IETF Logo Mail Archive

Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)

Adam Roach <adam@nostrum.com> Thu, 06 February 2020 20:58 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55164120832 for <dns-privacy@ietfa.amsl.com>; Thu, 6 Feb 2020 12:58:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.403
X-Spam-Level:
X-Spam-Status: No, score=-1.403 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.275, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0jRi_QFM98I0 for <dns-privacy@ietfa.amsl.com>; Thu, 6 Feb 2020 12:58:03 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12CF112081C for <dns-privacy@ietf.org>; Thu, 6 Feb 2020 12:58:02 -0800 (PST)
Received: from Zephyrus.local (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id 016KvwG4060786 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 6 Feb 2020 14:58:00 -0600 (CST) (envelope-from adam@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1581022681; bh=CUQ9XrBr6qOWArc30eFUrvw+SZX2OMKUDuiQiOv9ndI=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=OOeuxOvVZw6+oWb+iij51H295Nd3DwroJktmFgdGd+s5PM8tNmcfTBdyPRKS7krte czAoI8hKQsmNR5qiLZaL05SKSSYExIRRCEFsqBdiLrYLSlYOc17dael+pmdSFSuY9F WAP7W4ZNbxqkBEjSrPyM/2EHJDuYVQakuxwvXQNw=
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Zephyrus.local
To: Brian Dickson <brian.peter.dickson@gmail.com>, Eric Rescorla <ekr@rtfm.com>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, draft-ietf-dprive-bcp-op@ietf.org, dprive-chairs@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>, The IESG <iesg@ietf.org>
References: <158096547226.30514.2103023305468871108.idtracker@ietfa.amsl.com> <CAH1iCiqLwP8UOJe_vWQAr7iu8j7LF2Y4+386XNimM+3wJ-2RzQ@mail.gmail.com> <9fe99917-347b-ab79-7a9c-3e8da67a5246@nostrum.com> <364cf548-9114-fcb3-52b6-a73be08b55c4@nostrum.com> <CAH1iCirzvzQUAcbctzC4Bete_mDicT7MYJL5vnaSFZnVNAUbPg@mail.gmail.com> <9104d41b-2c78-0216-3262-4ed50f389ea7@nostrum.com> <CABcZeBMF2CT--gdKNuVWw+e8CvLYjL3yX0YtMj54CQBvdZ0o0A@mail.gmail.com> <CAH1iCirLPsLX-OebLxKTfR4FDXaejcNy+TONw5FuLP2_r6GBOw@mail.gmail.com> <CABcZeBPkLaFB5fv6WigJmY9QhOJnJf3YwrmooN0BRbm8fKxLog@mail.gmail.com> <CAH1iCiq555QF=we5moHBStmCRsJ_kZ=hzYacJ=GYSKvcqEBcvA@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <fd597abc-2994-aa97-0b7d-f34b51cd4be6@nostrum.com>
Date: Thu, 06 Feb 2020 14:57:53 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <CAH1iCiq555QF=we5moHBStmCRsJ_kZ=hzYacJ=GYSKvcqEBcvA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------A9EF4AA0F849961690D0B0C0"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/KoaDUCkMPHRBuYdKsjA2MF2fTSI>
Subject: Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2020 20:58:05 -0000

This is really getting off into the weeds.

Brian -- a lot of your assertions seem to be predicated on some 
underlying assumption that WebPKI is worthless or nearly worthless. Can 
you clarify whether that's your stance?

/a

On 2/6/20 14:44, Brian Dickson wrote:
>
>
> On Thu, Feb 6, 2020 at 12:08 PM Eric Rescorla <ekr@rtfm.com 
> <mailto:ekr@rtfm.com>> wrote:
>
>
>
>     On Thu, Feb 6, 2020 at 12:04 PM Brian Dickson
>     <brian.peter.dickson@gmail.com
>     <mailto:brian.peter.dickson@gmail.com>> wrote:
>
>         Top-top-top reply:
>         The Internet Threat Model you are using for web client-server
>         is fine.
>         However, for DNS, that is the wrong threat model, for several
>         reasons.
>
>           * The threat for DNS cache poisoning is
>             recursive-to-authoritative, not client-recursive(resolver)
>           * The DNS path will not generally be related to the data
>             path, and for any parent zone, almost certainly will be
>             totally unrelated
>           * DNS recursive-to-authoritative is UDP
>           * UDP DNS does not require that the attacker be on-path
>           * Compromise of DNS caches via poisoning (by potentially
>             off-path attackers) leading to compromise of user data is
>             not exaggerated.
>           * The compromise risk is per-cache, as well as
>             per-authority-server and/or per-DNS record.
>
>
>     First, all of these are just consequences of the 3552 "attacker
>     completely controls the network" threat model.
>
>
> Sorry, I'm not clear on what this statement means in this context, or 
> what the implication of this should be inferred as being.
>
> Are you saying:
>
>   * It should be assumed (per the threat model) that any/every
>     attacker completely controls every network segment everywhere?
>   * or, that only attackers who DO control some specific network
>     segment are a threat?
>
> These have vastly different implications, clearly.
> If the first one is the case, are you conceding the precondition, that 
> attackers can poison DNS caches arbitrarily, by manipulating all DNS 
> traffic? If so, that argues in favor of DNSSEC validation by the 
> resolver in all cases, as that is the only way the attack can be blocked.
>
> If the second one is the case, the bullet points you quote, contradict 
> that assertion. Specifically, that off-path attackers do not need to 
> control any network segment (let alone all network segments), to 
> successfully poison a DNS cache. This also argues in favor of DNSSEC 
> validation.
>
> If you mean something else, could you explain what you mean?
>
>
>     Second, the text in question is about the effect of attacks on DNS
>     on the Web "Users may be directed to bogus IP addresses for e.g.
>     websites where they might reveal personal information to attackers."
>
>
> Correct, and I don't see anything you say here refuting the concern 
> over DNS cache poisoning attacks, which result in bogus IP addresses 
> directing users to malicious servers, etc.
>
> If users are sent to the wrong IP address, this substantially weakens 
> the argument that WebPKI is sufficient protection.
>
> Why are CLR and/or OCSP needed, if not to respond to compromised 
> certificates (meaning leaked private keys)?
>
> Am I missing something about WebPKI, beyond the private key proof of 
> possession model?
> (Everything else about WebPKI is about validating the requestor's 
> authority and identity, but that is all orthogonal to key control.)
>
> A web server using a compromised key is only ever going to be visible 
> to a (potential) victim, and never to third parties including the 
> legitimate certificate holder, except incidentally to operation of the 
> rogue server.
>
> Brian
>
>     -Ekr
>
>
>         I haven't written up the details of the more effective cache
>         poisoning attacks, but have been sharing summary information
>         for several years now.
>         (The underlying issue is IP fragmentation of UDP packets. This
>         is one of the contributing factors that the DNS Flag Day for
>         2020 will include recommendations/requirements to not fragment.)
>
>         I'd be willing to write up those more effective attacks,
>         including a PoC, but that won't likely happen for a few months.
>
>         Brian
>
>         On Thu, Feb 6, 2020 at 11:22 AM Eric Rescorla <ekr@rtfm.com
>         <mailto:ekr@rtfm.com>> wrote:
>
>             Thanks. I am just looking at this text, and I think it's
>             inappropriate. To recap something I seem to be saying a
>             lot lately, the Internet Threat Model assumes a
>             Dolev-Yao-style attacker who controls the network between
>             the client and the server. TLS is designed to be secure in
>             this environment, and while the WebPKi is imperfect,
>             suggesting that compromise of local DNS lookups leads to
>             compromise of user data seems exaggerated, at least in the
>             case of Web traffic.
>
>             -Ekr
>
>
>             On Thu, Feb 6, 2020 at 10:22 AM Adam Roach
>             <adam@nostrum.com <mailto:adam@nostrum.com>> wrote:
>
>                 Top-posting because I agree with the facts as you
>                 present them. I just reach a different conclusion
>                 based on these facts. To be clear, I think a
>                 belt-and-suspenders approach is generally preferable.
>                 I am merely suggesting that the "must" statement I
>                 cite may be stronger than is actually advisable given
>                 that such an approach is merely a small increment of
>                 security for protocols that are otherwise secured
>                 (e.g., HTTP, which is the example the document
>                 chooses), rather than the sole defense, as may be the
>                 case with other protocols.
>
>                 My top-line suggestion here is to choose a different
>                 example than HTTP.
>
>                 Secondary to that is a suggestion that the "must"
>                 statement really only makes sense when it is a sole
>                 counter-measure, and that a softer recommendation
>                 ("should") makes more sense otherwise.
>
>                 These are non-blocking comments, so I'm going to
>                 reiterate that the WG can ignore them -- I just wanted
>                 to make sure they were considered. It would be nice to
>                 hear from other folks on the topic as well.
>
>                 /a
>
>                 On 2/6/20 11:57, Brian Dickson wrote:
>>
>>
>>                 On Thu, Feb 6, 2020 at 9:31 AM Adam Roach
>>                 <adam@nostrum.com <mailto:adam@nostrum.com>> wrote:
>>
>>                     On 2/6/20 09:08, Adam Roach wrote:
>>                     >
>>                     > For the specific example chosen, it's been made
>>                     pretty clear over the
>>                     > years that at least the clients for the
>>                     specific service you cite have
>>                     > no interest in incurring this additional cost.
>>                     If that's the working
>>                     > group consensus, then I have no interest in
>>                     over-riding it. But
>>                     > ignoring operational realities seems kind of
>>                     ivory tower-ish, which
>>                     > feels like the kind of thing that undermines
>>                     the general credibility
>>                     > of the rest of the document.
>>                     >
>>
>>
>>                 Could you please be more specific?
>>
>>                 When you say "for the specific service", do you mean
>>                 DNSSEC?
>>
>>                 And do you mean the signing of DNS zones using
>>                 DNSSEC, when you refer to clients of that service?
>>
>>                 Perhaps you missed my microphone comments at the last
>>                 IETF?
>>
>>                 Specifically that GoDaddy will be turning on DNSSEC
>>                 for the vast majority of its DNS hosting customers?
>>
>>                 This represents about 40% of the DNS zones on the
>>                 Internet.
>>                 (The exact time frame is not set in stone, but we
>>                 expect this to be done in the first half of 2020.)
>>
>>                 Given that this significantly alters the calculus, I
>>                 don't think that is a good enough reason to object in
>>                 and of itself anymore.
>>
>>                 The other aspect of this is the asymmetry involved in
>>                 the defenses against impersonation:
>>
>>                   * The choice to sign a DNS zone is under control of
>>                     the zone owner
>>                   * The choice to deploy RPKI on routes (to protect
>>                     against BGP hijacking) is under control of the IP
>>                     prefix holder
>>                   * Both methods rely on third parties to cooperate
>>                     to achieve the protections offered
>>                   * RPKI routing filters are now widely deployed, and
>>                     RPKI registrations are substantial
>>                   * The remaining issue is DNSSEC validation; many
>>                     (most?) of the public recursive operators do this
>>                     already
>>
>>                 The logic should be, defend against all feasible
>>                 attacks, rather than justifying the non-defense in
>>                 one area (DNSSEC for DNS) based on the assertion that
>>                 another area is not being defended (RPKI for BGP).
>>
>>                 Brian
>>
>>
>>                     I realize that my editing made one of the pronoun
>>                     antecedents here go
>>                     away. The second sentence should have said
>>                     something more like "If
>>                     keeping the current text is the working group
>>                     consensus..."
>>
>>                     /a
>>
>
>                 _______________________________________________
>                 dns-privacy mailing list
>                 dns-privacy@ietf.org <mailto:dns-privacy@ietf.org>
>                 https://www.ietf.org/mailman/listinfo/dns-privacy
>

v2.23.0 | Report a Bug | By Email