IETF Logo Mail Archive

Re: [dns-privacy] Use of separate caches for plain and secure transports

Warren Kumari <warren@kumari.net> Mon, 17 December 2018 21:33 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E269129AB8 for <dns-privacy@ietfa.amsl.com>; Mon, 17 Dec 2018 13:33:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.359
X-Spam-Level:
X-Spam-Status: No, score=-3.359 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FXhcXmHaSSp7 for <dns-privacy@ietfa.amsl.com>; Mon, 17 Dec 2018 13:33:47 -0800 (PST)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 549A8126C01 for <dns-privacy@ietf.org>; Mon, 17 Dec 2018 13:33:47 -0800 (PST)
Received: by mail-wr1-x431.google.com with SMTP id j2so13841644wrw.1 for <dns-privacy@ietf.org>; Mon, 17 Dec 2018 13:33:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Fz3gH7r6Gl3BG/+HnxY/qbQzjk9JygiaNsOZnrEOLR4=; b=mZPPNa47tcMKhc3ILmnU9Dd8amSthisM84tjvfO3wLUUWBaCOFDlmHHXKWWDT7o7F8 keqkqH3kxNm9CdMWwDHuZ48wKnA0QdLrkO5GZB/IJJWskxXMHykVAjkPElwRoFcgsjA0 0GGUfi7FdspuG5+Svx3l6cLWNiAxjRpojW3foeq8M4h79BWfh70alZSYly5qzdpd3vpd oD+Q/KBTkPVXJ4rSdLYofYZkctcgsJy/TdNSa7PaS70QuAThLMuRKz0CayYeVtUGDQ8I eXTEnINqwqNBFk+ctWYT7snEbrewZIuumagP9O8+4rKECzIkzR6iLU/wGNPbFd83KXgk RZ0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Fz3gH7r6Gl3BG/+HnxY/qbQzjk9JygiaNsOZnrEOLR4=; b=ch9rCCa6wzducD4k29duSTii4Rm8KiIGChmWHQJDAt6PyIOUCs1p9V5sLZZzInP9x6 P0F/YkCQm2fGAIy+6Xzf28QOjXs7nDrMQ4rrwGqIkeqYH6Q+L3VINF/Iz0l8SXx8dLuD +JaOuPPX461/vYJhpgfBW6DDIZcswTKtigparsDRLYv1y8+jvkfC3QZHUhBbRx1ILmkI 8TWZ6CMu9X0GQpa4OhieKLIMeGZH2gv8bsHm8Bz9GmyGmZNpp5iPC8uC8mZSHLOjnREn ZkENnzW8461e407ZLtVJOcbVDaQF8RkTUSnVocPs4XAWDIB34LJkVcaV3eMo+xuRgV8+ TLCw==
X-Gm-Message-State: AA+aEWZbiOL3DQON7HJqMNpJD4bhyQUj4bRaZahcZKG9CGZlU4FNpWLD UhTdify60s9CIVYx++kV//aR0BV5F4MrIpq2wQHNgw==
X-Google-Smtp-Source: AFSGD/Vr+OWp8s/0CBZj3b9ZY+m5t+jDJ1VxPCeEtUFWuuZ9qxz8a7w19gppKXwJCV/HnxnGW3uLcwgXyGOmNxE6wHo=
X-Received: by 2002:adf:f101:: with SMTP id r1mr12441566wro.32.1545082425423; Mon, 17 Dec 2018 13:33:45 -0800 (PST)
MIME-Version: 1.0
References: <20181211054339.GC11647@jurassic.lan.banu.com> <871s6l43za.fsf@fifthhorseman.net> <20181213205828.GB24089@jurassic.lan.banu.com> <87sgz12jw6.fsf@fifthhorseman.net> <yblwoocosh7.fsf@w7.hardakers.net> <e7026ae4-afa2-4ebf-b885-ea085df62ff3@Spark> <87a7l73l9m.fsf@fifthhorseman.net> <fe8eda34-bab0-4edd-800f-f7e004d8ac4f@Spark>
In-Reply-To: <fe8eda34-bab0-4edd-800f-f7e004d8ac4f@Spark>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 17 Dec 2018 16:33:08 -0500
Message-ID: <CAHw9_i+xxgAqHgtSwBKE9XGfmyzbzKRftgmgCUZSn_cgedF3zQ@mail.gmail.com>
To: christopherwood07@gmail.com
Cc: Wes Hardaker <wes@hardakers.net>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, dns-privacy@ietf.org, muks@mukund.org
Content-Type: multipart/alternative; boundary="0000000000001dc2d4057d3e892c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Rym_q9-XCdTHPdAlaPl35qAlEvg>
Subject: Re: [dns-privacy] Use of separate caches for plain and secure transports
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Dec 2018 21:33:50 -0000

On Fri, Dec 14, 2018 at 4:05 PM Christopher Wood <
christopherwood07@gmail.com> wrote:

> On Dec 14, 2018, 12:29 PM -0800, Daniel Kahn Gillmor <
> dkg@fifthhorseman.net>, wrote:
>
> On Fri 2018-12-14 11:47:58 -0800, Christopher Wood wrote:
>
> On Dec 14, 2018, 10:47 AM -0800, Wes Hardaker <wes@hardakers.net>, wrote:
>
> [And, no, we shouldn't go down the road of "privacy requires you disable
> the cache"]
>
>
> Would you mind elaborating on this comment? As you observe, caches are
> harmful to privacy. Refusal to disable the cache in any (?)
> circumstance therefore seems dismissive of user privacy. Perhaps you
> mean turning it off for every query is not a viable path forward?
>
>
> I hope Wes will answer this question on his own, but i wanted to note
> that privacy is not only harmed by caches. it can also be helped by
> caches.
>
> A query for any name will typically radiate *less* information into the
> world if it's answered from a cache, simply because the resolver in
> question doesn't create additional traffic.
>
> In particular, if the cache is already well-populated, and queries are
> padded appropriately, and the name is relatively likely to be in-cache,
> then the only parties that know what was looked up are the client and
> the resolver itself. No authoritative servers or network observers have
> any additional information to distinguish the query from any other
> cache-resolved query handled by the resolver.
>
> So i don't think caching itself offers a clear benefit or harm for
> privacy. One advantage of a resolver is that it effectively acts as a
> mixing/semi-anonymizing agent on behalf of its users. Assuming that the
> resolver itself is not compromised, it can buffer its users from the
> authoritative servers.
>
>
> Yes, of course, thanks for clarifying the other piece of this puzzle! This
> is indeed a benefit. However, I am not convinced this yields a greater net
> benefit than disabling caching. (I am not aware of any such study or
> analysis on this problem.) That said, all of this depends entirely upon the
> threat model, which can vary greatly.
>

If you disable the cache, and can see that there is an (encrypted) input
query and then immediately an (encrypted) output query to 208.80.154.238 (
ns0.wikimedia.org) you know with very high likelihood what input query was
for.
If you have a shared cache, there is a much higher likelihood that the
input query gets answered from cache (especially for higher popularity
names) and so there is no output query to correlate with. Techniques which
refresh the cache before the TTL has expired (al la HAMMER) further thwart
correlation attacks.

W




>
> Best,
> Chris
>
>
> --dkg
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

v2.23.0 | Report a Bug | By Email