IETF Logo Mail Archive

Re: [dns-privacy] [Last-Call] Review of draft-ietf-dprive-rfc7626-bis-03

Eric Rescorla <ekr@rtfm.com> Mon, 02 December 2019 14:00 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8170120073 for <dns-privacy@ietfa.amsl.com>; Mon, 2 Dec 2019 06:00:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6TUY-pYHgr4 for <dns-privacy@ietfa.amsl.com>; Mon, 2 Dec 2019 06:00:33 -0800 (PST)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2F891200A1 for <dns-privacy@ietf.org>; Mon, 2 Dec 2019 06:00:32 -0800 (PST)
Received: by mail-lf1-x12e.google.com with SMTP id r14so11814976lfm.5 for <dns-privacy@ietf.org>; Mon, 02 Dec 2019 06:00:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+prdNWr2ZdT3VUuiJ3mrt4qGimoMsBCOnCcWRogqo1E=; b=mZtZqsi8Xqu+If7nxG73KxafsxqsnWOefbpxbv13/DklYbfl6cnOPtyVm2ll6zQNRf BAsQXgrf82R3KSjSuBmrrHuVdQtEsnjDa3SaKMen2/EJCtcp45UbpryDyiTMzPBAwRlV lLMbFNTITSV7ci2hKlcboP2GwBVIPkVJ+NHQiB+T2M8tOAb8xOsRIXOO6SaGx1uGf7mk jyNjBscilyE0L+LVql4y0e7dVGnEWblVAoSTlDl1MDjDPsdo91JI8SGGiAtw9rCRIYuM lYirO7oXBdZncM242n7qPTUKhn8YOyjelrS6AVcXI9bM0r3SYojbGRHd050Brim/0BBx jYGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+prdNWr2ZdT3VUuiJ3mrt4qGimoMsBCOnCcWRogqo1E=; b=U95hUEzfnjF5kpyyi5CGdLIROyK89vRxOdN0zmJSu4p4a4PFDbEKz7y2UvXEXy3cUq pvsSIhZJ+oWbTCoappFq5n+TFETzgno7XKtjILZzjtNVthlZJUlKuPOrfpVNXRgj7HR4 fwMyyT5yd1idkx361z1qdx7bjevr9LB+pnCIImjfh2MYGNbrjZWHrguJIeXXaj/sJ/dl RkaiaNsOZQLRD8rCU20JbjFYgeKm1R788VIhLYuho3HF1s1UWZSn4KgBTCrY//2+F9cx +vQhLUSxWJgII1hv/4fUHAq5dHuTj9lpfQYDfl2axEovY2/+5ftjMYlVItH/RktatT5h M1FQ==
X-Gm-Message-State: APjAAAUiYuB+NzUjqAeOytpDAgHhgzhN5fyZr8QkSQ+3It5yv/zeQJYr ge/GgTMudepatfbpjHg7vvsMf0LJ6ZbqO5IW26pXcg==
X-Google-Smtp-Source: APXvYqwhyxZboqpmh6BK8e/XAsanqA9ijh8kaZIRqhHcuN14vNKrpIA8juW5XGdVnQFe1mcVbdrIeKGiJEkWemvJcGQ=
X-Received: by 2002:a19:7b1a:: with SMTP id w26mr2562338lfc.17.1575295230726; Mon, 02 Dec 2019 06:00:30 -0800 (PST)
MIME-Version: 1.0
References: <4639bd67-6fca-47d1-aaeb-85fcd0394f46@www.fastmail.com>
In-Reply-To: <4639bd67-6fca-47d1-aaeb-85fcd0394f46@www.fastmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 02 Dec 2019 05:59:54 -0800
Message-ID: <CABcZeBO4zLuXSjymh1S1g91m_e8sKcBbt-Ff4kkcqeAXPFWF_A@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: last-call@ietf.org, dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a4dc910598b900f5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/9TjdwYu7TnYjO9c867XkRQWO_3E>
Subject: Re: [dns-privacy] [Last-Call] Review of draft-ietf-dprive-rfc7626-bis-03
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2019 14:00:37 -0000

Unsurprisingly, I agree with MT here. There is a pile of material
here which is precisely the set of topics failing to achieve
consensus in ADD, so it can hardly be published as having IETF
consensus through dprive.

By example, let's focus on the following two paragraphs in
S 3.5.1.1.

   If applications enable application-specific DNS settings without
   properly informing the user of the change (or do not provide an
   option for user configuration of the application's recursive
   resolver) there is a potential privacy issue; depending on the
   network context and the application default, the application might
   use a recursive server that provides less privacy protection than the
   default network-provided server without the user's full knowledge.
   Users that are fully aware of an application specific DNS setting may
   want to actively override any default in favour of their chosen
   recursive resolver.

This is not really what one would call a neutral framing, as it fails
to acknowledge that in the general case the user has no way of knowing
what the network provided resolver is or what its policies are and
that in many cases the privacy protections offered by application
default resolvers will be superior to those offered by the
network-provided resolver. Moreover, in the current technical
environment, they have no real way of knowing they are even connecting
to the intended network-provided resolver or that their connection
to it is not under attack.

In addition, the context of this paragraph is highly misleading
coming as it does after a discussion of Firefox's plans. However,
Firefox will (1) notify users before changing their resolvers
and (2) allow the users to configure their own resolvers or disable
DoH, despite the implication in this text to the contrary.


   There are also concerns that, should the trend towards using large
   public resolvers increase, this will itself provide a privacy
   concern, due to a small number of operators having visibility of the
   majority of DNS requests globally and the potential for aggregating
   data across services about a user. Additionally the operating
   organisation of the resolver may be in a different legal jurisdiction
   than the user, which creates further privacy concerns around legal
   protections of and access to the data collected by the operator.

This too is a pile of contested statements. In particular, the legal
environment around privacy for a public resolver might be better or
worse than that for the user's network default resolver, depending on
local regulation.

-Ekr





On Sun, Dec 1, 2019 at 4:01 PM Martin Thomson <mt@lowentropy.net> wrote:

> Prompted by my surprise at seeing Brian Trammell's mention of a
> '[firefox]' reference in this document, I reviewed the contents of this
> draft more closely.
>
> Summary
>
> I found a number of issues with the additions in this -bis document.  Of
> particular concern is Section 3.5.1 (formerly Section 2.5.1 in RFC 7626),
> which has been expanded from one paragraph to four pages.  That there is a
> need for new content here is clear.  One thing that has become very clear
> is that our understanding of the role of recursive resolvers has evolved a
> lot in the past year.  However, I don't believe that the current text is a
> fair representation of the problems we're facing.  Right now, the community
> is in the middle of highly contentious debate on the general topic, and I
> don't think that the new content reflects consensus.
>
> It does appear as though there is an attempt here to address the invariant
> technical characteristics without engaging more controversial positions.  I
> don't believe that has been successful.  The effect is to preempt an active
> area of contention.
>
> I am opposed to the IETF publishing this document in its current form.
>
> Section 2
>
> > This document does not attempt a comparison of specific privacy
> protections provided by individual networks or organisations, it makes only
> general observations about typical current practices.
>
> Having been called out here, I would question whether this claim is indeed
> correct.
>
> BTW, what is "HTTPS destination IP address fingerprinting"?  Was the
> intent of this paragraph to say that this document only examines the DNS
> protocol independent of the greater context in which it is used?  That is,
> it looks at DNS without considering how privacy risks might result from the
> use of DNS in combination with other protocols?
>
> Section 3.4.2
>
> This section appears to address several related issues around the use of
> TLS primarily: fingerprinting, identification, and linkability (the
> document uses the word "correlation" in line with RFC 6973).  There are
> parts where fingerprinting is equated with identification or linkability in
> ways that appear confused.
>
> For instance,
>
> > The use of clear text transport options to optimize latency may also
> identify a user, e.g., using TCP Fast Open with TLS 1.2 [RFC7413].
>
> The use of TFO is a linkability issue, not an identification one.  TFO can
> also be used without encrypted transport.
>
> However, this seems overly negative. Resumption and TFO cookies - and
> therefore any linkability they might provide - is discretionary on the part
> of clients. You might (as is done later) raise the question here about the
> competing concerns of individuals and implementations, but that's a
> meta-level question that I'll get back to.
>
> As a minor note here, TLS 1.3 resumption also provides a server with the
> ability to link sessions.  This document seems to assume that this is a
> property of TLS 1.2 only, which is incorrect.  There are proposals that
> might allow for unlinkable resumption, but those are still just proposals.
>
> Also on linkability and identification:
>
> > Certain configuration options for encrypted transports could also in
> principle fingerprint a user or client application.
>
> Though there are definitely ways in which the listed options contribute to
> fingerprinting, the paragraph talks about session resumption, where the
> concern is primarily linkability.  Mixing these concepts only serves to
> confuse rather than enlighten.
>
> When it comes to fingerprinting, it's important to distinguish between an
> ability to identify the software in use (Windows vs. Linux, Safari vs.
> Chrome) and the ability to distinguish different users.  The text here
> conflates these notions in an unhelpful fashion. The fingerprinting
> highlighted is a result of characteristics inherent to the software, not
> user-specific details.
>
> For the most part, we (as protocol designers) accept that distinguishing
> software is possible and we don't generally attempt to erase differences
> that only serve to reinforce those signals. Suppressing differences in wire
> image across implementations generally runs counter to the desire for
> diversity in implementation choices.  This text - perhaps unintentionally -
> takes the somewhat sensational position that distinguishing between FreeBSD
> and Solaris is as relevant as the sort of fingerprinting that might be used
> to isolate individuals.  It does that by concentrating on choices that are
> usually made by implementations not individuals.
>
> This is where a clear recognition of the distinction between
> implementation choices and how implementations represent (or maybe don't
> represent, if that is the way you feel) the choices of individuals requires
> a little more care.  I don't know how easy it is to engage on that topic
> without also engaging with the current debate though.
>
> Section 3.5.1.1
>
> This section references announcements of product plans that will
> eventually - even by the time that this document is published - be
> outdated.  This is, in my view, the most controversial section of the
> document, and it is all based on somewhat tenuous information.
>
> All the "at the time of writing" text in this section would need to be
> removed in order for me to be comfortable with the publication of this
> document.
>
> Similarly, I find the following text problematic:
>
> > If applications enable application-specific DNS settings without
> properly informing the user of the change (or do not provide an option for
> user configuration of the application's recursive resolver) there is a
> potential privacy issue; depending on the network context and the
> application default, the application might use a recursive server that
> provides less privacy protection than the default network-provided server
> without the user's full knowledge.
>
> This text presumes a great deal about the environment into which these
> applications are being deployed.  It appeals to a status quo bias by
> examining an area of a larger change that might have negative consequences
> without regarding the effect in the aggregate. Moreover, it sets
> unrealistic expectations - "the user's full knowledge" - about what might
> an application might need to do in order to make these deployment
> decisions.  In other words, whether it was intended or not, this takes a
> firm stance on the current rather contentious debate.
>
> Separately, I appreciate that some people believe that these developments
> signal a move toward greater centralization of the DNS service, but that
> too is the subject of the ongoing debate.
>
> Maybe there is a version of this section that the IETF can publish, but
> not until we actually have consensus on these subjects.  I have to most
> strenuously object to any attempt to publish a document if this section
> remains.
>
> Section 3.5.1.2
>
> I admit that I don't understand the purpose of this section. Concentrating
> on minutiae, like the details of DHCP or ARP/NDP spoofing, is far too low
> level. If we were to simply assume the usual threat model [RFC3552], then
> the conclusions here are obvious: if you fail to authenticate the server,
> then you get the server that an attacker chooses.
>
> I would remove this section in favour of improving Section 3.5.1.4, which
> addresses the most pertinent question.
>
> Section 3.5.1.3
>
> The arguments here again fall under an area of active debate. The second
> paragraph makes the claim that in-network blocking of encrypted DNS might
> be done for reasons that benefit users. That relies on a number of unstated
> assumptions. More seriously, this particular subject is one of the most
> contentious parts of the current debate and it has no place in a document
> that purports to represent community consensus.
>
> Either way, I think that RFC 7754 has a far better treatment of the
> broader topic.  This section might be better served with a reference to
> that.
>
> Section 3.5.1.4
>
> Again, this might be too close to the current debate, but I find it odd
> that there is no connection drawn between authentication of resolvers and
> choosing the resolver that receives the potentially privacy-sensitive
> information in queries. This choice is the single overriding issue upon
> which the entirety of the difficult debate depends.  Maybe there was a
> conscious decision to gloss over the point to avoid the controversy.  Given
> the significance of this point to the topic, I don't see how it can be
> avoided.
>
> There's an unstated assumption throughout the document that the best
> defense for privacy is some form of active choice or at least informed
> consent on the part of end users. That too is an area where there is some
> contention.
>
> Section 3.5.1.5.1
>
> The arguments here repeat those from Section 3.4.2 (nit: not 3.4 as
> stated).  A section reference would be enough.
>
> Section 3.5.1.5.2
>
> I can't see anything in this section that Section 8 of RFC 8484 doesn't
> already say.
>
> The text here does claim that the use of DoH rather than Do<other> is a
> choice to trade privacy for some other vaguely-defined property, which I
> might read as convenience. It is hard to read the extended treatment of
> this as anything other than prejudicial.  For instance, by labeling DoH as
> complex and requiring of detailed analysis, it implies that there are
> unstated intricacies that are traps for the unwary. This document is
> intended to demystify the privacy properties of DNS as a whole, so would it
> not be better to explain what the essential properties are?
>
> The one new piece is the claim that there is fingerprinting information
> inherent to the use of HTTP.  While there is perhaps some merit in the
> argument that a narrow range of options for encoding the same semantics
> produce less variance, it is not clear that DNS is any more free of this
> sort of variance than HTTP.  Maybe HTTP has more options for the creation
> of side channels, but DNS isn't free of those. Aside from the
> Accept-Language thing - which RFC 8484 addresses - I believe that these
> leaks are implementation-specific and rarely an individual-specific choice,
> but the document strongly implies that there is a risk to individual
> privacy.  If that is indeed the claim, it could be made directly in more
> concrete terms.
>
> --
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call
>

v2.23.0 | Report a Bug | By Email