IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Eric Rescorla <ekr@rtfm.com> Thu, 23 January 2020 13:54 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7901912009C for <dns-privacy@ietfa.amsl.com>; Thu, 23 Jan 2020 05:54:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dxv9CCaT0jA9 for <dns-privacy@ietfa.amsl.com>; Thu, 23 Jan 2020 05:54:06 -0800 (PST)
Received: from mail-lj1-x241.google.com (mail-lj1-x241.google.com [IPv6:2a00:1450:4864:20::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EC161200B9 for <dns-privacy@ietf.org>; Thu, 23 Jan 2020 05:54:06 -0800 (PST)
Received: by mail-lj1-x241.google.com with SMTP id y6so3522009lji.0 for <dns-privacy@ietf.org>; Thu, 23 Jan 2020 05:54:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Xfy2vqPdaEUX5sUiZJ8qeFvCj4VQNc480uaf/06D3zE=; b=kNCiZlTjXclN4HyWx/EsZk1wfnJr4DVlLjT1HxeG+SEEtlkSOadeEg5ZpGFWCF+aDg ryyW7Qd/cUTSMhKL3FzzNaAypslw1nrdv+v9z9PkpWCoE8O0DNqDylTB4o7eFbH4cb2s 5d3dUeXNBsLDPO18H/1CULfAUweNwY9ZNbI0yrA/ofJ271qHr7BziCoGU24zmwqwreKm /pBH4lFGE/lLXojrIBJVYFyzhdQ3g6SDwCTISyHaGO6rvmJFDD7+L3e6tdWk650T2vkM yyHwrThZQUn0tEvRjWxdDrxr/L6nGicWkITecvLR4/e2hleMEYo7Pqi1CXM7c68qzCRd pcRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Xfy2vqPdaEUX5sUiZJ8qeFvCj4VQNc480uaf/06D3zE=; b=IcWvkzh/i6JUpV54HbSsVtMttX+er8c1bqOIxOfnXjQqBXHdUpAZWXWYYMxabdJATH +UUpYy08O+ZT4c7xGe846le4MnP6Vc+gYjHfBT/51Ru/WMGdsbc5jbVnslcVtor/ZBxX OGHnJRFXus6luQwHSytpZ2jmjEINpCaiT7rlAUZ5x5wy7HldIjR7um240OxgZJ8wpq4b RBsnYq4TJJ1reuiL/Jyfoyyuj47wpd/l+/HVhMf9S+zEdlVnz6BUTdQnWB6iD6mveE+2 pcb8KNat4SP0COsBcf8KIWNOX/otLnKeMBe06jFGl+Cfp9HByItFCJDJyVjWZeanIyqO aiJw==
X-Gm-Message-State: APjAAAVrnCgyyyINOGl0WcpcmhEmalIh9lzuX7TJcvNhRkcUMREBZcPc 9GjO8zI2u56FUykBc4nipL0+mXyxEWrNJzicxxJhZA==
X-Google-Smtp-Source: APXvYqy2kOpEKLzwxcblzHCKq8lOtxWWcgPgi9fIs1lGfs+8fqhMX7M2dm/tN05m7vAiHct4pNKn04m9x8ODS2Kkhck=
X-Received: by 2002:a05:651c:8f:: with SMTP id 15mr23393077ljq.109.1579787643590; Thu, 23 Jan 2020 05:54:03 -0800 (PST)
MIME-Version: 1.0
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com> <503E2696-AB4A-4020-90CC-802D312D23AF@sinodun.com>
In-Reply-To: <503E2696-AB4A-4020-90CC-802D312D23AF@sinodun.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 23 Jan 2020 05:53:26 -0800
Message-ID: <CABcZeBOiEu8qO_VHtHc7Fs47Wh0tGDn3ywM5LDZtWoxuHZ_isw@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000051306e059ccef955"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/5kB_UjCdCVHUSQmjsJtcKKLS9Gc>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 13:54:11 -0000

On Thu, Jan 23, 2020 at 5:08 AM Sara Dickinson <sara@sinodun.com> wrote:

>
>
> On 20 Jan 2020, at 22:37, Eric Rescorla <ekr@rtfm.com> wrote:
>
> Review comments attached:
>
>
> COMMENTS
> S 3.1.
> >      described above, and may not have any confidentiality requirements.
> >      However, the same is not true of a single transaction or a sequence
> >      of transactions; that transaction is not / should not be public.  A
> >      typical example from outside the DNS world is: the web site of
> >      Alcoholics Anonymous is public; the fact that you visit it should
> not
> >      be.
>
> Well, technically what you want to conceal is the origin of the
> transaction or its linkage to other transactions. The existence of the
> query for that A record isn't secret.
>
>
> Suggest:
>
> “that transaction (and specifically the origin of that transaction) is not
> / should not be public."
>

The parenthetical swallows the main sentence. The accurate thing to say is:

In general, the existence of a single query is not sensitive -- though
there may be exceptions
for some very low use domains. However, the origin of a given query may
leak information
about specific users and the ability to link queries reveals information
about individual use
patterns.


>
>
>
>
> S 3.4.2.
> >      fingerprint [2] values can be used to fingerprint client OS's or
> that
> >      various techniques can be used to de-NAT DNS queries dns-de-nat [3].
> >
> >      Note that even when using encrypted transports the use of clear text
> >      transport options to decrease latency can provide correlation of a
> >      users' connections e.g.  using TCP Fast Open [RFC7413] with TLS 1.2.
>
> Why does this say TLS 1.2? Any use of TFO will have the same
> properties.
>
> Perhaps you are thinking of TLS session tickets here?
>
>
> Sorry - hangover from earlier text, will remove. The last previously
> agreed text was (in email of 31 Dec):
>
> “Note that even when using encrypted transports the use of clear text
> transport options to decrease latency can provide correlation of a users'
> connections e.g. using TCP Fast Open [RFC7413]."
>

Yes, I think that's fine.



>
>
>
>
> S 3.4.2.
> >      services available.  Given this, the choice of a user to configure a
> >      single resolver (or a fixed set of resolvers) and an encrypted
> >      transport to use in all network environments can actually serve to
> >      identify the user as one that desires privacy and can provide an
> >      added mechanism to track them as they move across network
> >      environments.
>
> I don't understand this paragraph. It's not the choice of specific
> resolvers that leaks data, but the choice to turn on encryption, In
> fact, from an identification purpose, the more resolvers that support
> encrypted transport, the better signal this is.
>
>
> This was driven by an observation that many early adopters set up their
> own DoT server and used that from all their devices, which could act as a
> way to identify that user.
>

1. This seems like an edge case.
2. We already have plenty of people running their own unencrypted resolvers
for other reasons.


>
> S 3.5.1.1.2.
> >
> >      o  communicate clearly the change in default to users
> >
> >      o  provide configuration options to change the default
> >
> >      o  provide configuration options to always use the system resolver
>
> I get that you think this is neutral, but all of this is equally true
> about dynamic discovery via DHCP, it's just that that's the status
> quo, so you don't notice it. In this context, this text is tendentious.
>
>
> The first paragraph of section 3.5.1.1 talks about the variability of DNS
> resolution privacy with network (assuming DHCP). I can add some text there
> to better explain the status quo if you think it is needed. Suggest:
>
> “Typically joining a new network requires some form of user action (e.g
> physically plugging in a cable or selecting a network in a OS dialogue) and
> so a user is also implicitly choosing to use the DHCP-provided resolver via
> this action too."
>

The user has no idea that such a DHCP resolver even exists. And you could
say the same thing about the user's choice to install an application with
its own resolver selection logic.


> I can’t think of a mobile or desktop OS that doesn’t allow users to
> override the DHCP provided DNS settings…. but I could text about that in
> section 5.1.1. if you really think it is needed?
>

This isn't about that. AFAICT most major applications also allow you to use
the system resolver choices. Rather, the issue here is the repeated
arguments in this discussion (which you implicitly accept above) that the
current status quo somehow represents user choice whereas an application
choosing its own resolver does not. And both this text and your proposed
text implicitly takes a position on that.


> The point in section 3.5.1.1.2  terms of privacy considerations is that
> any application that uses an application specific DNS setting introduces
> another control point on the device for the DNS resolution setting (which
> with the current offerings is independent of the network used), and if or
> how that is exposed is entirely up to the application. I suggest adding
> this text at the start of the second paragraph:
>
> "Such application-specific settings introduce new control points on end
> user devices for DNS resolution settings in addition to the historically
> used system settings."
>

Well, I suppose this is true, but it's also true of (for instance) allowing
the user to set a proxy, which we've done forever.


>
> S 3.5.1.1.2.
> >
> >      Application-specific changes to default destinations for users' DNS
> >      queries might increase or decrease user privacy - it is highly
> >      dependent on the network context and the application-specific
> >      default.  This is an area of active debate and the IETF is working
> on
> >      a number of issues related to application-specific DNS settings.
>
> This, too, could be said about the current situation.
>
>
> See above.
>

And my response above.

-Ekr


> Sara.
>
>
> On Mon, Jan 20, 2020 at 1:47 PM Eric Vyncke (evyncke) <evyncke@cisco.com>
> wrote:
>
>> Thanks to Sara and Stéphane for the -04 revised I-D.
>>
>> After reading the -04, I think that most of the IETF Last Call comments
>> are addressed (and consensus needs to be balanced -- even for informational
>> document) and that the document sticks to facts.
>>
>> But, as section 3.5.1 ("in the recursive resolvers") raised a lot of
>> discussions during the first IETF Last Call, and as the authors reacted to
>> those comments by deep changes in the text, let's have a new IETF Last Call
>> before proceeding with IESG evaluation.
>>
>> Again, thank you to the reviewers and the authors
>>
>> Regards,
>>
>> -éric
>>
>>
>> On 20/01/2020, 22:34, "IETF Secretariat" <
>> ietf-secretariat-reply@ietf.org> wrote:
>>
>>     IESG state changed:
>>
>>     New State: Last Call Requested
>>
>>     (The previous state was Waiting for AD Go-Ahead::AD Followup)
>>
>>     The previous last call raised several points. The authors have worked
>> on those points and this new informational IETF draft has substantive
>> changes; enough to go trigger a new IETF Last Call.
>>
>>     -éric
>>
>>     Datatracker URL:
>> https://datatracker.ietf.org/doc/draft-ietf-dprive-rfc7626-bis/
>>
>>
>>
>> _______________________________________________
>> dns-privacy mailing list
>> dns-privacy@ietf.org
>> https://www.ietf.org/mailman/listinfo/dns-privacy
>>
>
>

v2.23.0 | Report a Bug | By Email