Re: [dns-privacy] Threat Model
Brian Dickson <brian.peter.dickson@gmail.com> Fri, 01 November 2019 19:54 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4D8F120828 for <dns-privacy@ietfa.amsl.com>; Fri, 1 Nov 2019 12:54:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L_QBZookYgUh for <dns-privacy@ietfa.amsl.com>; Fri, 1 Nov 2019 12:54:34 -0700 (PDT)
Received: from mail-ua1-x92e.google.com (mail-ua1-x92e.google.com [IPv6:2607:f8b0:4864:20::92e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FA3212007A for <dns-privacy@ietf.org>; Fri, 1 Nov 2019 12:54:34 -0700 (PDT)
Received: by mail-ua1-x92e.google.com with SMTP id o3so3232539ual.12 for <dns-privacy@ietf.org>; Fri, 01 Nov 2019 12:54:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OilAOAj/nikq6buRyLFh1clfYOWQLstSAzztcemcbqM=; b=JP9grNx8XN1qFLjAa0SDhjNd/JhHCsXbztdr20BkEfN8cN13piETfWXKs3JYY5twrX Feg3TnKIM6gdwopr2mo7vjwnSyr3yhDTP+pAEVV7AA/Ib7L2Z75MITJ4/26z2prDnFac 2EonffSKi2Mj+VrkqH9i85sGp7ZUUYYXXUqxSY9unJjkUJJWGXMZ+8OpYV15Qf16OLjL 7EBP9vYpJMfeCADw+P1O90AmuybHGwd6KZE490OpInbcMUUrDjDQpPDH/LkFmVSFEUUq iZUjm4aVuzQ4beekwH/doYGVMVBdFKrEnzFWP1OASbHRfEjchVly7k/8bX/Y+45z2bmd Izyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OilAOAj/nikq6buRyLFh1clfYOWQLstSAzztcemcbqM=; b=X29pybwggTt7YxgYVeyU8kr0DFEfYStmqmi/gAVrF0Ed70FUhgGksg92zmrXQ4WuHJ TRXNpyHTCZb2KVUK4gZ73IYcRWHp2m59JaXLdlpxIQo4ZAScOcleOfbpN+NYE+beeJGO THJqoK0rzfE0/FRt05kUn64xIicdNs6g8BpCwYan9inOWYOHziG+2rIRwPgMz87psX5q vV3jD3Ouk1Rfj7CMg3D3pv0qi++Vtd8vzAD2naxDoOmON8nR+m/CYxvJwHlJkHy+8sTO pASc4byzpK4fkniXXF/n4L8ZfnEAWr3iZgMT2EQ+dk83qQSn573kaiVwuVFBKwCRVnzJ wZcw==
X-Gm-Message-State: APjAAAWOiFNKJIjbFUuhpcoyFzxj48CMCefZLNekpKOrB7jfhydvpovd 19kDl2J5lhRkLSy+EAZXHdVCI6s9PCxEzcR+Wc0s8lqzgaA=
X-Google-Smtp-Source: APXvYqzuseILXLsS2ZHZMhX3IBs2SeTjRdb+F7T1YS0y3PEBdxerWalPJflcGGgfQaADDyYWS2TDoWJCkgCxo6mBmp8=
X-Received: by 2002:ab0:2e98:: with SMTP id f24mr5169382uaa.48.1572638073134; Fri, 01 Nov 2019 12:54:33 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com>
In-Reply-To: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 01 Nov 2019 14:54:21 -0500
Message-ID: <CAH1iCiphfkJKAAFTGw78ps-4O9BBRW2kKyWhXvnOJHx9VGHkuw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b5a5a105964e55a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/BLrI4UlY9wosupv8gY_wRO8jykE>
Subject: Re: [dns-privacy] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2019 19:54:37 -0000
On Fri, Nov 1, 2019 at 1:10 PM Eric Rescorla <ekr@rtfm.com> wrote: > It seemed like it might be a good idea to take a step back and talk > about threat model to see if we're all on the same page. > > The set of threats I am concerned with is primarily about an on-path > active attacker who learns the query stream (i.e., the domains being > queried) coming out of the recursive resolver. It's of course mostly > inevitable that the attacker learns which authoritative servers are > being queried, but I think we can all agree there's still plenty of > information to leak here [0]. > This is where IMHO there is a major distinction between the C2R and R2A query streams and respective privacy metrics. C2R traffic is always PII, since the client ID (IP address) and query are combined (literally) in the query and answer. (NB: the proposal for "oblivious DNS" is an interesting approach that decouples those in such a way that the resolver itself no longer has that PII.) There are two related considerations: - Does the attacker has access to timing data (source/dest IP plus port number indicating that DNS is being queried), even if the C2R traffic is encrypted? - How frequently has a query previously been seen (possibly "never", to "only from one client", to "frequently and widely seen")? If the attacker does not have access to the timing data, IMHO the R2A queries expose no PII, since the query data cannot be associated with an originating client. In this case, an on-path active attacker isn't actually a threat (!!). If the attacker does have access to the timing data (or raw query data), then the details of the second question come into play, including when and how the resolver performs queries. Here are possibilities that I can think of (which might not cover all possibilities, everyone is welcome to add to this list): 1. First query ever, never been cached. Must obtain from authority in response to new query. 2. Only queried once, about to expire (TTL), can be preemptively obtained to keep the cache full. 3. Queried multiple times by a single client, about to expire (TTL), can be preemptively obtained to keep the cache full. 4. Only queried once, expired. Must obtain from authority in response to new query. 5. Queried multiple times by a single client, expired. Must be obtained from authority in response to new query. 6. Queried multiple times by multiple clients, about to expire (TTL), can be preemptively obtained to keep cache full. 7. Queried multiple times by multiple clients, expired. Must be obtained from authority in response to new query. Case #1 is obviously a rather unique case. It will always leak information. The other 6 cases are pairs with the same semantic on the three cases that differ only in numbers of queries and numbers of clients. The following apply to all 3 of those pairs: If the cache entry is allowed to expire, the next query would necessarily leak information, as it becomes effectively a degenerate version of case #1. If the cache entry is not allowed to expire (by preemptively doing a query to keep the cache fresh), there might not be an association between the query traffic (C2R) and the cache refresh traffic (R2A). I.e. there might not be any information leak. I believe it is the case that: 1. If no cache entry exists and the R2A query is encrypted, there is no leakage. (Required for case #1, or TTL expiry every occurs). 2. If a particular cache entry that has not been sent in the clear previously, and is refreshed before TTL expires, no information leak occurs, and it can continue to be treated as if it has never been sent in the clear. 3. Only if a query has never been seen, or the TTL expires, AND the next query resulting in R2A is sent in the clear, does information leak. If this strategy is used, this creates an interesting side effect. On a busy enough resolver, the regular cache refresh traffic may be significant enough to negatively impact timing attacks against encrypted C2R traffic in determing IP/QNAME matches, even if port 853 is blocked and all traffic is on port 53. > > In the current DNS, such an attacker can of course just perform a > passive attack by listening to the DNS query traffic. It's possible to > straightforwardly exclude this attack by opportunistically attempting > DoT [1] to the authoritative. However, an active attacker can mount a > downgrade attack on the negotiation, forcing you back to > cleartext. So, unless you have a secure way of: > > (1) knowing the expected name of the authoritative for a given query > and that it supports DoT > (2) verifying that the server you are connecting to actually has > that name > > Then the attacker can just mount a MITM attack on your connections and > collect this data by proxying the traffic to the true authoritative. > This MITM attack method would work, and should be protected against, in response to downgrade attacks against traffic that would otherwise leak information. This risk needs to be given context, specifically where are the client, the recursive, and authoritative, and whether an attacker is able to block port 853 to cause the downgrade? The current passive attack does not require the attacker to expose her existence, while port blocking reveals the existence (if not the identity) of the attacker. Clearly there are places where such attackers are well known and unavoidable. The scenarios to consider include when the R2A connection is not in such an environment, but the C2R is, and when the R2A is in such an environment but the C2R is not, and when both connections are (even if any one of the hosts is not in that environment). > > Do people agree with this assessment of the situation? Is this form > of attack something they agree should be in scope? > Modulo the nuances enumerated above, I think it is necessary to analyze the attacks to determine requirements, and to evaluate the design(s) being proposed to validate their ability to resist the attacks (as well as expected costs). Brian > > -Ekr > > [0] There are of course also integrity issues here, but (1) those > are addressed by DNSSEC and (2) if you solved the active attack > problem, that would provide some measure of integrity for the data. > > [1] Or any secure transport such as DoH, DoQ, tcpcrypt, etc. > but given the focus of this group, I'll just say DoT. > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy >
- [dns-privacy] Threat Model Eric Rescorla
- Re: [dns-privacy] Threat Model Christian Huitema
- Re: [dns-privacy] Threat Model Brian Dickson
- Re: [dns-privacy] Threat Model Ted Hardie
- Re: [dns-privacy] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] what's good enough, or Threat M… John Levine
- Re: [dns-privacy] what's good enough, or Threat M… Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] what's good enough, or Threat M… John R Levine
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model David Conrad
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] Threat Model Livingood, Jason
- Re: [dns-privacy] [Ext] Threat Model Tony Finch
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model John Levine
- Re: [dns-privacy] [Ext] Threat Model John Levine
- Re: [dns-privacy] [Ext] Threat Model Tony Finch
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Dan Wing
- Re: [dns-privacy] [Ext] Threat Model Mark Andrews
- Re: [dns-privacy] [Ext] Threat Model Ralf Weber
- Re: [dns-privacy] [Ext] Threat Model Hugo Connery
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Ted Hardie
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Bob Harold
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Ebersman
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Bob Harold
- Re: [dns-privacy] [Ext] Threat Model sthaug