Re: [Add] [EXTERNAL] Re: Authentication Sub-topics for Tuesday Interim (homework for Tuesday's meeting)

Christian Huitema <huitema@huitema.net> Tue, 15 September 2020 22:18 UTC

To: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Eric Rescorla <ekr@rtfm.com>
Cc: ADD Mailing list <add@ietf.org>, "Deen, Glenn" <Glenn_Deen@comcast.com>
References: <CABcZeBPuq86Fj0VYQ+1j8ZWo+4BT1bDJGfnRmi82oUc8Xns=PQ@mail.gmail.com> <A332081D-69AE-45F8-9E61-6ACA3D071C1E@apple.com> <1557871922.1625.1600173809868@appsuite-gw2.open-xchange.com> <BY5PR00MB07731B1505ECFCC3074EF9D0FA201@BY5PR00MB0773.namprd00.prod.outlook.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <a5a5bbd6-2695-f97f-26b3-eef0f25aa9cf@huitema.net>
Date: Tue, 15 Sep 2020 11:40:50 -0700
In-Reply-To: <BY5PR00MB07731B1505ECFCC3074EF9D0FA201@BY5PR00MB0773.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/ukB77NTx7-Gr59c9HCBg5GTK0N0>
List-Id: Applications Doing DNS <add.ietf.org>

On 9/15/2020 11:03 AM, Tommy Jensen wrote:
> Hey Vittorio,
>
> To follow up on this and from our conversation on Jabber for the same
> proposal:
>
> > What would be the security problem if 10.0.0.1 via Do53 received a
> > "resolver discovery" query, forwarded it to the main resolver,
> > received a DNSSEC-signed response, forwarded you the response, and the
> > response included both a DoH URI and a TLSA record that the DoH
> > resolver's certificate has to match?
>
> The problem is there's no name associated with the original Do53
> server. The client, in order to trust the DNSSEC claim, needs to know
> the name being signed in advance. Otherwise, an attacker can intercept
> and replace the DNSSEC-signed DoH URI and TLSA record with their own
> DoH server information, correctly DNSSEC signed. 
>
> A client in this scenario can't distinguish between valid signed data
> for "doh.example-isp.com" and "doh.example-attacker.com".
> Realistically, this will complicate any attempt to validate ownership
> between a non-public Do53 IP address and a DoH server. Until the
> network authentication problem is more generally solved, I don't think
> authenticating local DNS servers is a good use of the WG's time.

But is that problem even solvable? The chain of events seems to be:

1) Connect to some random network

2) Get the IP address of the local Do53 resolver using DHCP

3) Infer the identity of the equivalent DoH resolver

4) Connect to said resolver

5) Verify that it is equivalent to the Do53 resolver

Step 5 checks that the identity verified by TLS matches the DoH
identity discovered in step 3. Thus, it cannot be more secure than the
process used to infer that identity. In the case of "random networks", I
don't see how that can be secured. You might push it one layer down if
the L2 network is somehow configured, and for example associate a DoH
identity with a Wi-Fi network ID, but then we are not considering random
networks anymore. Do we want to replace "random network" with "well
identified network"?


-- Christian Huitema
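As an added illustration of the point both messages make (this is constructed example code, not from either author or from any ADD draft), the model below stands in for DNSSEC with a per-zone HMAC: both the ISP zone and the attacker zone are "validly signed", and the zone names, keys and record layout are all assumptions. A client that infers the DoH identity from the response itself accepts either answer, and the step-5 TLSA check then passes for whichever server the answer named; only a client that already knows the expected name can tell them apart.

```python
import hashlib
import hmac

# Constructed model (not real DNSSEC): each zone's key "signs" its records with an
# HMAC standing in for an RRSIG validated up to the root. Both zones below are
# legitimately signed; only their names differ.
ZONE_KEYS = {"example-isp.com": b"isp-zone-key", "example-attacker.com": b"attacker-zone-key"}

def sign(zone, text):
    return hmac.new(ZONE_KEYS[zone], text.encode(), hashlib.sha256).hexdigest()

def make_discovery_response(zone, doh_name, cert_pubkey):
    # The signed answer carries the DoH URI plus a TLSA-style hash of the server key.
    tlsa = hashlib.sha256(cert_pubkey).hexdigest()
    text = f"{doh_name} URI https://{doh_name}/dns-query TLSA {tlsa}"
    return {"zone": zone, "doh_name": doh_name, "tlsa": tlsa, "text": text, "sig": sign(zone, text)}

def dnssec_valid(resp):
    # A validator checks only that the signature is correct for the signing zone.
    return resp["zone"] in ZONE_KEYS and hmac.compare_digest(sign(resp["zone"], resp["text"]), resp["sig"])

def infer_doh_identity(resp, expected_name=None):
    # Step 3: infer the DoH identity from the response. Without an expected name the
    # client has nothing to compare against and accepts any validly signed answer.
    if not dnssec_valid(resp):
        return None
    if expected_name is not None and resp["doh_name"] != expected_name:
        return None
    return resp["doh_name"]

def tls_matches_tlsa(resp, presented_pubkey):
    # Step 5: the TLSA check passes whenever the server presents the key the answer
    # named, so it is only as strong as the step-3 inference that chose the answer.
    return hashlib.sha256(presented_pubkey).hexdigest() == resp["tlsa"]

ISP_KEY, ATTACKER_KEY = b"isp-server-pubkey", b"attacker-server-pubkey"
isp_answer = make_discovery_response("example-isp.com", "doh.example-isp.com", ISP_KEY)
# An on-path party replaces the answer with one signed in its own zone.
forged_answer = make_discovery_response("example-attacker.com", "doh.example-attacker.com", ATTACKER_KEY)

def run_naive_client(resp, presented_pubkey):
    # No prior knowledge of the name: steps 3 and 5 both pass for either answer.
    name = infer_doh_identity(resp)
    return name is not None and tls_matches_tlsa(resp, presented_pubkey)

def run_pinned_client(resp, presented_pubkey, expected_name):
    # Name known in advance (e.g. tied to a well identified network): only that name passes.
    name = infer_doh_identity(resp, expected_name)
    return name is not None and tls_matches_tlsa(resp, presented_pubkey)
```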