Re: [dns-privacy] Call for Adoption: draft-hal-adot-operational-considerations

Hugo Connery <hmco@env.dtu.dk> Thu, 15 August 2019 12:49 UTC

Message-ID: <2737006b51b48ac6bf89829a9599d42aaf847550.camel@env.dtu.dk>
From: Hugo Connery <hmco@env.dtu.dk>
To: Brian Haberman <brian@innovationslab.net>, dns-privacy@ietf.org
Date: Thu, 15 Aug 2019 14:48:52 +0200
In-Reply-To: <5352e08c-3280-999c-0c3f-d15a9f02a7b4@innovationslab.net>
References: <5352e08c-3280-999c-0c3f-d15a9f02a7b4@innovationslab.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/GKqmQx8teLYvCb1tKuFYJVlI2s4>

Hi DPRIVE,


Firstly, I concur with Stephen Farrell's comments.

I support the document and further work on it.  My comments are:

1.1.1

spelling: proection -> protection

  "Initial deployments of ADoT may offer an immediate expansion of the
   attack surface (additional port, transport protocol, and
   computationally expensive crypto operations for an attacker to
   exploit) while, in some cases, providing limited protection to end
   users."

I find this a little "scareware".  An additional port is not a threat.
It's what's running behind it.  The "transport protocol" is worked out,
right?  TLS v1.3.  "computationally expensive ...".  Haven't our
chip manufacturing friends provided hardware primitives to correspond
to much of the "expensive" calculations?

Yes, there will be a new service, and thus one must do the security
analysis that you recommend.  And, yes, TLSv1.3 means crypto and
potentially many concurrent connections and that will place additional
load on the ADoT server infrastructure.  But "immediate expansion of
the attack surface ... expensive crypto ... attacker to exploit ..."
seems designed, along with the MUSTs for the studies, to scare CEOs
and delay things.

1.1.2

paragraph 2: I presume you are referring to CDNs.  Why not specify
that?

3.2

 "Static use of a pre-defined port provides on-path adversaries the
  ability to more easily drop or manipulate traffic intended for that
  port, possibly triggering resolvers to downgrade a connection back to
  a traditional DNS query, eliminating the encryption protections."

How, if we're using TLSv1.3 with good crypto, is "manipulate traffic"
going to work?  Without breaking the crypto you can't re-write queries
successfully. Yes, you can drop it.  But, this is always true.  (Yes,
it's a downgrade attack.)

"This attack is more likely to happen on the stub-to-recursive
connection but is also a possible threat for recursive-to-authoritative
connections."

Why?  Please justify.  Airport and hotel networks?

Regards,  Hugo Connery

PS: I am happy to continue to review.

On Wed, 2019-08-14 at 16:40 -0400, Brian Haberman wrote:
> This starts a Call for Adoption for
> draft-hal-adot-operational-considerations
> 
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-hal-adot-operational-considerations/
> 
> Please review this draft to see if you think it is suitable for
> adoption
> by DPRIVE, and comment to the list, clearly stating your view.
> 
> Please also indicate if you are willing to contribute text, review,
> etc.
> 
> This call for adoption ends: 28 August 2019
> 
> Thanks,
> Brian & Tim
> 
-- 
Hugo Connery, Head of IT, Dept. Environmental Engineering
Technical University of Denmark, http://www.env.dtu.dk
:(){:|:;};:
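The port-853 drop followed by a cleartext retry that section 3.2 of the draft warns about (and that Hugo agrees is a downgrade attack) leaves a recognisable trace in connection logs. As an added example, not code from this thread or from the draft, the script below flags a failed TCP/853 attempt followed by a UDP/53 query to the same upstream from the same client; the log fields, addresses and the 5-second retry window are assumptions constructed for the example.

```python
"""Detect DoT-to-Do53 downgrade patterns in resolver connection logs.

Added example (not from the mailing-list thread or the draft). Models the
fallback described in draft-hal-adot-operational-considerations section 3.2:
an on-path adversary drops TCP/853 and an opportunistic resolver retries the
query in the clear on UDP/53. Log format and field names are constructed.
"""
from dataclasses import dataclass
from typing import Iterable

DOT_PORT, DO53_PORT = 853, 53
FALLBACK_WINDOW_S = 5.0   # assumed: retry on port 53 within 5 s of a failed 853 attempt


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    src: str         # resolver / client address
    dst: str         # upstream name server
    port: int        # destination port
    outcome: str     # "ok", "reset" or "timeout"


def find_downgrades(flows: Iterable[Flow], window: float = FALLBACK_WINDOW_S) -> list[tuple[str, str, float]]:
    """Return (src, dst, ts_of_cleartext_retry) for every failed TCP/853 attempt
    that is followed by a UDP/53 query to the same (src, dst) pair within `window`."""
    failed: dict[tuple[str, str], float] = {}   # last failed 853 attempt per pair
    hits: list[tuple[str, str, float]] = []
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src, f.dst)
        if f.port == DOT_PORT and f.outcome != "ok":
            failed[key] = f.ts
        elif f.port == DO53_PORT and key in failed and 0 <= f.ts - failed[key] <= window:
            hits.append((f.src, f.dst, f.ts))
            del failed[key]                      # report each failed attempt once
    return hits


# Constructed sample: one client falls back after a reset, one retries too late
# to be attributed, one had a working 853 session so its port-53 query is benign.
SAMPLE = [
    Flow(100.0, "10.0.0.5", "192.0.2.53", 853, "reset"),
    Flow(100.8, "10.0.0.5", "192.0.2.53", 53, "ok"),      # downgrade
    Flow(200.0, "10.0.0.9", "192.0.2.53", 853, "timeout"),
    Flow(230.0, "10.0.0.9", "192.0.2.53", 53, "ok"),      # outside the window
    Flow(300.0, "10.0.0.7", "192.0.2.53", 853, "ok"),
    Flow(301.0, "10.0.0.7", "192.0.2.53", 53, "ok"),      # 853 succeeded: no downgrade
]

if __name__ == "__main__":
    for src, dst, ts in find_downgrades(SAMPLE):
        print(f"possible downgrade: {src} -> {dst} at t={ts}")
```

A resolver configured for strict (non-opportunistic) DoT never produces the second half of this pattern, which is the configuration-side mitigation the draft's concern points at.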