[dns-privacy] ODoH RFC SetupBaseS clarification

Ravi sankar MANTHA <r.mantha@f5.com> Wed, 10 August 2022 08:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/bHGHY_pTuuWyo4DYFnKsJQfznWc>

Hi,


In Section 6.2 of RFC 9230, it's mentioned that SetupBaseS takes only 2 parameters (pkR, "odoh query").

However, reference implementations are indeed using a randomiser from the client side:
enc, ctxI, err := hpke.SetupBaseS(suite, rand.Reader, pkR, []byte(ODOH_LABEL_QUERY))

(https://github.com/cloudflare/odoh-go/blob/7c6d9ff448c53e0e546f2afe915ad9608e11f7bd/odoh.go#L471)

This has an implication on target implementations:

If Targets assume the randomizer is not present in the shared secret derivation, then the Context is unique per Target Public Key, and they may choose not to store/derive it per message per Public Key.

If a random seed is present, then contexts are unique only per message (DNS Query).

So this has an interoperability impact, as Encrypt/Decrypt fails for Query Responses if the wrong shared key/Context is used on the Target side.

IMHO, we might need to clarify this in the RFC, either by updating the pseudocode for SetupBaseS or by adding a note that the Target should derive the shared secret/Context for every oblivious DNS query. Or is it implicit somewhere in the RFC?

Regards,

Ravi Mantha
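The following Go program is an added example illustrating the point raised in this message; it is not the poster's code and not odoh-go's. It sketches the structure of SetupBaseS/SetupBaseR with a DHKEM-style X25519 encapsulation and a plain HKDF-SHA256 derivation (assumptions: the "odoh query" info label, the empty salt and the unlabeled KDF are constructed simplifications, so this is not the RFC 9180 labeled KDF and is not wire-compatible with a real ODoH Target). The randomness the client passes in becomes a fresh ephemeral key pair per call, so the enc value and the shared secret differ for every query even when the Target public key pkR is fixed, and a Target that caches one context per pkR decrypts the next query with the wrong key.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// kdf derives a 32-byte shared secret from the DH output.
// Assumption: empty salt and a constructed "odoh query" info label, a single
// HKDF-Expand block; this is a stand-in for, not a copy of, the RFC 9180 KDF.
func kdf(dh, enc, pkR []byte) []byte {
	extract := hmac.New(sha256.New, nil) // HKDF-Extract with empty salt
	extract.Write(dh)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk) // HKDF-Expand, block counter 0x01
	expand.Write([]byte("odoh query"))
	expand.Write(enc)
	expand.Write(pkR)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// GenerateTargetKey makes the Target's long-term key pair (skR / pkR).
func GenerateTargetKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// Encap is the sender half (what SetupBaseS does internally): the client's
// randomness is consumed to create a fresh ephemeral key pair, whose public
// key is sent as enc. Two calls with the same pkR give different results.
func Encap(pkR *ecdh.PublicKey) (enc, shared []byte, err error) {
	skE, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dh, err := skE.ECDH(pkR)
	if err != nil {
		return nil, nil, err
	}
	enc = skE.PublicKey().Bytes()
	return enc, kdf(dh, enc, pkR.Bytes()), nil
}

// Decap is the Target half (SetupBaseR): the shared secret is recoverable
// only from the enc carried in that specific message, not from pkR alone.
func Decap(skR *ecdh.PrivateKey, enc []byte) ([]byte, error) {
	pkE, err := ecdh.X25519().NewPublicKey(enc)
	if err != nil {
		return nil, err
	}
	dh, err := skR.ECDH(pkE)
	if err != nil {
		return nil, err
	}
	return kdf(dh, enc, skR.PublicKey().Bytes()), nil
}

// CheckPerMessageContext sends two queries to one Target key and reports
// (secretsDiffer, cachedContextWorks, freshContextWorks): a Target that keeps
// the context derived from query 1 and reuses it for query 2 holds the wrong
// key, while deriving a context per message matches the sender.
func CheckPerMessageContext() (bool, bool, bool, error) {
	skR, err := GenerateTargetKey()
	if err != nil {
		return false, false, false, err
	}
	pkR := skR.PublicKey()
	enc1, s1, err := Encap(pkR)
	if err != nil {
		return false, false, false, err
	}
	_, s2, err := Encap(pkR)
	if err != nil {
		return false, false, false, err
	}
	enc2, s2, err := Encap(pkR)
	if err != nil {
		return false, false, false, err
	}
	cached, err := Decap(skR, enc1) // context derived once, from the first query
	if err != nil {
		return false, false, false, err
	}
	fresh, err := Decap(skR, enc2) // context derived again for the second query
	if err != nil {
		return false, false, false, err
	}
	return !bytes.Equal(s1, s2), bytes.Equal(cached, s2), bytes.Equal(fresh, s2), nil
}

func main() {
	differ, cached, fresh, err := CheckPerMessageContext()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("secrets differ per query: %v\n", differ)
	fmt.Printf("cached per-pkR context decrypts query 2: %v\n", cached)
	fmt.Printf("per-message context decrypts query 2: %v\n", fresh)
}
```

The program exercises the Target's decision point from the message above: with Encap drawing an ephemeral key from rand.Reader, the only context that decrypts a query is the one derived from that query's own enc, so a Target implementation must run its SetupBaseR-equivalent for every oblivious DNS query rather than once per public key.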