Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification
Neil Cook <neil.cook@noware.co.uk> Wed, 09 September 2020 15:31 UTC
Return-Path: <neil.cook@noware.co.uk>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E0293A0D73 for <dns-privacy@ietfa.amsl.com>; Wed, 9 Sep 2020 08:31:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.305
X-Spam-Level:
X-Spam-Status: No, score=-1.305 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=noware.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ytMrEJCTfx8L for <dns-privacy@ietfa.amsl.com>; Wed, 9 Sep 2020 08:31:21 -0700 (PDT)
Received: from mail.noware.co.uk (unknown [IPv6:2604:a880:0:1010::add:2001]) by ietfa.amsl.com (Postfix) with ESMTP id CED813A0D72 for <dns-privacy@ietf.org>; Wed, 9 Sep 2020 08:31:20 -0700 (PDT)
Received: from [192.168.1.170] (unknown [109.156.119.142]) by mail.noware.co.uk (Postfix) with ESMTPSA id CF6B91DC957; Wed, 9 Sep 2020 15:28:45 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.noware.co.uk CF6B91DC957
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=noware.co.uk; s=default; t=1599665326; bh=TkHb+3zVALwHdSqYYNFaF7oV76ZPi5HZsiS6+Qw5Wtk=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=ryBwn9OMZtQkkCcBL9k+rnefHlGxiQnXD3xeobz/UuwtjrNUbDpvrTIrGFbYFuIve F+lgJ+RUzB5SXOkzq+ZKD6eFIPgBw3ycT6+48YNU3PUPb9m2UGKEnYhnaQqayBRTUS AsQcgiKNzlLvS6fx23WTExTIfKv/iXXmEEiIwX6M=
From: Neil Cook <neil.cook@noware.co.uk>
Message-Id: <C8137D01-5903-4CFA-A315-67D7012EC583@noware.co.uk>
Content-Type: multipart/alternative; boundary="Apple-Mail=_563D2485-9F5A-4F81-A923-208EF953E4C1"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 09 Sep 2020 16:31:18 +0100
In-Reply-To: <CAHbrMsDVZMNNhwqTUexRL3R=HoEfDTWsoXnr=bdTaWyTXV_=rw@mail.gmail.com>
Cc: "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
References: <6e071da2-4281-d525-03ba-4d6dfc843a76@innovationslab.net> <CAHbrMsB7T+5Y=2n4LfcXwyAZQSnK4x72R44_2mCDsLhh_zD9Vw@mail.gmail.com> <8C6ABDA8-9A0E-44BB-AE23-43F97AF29730@noware.co.uk> <CAHbrMsD2y0o+uV9eiAb32_=6ZYwAUoS_zM5+T97SxnHzxB05bQ@mail.gmail.com> <0799B139-E353-4EC7-9340-87CE00C465AA@noware.co.uk> <CAHbrMsC=kOYUL_Ei1uSnWJ3hGxu=7c10eRofXJ=w5sQzcbu6mA@mail.gmail.com> <3A9BCDDD-883D-470E-A547-79839149F8EE@sky.uk> <CAHbrMsDVZMNNhwqTUexRL3R=HoEfDTWsoXnr=bdTaWyTXV_=rw@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-VADE-SPAMSTATE: clean
X-VADE-SPAMSCORE: -100
X-VADE-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduiedrudehhedgkeeiucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecupffgkffnvefqqffmnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhkfgtggfuffgjvfhfofesrgdtmherhhdtjeenucfhrhhomheppfgvihhlucevohhokhcuoehnvghilhdrtghoohhksehnohifrghrvgdrtghordhukheqnecuggftrfgrthhtvghrnhepjeeugfegvddtjeetkeeuueeigfdugfekjedufeekjedvveeftddvieduvdekleehnecukfhppedutdelrdduheeirdduudelrddugedvnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepuddtledrudehiedrudduledrudegvddphhgvlhhopegludelvddrudeikedruddrudejtdgnpdhmrghilhhfrhhomheppfgvihhlucevohhokhcuoehnvghilhdrtghoohhksehnohifrghrvgdrtghordhukheqpdhrtghpthhtohepsggvmhgrshgtpeegtdhgohhoghhlvgdrtghomhesughmrghrtgdrihgvthhfrdhorhhgpdhrtghpthhtoheptehlihhsthgvrhdrhghinhhfihgvlhgupeegtdhskhihrdhukhesughmrghrtgdrihgvthhfrdhorhhgpdhrtghpthhtohepughnshdqphhrihhvrggthiesihgvthhfrdhorhhg
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/7_1e9l2qy09IGKjAZAdgFAnG7dI>
Subject: Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2020 15:31:22 -0000
> On 9 Sep 2020, at 15:35, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote: > > Caching at the CPE reduces upstream resolver load by quite a lot more than you might imagine not actually a big problem but it’s nice to avoid adding compute if there is a cheaper solution trivially available. > It sounds like the key goal here is caching at the CPE; the other goals could be served by client-specific logic at the central resolver. Do ISP-provided CPEs normally operate a DNS cache? My understanding was that they are usually mostly-stateless forwarders. > Yes lots of ISP-provided CPEs do caching. There is a draft in the ADD WG that describes this for at least 3 large ISPs in Europe. There are other reasons for wanting to do DoH in the CPE, such as performing DNS filtering on the CPE. BTW I’d interested in how “client-specific logic at the central resolver” solves the connection count issue? > * How does the server know which CPE to redirect the client to? > > > > I’m are assuming here that this is an ISP running both elements so knowing how to map the incoming IP to the name its currently using / was told to use is relatively trivial. > > > Trivial, perhaps, but not necessarily secure. An adversary in the network could alter the IP headers to change the apparent client location, causing the client to be redirected to an attacker-controlled CPE, thus defeating the integrity assurances of DoH. Possible, but I’m not sure this is a practical attack. The attacker would need to be able to also change all the IP headers in the return packets to their original values (that’s hard enough to do for legit purposes). Also, the attacker has to have compromised an ISP-managed CPE, and that CPE still needs to be running on an ISP-managed network connection. Neil
- [dns-privacy] Review request: draft-btw-dprive-rf… Brian Haberman
- Re: [dns-privacy] Review request: draft-btw-dpriv… Ben Schwartz
- Re: [dns-privacy] Review request: draft-btw-dpriv… Martin Thomson
- Re: [dns-privacy] Review request: draft-btw-dpriv… Neil Cook
- Re: [dns-privacy] Review request: draft-btw-dpriv… Neil Cook
- Re: [dns-privacy] Review request: draft-btw-dpriv… Ben Schwartz
- Re: [dns-privacy] Review request: draft-btw-dpriv… Neil Cook
- Re: [dns-privacy] Review request: draft-btw-dpriv… Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Winfield, Alister
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Winfield, Alister
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Neil Cook
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Neil Cook
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Konda, Tirumaleswar Reddy
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Rob Sayre
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Konda, Tirumaleswar Reddy