Re: [dns-privacy] Eric Rescorla's Discuss on draft-ietf-dprive-dtls-and-tls-profiles-09: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Mon, 08 May 2017 12:02 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C99A412944C for <dns-privacy@ietfa.amsl.com>; Mon, 8 May 2017 05:02:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zZc5niTTZrzX for <dns-privacy@ietfa.amsl.com>; Mon, 8 May 2017 05:02:33 -0700 (PDT)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E99F129449 for <dns-privacy@ietf.org>; Mon, 8 May 2017 05:02:30 -0700 (PDT)
Received: by mail-yw0-x22b.google.com with SMTP id l135so27924544ywb.2 for <dns-privacy@ietf.org>; Mon, 08 May 2017 05:02:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=GVRbBLePxwsjxscTuUJzh/0cjuyVYDi3uCElKcb8jBg=; b=NW/3ShZCJ2/kytIqDVToMgx+FX198DVJ8vX2xXZ3iyMDAa22teQu1lMbvWSXigbpWV 7lNSSluChX24rFM3HcyJPl/CwrWQW5D5YH0jwgaRnTb7uJ8LoahKMLTD6tQrWMYFVoA2 CNxGDlGHyaNozOAacJ+5iEQohOm0ekwsV24sG8RvPRuCkMn3r/To8zGaQojeUPCfIlZ6 T40rB576UVDapvt091H3W+jXFfYU19+XhAGrbcDl0HK3mSTD8tDrFxjG/Zev80atjNQi eow2EDbLoQeESKBtvncwfJDstOunWYJxDcY3O9Is8Cn1tQJ5PeTHDD7ySoz3909/o8wG 2FUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=GVRbBLePxwsjxscTuUJzh/0cjuyVYDi3uCElKcb8jBg=; b=CfebRowzym3f++e9Er0dFpdx01x7t080wUeSuVnkYSEjr/ZaEYk1boKA/LlBZkt/Sa TYVcyUkJ3RNUnoeJXyTDJQepjP1eBjh9/wyo4ZflLQwfPSoDjU0RphUfCTRUhnLFg5s5 aPIbcwBO7X1q5U/4bAiSZ5Q8nlnu96cb4HZ5Ql33Z+wRS4wVhEsJSB0sMHKrwFybKjz4 MvNKEjcdccTn5fiEcCUVU20Wr7pIdID2snXRnlbXoEjavIjOcyafcb+ZsbCv/Iz8qe/z 2FKZNNov9lIFbUkZH8GuNr/nje64BfJ+T1biG3kGXvi2nvAVAswOqN6ccYnIaemdanGM bevg==
X-Gm-Message-State: AODbwcBA6oFWUX0gyaN8qGg7FXuTOsp9SGTr48qnaPNZU6Hnzy2FxZN3 BDEbEq4wv0eddnaSpf3rb8fDgyY1+w==
X-Received: by 10.129.85.83 with SMTP id j80mr11859784ywb.283.1494244949850; Mon, 08 May 2017 05:02:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Mon, 8 May 2017 05:01:49 -0700 (PDT)
In-Reply-To: <79402B6C-B8FB-4115-AB12-9943FF585D21@sinodun.com>
References: <149410267259.23107.8936430130975036477.idtracker@ietfa.amsl.com> <79402B6C-B8FB-4115-AB12-9943FF585D21@sinodun.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 08 May 2017 05:01:49 -0700
Message-ID: <CABcZeBPcVqUNor-9NOSBQ+XcqD9N28d90qYpQsPzE3L4nrPvYQ@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-dtls-and-tls-profiles@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dprive-chairs@ietf.org, dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="001a113f3cbe719b18054f020379"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/NRD5Rliakprenhgsg114u-D3T0I>
Subject: Re: [dns-privacy] Eric Rescorla's Discuss on draft-ietf-dprive-dtls-and-tls-profiles-09: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 May 2017 12:02:36 -0000
On Mon, May 8, 2017 at 1:21 AM, Sara Dickinson <sara@sinodun.com> wrote: > > On 6 May 2017, at 21:31, Eric Rescorla <ekr@rtfm.com> wrote: > > Eric Rescorla has entered the following ballot position for > draft-ietf-dprive-dtls-and-tls-profiles-09: Discuss > > > Many thanks for the review. > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > S 9 mandates RFC 7250: > o Raw public keys [RFC7250] which reduce the size of the > ServerHello, and can be used by servers that cannot obtain > certificates (e.g., DNS servers on private networks). > > This needs to be updated to indicate that the client MUST NOT > offer 7250 unless it has a preconfigured SPKI, otherwise > you're going to have interop problems. > > > Agreed. > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > TECHNICAL > S 5. > subsequently connect. The rationale for this is that requiring > Strict Privacy for such meta queries would introduce significant > deployment obstacles. This profile provides strong privacy > guarantees to the client. This Profile is discussed in detail in > Section 6.6. > > This point seems unclear. If you do these queries unprotected, then > you don't have strong privacy guarantees. I think you mean that > you get them via some trusted mechanism such as DHCP. > > > No, we mean they could be done either via Opportunistic lookups or DHCP > (see table 2.) > The meta queries contain no information about what DNS lookups the client > is doing other than what DNS Privacy server they are going to use to do > their queries. But you are correct that the ‘strong privacy guarentees’ > apply only to the subsequent queries to the Privacy server and the text > should be updated to clarify that. > Well, per my previous comment, I think you need to focus on the entire strategy. I.e., if you determine whether to adopt a Strict policy based on Opportunistic queries, then you are back to the active attack setting. I don't have a problem with your design here, which seems to be about as good as one can do; I'm just trying to make sure the description is accurate... Table 1 seems to have N and D paired, so maybe you can coalesce them? > > > That specific question was asked on the WG mailing list and the answer was > ‘no, please keep both’: > https://www.ietf.org/mail-archive/web/dns-privacy/current/msg01541.html > OK. Perhaps add some text that theya re paired S 6.4. > A DNS client that is configured with both an authentication domain > name and a SPKI pinset for a DNS server SHOULD match on both a valid > credential for the authentication domain name and a valid SPKI > pinset > (if both are available) when connecting to that DNS server. The > overall authentication result should only be considered successful > if > both authentication mechanisms are successful. > > You should cover the topic of user-defined trust anchors. Here's the > relevant text from 7469: > > For example, a UA may disable Pin Validation for Pinned Hosts whose > validated certificate chain terminates at a user-defined trust > anchor, rather than a trust anchor built-in to the UA (or underlying > platform). > > > We purposely avoided adding any details on the SPKI mechanisms in this > document because this document simply refers to RFC7585 which then directly > references RFC7469. But if you think this is needed here also then I’ll add > it. > The concern I have is that this guidance seems to implicitly contradict the guidance from 7469. So I think you should either just say that if you have both you treat it like a 7469 pin, or say something like "successful, with the possible exception of certificates which chain to local trust anchors, as described in..." Or, alternately really prohibit this. Also, should -> SHOULD. > > > EDITORIAL > Do you want to cite TLS 1.3 at this point? > > > Early on we chose not to include a normative reference to the TLS 1.3 > draft to avoid the dependancy on that becoming an RFC but are you > suggesting we do that now or just include an informative reference? > I would think at least an informative reference would be useful. Do you think Section 9 the right place to talk about TLS 1.3 in general or > do you feel there are specific points to made elsewhere in the text? > 1.3 has pretty much the same properties here, so I think you might just cite 1.3 and make it informative. I'm not sure what the right actual mechanics are here, but surely such a thing is possible. > S 3. > o Any server identifier other than domain names, including IP > address, organizational name, country of origin, etc. > > addresses, names, for parallel structure with domain names > > > Ack. > > > > S 9. > There are known attacks on (D)TLS, such as machine-in-the-middle and > protocol downgrade. These are general attacks on (D)TLS and not > specific to DNS-over-TLS; please refer to the (D)TLS RFCs for > discussion of these security issues. > > This text seems pretty unhelpful. Given that you are specifying 1.2, > if you also require the relevant strong algorithms, then there should > not be downgrade or MITM attacks. > > > How about moving the justification later in the section: > > “ Clients and servers MUST adhere to the (D)TLS implementation > recommendations and security considerations of [RFC7525] except with > respect to (D)TLS version. > > Since encryption of DNS using (D)TLS is a green-field deployment DNS > clients and servers MUST implement only (D)TLS 1.2 or later. > > These requirements ensure mitigation against known attacks on > (D)TLS, such as machine-in-the-middle and > protocol downgrade. These are general attacks on (D)TLS and not > specific to DNS-over-TLS.” > My complaint is that this seems kinda FUDdy. If there are things that you think people ought to do other than those in 7525, you ought to say them. -Ekr
- [dns-privacy] Eric Rescorla's Discuss on draft-ie… Eric Rescorla
- Re: [dns-privacy] Eric Rescorla's Discuss on draf… Sara Dickinson
- Re: [dns-privacy] Eric Rescorla's Discuss on draf… Eric Rescorla
- Re: [dns-privacy] Eric Rescorla's Discuss on draf… Kathleen Moriarty
- Re: [dns-privacy] Eric Rescorla's Discuss on draf… Sara Dickinson
- Re: [dns-privacy] Eric Rescorla's Discuss on draf… Eric Rescorla