Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
Ben Schwartz <bemasc@google.com> Sat, 28 October 2017 16:03 UTC
Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D723013FB01 for <dns-privacy@ietfa.amsl.com>; Sat, 28 Oct 2017 09:03:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L_YHuw5XYzgE for <dns-privacy@ietfa.amsl.com>; Sat, 28 Oct 2017 09:03:48 -0700 (PDT)
Received: from mail-vk0-x22e.google.com (mail-vk0-x22e.google.com [IPv6:2607:f8b0:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A34013FB19 for <dns-privacy@ietf.org>; Sat, 28 Oct 2017 09:03:38 -0700 (PDT)
Received: by mail-vk0-x22e.google.com with SMTP id h142so2414874vkf.7 for <dns-privacy@ietf.org>; Sat, 28 Oct 2017 09:03:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=fzw9gxRCaoyt9fDKb7UHx0JYhQ1L4Z6A2yR0U5TMQcs=; b=iHqbz6KlaFko1BKXWpjinpvDtxkA19eAlMg3u15M89y6eP8EeEQYBSNMp0w9Fwoprt OAe8GO8gtoWX36XL5pKb6nbOEAWPiorB1TEqBpU15uUCKetuNh42ogXNKsFkkgq8Ep2X ukY6BXgAYlNMGw0B0DAz+ve2jWSlf1AUluKDQnmVKQS5O0pxsjkcosa4ALO6cR9WHPmW 2HAcxlPdbGXsR7YPxpZMJaMzTa7Re5o93btDJswwh5A//S/NjDURm5ETSvEpFWi8hTcX 7sh40SZtBPfrciIiB/SC3aCB0Ma1KisCVs1mhxBf25nfZLLONex/iVpuxP2gip0GyvMv TCcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=fzw9gxRCaoyt9fDKb7UHx0JYhQ1L4Z6A2yR0U5TMQcs=; b=DF1S2l+XiOQbzIRM6b3Mcfvo7RPpew48snV2p4Ih2NOHX0u7zfZgFMh5NtO5gB6PQ1 cvVZ3M6aGL9k9l6uo3G0i6yuawhHUKsZxljQD6zrcM2w4o8B/966Pb9v1hj7GkoZ7shX 70KczxSAWMMBzVWFKfcmtb30mlpnw6exnZAsz9f1utGE1cQRN+t8QpEDpsYG+4FYoYH8 7VxAuK7CnyoNMgSn0dwGnrCEtKYylMcxHg8ky6wg6gD5rwempCDtDak+AWQWN5Mei9Ks 5nyJR/h/KHNl/B2DuXGMQ2qn2aeoo8htX84+pB41vdShJrlZ1TyXO/nXetCcQhHXXec8 ZJ9Q==
X-Gm-Message-State: AMCzsaVULo2i5mmzxE7h1ZJHva6PKO17Vov3s1ZqJHSTxQ+KHt1EltA3 rvsAg0Cw5YTYvGM4MdFWRv+E0Uoxgg9/2fevzidaUpGL
X-Google-Smtp-Source: ABhQp+T6m76FHm1sybhH0N6QFS0nb6CDSJJq2DBZQi81IaK5rtSn2BmLOZnMi07pTP9jnvSWHmg2GYe3sQLCBpsjOr4=
X-Received: by 10.31.248.203 with SMTP id w194mr3012539vkh.85.1509206617505; Sat, 28 Oct 2017 09:03:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.170.145 with HTTP; Sat, 28 Oct 2017 09:03:36 -0700 (PDT)
In-Reply-To: <878tfwey8w.fsf@fifthhorseman.net>
References: <878tfwey8w.fsf@fifthhorseman.net>
From: Ben Schwartz <bemasc@google.com>
Date: Sat, 28 Oct 2017 12:03:36 -0400
Message-ID: <CAHbrMsAQ-9z_5Nicf=RMDCgYf5vS92H9CeRRWUTj-UOYrB-_Mw@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: dns-privacy@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="94eb2c14c6846046fa055c9d8ceb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/AuHH-zbLa5t21UXm8o3n7bAoAfU>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Oct 2017 16:03:53 -0000
I agree with DKG's analysis. Also, as an implementor, I think this requirement would be onerous. In the software I am modifying, implementing DNS-over-TLS is dramatically easier than adding a validating stub resolver. I wouldn't be implementing DNS-over-TLS if DNSSEC were mandatory (in either mode). On Fri, Oct 27, 2017 at 11:40 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net > wrote: > Hey DPRIVE folks-- > > Apologies for the delay, and that this message is so long. I've tried > to reconstruct this discussion around > draft-ietf-dprive-dtls-and-tls-profiles-11 as best i can, and my > analysis follows. If i've misundertood or misanalyzed something, > please let me know. > > Summary > ------- > > I do not believe that DNSSEC validation is warranted as a mitigation > against an active attacker in the context of an opportunistic metaquery, > regardless of whether the client ultimately intends to follow either the > Strict or Opportunistic profile. > > Furthermore, i believe that the proposal in draft-11 of making DNSSEC > validation of metaqueries a MUST for the opportunistic profile is > *actively harmful* to the stated goal of the opportunistic profile > (i.e., "maximum chance of DNS service"). > > I like the reorganization and re-wording of the "Usage Profiles" > section in draft-11, and think we should keep it. But i think the > other changes between draft-10 and draft-11 are unwarranted and should > be reverted. > > > Analysis > -------- > > AIUI, the scenario under discussion is: > > * A DNS client (following either the strict or the opportunistic > profile) > * using opportunistic meta-queries to find the desired DNS resolver > * in the face of an active attacker > > We already know that an attacker capable of filtering the client's > *outbound* traffic can cause a denial of service (for clients following > the strict profile) or loss of privacy (for clients following the > opportunistic profile, because they fall back to cleartext) simply by > dropping outbound connections to *anywhere* TCP port 853. > > Likewise, We also know that an attacker capable of filtering the > client's *inbound* traffic can cause a denial of service (strict > clients) or loss of privacy (opportunistic clients) simply by dropping > inbound connections from any TCP port 853. > > But the introduction of an opportunistically-secured meta-query > introduces a DoS attack (strict clients) or loss of privacy > (opportunistic clients) that can be achieved by a weaker attacker. > Since we're talking about an attacker that is *not* in control of the > network, the following analysis assumes that the the network provides > "legitimate" DHCP service, which is supposed to point the client to a > "legitimate" standard DNS resolver (which may or may not be > privacy-enabled, but is sufficient for answering an opportunistic > metaquery correctly). > > In particular, the attacker needs only one of the following two > capabilities: > > (a) Controlling the "legitimate" DHCP server, or detecting the > client's DHCP request and racing the "legitimate" DHCP server to > return a DHCP response (this allows the attacker to set the > resolver used by the client for its opportunistic metaquery), or > > (b) Controlling the "legitimate" DNS resolver, or detecting the > client's opportunistic metaquery and racing the "legitimate" DNS > resolver to provide a malicious DNS response. > > In either case, the result is that the attacker has poisoned the > client's meta-cache -- its best guess at the location of the desired > privacy-enabled DNS resolver. A poisoned meta-cache results in a DoS > for clients in "Strict" mode because the attacker's answering DNS > resolver at the learned address cannot authenticate. A poisoned > meta-cache results in a loss of privacy for clients in "Opportunistic" > mode because they will connect without authentication to the attacker's > answering DNS resolver. > > Have i got that right? > > DNSSEC validation does not mitigate this attack. > > Regardless of the profile, the client has four options when it > discovers that the response to the metadata query was forged (or at > any rate is not validatable). It can: > > (0) ignore the response, resulting in a DoS regardless of profile, > or > > (1) ignore the validation failure, and try connecting to the > proposed address anyway (resulting in a DoS for strict clients > because the server does not validate, or a loss of privacy for > opportunistic clients), or > > (2) retry the metaquery (in the hopes that their attacker is in class > "b" and not in full control of the "legitimate" DNS resolver) and > maybe the legitimate DNS response will come in, or > > (3) abort the network connection and retry DHCP (in the hopes that the > attacker is in class "a" and not in full control of the > "legitimate" DHCP server) and maybe the legitimate DHCP response > will come in. > > Choice 0 is the same outcome as the non-DNSSEC-validating scenario for > strict clients (no mitigation), and *strictly worse* for opportunistic > clients, because it converts a loss of privacy to a DoS, which is in > direct opposition to the stated goal of the opportunistic profile. > > Choice 1 is exactly the same outcome as the non-DNSSEC-validating > scenario for all clients. (no mitigation) > > Choices 2 and 3 are interesting thought experiments, but are not > directly contemplated in the draft (and i think they would be a > distraction from the goal of the draft -- this draft is not "how to do > staged opportunistic fallback in the face of an arbitrarily corrupt > network"), so i won't go into them here. > > At best, DNSSEC validation of the metaquery could be used to provide > additional reporting information to any client-internal > auditing/reporting or other defensive measures; but again, this draft > should not go into those in any detail. > > Background > ---------- > > To be clear about where this analysis is coming from, my rule of thumb > for these two profiles is: > > * Strict > > Do whatever you can to connect to the preferred privacy-enabled > resolver, but don't actually send queries unless you're sure you > have authenticated the server. > > * Opportunistic > > Do whatever you can to connect to the preferred privacy-enabled > resolver, but go ahead and send your queries to it anyway, even if > it cannot be authenticated. > > Note that both modes can report (e.g., to a local system > auditor/monitor/policy-agent) any failures or errors they encounter. > But Strict mode will fail closed (DoS), and Opportunistic mode will > fail open (loss of privacy). > > To be clear: the client is *locally configured* to be either in Strict > or Opportunistic mode. Orthogonally, it is also locally configured with > some server authentication information. > > If its locally-configured server authentication information is of the > form "ADN" only, then -- even when configured in Strict mode -- it > will do an Opportunistic DNS resolution of the address of the desired > resolver. This is the "opportunistic meta-query". > > Many moons ago, ekr wrote: > > > I.e., if you determine whether to adopt a Strict policy based on > > Opportunistic queries, then you are back to the active attack > > setting. > > But the client is *not* determining whether to adopt a Strict policy > based on the opportunistic meta-query. It has already decided which > profile it is using, and the opportunistic meta-query merely to find > the IP address of its desired privacy-enabled DNS resolver. > > > So i guess i'm still DISCUSSing ekr's DISCUSS, which is an unfortunate > state for the draft to be in. :( > > > I welcome clarification if i've misunderstood the problem we're trying > to address here, or if i've somehow let myself lapse into some sort of > "privacy nihilism". > > --dkg > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy > >
- [dns-privacy] review of draft-ietf-dprive-dtls-an… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Ben Schwartz
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephane Bortzmeyer
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Antoine Germanos
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Antoine Germanos