Re: [dane] AD review of draft-ietf-dane-smtp-with-dane
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 16 April 2015 18:29 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A6A01B342E for <dane@ietfa.amsl.com>; Thu, 16 Apr 2015 11:29:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rQEBLh1LUJhl for <dane@ietfa.amsl.com>; Thu, 16 Apr 2015 11:29:12 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FAA21B2F0D for <dane@ietf.org>; Thu, 16 Apr 2015 11:29:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 7DFA7BEFC for <dane@ietf.org>; Thu, 16 Apr 2015 19:29:09 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9J9e9QS0lA2y for <dane@ietf.org>; Thu, 16 Apr 2015 19:29:06 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.41.51.113]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 39408BE8E for <dane@ietf.org>; Thu, 16 Apr 2015 19:29:06 +0100 (IST)
Message-ID: <552FFF6A.2040305@cs.tcd.ie>
Date: Thu, 16 Apr 2015 19:28:58 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: dane@ietf.org
References: <552FD4E5.8080407@cs.tcd.ie> <20150416173722.GG17637@mournblade.imrryr.org>
In-Reply-To: <20150416173722.GG17637@mournblade.imrryr.org>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/-z2YfnBqrM3BOI9aLic_yC_9-UM>
Subject: Re: [dane] AD review of draft-ietf-dane-smtp-with-dane
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2015 18:29:16 -0000
Hiya, On 16/04/15 18:37, Viktor Dukhovni wrote: > On Thu, Apr 16, 2015 at 04:27:33PM +0100, Stephen Farrell wrote: > >> (1) What is the behaviour when all RRs required for this are >> published except for no DNSSEC RRs? I have heard tell of some >> people who would like to experiment in that way, and would >> like to know if the WG have a clear answer for them as to >> what ought happen. Is that answer here? (If so, it's fairly >> well hidden;-) > > The specified and implemented (Postfix and Exim) behaviour is that > the records are ignored when not "secure". Thus DNSSEC is a > prerequisite. Opportunistic TLS happens anyway (even without TLSA > record validation), so it is not clear why one would bother with > incomplete (easily defeated) attempts at protecting against active > attacks. My understanding is that some people wanted to experiment with TLSA without having to have had DNSSEC deployed. But I take your answer to be that no such behaviour is defined here, which is fine. So consider this one answered. > >> (2) Doesn't this need to be consistent with other recent IETF >> documents, in particular the generic UTA BCP and deprecating >> SSL 3.0? I don't believe it current is entirely consistent >> with either. (See minor comments below for details.) Why is >> that ok? > > This is an opportunistic protocol, hence some security is better > than none. If all that the server has is SSL 3.0, it can still > publish TLSA RRs, and POODLE et. al, are primary attacks on HTTPS > not SMTP. > > In any case this draft was ready (and has been largely unchanged) > for about a year now, *before* all the fuss about SSL 3.0. Clients > MUST support at least TLS 1.0 (to use SNI). Servers MAY support > SSL 3.0 (allowing them to publish TLSA RRs with whatever they're > running today). At this point we can set the floor at TLS 1.0 if > that's better "optics", the number of servers doing just SSL 3.0, > whose admins might be tempted to publish DANE TLSA RRs is likely > zero. I see Paul has replied so I'll see how the discussion develops and join in later. A few bits more below on the non-blocking things. > > There is no reason to require anything beyond SSL 3.0 (server-side) > in this protocol, and it does not preclude other documents from > setting a higher bar. > >> The rest (below) are more minor comments, please treat these >> as IETF LC comments. >> > > Responding to a subset, leaving out mostly editorial fixes. > >> - 1.3.2, The MX lookup is vulnerable as stated but isn't the >> A/AAAA similarly vulnerable? I think you ought note that too, >> but also that this specification can mean that DNSSEC for >> that lookup is not needed based on the name in the MX >> response being bound (via x.509 or tlsa) to the TLS server >> private key. (Well, that assumes I've gotten that correct:-) >> Without DNSSEC for the MX name->address mapping a bad actor >> could however, insert themselves into the path and gain >> whatever can be gained via traffic analysis of the SMTP/TLS >> session. > > The address records are not security relevant. MX is because > authenticating the origin domain does not work, and the MX, > absent DNSSEC, is insecure (but widely done anyway). > > While, the A records don't a-priori need to be secured, we skip > TLSA records for MX hosts whose A/AAAA records are "insecure" in > order to avoid interop problems with (Microsoft's and similar) > domains whose non-DNSSEC nameservers are allergic to unsupported > RRtypes (the "mail.protection.outlook.com" nameservers botch > TLSA queries). > > Traffic hijacking can be done with BGP (this is far more common, > and is more difficult to observe) even without changing the addresses. > Or by tapping into the cables. So I think the threat is that someone who fakes the A record can do traffic analysis as they can direct the SMTP and STARTTLS traffic through their chosen host. I think that's work noting, in and of itself. If we had more to say (that's well founded) about traffic analysis if SMTP/TLS that'd be interesting but I'm not familiar with any work in the space (though I've not looked). > >> - 2.1.1, the term anchorless should probably get a mention in >> 1.1 with a forward pointer to 2.1.1. Or maybe you can avoid >> the term since it's not used much. (Just in 2 adjacent >> paragraphs.) > > Yeah, that's a bit tricky, just need some way to avoid local > repetition and to make it clear when we're describing the "4034" > type of "indeterminate" once the definition of the term is aligned > with "4035". Specific suggestions welcome, if this is important > to "fix". I'm fine if you just take a peek again and decide what to do. > >> - 2.1.1, what does "securely opted out" mean? > > That's about a parent domain providing proof of non-existence of > DS records, possibly with NSEC or NSEC3 for the domain itself, or > perhaps via NSEC3 for neighbour domains with the opt-out bit set. > Thus the domain is an "insecure" sub-domain of a "secure" parent > domain. I'm open to better language if the current is confusing. I think that's needed, or perhaps a reference. In my reading I never even considered DS RR's. Now that might be my relative ignorance of DNSSEC terminology, but that's a new one on me so please either define it if it's a neologism or else just add a reference if it's a know term of art. > >> - 2.2, Could "authenticated" here mean mutually authenticated >> with TLS client certs? If not, maybe say so. (And for the >> last sentence before 2.2.1, what about the client cert names >> - what's done with those?) > > There is no protocol for specifying mutual authentication until > someone (I volunteered) writes the DANE draft for locating client > TLSA RRs and how that works for SMTP. Some of the signaling > (client -> server: please check for my TLSA records) will be > application protocol specific. Could be worth saying that mutually authenticated TLS is out of scope so servers SHOULD (or MUST) NOT send a certificate request. > >> - 3.1.2 - does the MUST include TA in the TLS handshake >> conflict with common implementations of 5246? 5246 section >> 7.4.2, says that the TA MAY be omitted, but I wonder if we >> might be causing ourselves trouble (some) with running code. > > No, this is not a conflict. 5246 allows a shorter chain, > but does not require it. With DANE the "optimization" > is not available. > > Since verification without the TA cert is impossible, there is no > choice. The requirement is a statement of logical fact, not a > design choice. > > Running code is working just fine. The only real consequence is > that some Microsoft (surprise?) Exchange servers reportedly can't > actually add self-signed certs to their chain, so if they use a > DANE-TA(2) trust anchor, it needs to be an intermediate. [ Either > the admin tooling, Schannel, or something else in the stack does > not make it possible to specify a server chain that includes a root > CA. ] Ok, it's that latter I was after. If someone maintains that those specific server deployments are significant they can make that case during last call I guess. Ta. > >> - 8.1, para 1: We've (the IETF) just deprecated SSL 3.0, [1] >> so don't you need to reference that and say to not do that? >> At least the MAY at the end of that paragraph seems not to >> conform with the BCP. I think a ref to [1] is needed. >> >> [1] https://tools.ietf.org/html/draft-ietf-tls-sslv3-diediedie > > See above. The BCP does not claim applicability to opportunistic > TLS. This protocol is (still) opportunistic TLS, but with > authentication not just unauthenticated encryption. However, at > this point SSL 3.0 has largely been phased out, so raising the bar > to TLS 1.0 would have little practical effect. Server operators > will ignore whatever we say here anyway and will support whatever > they support. So whatever you want for "optics" is fine, though > I still don't like erecting needless hurdles as a matter of principle. I'll chime in later. > >> - 8.2: This is already handled by the generic UTA BCP. Why is >> it needed here? > > I don't see any discussion of anon-DH in the UTA BCP (which in any > case disclaims applicability to opportunistic TLS). Ditto. > >> - 9.2, 2nd para: isn't that repetitive? That seems like a bad >> idea. > > Are we looking at the same draft version? Perhaps your 8.2/9.2 is > not what I'm looking at (version 15). Sorry, I meant that lots of 9.2 repeats things said earlier in this document. Cheers, S. >
- [dane] AD review of draft-ietf-dane-smtp-with-dane Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Viktor Dukhovni
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Paul Wouters
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Viktor Dukhovni
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Viktor Dukhovni
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Paul Wouters
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Jeremy Harris
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Paul Wouters
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Viktor Dukhovni
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Olafur Gudmundsson
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Viktor Dukhovni
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Nico Williams
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Nico Williams
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Nico Williams
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Viktor Dukhovni
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Paul Wouters
- Re: [dane] AD review of draft-ietf-dane-smtp-with… stephen.farrell
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Viktor Dukhovni
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Viktor Dukhovni
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Olafur Gudmundsson
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Viktor Dukhovni
- Re: [dane] AD review of draft-ietf-dane-smtp-with… Stephen Farrell
- [dane] SMTP draft -16 updates (was: AD review of … Viktor Dukhovni
- Re: [dane] SMTP draft -16 updates Stephen Farrell
- Re: [dane] SMTP draft -16 updates Stephen Farrell