Re: [dns-privacy] Eric Rescorla's Discuss on draft-ietf-dprive-dtls-and-tls-profiles-09: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Fri, 11 August 2017 13:26 UTC

In-Reply-To: <79402B6C-B8FB-4115-AB12-9943FF585D21@sinodun.com>
References: <149410267259.23107.8936430130975036477.idtracker@ietfa.amsl.com> <79402B6C-B8FB-4115-AB12-9943FF585D21@sinodun.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 11 Aug 2017 06:25:47 -0700
Message-ID: <CABcZeBP5S73tbbVWgRthsXsK4JGNFBhYv8ewhDaaFU3yVekYbg@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-dtls-and-tls-profiles@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dprive-chairs@ietf.org, dns-privacy@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/VROxsmFjCVxlF74LmOYnLne3UKc>
Subject: Re: [dns-privacy] Eric Rescorla's Discuss on draft-ietf-dprive-dtls-and-tls-profiles-09: (with DISCUSS and COMMENT)

On Mon, May 8, 2017 at 1:21 AM, Sara Dickinson <sara@sinodun.com> wrote:

I've reviewed the diff:

1. The bit about meta queries still seems kind of muddled. If you do an
unauthenticated meta query to get the IP and then use that to do strict
queries for the actual data, you suggest that that offers a DoS attack (if
the attacker gives a bogus response), but couldn't they just inject an
unverifiable response if you did it in strict mode? Also, doesn't it
introduce a possibility of amplification: the attacker sends the client the
IP of some victim and now the client sends multiple packets to that victim
(as it retries).

2. I don't think the "limited or no mitigation" text in S 1 is right for
opportunistic. Rather, it provides defense against passive attacks but not
active ones. Note that an HSTS-like mechanism would provide more here....


>      widespread adoption of Strict Privacy.  It should be employed when
>      the DNS client might otherwise settle for cleartext; it provides
>      the maximum protection available.
>
> I don't think this statement is accurate. It provides the best
> protection that the attacker will allow.
>
> Agreed - will update.
>

I don't think the parenthetical quite does the job here. The point is that
it provides protection against passive attackers but not active ones.

> Table 1 seems to have N and D paired, so maybe you can coalesce them?
>
>
> That specific question was asked on the WG mailing list and the answer was
> ‘no, please keep both’:
> https://www.ietf.org/mail-archive/web/dns-privacy/current/msg01541.html
>

OK.

-Ekr
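To make point 2 of the message concrete, here is an added toy model (not code from the draft, from Eric Rescorla or from Sara Dickinson) of how the Strict and Opportunistic profiles fare against a passive observer versus an active attacker who either blocks TLS or impersonates the resolver, and what an HSTS-like "this resolver spoke TLS before, so never fall back to cleartext" pin changes. The class, enum and function names, the `hsts_like` flag and the resolver name are all assumptions made for the model; it deliberately ignores the meta-query and retry issues of point 1.

```python
"""Toy model of the Strict and Opportunistic DNS privacy profiles.

Added illustration, not code from the draft or the email thread. Profile,
attacker and outcome names and the HSTS-like pin store are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Profile(Enum):
    STRICT = "strict"                # authenticated TLS or no service
    OPPORTUNISTIC = "opportunistic"  # best effort: TLS if possible, else cleartext


class Attack(Enum):
    NONE = "none"
    PASSIVE = "passive"                 # can only observe packets on the path
    DOWNGRADE = "active-downgrade"      # blocks the TLS port so TLS looks unavailable
    IMPERSONATE = "active-impersonate"  # completes the TLS handshake with its own cert


class Outcome(Enum):
    AUTHENTICATED_TLS = "TLS, peer authenticated"
    UNAUTHENTICATED_TLS = "TLS, peer not authenticated"
    CLEARTEXT = "cleartext Do53"
    FAIL = "no service"


@dataclass
class Resolver:
    name: str
    supports_tls: bool = True
    authenticatable: bool = True  # client holds a usable name or SPKI pin for it


@dataclass
class Client:
    profile: Profile
    hsts_like: bool = False  # assumption: remember that TLS once worked for a resolver
    pins: set = field(default_factory=set)

    def resolve(self, resolver: Resolver, attack: Attack) -> Outcome:
        # What the wire offers once the attacker has had its say.
        tls_available = resolver.supports_tls and attack is not Attack.DOWNGRADE
        auth_ok = (tls_available and resolver.authenticatable
                   and attack is not Attack.IMPERSONATE)

        if self.profile is Profile.STRICT:
            # Strict never sends a query over anything but authenticated TLS.
            return Outcome.AUTHENTICATED_TLS if auth_ok else Outcome.FAIL

        # Opportunistic: take whatever TLS is on offer, authenticated or not.
        if tls_available:
            if self.hsts_like:
                self.pins.add(resolver.name)
            return Outcome.AUTHENTICATED_TLS if auth_ok else Outcome.UNAUTHENTICATED_TLS

        # TLS unavailable: a pinned resolver must not be talked to in cleartext.
        if self.hsts_like and resolver.name in self.pins:
            return Outcome.FAIL
        return Outcome.CLEARTEXT


def queries_exposed(outcome: Outcome, attack: Attack) -> bool:
    """Does this attacker get to read the client's queries?"""
    if attack is Attack.NONE:
        return False
    if outcome is Outcome.CLEARTEXT:
        return True
    # Only an impersonating attacker is the TLS peer itself.
    return attack is Attack.IMPERSONATE and outcome is Outcome.UNAUTHENTICATED_TLS


def run_scenario(profile: Profile, hsts_like: bool, attack: Attack):
    """One clean visit first (so a pin can be learned), then the attacked visit."""
    resolver = Resolver("resolver.example")  # constructed name
    client = Client(profile, hsts_like)
    client.resolve(resolver, Attack.NONE)
    outcome = client.resolve(resolver, attack)
    return outcome, queries_exposed(outcome, attack)


if __name__ == "__main__":
    for profile in Profile:
        for hsts_like in (False, True):
            if profile is Profile.STRICT and hsts_like:
                continue  # the pin only matters when cleartext fallback exists
            for attack in Attack:
                outcome, exposed = run_scenario(profile, hsts_like, attack)
                print(f"{profile.value:13} pin={hsts_like!s:5} {attack.value:18} "
                      f"-> {outcome.value:27} exposed={exposed}")
```

Running it prints the outcome table: Opportunistic keeps queries private from the passive observer but leaks them to both active attackers, the HSTS-like pin closes the downgrade-to-cleartext path and nothing else, and Strict refuses service rather than leak.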