Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt

"zuopeng@cnnic.cn" <zuopeng@cnnic.cn> Fri, 10 July 2015 09:09 UTC

Date: Fri, 10 Jul 2015 16:57:15 +0800
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: Ted Hardie <ted.ietf@gmail.com>, yaojk <yaojk@cnnic.cn>
References: <2015070714161016259349@cnnic.cn>, <CA+9kkMAoRAiiLf7uFKP_UFpfvKpT-d=i_KpNxaFQKXcPaxZkMA@mail.gmail.com>, <2015070815195960707175@cnnic.cn>, <CA+9kkMBN70mQ0ZE5NpPmNSsOpWrSsG8hf+ZysAcUoAyUkvndhQ@mail.gmail.com>
Message-ID: <2015071016571191624810@cnnic.cn>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/-lxDWlDSIgm8cEqevvsIeu2qUjc>
Cc: dns-privacy <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt

 
From: Ted Hardie
Date: 2015-07-10 02:04
To: yaojk
CC: dns-privacy
Subject: Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt
On Wed, Jul 8, 2015 at 12:21 AM, Jiankang Yao <yaojk@cnnic.cn> wrote:


It's also not clear to me, given that the stub public key is sent in the query to the recursive resolver how you avoid an attacker standing up a back-to-back user agent which strips that option, substitutes its own public key, gets the data and then passes it on.  (It may be, of course, that this attack is out of scope).
[Jiankang Yao] 
 Yes, the attacker standing up a back-to-back user agent can strip that option, substitute its own public key, get the data and then pass it on.
 But I think that it should be of no use, because the attacker cannot know the contents of the DNS packet sent by the stub.
I think I wasn't clear enough about the attack.  If the attacker strips the option and sends it with its own public key, it can decrypt the response.  It can send its version in advance of sending the original packet along, so it can see the response and potentially drop packets that match some policy.  (If they are acceptable, it just sends the queued packet along).  It can also be done along side the original packet, to enable tracking without applying policy.  That's mildly detectable, since the recursive resolver would see multiple queries, but it would be pretty easy to obfuscate by generating new client public keys and varying the query interval.

Does that make sense?

[Peng Zuo]
Since the whole DNS query packet (except the DNS header) is encrypted by the stub using the public key of the recursive resolver, the DNS packet structure becomes invisible to attackers; attackers could not locate the additional section of the DNS query, so I think it would be difficult for the attacker to substitute it with its own key.

regards,




zuopeng@cnnic.cn
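Added example (not part of the thread and not code from draft-zuo-dprive-encryption-over-udp): a Go model of the two query layouts the exchange above argues about, with Ted's back-to-back user agent run against each. Everything in it is an assumption made for illustration: the two wire layouts, the 12-byte header placeholder, the sealed-box construction (X25519 plus AES-256-GCM from the Go standard library, standing in for whatever the draft specifies), the `answer` stand-in for the resolver's lookup, and the premise that the attacker is on path but does not hold the recursive resolver's private key. Layout A puts the stub's public key in the clear next to the encrypted question, which is what the attack as described needs; layout B puts it inside the encrypted part, as the last message describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const hdrLen, keyLen, nonceLen = 12, 32, 12

var header = make([]byte, hdrLen) // constructed placeholder for the clear-text 12-byte DNS header

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func genKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// gcmFor derives the AEAD from a shared X25519 secret; sha256 stands in for a proper KDF.
func gcmFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// seal: ephemeral X25519 pub || nonce || AES-256-GCM ciphertext; only the matching private key opens it.
func seal(to *ecdh.PublicKey, plaintext []byte) []byte {
	eph := genKey()
	nonce := make([]byte, nonceLen)
	must(rand.Read(nonce))
	out := append(append([]byte{}, eph.PublicKey().Bytes()...), nonce...)
	return gcmFor(must(eph.ECDH(to))).Seal(out, nonce, plaintext, nil)
}

// open reverses seal; it errors if the box was modified or was sealed to a different key.
func open(priv *ecdh.PrivateKey, box []byte) ([]byte, error) {
	ephPub := must(ecdh.X25519().NewPublicKey(box[:keyLen]))
	gcm := gcmFor(must(priv.ECDH(ephPub)))
	return gcm.Open(nil, box[keyLen:keyLen+nonceLen], box[keyLen+nonceLen:], nil)
}

// answer stands in for the recursive resolver's real lookup.
func answer(q []byte) []byte { return []byte("answer for " + string(q)) }

// Layout A (what Ted's attack assumes): header || stub pubkey in clear || box(resolver, question).
func stubQueryA(stub *ecdh.PrivateKey, resolverPub *ecdh.PublicKey, q string) []byte {
	out := append(append([]byte{}, header...), stub.PublicKey().Bytes()...)
	return append(out, seal(resolverPub, []byte(q))...)
}

// resolverA seals its answer to whatever key the clear field carries.
func resolverA(resolver *ecdh.PrivateKey, query []byte) []byte {
	stubPub := must(ecdh.X25519().NewPublicKey(query[hdrLen : hdrLen+keyLen]))
	q := must(open(resolver, query[hdrLen+keyLen:]))
	return append(append([]byte{}, header...), seal(stubPub, answer(q))...)
}

// Layout B (as Peng Zuo describes it): header || box(resolver, stub pubkey || question).
func stubQueryB(stub *ecdh.PrivateKey, resolverPub *ecdh.PublicKey, q string) []byte {
	inner := append(stub.PublicKey().Bytes(), []byte(q)...)
	return append(append([]byte{}, header...), seal(resolverPub, inner)...)
}

// resolverB drops the query if the box does not open cleanly.
func resolverB(resolver *ecdh.PrivateKey, query []byte) ([]byte, error) {
	inner, err := open(resolver, query[hdrLen:])
	if err != nil {
		return nil, err
	}
	stubPub := must(ecdh.X25519().NewPublicKey(inner[:keyLen]))
	return append(append([]byte{}, header...), seal(stubPub, answer(inner[keyLen:]))...), nil
}

// AttackLayoutA is the back-to-back user agent against layout A: overwrite the clear key
// field with the attacker's key, read the response, re-seal it to the stub and pass it on.
func AttackLayoutA() (attackerSaw, stubGot string) {
	stub, resolver, mitm := genKey(), genKey(), genKey()
	query := stubQueryA(stub, resolver.PublicKey(), "example.com A")
	copy(query[hdrLen:hdrLen+keyLen], mitm.PublicKey().Bytes()) // in-flight rewrite
	plain := must(open(mitm, resolverA(resolver, query)[hdrLen:])) // response is sealed to mitm
	forwarded := append(append([]byte{}, header...), seal(stub.PublicKey(), plain)...)
	return string(plain), string(must(open(stub, forwarded[hdrLen:])))
}

// AttackLayoutB tries the same against layout B: the key field is inside the box, so the attacker
// can only overwrite the offset where it would sit; the resolver rejects that, and the untouched
// query yields a response sealed to the stub, which the attacker cannot open.
func AttackLayoutB() (tamperedAccepted, attackerReadResponse bool) {
	stub, resolver, mitm := genKey(), genKey(), genKey()
	query := stubQueryB(stub, resolver.PublicKey(), "example.com A")
	tampered := append([]byte{}, query...)
	copy(tampered[hdrLen+keyLen+nonceLen:][:keyLen], mitm.PublicKey().Bytes()) // first ciphertext bytes
	_, tamperErr := resolverB(resolver, tampered)
	_, readErr := open(mitm, must(resolverB(resolver, query))[hdrLen:])
	return tamperErr == nil, readErr == nil
}

func main() {
	fmt.Println(AttackLayoutA()) // "answer for example.com A" twice: attacker read it, stub still got it
	fmt.Println(AttackLayoutB()) // false false: tampered query rejected, response unreadable
}
```

Two caveats on reading the result. First, the outcome for layout B hinges on the encryption being non-malleable (here AES-GCM authenticates the ciphertext): with an unauthenticated stream mode, an attacker who knows the stub's public key and can guess the field's offset could XOR it into its own key without decrypting anything. Second, the model covers only the key-substitution step; it says nothing about the attacker dropping or delaying queries, about it sending fresh queries of its own, or about how the stub learns and trusts the resolver's public key in the first place.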