IETF Logo Mail Archive

Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding

Sara Dickinson <sara@sinodun.com> Wed, 05 August 2015 16:50 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63C231A6F15 for <dns-privacy@ietfa.amsl.com>; Wed, 5 Aug 2015 09:50:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.2
X-Spam-Level:
X-Spam-Status: No, score=-1.2 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dDW2ka0B-EDe for <dns-privacy@ietfa.amsl.com>; Wed, 5 Aug 2015 09:50:48 -0700 (PDT)
Received: from shcp01.hosting.zen.net.uk (shcp01.hosting.zen.net.uk [88.98.24.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C649E1A6FE7 for <dns-privacy@ietf.org>; Wed, 5 Aug 2015 09:50:47 -0700 (PDT)
Received: from [62.232.251.194] (port=21317 helo=virgo.sinodun.com) by shcp01.hosting.zen.net.uk with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85) (envelope-from <sara@sinodun.com>) id 1ZN1tq-0006Po-U1 for dns-privacy@ietf.org; Wed, 05 Aug 2015 17:50:44 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <55B91616.9050502@cs.tcd.ie>
Date: Wed, 05 Aug 2015 17:50:44 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <CEC37867-D160-475E-AF32-B1C0B089964F@sinodun.com>
References: <19F54F2956911544A32543B8A9BDE075468A9354@NICS-EXCH2.sbg.nic.at> <4B26F2B2-AA67-492B-9855-30F8ABF38AF9@vpnc.org> <877fpjgcfo.fsf@alice.fifthhorseman.net> <C1BD472D-318A-49D6-A30C-AF7C788B8CCF@vpnc.org> <55B911FD.8000407@cs.tcd.ie> <42B98315-47C1-4560-A192-F575729E1F25@vpnc.org> <55B91616.9050502@cs.tcd.ie>
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
X-Mailer: Apple Mail (2.2102)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shcp01.hosting.zen.net.uk
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - sinodun.com
X-Get-Message-Sender-Via: shcp01.hosting.zen.net.uk: authenticated_id: sara+sinodun.com/only user confirmed/virtual account not confirmed
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/VBNAF_KxShvLZjuTXY9pRiBiqJU>
Subject: Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 16:50:53 -0000

> On 29 Jul 2015, at 13:28, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
> 
> Hi,
> 
> I'm working through my notes from the DPRIVE session regarding the EDNS0 Padding option. My takeaway was as follows:
> 
> - Generally, this seems to be a reasonable idea

I support this draft and would like to see it move forward.

> On 29 Jul 2015, at 17:23, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> 
>>> - Besides the use to evade size-based message correlation, this could 
>>> also be useful in other cases, eg. "proof of work" for clients when 
>>> requesting larger packets (Peter K.)
>> 
>> This is possibly a bad idea. In the IPsecME WG, we have had an active 
>> work item on proof-of-work for clients to prevent DDoS, with lots of 
>> good discussion on how to do it, and we're probably going to only leave 
>> it as an Experimental document. In summary, adding proof-of-work hurts 
>> the group you care most about, namely clients on small machines.
> 
> I agree with Paul here that conflating padding with proof-of-work seems
> like a bad idea.  

+1

> On 29 Jul 2015, at 19:06, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> On 29/07/15 19:00, Paul Hoffman wrote:
>> On 29 Jul 2015, at 10:48, Stephen Farrell wrote:
>> 
>> We are not defining an API, so there is no way for the application layer
>> to know what it is running under.
> 
> Eh? There may be some implementations like that but I'd be very
> surprised if, when dprive is done, most implementations don't have
> an is_doing_dprive() call they can make use of in application
> layer code.

I don’t see this as a problem either. There is already coupling between the transport and the content of the DNS message (TC=1) and other EDNS0 options are transport dependent (STARTTLS, edns-tcp-keepalive). 

> On 29 Jul 2015, at 15:12, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
>> But we don't actually have a centre of expertise about effective
>> padding so I can see why you suggest CFRG. Ideas as to how to try
>> foster/create such a thing would be welcome. Mostly I think the
>> hard part there will be to attract the few folks who know about
>> this topic and are willing to work on it openly.
> 
> Agree. However, we are not in a rush on this (we haven't even agreed on TLS / DTLS), so having the discussion about where to pad before we blindly start padding in DNS.

But…  we do have running DNS-over-TLS code that we could improve today with padding. We do have operators interested in deploying DNS-over-TLS services. I think a good way to gather data on padding is to implement this option, but possibly with the ‘use with caution’ caveat suggested. 

Sara.

v2.23.0 | Report a Bug | By Email