Re: [dns-privacy] Threat Model

"Livingood, Jason" <Jason_Livingood@comcast.com> Mon, 04 November 2019 17:12 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/KxBFHHrO9s2lY0raRFeeGb8d88I>

In the -01 I added a parenthetical to address this suggestion and later WG discussion. Not sure if we’re there yet so open to specific wording suggestions.
//from GH repo//
# Threat Model and Problem Statement

Currently, potentially privacy-protective protocols such as DoT provide encryption between the user's stub resolver and a recursive resolver. This provides (1) protection from observation of end user DNS queries and responses as well as (2) protection from on-the-wire modification of DNS queries or responses (including potentially forcing a downgrade to an unencrypted communication). Of course, observation and modification are still possible when performed by the recursive resolver, which decrypts queries, serves a response from cache or performs recursion to obtain a response (or synthesizes a response), and then encrypts the response and sends it back to the user's stub resolver.

But observation and modification threats still exist when a recursive resolver must perform DNS recursion, from the root to TLD to authoritative servers. This document specifies requirements for filling those gaps.

From: dns-privacy <dns-privacy-bounces@ietf.org> on behalf of Eric Rescorla <ekr@rtfm.com>
Date: Friday, November 1, 2019 at 2:11 PM
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: [dns-privacy] Threat Model

It seemed like it might be a good idea to take a step back and talk
about threat model to see if we're all on the same page.

The set of threats I am concerned with is primarily about an on-path
active attacker who learns the query stream (i.e., the domains being
queried) coming out of the recursive resolver. It's of course mostly
inevitable that the attacker learns which authoritative servers are
being queried, but I think we can all agree there's still plenty of
information to leak here [0].

In the current DNS, such an attacker can of course just perform a
passive attack by listening to the DNS query traffic. It's possible to
straightforwardly exclude this attack by opportunistically attempting
DoT [1] to the authoritative. However, an active attacker can mount a
downgrade attack on the negotiation, forcing you back to
cleartext. So, unless you have a secure way of:

(1) knowing the expected name of the authoritative for a given query
    and that it supports DoT
(2) verifying that the server you are connecting to actually has
    that name

Then the attacker can just mount a MITM attack on your connections and
collect this data by proxying the traffic to the true authoritative.

Do people agree with this assessment of the situation? Is this form
of attack something they agree should be in scope?

-Ekr

[0] There are of course also integrity issues here, but (1) those
are addressed by DNSSEC and (2) if you solved the active attack
problem, that would provide some measure of integrity for the data.

[1] Or any secure transport such as DoH, DoQ, tcpcrypt, etc.
but given the focus of this group, I'll just say DoT.
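As an added illustration, not code from the draft or from either message, here is a toy model of the scenario Ekr describes: one recursive-to-authoritative query under a passive, a downgrading and a proxying on-path attacker, with the recursive resolver in cleartext, opportunistic or strict mode. Strict mode encodes points (1) and (2) of the message; the server and attacker names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Authoritative:
    """The real authoritative server (constructed; names are illustrative)."""
    name: str             # name its TLS certificate is issued for
    supports_dot: bool    # whether it accepts DoT at all


@dataclass
class Attacker:
    """On-path attacker from the message: passive by default, optionally active."""
    downgrade: bool = False   # blocks the TLS handshake, forcing a fallback
    mitm: bool = False        # terminates TLS itself and proxies to the real server
    observed: List[str] = field(default_factory=list)  # QNAMEs it could read


def resolve(qname: str, server: Authoritative, attacker: Attacker,
            policy: str, expected_name: Optional[str] = None) -> str:
    """Return 'answered' or 'failed' for one recursive-to-authoritative query.

    policy: 'cleartext'      plain UDP/53
            'opportunistic'  try DoT, accept any certificate, fall back silently
            'strict'         require a verified DoT session to expected_name
                             (points (1) and (2) of the message); never fall back
    """
    if policy == "cleartext":
        attacker.observed.append(qname)        # readable by anyone on path
        return "answered"
    tls_up = server.supports_dot and not attacker.downgrade
    # A MITM completes the handshake with a certificate for a name it controls.
    peer_name = "attacker.example" if (tls_up and attacker.mitm) else server.name
    if policy == "strict":
        if not tls_up or peer_name != expected_name:
            return "failed"                    # fail closed: the QNAME never leaves TLS
        return "answered"
    if policy == "opportunistic":
        if not tls_up:
            attacker.observed.append(qname)    # downgraded to cleartext
        elif attacker.mitm:
            attacker.observed.append(qname)    # decrypted at the attacker's proxy
        return "answered"
    raise ValueError(f"unknown policy {policy!r}")
```

The 'failed' rows in strict mode are the availability cost of refusing to fall back; removing them requires learning the authoritative's expected name and DoT support securely out of band, which the model leaves as an input.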