IETF Logo Mail Archive

Re: [Add] Private IPs, DDR, and PR#11

Eric Rescorla <ekr@rtfm.com> Thu, 08 July 2021 13:10 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1F273A1852 for <add@ietfa.amsl.com>; Thu, 8 Jul 2021 06:10:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FuGtf1nNm6dx for <add@ietfa.amsl.com>; Thu, 8 Jul 2021 06:10:19 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C35863A1847 for <add@ietf.org>; Thu, 8 Jul 2021 06:10:19 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id y8so8036503iop.13 for <add@ietf.org>; Thu, 08 Jul 2021 06:10:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PmFjcywoQpyu2FcFqIoFf2Gpx6eQCM6JwnCUPVqojf8=; b=QcUY865An/819Lo992wyK1jjrosyB1IgVsk7HyOyJbnAr0yzoTCna7FzXSG5uj+Sg7 Fzw7l8x9PZFOrXkA0dZlE/aRAtii+EBrDVXTUYBXbH9F3tVgSySHsHinhZbx1+LySaTY xiZz/A5ImQ9Lkuq1d6tgdlbrol+PGlgzA+ElSS/062hEqh4KJ5/FWdHfP1wSM7W3zEq4 61tisnXGjLdd7ZR0SF8RX4O3dq1GT5a6hdWvkv5X90rQszTmpD/mInRSopDD5yeXdUVV wtV4XHmEYQYuFtSfCCo8mG2YYcum4JIyjQVc4CGPhhniHZlrWMDi9qt3jRzs17oBsOLY xOGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PmFjcywoQpyu2FcFqIoFf2Gpx6eQCM6JwnCUPVqojf8=; b=NnoJgLSKTlJNZDgf1GMDvokC1V6GLnTK4pKl3n5CmQySNV8fmxbQKWuTyeQbTnOfBi qdYSTUB0WX6QfP+m3p1DiAzPZInC6LouBOjbGNTeo6ha9cYzpYnD2HS3sHLP4WWhvQB/ F+qFZahcK17HnN4ZAAZtKvOjyaCi0IpjOTkZPg3+Bnkh14zWSq69WlGQFRpR1bGCoBJo USdb0XbyuYNxg/IPNJj/iznKkBltU8pc5NmI7FRrC7ai3El2kRZ0KYMe/afrkGazDLpj bR9LmT+gdi8jYBY5dOZTj9B/3lcXYunGeMN6NIXPSYTzn8TOYyhX+wtCxP4TMAB2qNqM sXVQ==
X-Gm-Message-State: AOAM530m/E+PpJgU/yTMf43ldzALKBETQbxGo+v79K5p1RMhHt0uL912 VeQVMI84ZotKp1l4euR/T+QKia2g5apab2fiNVMbcR/yqwINtQ==
X-Google-Smtp-Source: ABdhPJwEpg5fpMVz5iLg4M3fudTrp2OK8MDauQFBa+lTW6cy701p2b2KXcdb2JJdYDtstX6pn8HDAoBFUuTO1+d9Xtg=
X-Received: by 2002:a6b:6205:: with SMTP id f5mr23859773iog.60.1625749818726; Thu, 08 Jul 2021 06:10:18 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBOf2C9dSoYr2w6tEOLkpL_pBu5EhBh3HJWKf+iyAfafKg@mail.gmail.com> <CAHbrMsBDT1G2qT8g1e+5yOdQkq7nfKw1vNemYE4zJ7J5qL8z=A@mail.gmail.com> <CABcZeBMYavozy81+OiytxsE7QZ0EOPfucx6wHzFbB9M9ag5Z8w@mail.gmail.com> <CAHbrMsD20xGp5qsS069r0gYMF4wyV-yOVgghkTnBQNmFDAcNFA@mail.gmail.com>
In-Reply-To: <CAHbrMsD20xGp5qsS069r0gYMF4wyV-yOVgghkTnBQNmFDAcNFA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 08 Jul 2021 06:09:42 -0700
Message-ID: <CABcZeBP5CspvyBejA9m+TSp1Y0=X5P4PD3b=1tJmLgBkbDuqKQ@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000070750505c69c6066"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/xacSHfosWGz7GSz3MJcKIUZicaI>
Subject: Re: [Add] Private IPs, DDR, and PR#11
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jul 2021 13:10:25 -0000

On Thu, Jul 8, 2021 at 5:25 AM Ben Schwartz <bemasc=
40google.com@dmarc.ietf.org> wrote:

>
>
> On Wed, Jul 7, 2021 at 11:11 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Wed, Jul 7, 2021 at 8:01 AM Ben Schwartz <bemasc@google.com> wrote:
>>
>>>
>>> On Thu, Jul 1, 2021 at 6:18 PM Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>> Can we get this documented before we start designing mechanisms?
>>>>
>>>
>>> I'm not sure what you mean.  Section 5 of the requirements draft [1] says
>>>
>>>     +-------------+---------------------------------------------------+
>>>     | R4.1        | If the local network resolver is a forwarder that |
>>>     |             | does not offer encrypted DNS service, an upstream |
>>>     |             | encrypted resolver SHOULD be retrievable via      |
>>>     |             | queries sent to that forwarder.                   |
>>>     +-------------+---------------------------------------------------+
>>>     | R4.2        | Achieving requirement 4.1 SHOULD NOT require any  |
>>>     |             | changes to DNS forwarders hosted on non-          |
>>>     |             | upgradable legacy network devices.                |
>>>     +-------------+---------------------------------------------------+
>>>     | R5.1        | Discovery MUST NOT worsen a client's security or  |
>>>     |             | privacy posture.                                  |
>>>     +-------------+---------------------------------------------------+
>>>     | R5.2        | Threat modelling MUST assume that there is a      |
>>>     |             | passive eavesdropping attacker on the local       |
>>>     |             | network.                                          |
>>>     +-------------+---------------------------------------------------+
>>>     | R5.3        | Threat modelling MUST assume that an attacker can |
>>>     |             | actively attack from outside the local network.   |
>>>     +-------------+---------------------------------------------------+
>>>     | R5.4        | Attackers MUST NOT be able to redirect encrypted  |
>>>     |             | DNS traffic to themselves when they would not     |
>>>     |             | otherwise handle DNS traffic.                     |
>>>     +-------------+---------------------------------------------------+
>>>
>>> I think these requirements (except perhaps R5.3) represent the goal of
>>> PR #11.
>>>
>>
>> I think perhaps I missed 5.2, but I don't think it really answers my
>> question: what actual network environment does this correspond to? How
>> common is it? The rationale for the original DDR was that DHCP was somehow
>> special and could be trusted to deliver the IP address of the resolver, but
>> that's not true here.
>>
>
> The clearest use case is where the local network is free of adversaries,
> and there is a passive adversary on the public link.  I think this is
> likely a common scenario ... perhaps the most common scenario of all.
>

I'm just going to repeat my question here. Do you have any evidence that
this scenario is at all common?

-Ekr


> [1]
>>> https://datatracker.ietf.org/doc/html/draft-ietf-add-requirements#section-5
>>>
>>> That would also help understand the effectiveness of the 5 minute
>>>> timeout.
>>>>
>>>>
>>>> Finally, assuming I've understood things correctly, reaching through
>>>> the CPE in this way seems like it has the potential to bypass any
>>>> CPE-specific filtering that the user has has installed. Suppose I have
>>>> some CPE that uses the ISP DNS but filters out certain names; if the
>>>> ISP posts a _SVCB record that directs me to their resolver, doesn't
>>>> that cause that filtering not to work?
>>>>
>>>
>>> Yes, but the CPE controls whether this upgrade occurs.  To control the
>>> DDR process, the CPE replies to the SVCB query (ideally advertising its own
>>> encrypted endpoint, but NODATA/NXDOMAIN will also work).
>>>
>>
>> I would say rather that the CPE has the opportunity to prevent the
>> upgrade from occurring. However, as I understand the situation, the current
>> CPEs that do filtering will simply be invisible to this process.
>>
>
> Perhaps, but such filtering lists generally have to be updated frequently
> as the destinations of concern change.  The Mozilla canary experiment has
> demonstrated that such CPEs are generally able to block the probe domain
> (be it use-application-dns.net or _dns.resolver.arpa),
> avoiding disruptions in practice.
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email