and it had nothing to do with the local access point, but all passengers had to suffer the reset]

--
Wes Hardaker
USC/ISI

--
Add mailing list
Add@ietf.org
https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email