IETF Logo Mail Archive

Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification

Ben Schwartz <bemasc@google.com> Wed, 09 September 2020 14:35 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F2E93A0CDB for <dns-privacy@ietfa.amsl.com>; Wed, 9 Sep 2020 07:35:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fr9dnDk2vyls for <dns-privacy@ietfa.amsl.com>; Wed, 9 Sep 2020 07:35:45 -0700 (PDT)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D55F3A0CD9 for <dns-privacy@ietf.org>; Wed, 9 Sep 2020 07:35:45 -0700 (PDT)
Received: by mail-il1-x12d.google.com with SMTP id u20so2529777ilk.6 for <dns-privacy@ietf.org>; Wed, 09 Sep 2020 07:35:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/9MOGc5R//pEhD9uz1mz/4x7DfFKRZo0Ux4dF65w0Ps=; b=dE1iB00htE2OhwKUduUv/bzCmftYQkj9cP0d5wBoN70+y6EO53Pv02p16kf7bihSYg XNjY3V9XAdW7EmG/UT6PmWWsIRDx/UOwVysGmIP2Mkp3BTpjJtAHpfB2NS2FAqHF6RxP xO3bBOKoEcpe5zHHxycmp7OX12Qnih7LZr7u6hAn7srC2i2p+s51NvCzpPUFrtAM8ndX GGWtF0bcEgDRc2RWw0TgbG4MTR90weP4YWm0J6apapAAXGf+jepiiJZP9RCyAoU2pZb9 VttY8gQw5/gw5cFVRx0JXPEw8BFvJOkNHyVkfIIALUn9hrhEWymR1X0VsRNhl3N6EVXF dooA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/9MOGc5R//pEhD9uz1mz/4x7DfFKRZo0Ux4dF65w0Ps=; b=kDXdATUO6wAVHHc6u4gT1rPqtyZTcQJ/mf1w0P3/utkbwqKKBD1fTdJmnbNxhn1biA u1PabzxGqz3sOOq3kKGNRDMtl3EobbUbTZiMSWxLiEvd+SSKbGSi2CEFXDGhYG4sLvML cF3yPhiMH9ekQCzR7yV6QK4vemsrzZrpv1B6p5ruoF4naQyGEU/5NgKwfkO/3PQBLOse dlo46hyWA1NDnAUYUIiDg+7VUikk5h8AakRj/Gm9nkMl3EjpGXYEEERgdBxRKCwJEvoD oO0jt5l+APRB/VctFzCizFJoHHm4/+z1OFScXMRD7PDqMMWsnDg+LPNVohLgPx51UDKg LbHg==
X-Gm-Message-State: AOAM533QBn1WSth0JfaNu5WmA+k/m3sSV5ObVWPrs/O99iQtdnHQ4x9Q aWZq9doMZ/4qoAC//zhmUlC9HbjkXfF1GK0dUK+S8Fbxexc=
X-Google-Smtp-Source: ABdhPJxOXXX2ziUxHAkRpT5DHcsf75TkztzBk2OHThhw+PL515XcrGynhwxVneo8RynYxeoLvMWkKTK8lv8JWhootus=
X-Received: by 2002:a92:d347:: with SMTP id a7mr4228608ilh.263.1599662144370; Wed, 09 Sep 2020 07:35:44 -0700 (PDT)
MIME-Version: 1.0
References: <6e071da2-4281-d525-03ba-4d6dfc843a76@innovationslab.net> <CAHbrMsB7T+5Y=2n4LfcXwyAZQSnK4x72R44_2mCDsLhh_zD9Vw@mail.gmail.com> <8C6ABDA8-9A0E-44BB-AE23-43F97AF29730@noware.co.uk> <CAHbrMsD2y0o+uV9eiAb32_=6ZYwAUoS_zM5+T97SxnHzxB05bQ@mail.gmail.com> <0799B139-E353-4EC7-9340-87CE00C465AA@noware.co.uk> <CAHbrMsC=kOYUL_Ei1uSnWJ3hGxu=7c10eRofXJ=w5sQzcbu6mA@mail.gmail.com> <3A9BCDDD-883D-470E-A547-79839149F8EE@sky.uk>
In-Reply-To: <3A9BCDDD-883D-470E-A547-79839149F8EE@sky.uk>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 09 Sep 2020 10:35:33 -0400
Message-ID: <CAHbrMsDVZMNNhwqTUexRL3R=HoEfDTWsoXnr=bdTaWyTXV_=rw@mail.gmail.com>
To: "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>
Cc: Neil Cook <neil.cook@noware.co.uk>, DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000e76b6f05aee25d3c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/2pKEH_t7JKTWnYbGD8w2ShKfoqE>
Subject: Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2020 14:35:47 -0000

On Tue, Sep 8, 2020 at 6:05 PM Winfield, Alister <Alister.Winfield=
40sky.uk@dmarc.ietf.org> wrote:

> That's an interesting use case, and I think it deserves more exposition.
> To me, it raises questions like
>
> * How did the client get configured to use the specified URI template in
> the first place?
>
>
>
> Hopefully some process defined by the working group but right now perhaps
> it’s from an auto-upgrade list in the client.
>

My hope is that we can solve this problem in that process, _before_ the
client receives a DoH URI.  The "auto-upgrade list" is, I believe, a
temporary state of affairs that the ADD process will ultimately resolve.

* Why should the client use the CPE resolver instead of the central
> resolver, if they are administered by the same entity?
>
>
>
> The idea would be that some process as yet undefined gives the URI
> template to the client but assuming we want to be able to change the
> template to support differential services possibly changing with time of
> day eg (malware filtering, no filtering, security monitored etc) plus…
>
>
>
>    1. First mile latency often accounts for >90% of total latency with
>    many home connections so even with a slow CPE cache its faster than going
>    to a central service.
>    2. DoH creates a large connection count issue which you can throw
>    compute and other hardware at to solve but its far easier to reduce it
>    where possible eg reduce the many clients to 1 connection from each CPE to
>    the DoH service. Far easier to scale. To give an idea there is often >10
>    devices per network service if each connects once you have a problem if
>    it’s actually ~5 clients per device then we have to handle x50 connections.
>    A reasonable sized ISP might be worried about supporting 100,000,000’s of
>    stateful connections instead of 1,000,000’s of nearly stateless requests.
>    (likely overestimating but it’s not hard to get to huge numbers if lots of
>    people, devices and clients use DoH)
>    3. If the customer wants it, the CPE resolver can chose different
>    settings on a per-device basis at the CPE. Yes you can configure different
>    URLs in the clients but that’s hard to get customers to do right.
>    Especially if you have to do it to each application separately.
>    4. Caching at the CPE reduces upstream resolver load by quite a lot
>    more than you might imagine not actually a big problem but it’s nice to
>    avoid adding compute if there is a cheaper solution trivially available.
>
> It sounds like the key goal here is caching at the CPE; the other goals
could be served by client-specific logic at the central resolver.  Do
ISP-provided CPEs normally operate a DNS cache?  My understanding was that
they are usually mostly-stateless forwarders.

* How does the server know which CPE to redirect the client to?
>
>
>
> I’m are assuming here that this is an ISP running both elements so knowing
> how to map the incoming IP to the name its currently using / was told to
> use is relatively trivial.
>

Trivial, perhaps, but not necessarily secure.  An adversary in the network
could alter the IP headers to change the apparent client location, causing
the client to be redirected to an attacker-controlled CPE, thus defeating
the integrity assurances of DoH.

v2.29.0 | Report a Bug | By Email | System Status