Re: [Add] Private IPs, DDR, and PR#11
Eric Rescorla <ekr@rtfm.com> Thu, 08 July 2021 13:10 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1F273A1852 for <add@ietfa.amsl.com>; Thu, 8 Jul 2021 06:10:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FuGtf1nNm6dx for <add@ietfa.amsl.com>; Thu, 8 Jul 2021 06:10:19 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C35863A1847 for <add@ietf.org>; Thu, 8 Jul 2021 06:10:19 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id y8so8036503iop.13 for <add@ietf.org>; Thu, 08 Jul 2021 06:10:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PmFjcywoQpyu2FcFqIoFf2Gpx6eQCM6JwnCUPVqojf8=; b=QcUY865An/819Lo992wyK1jjrosyB1IgVsk7HyOyJbnAr0yzoTCna7FzXSG5uj+Sg7 Fzw7l8x9PZFOrXkA0dZlE/aRAtii+EBrDVXTUYBXbH9F3tVgSySHsHinhZbx1+LySaTY xiZz/A5ImQ9Lkuq1d6tgdlbrol+PGlgzA+ElSS/062hEqh4KJ5/FWdHfP1wSM7W3zEq4 61tisnXGjLdd7ZR0SF8RX4O3dq1GT5a6hdWvkv5X90rQszTmpD/mInRSopDD5yeXdUVV wtV4XHmEYQYuFtSfCCo8mG2YYcum4JIyjQVc4CGPhhniHZlrWMDi9qt3jRzs17oBsOLY xOGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PmFjcywoQpyu2FcFqIoFf2Gpx6eQCM6JwnCUPVqojf8=; b=NnoJgLSKTlJNZDgf1GMDvokC1V6GLnTK4pKl3n5CmQySNV8fmxbQKWuTyeQbTnOfBi qdYSTUB0WX6QfP+m3p1DiAzPZInC6LouBOjbGNTeo6ha9cYzpYnD2HS3sHLP4WWhvQB/ F+qFZahcK17HnN4ZAAZtKvOjyaCi0IpjOTkZPg3+Bnkh14zWSq69WlGQFRpR1bGCoBJo USdb0XbyuYNxg/IPNJj/iznKkBltU8pc5NmI7FRrC7ai3El2kRZ0KYMe/afrkGazDLpj bR9LmT+gdi8jYBY5dOZTj9B/3lcXYunGeMN6NIXPSYTzn8TOYyhX+wtCxP4TMAB2qNqM sXVQ==
X-Gm-Message-State: AOAM530m/E+PpJgU/yTMf43ldzALKBETQbxGo+v79K5p1RMhHt0uL912 VeQVMI84ZotKp1l4euR/T+QKia2g5apab2fiNVMbcR/yqwINtQ==
X-Google-Smtp-Source: ABdhPJwEpg5fpMVz5iLg4M3fudTrp2OK8MDauQFBa+lTW6cy701p2b2KXcdb2JJdYDtstX6pn8HDAoBFUuTO1+d9Xtg=
X-Received: by 2002:a6b:6205:: with SMTP id f5mr23859773iog.60.1625749818726; Thu, 08 Jul 2021 06:10:18 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBOf2C9dSoYr2w6tEOLkpL_pBu5EhBh3HJWKf+iyAfafKg@mail.gmail.com> <CAHbrMsBDT1G2qT8g1e+5yOdQkq7nfKw1vNemYE4zJ7J5qL8z=A@mail.gmail.com> <CABcZeBMYavozy81+OiytxsE7QZ0EOPfucx6wHzFbB9M9ag5Z8w@mail.gmail.com> <CAHbrMsD20xGp5qsS069r0gYMF4wyV-yOVgghkTnBQNmFDAcNFA@mail.gmail.com>
In-Reply-To: <CAHbrMsD20xGp5qsS069r0gYMF4wyV-yOVgghkTnBQNmFDAcNFA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 08 Jul 2021 06:09:42 -0700
Message-ID: <CABcZeBP5CspvyBejA9m+TSp1Y0=X5P4PD3b=1tJmLgBkbDuqKQ@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000070750505c69c6066"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/xacSHfosWGz7GSz3MJcKIUZicaI>
Subject: Re: [Add] Private IPs, DDR, and PR#11
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jul 2021 13:10:25 -0000
On Thu, Jul 8, 2021 at 5:25 AM Ben Schwartz <bemasc= 40google.com@dmarc.ietf.org> wrote: > > > On Wed, Jul 7, 2021 at 11:11 PM Eric Rescorla <ekr@rtfm.com> wrote: > >> >> >> On Wed, Jul 7, 2021 at 8:01 AM Ben Schwartz <bemasc@google.com> wrote: >> >>> >>> On Thu, Jul 1, 2021 at 6:18 PM Eric Rescorla <ekr@rtfm.com> wrote: >>> >>> Can we get this documented before we start designing mechanisms? >>>> >>> >>> I'm not sure what you mean. Section 5 of the requirements draft [1] says >>> >>> +-------------+---------------------------------------------------+ >>> | R4.1 | If the local network resolver is a forwarder that | >>> | | does not offer encrypted DNS service, an upstream | >>> | | encrypted resolver SHOULD be retrievable via | >>> | | queries sent to that forwarder. | >>> +-------------+---------------------------------------------------+ >>> | R4.2 | Achieving requirement 4.1 SHOULD NOT require any | >>> | | changes to DNS forwarders hosted on non- | >>> | | upgradable legacy network devices. | >>> +-------------+---------------------------------------------------+ >>> | R5.1 | Discovery MUST NOT worsen a client's security or | >>> | | privacy posture. | >>> +-------------+---------------------------------------------------+ >>> | R5.2 | Threat modelling MUST assume that there is a | >>> | | passive eavesdropping attacker on the local | >>> | | network. | >>> +-------------+---------------------------------------------------+ >>> | R5.3 | Threat modelling MUST assume that an attacker can | >>> | | actively attack from outside the local network. | >>> +-------------+---------------------------------------------------+ >>> | R5.4 | Attackers MUST NOT be able to redirect encrypted | >>> | | DNS traffic to themselves when they would not | >>> | | otherwise handle DNS traffic. | >>> +-------------+---------------------------------------------------+ >>> >>> I think these requirements (except perhaps R5.3) represent the goal of >>> PR #11. >>> >> >> I think perhaps I missed 5.2, but I don't think it really answers my >> question: what actual network environment does this correspond to? How >> common is it? The rationale for the original DDR was that DHCP was somehow >> special and could be trusted to deliver the IP address of the resolver, but >> that's not true here. >> > > The clearest use case is where the local network is free of adversaries, > and there is a passive adversary on the public link. I think this is > likely a common scenario ... perhaps the most common scenario of all. > I'm just going to repeat my question here. Do you have any evidence that this scenario is at all common? -Ekr > [1] >>> https://datatracker.ietf.org/doc/html/draft-ietf-add-requirements#section-5 >>> >>> That would also help understand the effectiveness of the 5 minute >>>> timeout. >>>> >>>> >>>> Finally, assuming I've understood things correctly, reaching through >>>> the CPE in this way seems like it has the potential to bypass any >>>> CPE-specific filtering that the user has has installed. Suppose I have >>>> some CPE that uses the ISP DNS but filters out certain names; if the >>>> ISP posts a _SVCB record that directs me to their resolver, doesn't >>>> that cause that filtering not to work? >>>> >>> >>> Yes, but the CPE controls whether this upgrade occurs. To control the >>> DDR process, the CPE replies to the SVCB query (ideally advertising its own >>> encrypted endpoint, but NODATA/NXDOMAIN will also work). >>> >> >> I would say rather that the CPE has the opportunity to prevent the >> upgrade from occurring. However, as I understand the situation, the current >> CPEs that do filtering will simply be invisible to this process. >> > > Perhaps, but such filtering lists generally have to be updated frequently > as the destinations of concern change. The Mozilla canary experiment has > demonstrated that such CPEs are generally able to block the probe domain > (be it use-application-dns.net or _dns.resolver.arpa), > avoiding disruptions in practice. > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add >
- [Add] Private IPs, DDR, and PR#11 Eric Rescorla
- Re: [Add] Private IPs, DDR, and PR#11 Michael Richardson
- Re: [Add] Private IPs, DDR, and PR#11 Ben Schwartz
- Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11 Tommy Jensen
- Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11 Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11 Ben Schwartz
- Re: [Add] [EXTERNAL] Private IPs, DDR, and PR#11 STARK, BARBARA H
- Re: [Add] Private IPs, DDR, and PR#11 Eric Rescorla
- Re: [Add] Private IPs, DDR, and PR#11 Ben Schwartz
- Re: [Add] Private IPs, DDR, and PR#11 Andrew Campling
- Re: [Add] Private IPs, DDR, and PR#11 Eric Rescorla
- Re: [Add] Private IPs, DDR, and PR#11 Ben Schwartz
- Re: [Add] [EXTERNAL] Re: Private IPs, DDR, and PR… Tommy Jensen
- Re: [Add] Private IPs, DDR, and PR#11 Eric Rescorla