IETF Logo Mail Archive

Re: [Add] WGLC for draft-ietf-add-dnr

Chris Box <chris.box.ietf@gmail.com> Wed, 09 March 2022 17:36 UTC

Return-Path: <chris.box.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4343C3A0E7E for <add@ietfa.amsl.com>; Wed, 9 Mar 2022 09:36:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id egE_p_ZJGGIX for <add@ietfa.amsl.com>; Wed, 9 Mar 2022 09:36:17 -0800 (PST)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DC0A3A1003 for <add@ietf.org>; Wed, 9 Mar 2022 09:36:14 -0800 (PST)
Received: by mail-qt1-x834.google.com with SMTP id a1so2463983qta.13 for <add@ietf.org>; Wed, 09 Mar 2022 09:36:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qe8sgzeJkiTNkr+jek9POflRJt8Rc/ap4wVaeJbQq2k=; b=c71gr7Eolsh3yZ7mzx3JbELLtmAiMrdOaLmk657DwyotZ+9hDA9iU+sHVdX8qNRg0Y mSVkZnQv7Lv7bHZi0DkWYD6YsRvuzv2cTar611tTeAk4I6gxSkalYIWBh6Nfa9WA4Pqc EaoPT4WzZr+Gwe1MhHXF3Qu37vNvuj3/e71Ij0kAV1XRRoBkpz6tkTg6hlM2m6pegDu3 FjO947NZ3rNg0ZPEc2MTCIzh5RiymkQpDydU7OmUXiG0BTGgydzwoDH543EsLG1ctP0f +jpLvTzpo42x/sjXbsuEZ78/1Ceb+0cHXzQi1oFiXbamNnyxPuUj1XAyxjWKARZscT0q HRnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qe8sgzeJkiTNkr+jek9POflRJt8Rc/ap4wVaeJbQq2k=; b=d7BriJSmF2gD7115KXiYgDTnM2aMxBwl7UPC6SkYV83xMn1HLBoVwzhernV6YwT7v1 8HbDoe0AuAA3E0kVP8eLip2OjeYMq5x+AGne5/BGSdTuz5wEEL1E3nKA8z0zpFrc8WdB Psr21c3nd2QrSkSrfHs1p2zRoAj3XQn/+w4qRyDdvq8VaUfdH7W2tSahsu0DXb2XOw/z r94rABY3XZ0d9ObtYf0wrXFwrR/Yvs2dj3do+7nbIgoB7lEDGBe/TMLh2f1myMJKXiE4 J9HY8RFOhFWSwapjmtIsJL32gGHx7dQQBP0h6OF0ZmqtArfxDiyZqaFuwzwNpR09QYgK Pamw==
X-Gm-Message-State: AOAM532Wk6XI9G2olJHA0kAhnbmGyRpL3MQ+gv7tIkRvNdw0YmX4g4pX mYwgpMQMymEGs00xevSytLaAfvao3xyytAOdy6A=
X-Google-Smtp-Source: ABdhPJzYI1TaiOLLd4OTwsv2kJ1/v6QjvGIQrw7W0cYYx+pqWRChPwmLdGazEdYuTqDkAbQs4fSXrLqRfhFetIP+Kr0=
X-Received: by 2002:a05:622a:1709:b0:2e1:2cbd:6139 with SMTP id h9-20020a05622a170900b002e12cbd6139mr694389qtk.578.1646847372443; Wed, 09 Mar 2022 09:36:12 -0800 (PST)
MIME-Version: 1.0
References: <16DE320C-B15A-4674-9359-B35B5C263D00@comcast.com>
In-Reply-To: <16DE320C-B15A-4674-9359-B35B5C263D00@comcast.com>
From: Chris Box <chris.box.ietf@gmail.com>
Date: Wed, 09 Mar 2022 17:36:01 +0000
Message-ID: <CACJ6M15D6MNeUP8ydHQgCHQ9dzQQURc5UnWBN7KCYs=xyhkrdA@mail.gmail.com>
To: "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>
Cc: "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a2454905d9cc882a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/tuDg6Y0r85AUxYE9UsvHj-37Fok>
Subject: Re: [Add] WGLC for draft-ietf-add-dnr
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2022 17:36:21 -0000

Hi everyone.

I've assessed DNR against relevant parts of draft-ietf-add-requirements.
Here's the first.

    +=============+===================================================+
    | Requirement | Description                                       |
    +=============+===================================================+
    | R1.1        | Discovery SHOULD provide a local network the      |
    |             | ability to announce to clients a set of, or       |
    |             | absence of, designated resolvers.                 |

It's not clear to me how you use DNR to advertise the *absence *of
local encrypted DNS. Are we saying the router should send a frame with
zero option length (if that is considered a multiple of 16), and zero
ADN length? If yes, we should write that. If that's a bad design, we
should think about what is better.

    +-------------+---------------------------------------------------+
    | R1.3        | Discovery SHOULD support all encrypted DNS        |
    |             | protocols standardised by the IETF.               |

The requirement is approximately met, by virtue of building on SVCB.
However I think the draft should normatively depend on
draft-ietf-add-svcb-dns rather than the generic
draft-ietf-dnsop-svcb-https.

There's a point to clarify. It is not stated whether it is useful or
valid for the SVCB Service Priority to be zero (i.e. AliasMode). I
suspect not since it would mean the mandatory SvcParams could not be
populated, and may require the client to perform an additional
bootstrapping query, potentially over Do53.

    | R2.1        | Networks SHOULD be able to announce one or more   |
    |             | designated encrypted DNS resolvers using existing |
    |             | mechanisms such as DHCPv4, DHCPv6, IPv6 Router    |
    |             | Advertisement, and the Point-to-Point Protocol.   |

Met for the first three mechanisms, but PPP is missing. I'll come back
to that in a minute.

    +-------------+---------------------------------------------------+
    | R2.2        | The format for resolver designation SHOULD be     |
    |             | specified such that provisioning mechanisms       |
    |             | defined outside of the IETF can advertise         |
    |             | encrypted DNS resolvers.                          |
    +-------------+---------------------------------------------------+
    | R2.3        | This format SHOULD convey, at minimum, the        |
    |             | information the client needs to make contact with |
    |             | each designated resolver.                         |
    +-------------+---------------------------------------------------+
    | R2.4        | This format MAY convey additional resolver        |
    |             | information.                                      |

Not met, and it seems to be an easy thing to add. Doing so could make
it easier and more consistent for use over, for example, 3GPP mobile
networks.

What should it look like? If we follow the example of the provided
DHCP formats, it would require two blob formats, one each for IPv4 and
IPv6.

 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Service Priority        |         Addr Length           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                      ipv6-address(es)                         ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          ADN Length           |                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
~                  authentication-domain-name                   ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                 Service Parameters (SvcParams)                ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Service Priority        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Addr Length  |               |
+-+-+-+-+-+-+-+-+               +
~        IPv4 Address(es)       ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   ADN Length  |               |
+-+-+-+-+-+-+-+-+               +
~  authentication-domain-name   ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~Service Parameters (SvcParams) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I am more drawn to Ben's suggestion:

After the option code, length, and (for RA) lifetime fields, I propose
that we use the following format for all versions:
> 1. A 1-byte unsigned integer indicating the number of IP addresses
> 2. That many IP addresses (v4 or v6 depending on context)
> 3. The SvcPriority, ADN, and SvcParams, encoded as in SVCB RDATA

Which, for those who like pictures, probably means something along the
lines of this.

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  # of Addrs   |               |
+-+-+-+-+-+-+-+-+               +
~          Address(es)          ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Service Priority        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~  Authentication-domain-name   ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~Service Parameters (SvcParams) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


Whichever generic format we select, it could then also be applied to
PPP IPCP as a new extension:

  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |    Type TBA   |    Length     |      Encrypted-DNS-Server
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Encrypted-DNS-Server (cont)   |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


Now I'll cover the final set of requirements.

    +-------------+---------------------------------------------------+
    | R5.1        | Discovery MUST NOT worsen a client's security or  |
    |             | privacy posture.                                  |

Section 7 discusses security. I can't spot any way in which DNR makes it worse.

    +-------------+---------------------------------------------------+
    | R5.2        | Threat modelling MUST assume that there is a      |
    |             | passive eavesdropping attacker on the local       |
    |             | network.                                          |

Section 7.3 has two sentences on this so it's been considered, but I
don't know if it needs expanding.

    +-------------+---------------------------------------------------+
    | R5.3        | Threat modelling MUST assume that an attacker can |
    |             | actively attack from outside the local network.   |

Section 7.1 considers active attack from both inside and outside.
However I suggest the word "CPE" is made more generic to refer to any
such router at the boundary of the local network.

    +-------------+---------------------------------------------------+
    | R5.4        | Attackers MUST NOT be able to redirect encrypted  |
    |             | DNS traffic to themselves when they would not     |
    |             | otherwise handle DNS traffic.                     |
    +-------------+---------------------------------------------------+

This seems to be met.

So in summary I would prefer to see some changes before it leaves the WG.
To make this easier, can we please maintain it in
https://github.com/ietf-wg-add/draft-ietf-add-dnr?

Thanks
Chris


On Thu, 24 Feb 2022 at 15:57, Deen, Glenn <Glenn_Deen=
40comcast.com@dmarc.ietf.org> wrote:

> The ADD draft DHCP and Router Advertisement Options for the Discovery of
> Network-designated Resolvers (DNR)
> https://datatracker.ietf.org/doc/draft-ietf-add-dnr/ is ready for WGLC.
>
> WGLC will run until March 14th, please post all comments to the ADD
> mailing list.
>
> ADD Co-chairs
> Glenn Deen & David Lawrence
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email