IETF Logo Mail Archive

Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

Mike Bishop <Michael.Bishop@microsoft.com> Thu, 04 May 2017 02:53 UTC

Return-Path: <Michael.Bishop@microsoft.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40BA81296D2 for <dns-privacy@ietfa.amsl.com>; Wed, 3 May 2017 19:53:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level:
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yB4FNWn3qnpM for <dns-privacy@ietfa.amsl.com>; Wed, 3 May 2017 19:53:42 -0700 (PDT)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0090.outbound.protection.outlook.com [104.47.32.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FEB61296C9 for <dns-privacy@ietf.org>; Wed, 3 May 2017 19:53:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1KxOD8FbPj0rCfYt+lMzT0FYLIZFLtjfE8GqCtNPDcU=; b=e1a3QV4iHJiO2vcGO80t8AnpRH5TVa1H84rXhkrlHvlEU8CFQtIKf1aEqYv0SnOMiKFN57LK6R5E28Ld0pu8W/D0HV/3sRtuzCQ/7QZk7+rXi+KGK+00iA71i2Mb6EfZ/MxddiN11oQy5Phh2g4YaC/7NXUqVnX0yjlHtsqNbds=
Received: from BN6PR03MB2708.namprd03.prod.outlook.com (10.173.144.15) by BN6PR03MB2707.namprd03.prod.outlook.com (10.173.144.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1061.12; Thu, 4 May 2017 02:53:38 +0000
Received: from BN6PR03MB2708.namprd03.prod.outlook.com ([10.173.144.15]) by BN6PR03MB2708.namprd03.prod.outlook.com ([10.173.144.15]) with mapi id 15.01.1061.021; Thu, 4 May 2017 02:53:38 +0000
From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Martin Thomson <martin.thomson@gmail.com>
CC: Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
Thread-Topic: Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]
Thread-Index: AQHSxGSVzArpJBnINkKlwlv/ObjAOKHjTeBggAACCwCAAAY+AIAAHrUg
Date: Thu, 04 May 2017 02:53:38 +0000
Message-ID: <BN6PR03MB2708762328EE8C91A229B9B987EA0@BN6PR03MB2708.namprd03.prod.outlook.com>
References: <87tw51remp.fsf@fifthhorseman.net> <CAOdDvNoNPXNXzpVcX7TZX=Z++kWMBhG_+uDH3Vk1Jp8+adcHLQ@mail.gmail.com> <CAOdDvNruCCyB2rsF9VgaVEOjQGD82wA0AiLAghiGjDM0SpBFPQ@mail.gmail.com> <87lgqdr0fr.fsf@fifthhorseman.net> <BN6PR03MB27085632B5CBA7324894699487EA0@BN6PR03MB2708.namprd03.prod.outlook.com> <CABkgnnVLasxAfsezDp4H0cSOme5okHUY0ruG7EzgsNEW89SmDQ@mail.gmail.com> <87bmr9qwn7.fsf@fifthhorseman.net>
In-Reply-To: <87bmr9qwn7.fsf@fifthhorseman.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: fifthhorseman.net; dkim=none (message not signed) header.d=none;fifthhorseman.net; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2601:600:8080:63a8:969:514e:fb21:d263]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR03MB2707; 7:vDj3ZzA0Poqg6bbFZT9wo203q+smOevwM7Cu865zCYD1lCHoN/xue6CrRZlp6isixDIRM2my3wrTfS4W51569WoKGeHxCO7hzPqu9mtr6Nl82Fnzw/oYPbQM6Zn1edC4VEvypawWhoZzz/Igk7VUdGsU1ZMdn4s21vr0AQlX5Wb4na04dzp5kvuq7cPmlQi8KZDlpOnAzNdwDqdLwCBdDv0c036uPNQZJBQoY/Ixef11yjNg0k3/Lpon5jXKunwLHkGPiaLALzxn9E+HTOtHq0VKOO9Ur87/oEbqLt+i2hCRp7pXMQvEjldbXqTUooZqEcrUkZstYvYWSXpt7BYKby2667hyjR6gvSb3nPpoX8k=
x-ms-office365-filtering-correlation-id: a719f59e-c7b5-4269-65dd-08d49298c3c2
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423075)(201703031133081)(201702281549075); SRVR:BN6PR03MB2707;
x-microsoft-antispam-prvs: <BN6PR03MB2707F09D5AC6E666D32C41CD87EA0@BN6PR03MB2707.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(190756311086443)(158342451672863)(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040450)(601004)(2401047)(5005006)(8121501046)(93006095)(93001095)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123564025)(20161123555025)(20161123562025)(20161123560025)(6072148); SRVR:BN6PR03MB2707; BCL:0; PCL:0; RULEID:; SRVR:BN6PR03MB2707;
x-forefront-prvs: 02973C87BC
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39450400003)(39850400002)(39400400002)(39410400002)(39860400002)(39840400002)(24454002)(377424004)(377454003)(13464003)(74316002)(53546009)(2950100002)(6116002)(5660300001)(8990500004)(10090500001)(7696004)(5005710100001)(2900100001)(102836003)(229853002)(305945005)(3660700001)(15650500001)(3280700002)(2906002)(7736002)(478600001)(189998001)(81166006)(8676002)(86612001)(38730400002)(93886004)(25786009)(10290500003)(230783001)(122556002)(86362001)(8936002)(33656002)(39060400002)(6436002)(53936002)(54906002)(76176999)(9686003)(99286003)(54356999)(4326008)(6246003)(6506006)(77096006)(55016002)(50986999); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR03MB2707; H:BN6PR03MB2708.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 May 2017 02:53:38.1782 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR03MB2707
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/J602h3rxExzo7WFFomgSZgzK0ds>
Subject: Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 02:53:44 -0000

No, the network observer can observe which clients are offering that protocol as one of a set of options -- selection happens server-side.  In TLS 1.3, the selection is part of the EncryptedExtensions, no?  Which means an observer can tell that the client offers it, but can't tell whether the server is selecting it at any given time.  (Without making the same offer to the server and seeing what it chooses for them, at least.)

As Martin says, if you can get a broad set of clients to start offering it all the time, a network controller would have to kill a lot of connections to be sure they didn't let DNS traffic out.  (Of course, if major networks start killing connections with this ALPN token, major implementations would probably find themselves having to implement a fallback, and you haven't won.)  My other major issue with your approach is something we learned while prototyping h2c:  Looking at the content of a message and dynamically swapping out parsers takes a lot of investment to do performantly.  You can bound it by only looking at the beginning of the stream, as you do, but it still hurts.

If you want to do this transparently inside of HTTP without looking different on the outside, define an HTTP/2 extension for tunneling DNS.  Unknown frame types and settings MUST be ignored -- the client can start shipping DNS queries on stream 0 speculatively and have them ignored if the server doesn't speak your extension, or wait to see if the server's SETTINGS frame indicates that it supports the extension (after 1 RTT), both without any loss of compatibility or performance (other than extra bytes).  It doesn't get you HTTP/1.x compatibility, but I'm dubious anything you do within that can be done performantly nor is it a long-term pool to hide in.

-----Original Message-----
From: Daniel Kahn Gillmor [mailto:dkg@fifthhorseman.net] 
Sent: Wednesday, May 3, 2017 5:44 PM
To: Martin Thomson <martin.thomson@gmail.com>; Mike Bishop <Michael.Bishop@microsoft.com>
Cc: Patrick McManus <mcmanus@ducksong.com>; HTTP Working Group <ietf-http-wg@w3.org>; DNS Privacy Working Group <dns-privacy@ietf.org>
Subject: Re: Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

On Thu 2017-05-04 10:21:20 +1000, Martin Thomson wrote:
> On 4 May 2017 at 10:14, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
>> It's ALPN.  At first blush, I would pick a different ALPN token for
>> h2+DNS and define it as a new, derivative protocol.
>
> For DKG to realize his goal, every client would have to offer that 
> label.  That's not impossible, nor does it make it a bad choice, but 
> you have to realize that this isn't as good an outcome.

if you're going to define an ALPN label, you might as well just pick "dns" and then do straight DNS-over-TLS with it (no need for in-stream demuxing).  The problem with this approach is that the network monitor can observe which clients are picking "dns" and which ones are picking "http/1.1", which puts you back in the position where the network adversary can trivially hobble DNS-over-TLS requests while permitting HTTPS.

I address this in the draft section "Why not ALPN?" -- if anyone thinks the text there could be improved, i'd be happy to hear suggestions for how to change it.

All the best,

        --dkg

v2.23.0 | Report a Bug | By Email