Re: [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-dnsoquic-10: (with COMMENT)
Martin Duke <martin.h.duke@gmail.com> Sun, 27 March 2022 21:32 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCC153A15B6; Sun, 27 Mar 2022 14:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CtU4xV3VpgE4; Sun, 27 Mar 2022 14:32:40 -0700 (PDT)
Received: from mail-vk1-xa35.google.com (mail-vk1-xa35.google.com [IPv6:2607:f8b0:4864:20::a35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17BE53A15B4; Sun, 27 Mar 2022 14:32:40 -0700 (PDT)
Received: by mail-vk1-xa35.google.com with SMTP id w123so6984255vkg.7; Sun, 27 Mar 2022 14:32:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=246TMn3WSjn28o8JX1p7FmxzvGehgH4KEk+3RzyAP0U=; b=gg40pydzYyCs4Jd4n637gH8vYhIFQ2D5kaWonQU78a4TZWGMMGFnZlA+FvIqrqoeVU BxmdxJS3lTb5ntRNP0GSEhCPRX/QmAZvkHGIiGzgx1rS6eR/y5a5GXjsLzok++IZDNk7 wDW4nSbufmMhKPCEHWJw+oI635aFkIFGHcKXALbkI3WxBBvZVD+W+gSLLlo3yn7YP6D3 v6ctQEdNIvnPH9NnR2Jb645CNvCR96Q4dnu5sYauAFuCOaGtEWhQ8TVhw21nUAXaZidw 3XeflFcsje3Gm8iz+ZnTRlX7J0pQKFnvNoXzjbETelMQPw2iChTaNHO/CeKVW90gocO4 F+dA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=246TMn3WSjn28o8JX1p7FmxzvGehgH4KEk+3RzyAP0U=; b=HcWTKNzTihHBhRbD2RWAUBxO9dUEbhzIame+RShnfhHBg+xsdPN5Vy0QDIPwKVVHeA B3Qcj9qfaSBceAtWep3LPU+/lKOwRo7UjIjcsNS/i98F9hDKPziQBTTCK3BD5a8AWh94 ni3tZxzPMylFQmzEnYODd2a5rwfgHkGo89NjFUQbaBpDKkUX7j91vr1O2+OKHSJ3i9ZA 1tcIRk9y2tL4K0G85HG8Rb6107FiKtIGUfLqEZESvtzSTbeeaUJrxQYTYgqEhWoI++zD 9ZKDY4NmveLvTZ76OMIZnHf6Z4G0tkraTeGWRu6G2NssBl/1rN2ocoAkAdTSoGUa4UfF fUSg==
X-Gm-Message-State: AOAM5314TU9oWY3Qqcjw/Y4ibkXi7p0Pe53Qb1+zpkg4QIKnJq5rxEFb 2p9eRLtnWS7r418YOTy7+A4u0vCWP0zMmG8MoLyg16Qm
X-Google-Smtp-Source: ABdhPJyVur6Ynm8/HgD+t4wxitnG0NdVmlcj7cn4rVNjEg/qg97bQ41sP0JurKi6qR6RpAmKuTlGL46kPy08SEfJBAA=
X-Received: by 2002:a05:6122:653:b0:330:d5ca:873 with SMTP id h19-20020a056122065300b00330d5ca0873mr8699697vkp.32.1648416758588; Sun, 27 Mar 2022 14:32:38 -0700 (PDT)
MIME-Version: 1.0
References: <164684766454.27683.16970508061933986550@ietfa.amsl.com> <8392E6A2-34F5-47FA-B744-6AA5E7B93CC3@sinodun.com>
In-Reply-To: <8392E6A2-34F5-47FA-B744-6AA5E7B93CC3@sinodun.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Sun, 27 Mar 2022 14:32:28 -0700
Message-ID: <CAM4esxRYb0yNHbX9CbJTcoOvVQABczanAw+PKy6BiamyGCDU=g@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-dnsoquic@ietf.org, dprive-chairs@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>, brian@innovationslab.net
Content-Type: multipart/alternative; boundary="000000000000566b5805db39effd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Iweq2Uz-zYDQOTuy-FifoTjidEg>
Subject: Re: [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-dnsoquic-10: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Mar 2022 21:32:45 -0000
LGTM On Tue, Mar 22, 2022 at 2:40 AM Sara Dickinson <sara@sinodun.com> wrote: > > > > On 9 Mar 2022, at 17:41, Martin Duke via Datatracker <noreply@ietf.org> > wrote: > > > > Martin Duke has entered the following ballot position for > > draft-ietf-dprive-dnsoquic-10: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > > for more information about how to handle DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-dprive-dnsoquic/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Thanks for this draft! It was very easy to read. > > Hi Martin, > > Many thanks for the comments - please see the updates in version -11 which > was just published, which we hope address your comments. > > > > > (4.3) says: > > > > "Using QUIC might allow a protocol to disguise its purpose from devices > on the > > network path using encryption and traffic analysis resistance techniques > like > > padding. This specification does not include any measures that are > designed to > > avoid such classification." > > > > but then Sec 6.4 has a detailed, normative discussion of how to use > padding to > > avoid classification. I suggest you delete or edit the bit in 4.3. > > We’ve update the last sentence to be: > “This specification does not > include any measures that are designed to avoid such classification -- > the padding mechanisms defined in {{padding}} are intended to obfuscate > the specific > records contained in DNS queries and responses, but not the fact that > this is DNS traffic." > > > > > (5.3.1) Clients are allowed to send STOP_SENDING and servers are allowed > to > > send RESET_STREAM. Servers sending STOP_SENDING break the connection. > Given the > > prescriptiveness of these rules, it's odd that you don't address clients > > sending RESET_STREAM. IMO this should be allowed, but either way it > should be > > specified. > > We’ve added an additional paragraph at the end of this section to try to > address this - please review. > > > > > (6.5.4) and (9.4) I hesitate to write this, as Christian is as well > aware as > > anyone, but IMO QUIC address migration is not quite as > privacy-destroying as > > this draft suggests. RFC9000 has a number of normative requirements to > reduce > > linkability, and work is ongoing to reduce it further. Granted, no > > anti-linkability mitigation is perfect, and if this is a primary goal of > DoQ > > it's OK to discourage migration as you've done here. > > As I think you discussed with Christian, the issue being addressed is > actually about disclosing the client location to the server. > > Best regards > > Sara.
- [dns-privacy] Martin Duke's No Objection on draft… Martin Duke via Datatracker
- Re: [dns-privacy] Martin Duke's No Objection on d… Sara Dickinson
- Re: [dns-privacy] Martin Duke's No Objection on d… Martin Duke