IETF Logo Mail Archive

Re: [dns-privacy] Eric Rescorla's Discuss on draft-ietf-dprive-dtls-and-tls-profiles-09: (with DISCUSS and COMMENT)

Sara Dickinson <sara@sinodun.com> Mon, 08 May 2017 08:21 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14F1712426E; Mon, 8 May 2017 01:21:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QTHFj5S_GaNG; Mon, 8 May 2017 01:21:23 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [46.235.227.24]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23AE7120724; Mon, 8 May 2017 01:21:23 -0700 (PDT)
Received: from [2a02:8010:6126:0:a50b:3fa2:10d3:edf3] (port=50916) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <sara@sinodun.com>) id 1d7duu-0002As-Ji; Mon, 08 May 2017 09:21:19 +0100
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <79402B6C-B8FB-4115-AB12-9943FF585D21@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4A8C5307-C02B-41F5-8239-D10F65CCF7CD"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Mon, 08 May 2017 09:21:10 +0100
In-Reply-To: <149410267259.23107.8936430130975036477.idtracker@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-dtls-and-tls-profiles@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dprive-chairs@ietf.org, dns-privacy@ietf.org
To: Eric Rescorla <ekr@rtfm.com>
References: <149410267259.23107.8936430130975036477.idtracker@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3273)
X-BlackCat-Spam-Score: -28
X-Mythic-Debug: State = no_sa; Score =
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/5j8R6DLpthPwR4F-YzW28B6w9XM>
Subject: Re: [dns-privacy] Eric Rescorla's Discuss on draft-ietf-dprive-dtls-and-tls-profiles-09: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 May 2017 08:21:25 -0000

> On 6 May 2017, at 21:31, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Eric Rescorla has entered the following ballot position for
> draft-ietf-dprive-dtls-and-tls-profiles-09: Discuss

Many thanks for the review.

> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> S 9 mandates RFC 7250:
>   o  Raw public keys [RFC7250] which reduce the size of the
>      ServerHello, and can be used by servers that cannot obtain
>      certificates (e.g., DNS servers on private networks).
> 
> This needs to be updated to indicate that the client MUST NOT
> offer 7250 unless it has a preconfigured SPKI, otherwise
> you're going to have interop problems.

Agreed.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> TECHNICAL
> S 5.
>      subsequently connect.  The rationale for this is that requiring
>      Strict Privacy for such meta queries would introduce significant
>      deployment obstacles.  This profile provides strong privacy
>      guarantees to the client.  This Profile is discussed in detail in
>      Section 6.6.
> 
> This point seems unclear. If you do these queries unprotected, then
> you don't have strong privacy guarantees. I think you mean that
> you get them via some trusted mechanism such as DHCP.

No, we mean they could be done either via Opportunistic lookups or DHCP (see table 2.)
The meta queries contain no information about what DNS lookups the client is doing other than what DNS Privacy server they are going to use to do their queries. But you are correct that the ‘strong privacy guarentees’ apply only to the subsequent queries to the Privacy server and the text should be updated to clarify that.  

> 
>      widespread adoption of Strict Privacy.  It should be employed
> when
>      the DNS client might otherwise settle for cleartext; it provides
>      the maximum protection available.
> 
> I don't think this statement is accurate. It provides the best
> protection
> that the attacker will allow.

Agreed - will update. 

> 
> Table 1 seems to have N and D paired, so maybe you can coalesce them?

That specific question was asked on the WG mailing list and the answer was ‘no, please keep both’:
https://www.ietf.org/mail-archive/web/dns-privacy/current/msg01541.html <https://www.ietf.org/mail-archive/web/dns-privacy/current/msg01541.html>
> 
> 
> S 6.4.
>   A DNS client that is configured with both an authentication domain
>   name and a SPKI pinset for a DNS server SHOULD match on both a valid
>   credential for the authentication domain name and a valid SPKI
> pinset
>   (if both are available) when connecting to that DNS server.  The
>   overall authentication result should only be considered successful
> if
>   both authentication mechanisms are successful.
> 
> You should cover the topic of user-defined trust anchors. Here's the
> relevant text from 7469:
> 
>   For example, a UA may disable Pin Validation for Pinned Hosts whose
>   validated certificate chain terminates at a user-defined trust
>   anchor, rather than a trust anchor built-in to the UA (or underlying
>   platform).

We purposely avoided adding any details on the SPKI mechanisms in this document because this document simply refers to RFC7585 which then directly references RFC7469. But if you think this is needed here also then I’ll add it.

> 
> EDITORIAL
> Do you want to cite TLS 1.3 at this point?

Early on we chose not to include a normative reference to the TLS 1.3 draft to avoid the dependancy on that becoming an RFC but are you suggesting we do that now or just include an informative reference?

Do you think Section 9 the right place to talk about TLS 1.3 in general or do you feel there are specific points to made elsewhere in the text? 

> 
> S 3.
>   o  Any server identifier other than domain names, including IP
>      address, organizational name, country of origin, etc.
> 
> addresses, names, for parallel structure with domain names

Ack.

> 
> 
> S 9.
>   There are known attacks on (D)TLS, such as machine-in-the-middle and
>   protocol downgrade.  These are general attacks on (D)TLS and not
>   specific to DNS-over-TLS; please refer to the (D)TLS RFCs for
>   discussion of these security issues.
> 
> This text seems pretty unhelpful. Given that you are specifying 1.2,
> if you also require the relevant strong algorithms, then there should
> not be downgrade or MITM attacks.

How about moving the justification later in the section:

“ Clients and servers MUST adhere to the (D)TLS implementation
   recommendations and security considerations of [RFC7525] except with
   respect to (D)TLS version.

  Since encryption of DNS using (D)TLS is a green-field deployment DNS
   clients and servers MUST implement only (D)TLS 1.2 or later.

  These requirements ensure mitigation against known attacks on 
  (D)TLS, such as machine-in-the-middle and
  protocol downgrade.  These are general attacks on (D)TLS and not
  specific to DNS-over-TLS.”

Regards

Sara.

v2.23.0 | Report a Bug | By Email