Re: [dane] IPSECA

Paul Wouters <paul@nohats.ca> Wed, 25 March 2015 18:38 UTC

Date: Wed, 25 Mar 2015 14:38:27 -0400
From: Paul Wouters <paul@nohats.ca>
To: dane@ietf.org
In-Reply-To: <20150325163044.GJ21586@mournblade.imrryr.org>
Message-ID: <alpine.LFD.2.10.1503251435480.22291@bofh.nohats.ca>
References: <9735F7C2-D87A-4A33-9302-49C54A644EDA@verisign.com> <20150325163044.GJ21586@mournblade.imrryr.org>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/lZkJdC2tGAHiI7YvkqK_UUSc3Ow>
Subject: Re: [dane] IPSECA

On Wed, 25 Mar 2015, Viktor Dukhovni wrote:

> Finally, what I think is the biggest issue:
>
> --- IPSEC and forward DNS
>
>    [ The below was explained to me by Paul Wouters in London,
>      thanks Paul.  Any mistakes in the below are mine, so if I've
>      got the wrong end of the stick, that's not Paul's fault. ]
>
> Creating IPSEC security associations based on forward DNS names
> is rather problematic.  There is no discussion of the associated
> issues.  Suppose we have:
>
> 	ns1.saint.example. IN A 192.0.2.1
> 	_53.saint.example. IN IPSECA 0 1 1 <saintly-digest>
>
> serving the saint.example domain.  Clients secure their connections
> to this nameserver by creating an IPSEC association with 192.0.2.1
> using the given key material.  Along comes:
>
> 	ns1.evil.example. IN A 192.0.2.1
> 	_53.evil.example. IN IPSECA 3 1 1 <evil-digest>
>
> publishing the same IP address as a nameserver for his own evil.example
> domain.  Now clients create a replacement IPSEC tunnel to 192.0.2.1
> (there can only be one) and suddenly evil.example is free to
> intercept saint.example's traffic.

Actually, you cannot intercept the traffic. Assuming the real IKE daemon
on 192.0.2.1 is configured with the "saint key", the client will see
that the server fails authentication. But this does provide a
denial of service against both the client and the saint server. And if
the client would fail to clear based on evil.example, then it could
potentially cause all saint traffic to end up in the clear as well.

Paul
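The collision the two messages above describe, as an added model that is not part of the thread: two zones publish the same nameserver IP with different IPSECA digests, the client keeps a single security association per peer IP, and the real IKE peer still holds saint's key. The record layout (usage, selector, matching type, SHA-256 digest) is assumed to be TLSA-like; the zone data and key bytes are constructed for the example.

```python
import hashlib

# Constructed stand-ins for the IKE public keys; only their digests matter here.
SAINT_KEY = b"saint.example IKE public key (constructed)"
EVIL_KEY = b"evil.example IKE public key (constructed)"


def digest(key: bytes) -> str:
    """Matching type 1 (assumed TLSA-like): SHA-256 over the association data."""
    return hashlib.sha256(key).hexdigest()


# Constructed zone data mirroring the records quoted in the thread.
ZONE = {
    "ns1.saint.example.": ("A", "192.0.2.1"),
    "_53.saint.example.": ("IPSECA", (0, 1, 1, digest(SAINT_KEY))),
    "ns1.evil.example.": ("A", "192.0.2.1"),
    "_53.evil.example.": ("IPSECA", (3, 1, 1, digest(EVIL_KEY))),
}


def lookup_ipseca(nameserver: str):
    """Forward-DNS path: nameserver name -> (IP, expected key digest)."""
    ip = ZONE[nameserver][1]
    zone = nameserver.split(".", 1)[1]          # ns1.saint.example. -> saint.example.
    _usage, _selector, _mtype, expected = ZONE["_53." + zone][1]
    return ip, expected


class Client:
    """Keeps at most one SA per peer IP, so a later lookup replaces an earlier one."""

    def __init__(self, fail_open: bool):
        self.fail_open = fail_open   # policy when IKE authentication fails
        self.sa = {}                 # peer IP -> digest the client expects

    def install(self, nameserver: str) -> None:
        ip, expected = lookup_ipseca(nameserver)
        self.sa[ip] = expected       # evil.example's record overwrites saint's here

    def send(self, ip: str, peer_key: bytes) -> str:
        """Outcome when the real IKE peer at `ip` authenticates with `peer_key`."""
        if digest(peer_key) == self.sa[ip]:
            return "protected"       # digest matches: traffic rides the SA
        # Authentication failed: evil cannot impersonate saint, but the client
        # either drops traffic (denial of service) or sends it in the clear.
        return "cleartext" if self.fail_open else "dropped"
```

Installing saint's record then evil's turns a "protected" result into "dropped" for a fail-closed client and "cleartext" for a fail-open one, which is the denial-of-service versus leak trade-off the reply points out.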