IETF Logo Mail Archive

Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

Ben Schwartz <bemasc@google.com> Sat, 28 October 2017 16:03 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D723013FB01 for <dns-privacy@ietfa.amsl.com>; Sat, 28 Oct 2017 09:03:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L_YHuw5XYzgE for <dns-privacy@ietfa.amsl.com>; Sat, 28 Oct 2017 09:03:48 -0700 (PDT)
Received: from mail-vk0-x22e.google.com (mail-vk0-x22e.google.com [IPv6:2607:f8b0:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A34013FB19 for <dns-privacy@ietf.org>; Sat, 28 Oct 2017 09:03:38 -0700 (PDT)
Received: by mail-vk0-x22e.google.com with SMTP id h142so2414874vkf.7 for <dns-privacy@ietf.org>; Sat, 28 Oct 2017 09:03:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=fzw9gxRCaoyt9fDKb7UHx0JYhQ1L4Z6A2yR0U5TMQcs=; b=iHqbz6KlaFko1BKXWpjinpvDtxkA19eAlMg3u15M89y6eP8EeEQYBSNMp0w9Fwoprt OAe8GO8gtoWX36XL5pKb6nbOEAWPiorB1TEqBpU15uUCKetuNh42ogXNKsFkkgq8Ep2X ukY6BXgAYlNMGw0B0DAz+ve2jWSlf1AUluKDQnmVKQS5O0pxsjkcosa4ALO6cR9WHPmW 2HAcxlPdbGXsR7YPxpZMJaMzTa7Re5o93btDJswwh5A//S/NjDURm5ETSvEpFWi8hTcX 7sh40SZtBPfrciIiB/SC3aCB0Ma1KisCVs1mhxBf25nfZLLONex/iVpuxP2gip0GyvMv TCcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=fzw9gxRCaoyt9fDKb7UHx0JYhQ1L4Z6A2yR0U5TMQcs=; b=DF1S2l+XiOQbzIRM6b3Mcfvo7RPpew48snV2p4Ih2NOHX0u7zfZgFMh5NtO5gB6PQ1 cvVZ3M6aGL9k9l6uo3G0i6yuawhHUKsZxljQD6zrcM2w4o8B/966Pb9v1hj7GkoZ7shX 70KczxSAWMMBzVWFKfcmtb30mlpnw6exnZAsz9f1utGE1cQRN+t8QpEDpsYG+4FYoYH8 7VxAuK7CnyoNMgSn0dwGnrCEtKYylMcxHg8ky6wg6gD5rwempCDtDak+AWQWN5Mei9Ks 5nyJR/h/KHNl/B2DuXGMQ2qn2aeoo8htX84+pB41vdShJrlZ1TyXO/nXetCcQhHXXec8 ZJ9Q==
X-Gm-Message-State: AMCzsaVULo2i5mmzxE7h1ZJHva6PKO17Vov3s1ZqJHSTxQ+KHt1EltA3 rvsAg0Cw5YTYvGM4MdFWRv+E0Uoxgg9/2fevzidaUpGL
X-Google-Smtp-Source: ABhQp+T6m76FHm1sybhH0N6QFS0nb6CDSJJq2DBZQi81IaK5rtSn2BmLOZnMi07pTP9jnvSWHmg2GYe3sQLCBpsjOr4=
X-Received: by 10.31.248.203 with SMTP id w194mr3012539vkh.85.1509206617505; Sat, 28 Oct 2017 09:03:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.170.145 with HTTP; Sat, 28 Oct 2017 09:03:36 -0700 (PDT)
In-Reply-To: <878tfwey8w.fsf@fifthhorseman.net>
References: <878tfwey8w.fsf@fifthhorseman.net>
From: Ben Schwartz <bemasc@google.com>
Date: Sat, 28 Oct 2017 12:03:36 -0400
Message-ID: <CAHbrMsAQ-9z_5Nicf=RMDCgYf5vS92H9CeRRWUTj-UOYrB-_Mw@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: dns-privacy@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="94eb2c14c6846046fa055c9d8ceb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/AuHH-zbLa5t21UXm8o3n7bAoAfU>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Oct 2017 16:03:53 -0000

I agree with DKG's analysis.

Also, as an implementor, I think this requirement would be onerous.  In the
software I am modifying, implementing DNS-over-TLS is dramatically easier
than adding a validating stub resolver.  I wouldn't be implementing
DNS-over-TLS if DNSSEC were mandatory (in either mode).

On Fri, Oct 27, 2017 at 11:40 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net
> wrote:

> Hey DPRIVE folks--
>
> Apologies for the delay, and that this message is so long.  I've tried
> to reconstruct this discussion around
> draft-ietf-dprive-dtls-and-tls-profiles-11 as best i can, and my
> analysis follows.  If i've misundertood or misanalyzed something,
> please let me know.
>
> Summary
> -------
>
> I do not believe that DNSSEC validation is warranted as a mitigation
> against an active attacker in the context of an opportunistic metaquery,
> regardless of whether the client ultimately intends to follow either the
> Strict or Opportunistic profile.
>
> Furthermore, i believe that the proposal in draft-11 of making DNSSEC
> validation of metaqueries a MUST for the opportunistic profile is
> *actively harmful* to the stated goal of the opportunistic profile
> (i.e., "maximum chance of DNS service").
>
> I like the reorganization and re-wording of the "Usage Profiles"
> section in draft-11, and think we should keep it.  But i think the
> other changes between draft-10 and draft-11 are unwarranted and should
> be reverted.
>
>
> Analysis
> --------
>
> AIUI, the scenario under discussion is:
>
>  * A DNS client (following either the strict or the opportunistic
>    profile)
>  * using opportunistic meta-queries to find the desired DNS resolver
>  * in the face of an active attacker
>
> We already know that an attacker capable of filtering the client's
> *outbound* traffic can cause a denial of service (for clients following
> the strict profile) or loss of privacy (for clients following the
> opportunistic profile, because they fall back to cleartext) simply by
> dropping outbound connections to *anywhere* TCP port 853.
>
> Likewise, We also know that an attacker capable of filtering the
> client's *inbound* traffic can cause a denial of service (strict
> clients) or loss of privacy (opportunistic clients) simply by dropping
> inbound connections from any TCP port 853.
>
> But the introduction of an opportunistically-secured meta-query
> introduces a DoS attack (strict clients) or loss of privacy
> (opportunistic clients) that can be achieved by a weaker attacker.
> Since we're talking about an attacker that is *not* in control of the
> network, the following analysis assumes that the the network provides
> "legitimate" DHCP service, which is supposed to point the client to a
> "legitimate" standard DNS resolver (which may or may not be
> privacy-enabled, but is sufficient for answering an opportunistic
> metaquery correctly).
>
> In particular, the attacker needs only one of the following two
> capabilities:
>
>   (a) Controlling the "legitimate" DHCP server, or detecting the
>       client's DHCP request and racing the "legitimate" DHCP server to
>       return a DHCP response (this allows the attacker to set the
>       resolver used by the client for its opportunistic metaquery), or
>
>   (b) Controlling the "legitimate" DNS resolver, or detecting the
>       client's opportunistic metaquery and racing the "legitimate" DNS
>       resolver to provide a malicious DNS response.
>
> In either case, the result is that the attacker has poisoned the
> client's meta-cache -- its best guess at the location of the desired
> privacy-enabled DNS resolver.  A poisoned meta-cache results in a DoS
> for clients in "Strict" mode because the attacker's answering DNS
> resolver at the learned address cannot authenticate.  A poisoned
> meta-cache results in a loss of privacy for clients in "Opportunistic"
> mode because they will connect without authentication to the attacker's
> answering DNS resolver.
>
> Have i got that right?
>
> DNSSEC validation does not mitigate this attack.
>
> Regardless of the profile, the client has four options when it
> discovers that the response to the metadata query was forged (or at
> any rate is not validatable).  It can:
>
>   (0) ignore the response, resulting in a DoS regardless of profile,
>       or
>
>   (1) ignore the validation failure, and try connecting to the
>       proposed address anyway (resulting in a DoS for strict clients
>       because the server does not validate, or a loss of privacy for
>       opportunistic clients), or
>
>   (2) retry the metaquery (in the hopes that their attacker is in class
>       "b" and not in full control of the "legitimate" DNS resolver) and
>       maybe the legitimate DNS response will come in, or
>
>   (3) abort the network connection and retry DHCP (in the hopes that the
>       attacker is in class "a" and not in full control of the
>       "legitimate" DHCP server) and maybe the legitimate DHCP response
>       will come in.
>
> Choice 0 is the same outcome as the non-DNSSEC-validating scenario for
> strict clients (no mitigation), and *strictly worse* for opportunistic
> clients, because it converts a loss of privacy to a DoS, which is in
> direct opposition to the stated goal of the opportunistic profile.
>
> Choice 1 is exactly the same outcome as the non-DNSSEC-validating
> scenario for all clients. (no mitigation)
>
> Choices 2 and 3 are interesting thought experiments, but are not
> directly contemplated in the draft (and i think they would be a
> distraction from the goal of the draft -- this draft is not "how to do
> staged opportunistic fallback in the face of an arbitrarily corrupt
> network"), so i won't go into them here.
>
> At best, DNSSEC validation of the metaquery could be used to provide
> additional reporting information to any client-internal
> auditing/reporting or other defensive measures; but again, this draft
> should not go into those in any detail.
>
> Background
> ----------
>
> To be clear about where this analysis is coming from, my rule of thumb
> for these two profiles is:
>
>  * Strict
>
>    Do whatever you can to connect to the preferred privacy-enabled
>    resolver, but don't actually send queries unless you're sure you
>    have authenticated the server.
>
>  * Opportunistic
>
>    Do whatever you can to connect to the preferred privacy-enabled
>    resolver, but go ahead and send your queries to it anyway, even if
>    it cannot be authenticated.
>
> Note that both modes can report (e.g., to a local system
> auditor/monitor/policy-agent) any failures or errors they encounter.
> But Strict mode will fail closed (DoS), and Opportunistic mode will
> fail open (loss of privacy).
>
> To be clear: the client is *locally configured* to be either in Strict
> or Opportunistic mode.  Orthogonally, it is also locally configured with
> some server authentication information.
>
> If its locally-configured server authentication information is of the
> form "ADN" only, then -- even when configured in Strict mode -- it
> will do an Opportunistic DNS resolution of the address of the desired
> resolver.  This is the "opportunistic meta-query".
>
> Many moons ago, ekr wrote:
>
> > I.e., if you determine whether to adopt a Strict policy based on
> > Opportunistic queries, then you are back to the active attack
> > setting.
>
> But the client is *not* determining whether to adopt a Strict policy
> based on the opportunistic meta-query.  It has already decided which
> profile it is using, and the opportunistic meta-query merely to find
> the IP address of its desired privacy-enabled DNS resolver.
>
>
> So i guess i'm still DISCUSSing ekr's DISCUSS, which is an unfortunate
> state for the draft to be in. :(
>
>
> I welcome clarification if i've misunderstood the problem we're trying
> to address here, or if i've somehow let myself lapse into some sort of
> "privacy nihilism".
>
>          --dkg
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>
>

v2.23.0 | Report a Bug | By Email