IETF Logo Mail Archive

Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification

Ben Schwartz <bemasc@google.com> Wed, 09 September 2020 16:54 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CE713A0ADD for <dns-privacy@ietfa.amsl.com>; Wed, 9 Sep 2020 09:54:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MPNQGBOshxbG for <dns-privacy@ietfa.amsl.com>; Wed, 9 Sep 2020 09:54:05 -0700 (PDT)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A9523A0B2D for <dns-privacy@ietf.org>; Wed, 9 Sep 2020 09:54:05 -0700 (PDT)
Received: by mail-il1-x129.google.com with SMTP id w8so2981814ilj.8 for <dns-privacy@ietf.org>; Wed, 09 Sep 2020 09:54:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Wd4PADbxSFjXRJuCUt6sxnlmcxFT4Sos8wvMZwB6+7M=; b=eKYJUumdoqKrXaCie1xVSwCnKEmRx7qshQNj1f6HCw553UBnO2qEpbTDjVUnxi4m+u og7oZHqqTqsMrOZoJTvBp2ozWK0dp9KodVDYvap1F990DTQ1YSo5bhPa/C3vruIHyzH2 VJSw8t7y4fDygyEfynxJr68le8XPeo/iMAtFmbcwcMVMAreyRGYvZDKPhnMFGsIbfO85 TdvM0b9dfmaQK3M7ttspmmNNdCNihaaXNnkAI1AwdI3x8LKDsN/RNqo93h/twrqxEclq HcNqVcLLHDhHuv+oUucsaMVhT2q9HC94h9nPuD6EwIOS+KVstTNpMx2Ww2dwoEdPTbFz /few==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Wd4PADbxSFjXRJuCUt6sxnlmcxFT4Sos8wvMZwB6+7M=; b=D+VyDn0MN0zbUNSqmDVQ3qSxul3LgDzh4us/Ry2jaNUJYoU+ASsDiO+Z51nUAfv8kk +d7gP73NGCwhuJtkUeA/9qJNcQS1mGkCFW+rdlRKNw0DsOc5U652p633x4OcCEaz8NBL eH2hFdYANcptmqgwsKXVWlZspXa8TCEeAo/A2uIjuUF29FNbjGcPpfJOLAOIspaEDIW2 ZpqacRFqMXLEbey43Kl4YcOhA0KtpaES9xJd/4P/U9Yvd/YnLBj71ZpRaWpw+kvtPzFl QcczWe8lreqE1Jm6hLo7+ObIefepPSx4uPNf0R9wdsH28qO8iJ4CqRQ6UjCY3CBs4c4Z JaKQ==
X-Gm-Message-State: AOAM530cw3TheVPacWXp0d+TiWZcKwTiC2ifzIWvwAsPfssx8xc2d2jc 4Q0p3R7tfzaj5fnxr5CA+PaX12dKu5g2u97Rg+Gj2Q==
X-Google-Smtp-Source: ABdhPJxcdI2CvYZmCzhljfD47UCuHU96OXjKX0IavJY18n8MsOAppvO0AIVxFWugLA4S28PdNKEJtssJILwLzUvpZ9k=
X-Received: by 2002:a05:6e02:10d1:: with SMTP id s17mr3160816ilj.24.1599670444673; Wed, 09 Sep 2020 09:54:04 -0700 (PDT)
MIME-Version: 1.0
References: <6e071da2-4281-d525-03ba-4d6dfc843a76@innovationslab.net> <CAHbrMsB7T+5Y=2n4LfcXwyAZQSnK4x72R44_2mCDsLhh_zD9Vw@mail.gmail.com> <8C6ABDA8-9A0E-44BB-AE23-43F97AF29730@noware.co.uk> <CAHbrMsD2y0o+uV9eiAb32_=6ZYwAUoS_zM5+T97SxnHzxB05bQ@mail.gmail.com> <0799B139-E353-4EC7-9340-87CE00C465AA@noware.co.uk> <CAHbrMsC=kOYUL_Ei1uSnWJ3hGxu=7c10eRofXJ=w5sQzcbu6mA@mail.gmail.com> <3A9BCDDD-883D-470E-A547-79839149F8EE@sky.uk> <CAHbrMsDVZMNNhwqTUexRL3R=HoEfDTWsoXnr=bdTaWyTXV_=rw@mail.gmail.com> <C8137D01-5903-4CFA-A315-67D7012EC583@noware.co.uk>
In-Reply-To: <C8137D01-5903-4CFA-A315-67D7012EC583@noware.co.uk>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 09 Sep 2020 12:53:53 -0400
Message-ID: <CAHbrMsAbGci08qR+NL9Csdej_VFpfZxSdHXfwAM6azB-DryQQQ@mail.gmail.com>
To: Neil Cook <neil.cook=40noware.co.uk@dmarc.ietf.org>
Cc: "Winfield, Alister" <Alister.Winfield@sky.uk>, DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000a3494705aee44c40"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/WpXgIJPtFRBQAYttEEoCy30YU8o>
Subject: Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2020 16:54:07 -0000

On Wed, Sep 9, 2020 at 11:31 AM Neil Cook <neil.cook=
40noware.co.uk@dmarc.ietf.org> wrote:

>
>
> On 9 Sep 2020, at 15:35, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
> wrote:
>
>>
>>
>>    1. Caching at the CPE reduces upstream resolver load by quite a lot
>>    more than you might imagine not actually a big problem but it’s nice to
>>    avoid adding compute if there is a cheaper solution trivially available.
>>
>> It sounds like the key goal here is caching at the CPE; the other goals
> could be served by client-specific logic at the central resolver.  Do
> ISP-provided CPEs normally operate a DNS cache?  My understanding was that
> they are usually mostly-stateless forwarders.
>
>
> Yes lots of ISP-provided CPEs do caching. There is a draft in the ADD WG
> that describes this for at least 3 large ISPs in Europe.
>
> There are other reasons for wanting to do DoH in the CPE, such as
> performing DNS filtering on the CPE.
>

This could equally be by client-specific logic on the central resolver, as
demonstrated by NextDNS.

BTW I’d interested in how “client-specific logic at the central resolver”
> solves the connection count issue?
>

It doesn't, but caching does, hence my conclusion that caching is the focus.

> * How does the server know which CPE to redirect the client to?
>>
>>
>>
>> I’m are assuming here that this is an ISP running both elements so
>> knowing how to map the incoming IP to the name its currently using / was
>> told to use is relatively trivial.
>>
>
> Trivial, perhaps, but not necessarily secure.  An adversary in the network
> could alter the IP headers to change the apparent client location, causing
> the client to be redirected to an attacker-controlled CPE, thus defeating
> the integrity assurances of DoH.
>
>
> Possible, but I’m not sure this is a practical attack. The attacker would
> need to be able to also change all the IP headers in the return packets to
> their original values (that’s hard enough to do for legit purposes).
>

Sure, but if you assume we don't have a sophisticated active adversary in
the network, then we don't need authenticated encryption, and we can solve
this without involving the client at all.

Also, the attacker has to have compromised an ISP-managed CPE, and that CPE
> still needs to be running on an ISP-managed network connection.
>

Maybe.  As Alister noted, in some models the subscriber can acquire a DV
cert for the name without reaching inside the CPE.


> Neil
>

v2.29.0 | Report a Bug | By Email | System Status