IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Eric Rescorla <ekr@rtfm.com> Fri, 04 May 2012 15:11 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5AAA21F85EF for <dane@ietfa.amsl.com>; Fri, 4 May 2012 08:11:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.868
X-Spam-Level:
X-Spam-Status: No, score=-102.868 tagged_above=-999 required=5 tests=[AWL=0.109, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PmYf+3mbFtlq for <dane@ietfa.amsl.com>; Fri, 4 May 2012 08:11:21 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9AC6621F85F0 for <dane@ietf.org>; Fri, 4 May 2012 08:11:21 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so2518131vbb.31 for <dane@ietf.org>; Fri, 04 May 2012 08:11:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=L6qX5YnPXzFMllbVFZrCDyz0AdqNtULa7Z2abwQsEYU=; b=QOaOehcDebpJdJnRAyXvNEdL+tjzij5baFeRppNMxpxB+s+uI4xyBJH0mrY6Xt19hP jzezRu0FUL5vTk2s38ooKr7A3GDjBY4pIkINORUZ7zEr6h3q4nj7GEsDYQEkEKzkWECy qxWA3iYwePg0GIycSZcLX/QXRH+p8bNPrap9zEtGqJKZIFK/5o78CG/N1qFAlVCHW4v+ piuDNR3b/pbKFYHEI07o9is+DU3Sn2f6raWgFQYBDa1eqKFXiO8qquY+kmsuZY/PwV6D VHwKY0gcF62HBuWyXogkJ9iWxvaaN5F4fEtbrtzNZ0iyv4kpjBQHwyeAqm8VnX6jhzK1 StgQ==
Received: by 10.52.68.204 with SMTP id y12mr3280502vdt.53.1336144280928; Fri, 04 May 2012 08:11:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.19.233 with HTTP; Fri, 4 May 2012 08:10:40 -0700 (PDT)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <20120504144426.GD4929@mail.yitter.info>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <0526D60A-3F1B-4C55-9796-256BC2556AAB@vpnc.org> <20120503223745.GC1804@mail.yitter.info> <CABcZeBMFV8oiZJfAY1fZ_0bBQWa=q6aBL65AS+W5gBuKmPnwOg@mail.gmail.com> <20120504021044.GB4560@mail.yitter.info> <B25C977F-6B4E-458C-879D-A36EDB94DA75@icsi.berkeley.edu> <20120504023602.GA4683@mail.yitter.info> <CABcZeBO93n_C5detefBcOjAoswe2inGKDj65gQPDQmREyGnhAw@mail.gmail.com> <20120504112922.GB4929@mail.yitter.info> <CABcZeBPTTa07iUHo9XL5WrHGMYHwaQzs6xYtiF25O4Jek8E3RQ@mail.gmail.com> <20120504144426.GD4929@mail.yitter.info>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 4 May 2012 08:10:40 -0700
Message-ID: <CABcZeBOM_0L42Rng75AsVda9u4G=FH8=OB8Qg=nQpL-BzRoBuQ@mail.gmail.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQkdZhDAD++1KX7xoiQhkAtDmlnQ/5wRY6KLR8k1P42ByepCU4npeqHzlLUHqDt2tO/+YbzM
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 15:11:22 -0000

On Fri, May 4, 2012 at 7:44 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
> On Fri, May 04, 2012 at 06:48:20AM -0700, Eric Rescorla wrote:
>> On Fri, May 4, 2012 at 4:29 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
>> >
>> >    1.  The attacker is able to undermine some CA.
>> >
>> >    2.  The attacker is actually on-path and going to undermine my
>> >    connection.
>>
>> I'm confused by this answer: DANE (for the two constraints modes)
>> only offers security value if *both* of these things are true. If the
>> first is not true, then a PKIX certificate is sufficient to distinguish
>> between valid users and attackers and in the second is not true,
>> then even an attacker with an invalid certificate cannot get
>> your packts.
>
> Yes, of course.
>
> Your proposal is that, if I have a TLSA-enabled client, I
> automatically lose TLS support _for anything_ in the event I'm in a
> network with poor DNS support.  I was trying to argue that there is
> another sensible alternative: I could make a decision to allow TLSA
> responses not to work in some cases, because I think it is more likely
> that the network is broken than that (1) and (2) are both true.  But
> I might in general not trust CAs, and think that (1) is more likely
> that (2) most of the time, and therefore normally want to prefer
> TLSA.  Therefore, I ought to be able to decide to proceed in the face
> of the failure to get a TLSA record at all.

Again, I don't understand your reasoning here. It's not a matter of 1
*versus* 2. If you proceed in the face of no TLSA record, I claim you
might as well not do the TLSA check.


> Perhaps one would argue, however, that this amounts to saying, "I need
> to be able to turn TLSA off."  I could live with that.
>
> I am still opposed to anything that says we have to treat some
> reponses that are not DNSSEC-bogus "as bogus", because I think it
> muddies the DNSSEC evaluation waters even more than they already are.
> Could we come up with another way of saying this?  How about this:
>
>    In the event that all DNS queries for the TLSA record time out, or
>    return with RCODE 1 or RCODE 4-15, TLS MUST NOT be started or,
>    if the TLS negotiation is already in progress, MUST cause the
>    connection to be aborted.  Under these conditions, a user agent
>    MUST disable TLSA queries in order to undertage a TLS connection.

I don't really see how to operationalize this in a client in a useful way.


> Note that this does _not_ cause the connection to fail under the case
> we usually call "NODATA".  The case I mentioned yesterday, where AD is
> set and the upstream doesn't give you the DNSSEC data and you have a
> NODATA response is, AFAICT, just a case where there is no TLSA RRset
> and shouldn't result in TLS failure.

But the problem is that this is indistinguishable from the case where there
*was* a TLSA RRSET and you have a network attacker.


>  FWIW, I think the above is
> probaby too strong, but as long as we have something expicitly telling
> people that, if they thing DNS is broken where they are they need to
> turn of TLSA processing (i.e. a clue to implementers that they need
> this knob), I can live with it.

I'd rather not get bogged down in the exact RFC 2119 language and
discussion of what knobs must be provided just yet. But I do think it's
useful to think about this from the perspective of the implementor.
For convenience, consider the case of the browser. Currently, the
browser's algorithm is simple: check the PKIX cert and if it's valid,
connect and if not show a scary red dialog. [I'm ignoring cert pinning
for now.] And it's generally agreed that one should only proceed
past the scary dialog if either (a) you don't care who you are
connecting to, like in a captive network portal or (b) you are really
sure you are in a secure network environment.

Now, consider the perspective of an implementor who adds DANE
support for usages 0 and 1. The first arm of the decision, PKIX valid,
now becomes three branches.

- Verifiably no TLSA records via DNSSEC or Insecure/Indeterminate zone:
  continue with PKIX validation.
- Verifiable TLSA records via DNSSEC: PKIX validation plus the TLSA check
- Non-response: ???

Now, the implementor has three choices in this final arm:

1. Proceed with the TLS connection. (soft fail)
2. Show the scary red dialog. (hard fail)
3. Refuse to connect under any conditions (really hard fail, the way you
do with pinning).

I claim that if you do (1) you might as well not bother with the TLSA
check at all, since the attacker can just bypass it. I assume you are
saying that one should do (2)? I think that's fine, as long as that's
also how you treat other TLSA failures, such as certs which aren't
in the TLSA list. If you treat this case preferentially, then attackers
will just simulate it.

Important note: I am not claiming that route (2) is good. If the
infrastructure is indeed as bad as you say, then users will find
themselves having to click through all the time and DANE is likely
not a useful signal.


>> Again, this is logical, but as far as I can tell it obviates the security
>> provided by DANE. I'd like to repeat the question I asked in my
>> previous message: can you describe a set of attacker capabilities
>> which would be sufficient for an attacker to mount a successful
>> attack on TLS pre-DANE but would not post-DANE, provided
>> that clients react to TLSA non-response by falling back to pre-DANE
>> behavior?
>
> No, and I never thought that was the point of TLSA.  I thought the
> point of TLSA was to enable people to use TLS, provably securely
> but without the X.509 PKI infrastructure, if they wanted to.
> Usability enhancements are security improvements too, IMO.

TLSA includes two types of records:

1. Records which constrain the set of valid certificates but which still
require PKIX validation of the certificate (Usages 0 and 1).
2. Records which allow a client to use keying material which would
otherwise not pass PKIX validation (Usages 2 and 3).

What we're talking about here is Usages 0 and 1. I agree that the
analysis is different for usages 2 and 3.

-Ekr

v2.8.7 | Report a Bug | By Email