IETF Logo Mail Archive

Re: [Add] Soliciting input on "DDR and Forwarders"

tirumal reddy <kondtir@gmail.com> Wed, 09 March 2022 08:50 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 228E03A190A for <add@ietfa.amsl.com>; Wed, 9 Mar 2022 00:50:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vf-gk1mzpIBj for <add@ietfa.amsl.com>; Wed, 9 Mar 2022 00:50:37 -0800 (PST)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADD223A1909 for <add@ietf.org>; Wed, 9 Mar 2022 00:50:36 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id l20so2430809lfg.12 for <add@ietf.org>; Wed, 09 Mar 2022 00:50:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=c5Hv+5XAXkaZcSzPSrCkLMBRVY7OUo2NhhGM8RZKT4E=; b=J2+l+AWdctuROMNfmMgqs4u7lbM7qV8maocAOKcXq1MbUpOycliBmBSYMTAfDT8Sf1 DTzlU0ed3wAqCEvfWkq/KYT1l1JiembZKfBktGuqqlD+5KDpVQmkZPs3U7lyS7oJOGs6 BWxJsVc3imOOompW1W+c87x4e6nmoMC0eFY2iV77ZMtnqX59fPssa4/R1YstPXNQt66C 3NKoEXT62EZzjFlU2vVhR/nIk8sfdZLZQKfNeyCvX/bHCRxzFw/4RVgeCXNrDd6YI3T1 bN4jYFSxFLsACdgUK3xoba+uEOSVBMBsHKcgAU7gKVYcFe3uX93u266KqN1xqhVWJtEm 9Nng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=c5Hv+5XAXkaZcSzPSrCkLMBRVY7OUo2NhhGM8RZKT4E=; b=6w5WdhIoRd7bkNuHzKWJR9coLlE6LFefkuosQiS65yoKt6EGUO8YGLyV+rIqB8CCYp RFg69fHxkWui0/r1Fj0flhT3fJbe9e8f165I0juFgqwpVg+iHqG1KOFuFk8n0I0KQu0s HHeCevITHet6M4Ln2lfl3oqFRESO75jq3wrz6Il+Twd81nJymx4XsjmN7yEQow2wvSvz l+Ldh/+w/2kYFhP/5Pu4pUUsqmj+XIe7se4WmBTjNUM67JOvB/4QNhBoyJrd/jfzAOq1 UW7cKsBSxF7XwWzfUK+fHuGEOuGzZ3tw1nk6R+uwcNvAX6mZzrDb2IU2177RUl5W90wt FbPw==
X-Gm-Message-State: AOAM532P8TFVAWPD7sQ6xYZRjvi6J/kwNx/MZISDpKRFWFEFPmtUzUL7 yKvZW6BZ7jDvl3oU51dNZ8it5lfpGU5zcWtQx50=
X-Google-Smtp-Source: ABdhPJzub2PEKuReulQtx/ZN3AAVArTR4NCcxI6Op+BPKj8PgMMEIyKIfCOKvn+RCyuVVSi5kbbeBLSvpAo2A3vLN6A=
X-Received: by 2002:ac2:5de7:0:b0:448:3021:dc44 with SMTP id z7-20020ac25de7000000b004483021dc44mr8875122lfq.345.1646815834252; Wed, 09 Mar 2022 00:50:34 -0800 (PST)
MIME-Version: 1.0
References: <CAHbrMsAYf6p7kA=MpFS0moo5h2sy2oMh9dVZTRYJj54WpTV-qQ@mail.gmail.com> <CAFpG3gdJybWK56-4aNrkFk24SDgeZHazMYm8B1eShhTt9am1XQ@mail.gmail.com> <CAHbrMsA+xcz_-BsiUVA3_4ePp8QU-GWqxJHArCeaaYD4_EuAKA@mail.gmail.com>
In-Reply-To: <CAHbrMsA+xcz_-BsiUVA3_4ePp8QU-GWqxJHArCeaaYD4_EuAKA@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 09 Mar 2022 14:20:22 +0530
Message-ID: <CAFpG3gdOyW5cBga1t7MF--GL4GBUhEWR04k=XVV=_RfrCR+6wg@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cfab6b05d9c530d8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/zdDwovgKNxrX1RW2bXqMOLPS748>
Subject: Re: [Add] Soliciting input on "DDR and Forwarders"
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2022 08:50:42 -0000

Hi Ben,

Please see inline

On Wed, 9 Mar 2022 at 04:06, Ben Schwartz <bemasc@google.com> wrote:

> Thanks for the comments, Tiru.  I've posted a PR to address some of them
> here: https://github.com/bemasc/ddr-forwarders/pull/4
>
> On Tue, Mar 8, 2022 at 2:44 AM tirumal reddy <kondtir@gmail.com> wrote:
>
>> Hi Ben,
>>
>> Agree with the legacy DNS forwarder problem and the proposed solution:
>>
>> Comments below:
>>
>> 1. Any network device will have vulnerabilities (including cloud
>> workloads) and needs to be updated periodically to fixed versions. The home
>> routers that cannot be upgraded are most likely already compromised because
>> of existing vulnerabilities. It will be helpful to articulate this threat
>> and assume the attacker will always be on-path residing on the legacy
>> unpatchable home router.
>>
>
> This is a good point, but nothing here assumes that the router is
> "unpatchable".  The problem is that implementing DDR on a pre-existing
> gateway device is far from trivial.  It requires running an encrypted DNS
> (IMHO likely DoH) server, which may be difficult or impossible on legacy
> hardware.
>

Home networks will have both legacy routers and routers with network
security services. For instance, several security companies offer home
network network security on home routers (e.g.,
https://www.mcafee.com/consumer/en-au/store/SHP.html,
https://www.trendmicro.com/en_us/forHome/products/homenetworksecurity.html
etc.).
In my previous company, Secure Home Platform (SHP) is shipped on millions
of home routers with hardened OpenWRT. We are able provision a DoH/DoT
forwarder and each router was provisioned with a unique domain name (e.g.,
cpe1.example.com) and was assigned a PKIX certificate using ACME (see
https://datatracker.ietf.org/doc/html/draft-boucadair-add-deployment-considerations-00#section-4.1
for more details).

The legacy routers fall into three categories (1) cannot upgrade to support
encrypted DNS forwarder but patchable (2) cannot upgrade to support encrypted
DNS forwarder, not patchable and configuration cannot be modified (3) cannot
upgrade to support encrypted DNS forwarder but configuration is updated to
use the ISP DNS resolver (both encrypted and unencrypted).

My understanding is the proposed mechanism in your draft can be used for
both (1) and (2) deployments.


>
> 2. I like using the reputation of the resolver without burdening an
>> average user. A public database or consensus algorithm among OS and
>> browsers would increase the number of trusted resolvers. It would also
>> reduce the burden of an ISP to reach each and every OS and browser vendor
>> (to be added to the TRR).
>>
>
> I have no objection to that, but I don't think it's something that can
> happen inside the IETF.
>

It could be an experimental draft just like certificate transparency.


>
> 3.
>> https://datatracker.ietf.org/doc/html/draft-schwartz-add-ddr-forwarders-01#section-7.4,
>> it may not work with headless IoT devices.
>>
>
> I don't see a problem.  IoT devices still need to be administered by
> somebody through some controls, even if those controls are over the network.
>

IoT devices can be on-boarded both automatically and with user assistance
(see
https://datatracker.ietf.org/doc/html/draft-irtf-t2trg-secure-bootstrapping).
However, I agree the latter mode is popular today.


>
> 4. A timeline (e.g., 5 or 10 years) to sunset the proposed mechanism would
>> be helpful.
>>
>
> I added a note related to this in the PR.  I don't think a fixed timeline
> is appropriate, but it's a good reminder that we don't expect this to be
> relevant forever.
>

Works for me.


>
> 5. If the discovered resolver is not trusted, a warning to the user will
>> be helpful (e.g., to upgrade the router).
>>
>
> Added.
>

Thanks.


>
> 6. I don't get the relevance of sections 4.1, 4.2 and 4.3 to this
>> specification.
>>
>
> This is an Informational document, providing an overview of the topic,
> including problems and various mitigations.  Section 4 discusses some less
> problematic aspects of this situation.
>

The draft is relaxing the mandatory validation discussed in DDR and is an
update to DDR. I am not sure about the Informational status of the draft !


>
> 7.
>> https://datatracker.ietf.org/doc/html/draft-schwartz-add-ddr-forwarders-01#section-7.1
>>
>> a) what kind of split-horizon namespaces are you referring to in home
>> networks ?
>>
>
> This document is not limited to home networks.  Even if this problem is
> only present in home networks, devices don't know whether a given network
> is a "home network", so we need to consider the impact on enterprise
> networks as well.
>

I thought the problem was specific to home networks.


>
> I do think there are some home networks with split DNS, but probably not
> too many.
>

I doubt if any home network would have split DNS with legacy forwarders.


>
>
>> b) I don't think this type of network will support homenet (see
>> https://datatracker.ietf.org/doc/html/rfc8375) ?
>>
>
> I'm not sure I understand.  NXDOMAIN fallback would seem to enable support
> for .home.arpa and
> https://datatracker.ietf.org/doc/html/rfc8375#section-6.3 discusses
> possible client behavior changes as well.
>

Yes, but my comment was if these legacy forwarders would even understand
DNS queries with ".home.arpa" and not forward it.

-Tiru

v2.23.0 | Report a Bug | By Email