IETF Logo Mail Archive

Re: [dns-privacy] Use of 0-RTT in DNS over QUIC

Christian Huitema <huitema@huitema.net> Sat, 31 July 2021 00:53 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 730743A1B0F for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 17:53:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.112
X-Spam-Level: ***
X-Spam-Status: No, score=3.112 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=5, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LeT_H2-0bsXj for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 17:53:17 -0700 (PDT)
Received: from mx36-out20.antispamcloud.com (mx36-out20.antispamcloud.com [209.126.121.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0E923A1B0E for <dprive@ietf.org>; Fri, 30 Jul 2021 17:53:17 -0700 (PDT)
Received: from xse19.mail2web.com ([66.113.196.19] helo=xse.mail2web.com) by mx135.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m9dFb-00193V-KT for dprive@ietf.org; Sat, 31 Jul 2021 02:53:16 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4Gc5NT64stz2TFP for <dprive@ietf.org>; Fri, 30 Jul 2021 17:53:13 -0700 (PDT)
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m9dFZ-0008E7-MG for dprive@ietf.org; Fri, 30 Jul 2021 17:53:13 -0700
Received: (qmail 21742 invoked from network); 31 Jul 2021 00:53:13 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.253]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dprive@ietf.org>; 31 Jul 2021 00:53:13 -0000
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: Robert Evans <evansr@google.com>, Ben Schwartz <bemasc@google.com>, "dprive@ietf.org" <dprive@ietf.org>
References: <35e1a3d6-1654-4903-7f1b-77685f59a890@huitema.net> <CAHbrMsB5LEFjfO7o+oLm-i8nccDg9DwnAvFa+pnAUKQvkGfbRA@mail.gmail.com> <CAPp9mxJDKSJ+iQiB0RSd71CjRGeKHU=C4TyRnJKCeBNZiurdHQ@mail.gmail.com> <f534eedc-3db7-b770-ba22-1d325ad11658@huitema.net> <CAPp9mxLm2cOxrOX6rCaNLnSbLJ_XqE+G-ZW6Kh9W9u-i+A9VZQ@mail.gmail.com> <a208305f-be69-68b3-898f-b008d1123d12@huitema.net> <20210731003301.GW19992@akamai.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <ae2f017c-4039-4cbc-0c30-fee7efe98ef7@huitema.net>
Date: Fri, 30 Jul 2021 17:53:11 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <20210731003301.GW19992@akamai.com>
Content-Type: multipart/alternative; boundary="------------61E16E46A8E118C2F3F3061C"
Content-Language: en-US
X-Originating-IP: 66.113.196.19
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: ham
X-Spampanel-Outgoing-Evidence: Combined (0.01)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT8+azzBoTYto+dRTWJtk2kVPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5wwIbsUgx3VwKj5vUcMDcmx42UuDhyzVYcwl2RB+0AaeuVy mXVcYbGvqfD12m/JeeQh55uqY3MhMgFAHq5BxPxPXn36fLqvhISQ5ykyqUZqUd1jhnM/Mbva2XLV /LIEzaL2KoAZhJekBPedneT7f699UuS9Bt/28NzUpT//Ljs5DIPAgTtUp75uqlx0KezvZHXmt4KZ 8uof/cFjSibVtemvWQaaSSaRcFTFxaRvADgOuME95bF8tPKjnaWlQ6fjTEeg4CZvTGBeutAohO1y UnDCBSl7YrgCdzbaCwJPCCSougyg4uMaxHP8xQTpohmgJxQ1dHhpUbi1UdTVmV3LL7N9ueszlpij Q8vuNSxljixs9l2PHznFCr1UPjZRtNG50GjfX8TdqEXkwxwMjsp2mNAp23iZ8TJTdK5H0dgUOB1h 85nckpWaLvahyBjmQxBKOzuhP7r/qeCcLfNPkwm2lNnsvr3LBR8rUYXJ4jh62pfHaKqsknzQ1WVE SSlbgJ6e928BIkUL/j1Y48GvmeURQjjEUQSKZxezeBn5RwWu6r/w4zTSzqgNg5/g0xNxToYOItir knqeYMRbPMBU8xBCcHMKHF29j8cA+VxmrdV21v79MGf6J5LiDZAgJQy4WAGaMLIqM56VVlcswDb0 N8Su4voNiwQzKw+6v3CaIMG6s7LqJG5APOk1287nhLB6fAjf/k5G67RoML5sF3N3cOrBcrK4B5EZ NIZurpjKwyWrzpzVmXGor2rCRHNjXOw+F4BOFIuuOb9Em891MoFojkzNkX7wDBzAXU+BUdfH/tED 1m1T+fUf9oDBqtClgM5jH/om1Q5UomG0v+rwIiID/kwKc8V5Tj9+FRkaOS/DNjANmb8tO61SbYdY AwdpaVzHW7wHO7YhEWyJzIkwSFAW0Pw8uiKeubcolFl/rX+2ReQklqJDASQX2Id+W5hjJNcdGs0+ iHjXODmj5PX/tZQU3bYnWKpb
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/PFXj7AVnkIk2w97wQZ8p2sH3m3c>
Subject: Re: [dns-privacy] Use of 0-RTT in DNS over QUIC
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Jul 2021 00:53:23 -0000

On 7/30/2021 5:33 PM, Benjamin Kaduk wrote:
> On Fri, Jul 30, 2021 at 05:21:25PM -0700, Christian Huitema wrote:
>> On 7/30/2021 1:38 PM, Robert Evans wrote:
>>> On Fri, Jul 30, 2021 at 4:02 PM Christian Huitema<huitema@huitema.net>
>>> wrote:
>>>
>>>> I think we have a reasonable guideline here. 0-RTT for QUIC is so
>>>> compelling that clients and servers will still do it, even if we tell them
>>>> not to. So it is better to try provide usage guidelines on how to do that
>>>> safely.
>>>>
>>>> Robert's proposal fall in two categories: some are about embracing 0-RTT
>>>> in order to ensure good performance, like accepting early data and
>>>> ensuring a minimum lifetime of tickets. (With some nits -- you cannot set
>>>> the max_early_data_size to 512 bytes in QUIC, you have to use a QUIC
>>>> transport parameter instead.) Then, some of the recommendations are about
>>>> "try to keep it safe":
>>>>
>>>> 1) Do not accept a client hello that is older than 30 seconds. This would
>>>> limit the efficacy of the replay attacks, because it probably takes at
>>>> least 30 seconds to ensure that the cache is empty. But I am not too sure
>>>> how one tests the lifetime of a client Hello.
>>>>
>>> Seehttps://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/rfc8446*section-8.3__;Iw!!GjvTz_vk!FuZeymeFKUmTSm947f29K29rPi_MMwIRxbdCaDFCCXrRX-J4CThQ7Yx3aAvg4g$  .
>> I see. The proposed mechanism uses the obfuscated_ticket_age, from which the
>> server can deduce the time at which the client sent the ClientHello. That's
>> a good check for cooperating clients, but I do not think that it was
>> designed to control replay attacks. The value is encoded by the client as
>> the sum of the age of the ticket in milliseconds and the ticket_age_add
>> parameter of the ticket. Attackers do not have access to the ticket_age_add
>> value, but they do not need to. They merely need to increment the
>> obfuscated_ticket_age by the delay in milliseconds between capture and
>> replay. I would not recommend relying on that mechanism as a defense against
>> cache probing attacks.
> Wouldn't that break the PSK binder?

Yes it would, of course. And that would indeed prevent replaying the 
0-RTT data. I was wrong.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email