IETF Logo Mail Archive

Re: [dns-privacy] Eric Rescorla's Discuss on draft-ietf-dprive-dtls-and-tls-profiles-09: (with DISCUSS and COMMENT)

Sara Dickinson <sara@sinodun.com> Thu, 11 May 2017 12:01 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ADCB12EBCD; Thu, 11 May 2017 05:01:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pSZm90xadB_h; Thu, 11 May 2017 05:01:15 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [46.235.227.24]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79577129AD5; Thu, 11 May 2017 04:59:05 -0700 (PDT)
Received: from [2a02:8010:6126:0:bc7d:946c:833c:205e] (port=56957) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <sara@sinodun.com>) id 1d8mkH-000286-IN; Thu, 11 May 2017 12:59:03 +0100
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <B4C244A6-E0DC-4A06-BEF4-B992C968BD1F@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6BF5E805-3FD7-4E2E-83EC-627FDA53D94D"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 11 May 2017 12:58:55 +0100
In-Reply-To: <CABcZeBPcVqUNor-9NOSBQ+XcqD9N28d90qYpQsPzE3L4nrPvYQ@mail.gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-dtls-and-tls-profiles@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dprive-chairs@ietf.org, dns-privacy@ietf.org
To: Eric Rescorla <ekr@rtfm.com>
References: <149410267259.23107.8936430130975036477.idtracker@ietfa.amsl.com> <79402B6C-B8FB-4115-AB12-9943FF585D21@sinodun.com> <CABcZeBPcVqUNor-9NOSBQ+XcqD9N28d90qYpQsPzE3L4nrPvYQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
X-BlackCat-Spam-Score: -28
X-Mythic-Debug: State = no_sa; Score =
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/8tdf2d7IUi_gb8-3SSUXm-h27Ns>
Subject: Re: [dns-privacy] Eric Rescorla's Discuss on draft-ietf-dprive-dtls-and-tls-profiles-09: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 May 2017 12:01:19 -0000

Hi Ekr (and Kathleen),

> On 8 May 2017, at 13:01, Eric Rescorla <ekr@rtfm.com> wrote:
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> TECHNICAL
>> S 5.
>>      subsequently connect.  The rationale for this is that requiring
>>      Strict Privacy for such meta queries would introduce significant
>>      deployment obstacles.  This profile provides strong privacy
>>      guarantees to the client.  This Profile is discussed in detail in
>>      Section 6.6.
>> 
>> This point seems unclear. If you do these queries unprotected, then
>> you don't have strong privacy guarantees. I think you mean that
>> you get them via some trusted mechanism such as DHCP.
> 
> No, we mean they could be done either via Opportunistic lookups or DHCP (see table 2.)
> The meta queries contain no information about what DNS lookups the client is doing other than what DNS Privacy server they are going to use to do their queries. But you are correct that the ‘strong privacy guarentees’ apply only to the subsequent queries to the Privacy server and the text should be updated to clarify that.  
> 
> Well, per my previous comment, I think you need to focus on the entire strategy.
> 
> I.e., if you determine whether to adopt a Strict policy based on Opportunistic queries, then you are back to the active attack setting. I don't have a problem with your design here, which seems to be about as good as one can do; I'm just trying to make sure the description is accurate...

Oh, I think I see your point now:

- Strict without meta queries to an untrusted source (i.e. name and IP both configured or obtained from a ’trusted’ source) will connect directly to the correct the Privacy server
- Strict with meta queries to an untrusted source provides the opportunity for the attacker to return incorrect answers, directing the client to a bogus Privacy server which the client will not be able to authenticate and therefore the client will not proceed to perform queries. 

so the two approaches are different in terms of mitigating attacks. 

Even if the meta queries were secured with DNSSEC (as they were until a recent version of the draft) this doesn’t help because if the answers are bogus then again, the client won’t continue. 

> 
>> S 6.4.
>>   A DNS client that is configured with both an authentication domain
>>   name and a SPKI pinset for a DNS server SHOULD match on both a valid
>>   credential for the authentication domain name and a valid SPKI
>> pinset
>>   (if both are available) when connecting to that DNS server.  The
>>   overall authentication result should only be considered successful
>> if
>>   both authentication mechanisms are successful.
>> 
>> You should cover the topic of user-defined trust anchors. Here's the
>> relevant text from 7469:
>> 
>>   For example, a UA may disable Pin Validation for Pinned Hosts whose
>>   validated certificate chain terminates at a user-defined trust
>>   anchor, rather than a trust anchor built-in to the UA (or underlying
>>   platform).
> 
> We purposely avoided adding any details on the SPKI mechanisms in this document because this document simply refers to RFC7585 which then directly references RFC7469. But if you think this is needed here also then I’ll add it.
> 
> The concern I have is that this guidance seems to implicitly contradict the guidance from 7469. So I think you should either just say that if you have both you treat it like a 7469 pin, or say something like "successful, with the possible exception of certificates which chain to local trust anchors, as described in..." Or, alternately really prohibit this. Also, should -> SHOULD.

Got it. I think I would lean towards "if you have both you treat it like a 7469 pin” but would like to hear other views on this. 

>> 
>> EDITORIAL
>> Do you want to cite TLS 1.3 at this point?
> 
> Early on we chose not to include a normative reference to the TLS 1.3 draft to avoid the dependancy on that becoming an RFC but are you suggesting we do that now or just include an informative reference?
> 
> I would think at least an informative reference would be useful.
> 
> 
> Do you think Section 9 the right place to talk about TLS 1.3 in general or do you feel there are specific points to made elsewhere in the text? 
> 
> 1.3 has pretty much the same properties here, so I think you might just cite 1.3 and make it informative. I'm not sure what the right actual mechanics are here, but surely such a thing is possible.

An informative reference makes total sense - I’ll add that. 

> 
>   These requirements ensure mitigation against known attacks on 
>   (D)TLS, such as machine-in-the-middle and
>   protocol downgrade.  These are general attacks on (D)TLS and not
>   specific to DNS-over-TLS.”
> 
> My complaint is that this seems kinda FUDdy.

OK - I’ll remove. 

Sara.

v2.23.0 | Report a Bug | By Email