Re: [dns-privacy] [TLS] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)

Eric Rescorla <ekr@rtfm.com> Thu, 29 April 2021 18:24 UTC

MIME-Version: 1.0
References: <161921129877.20343.10624609154750488813@ietfa.amsl.com> <034F6C49-0195-4FAF-9EF2-1E39E809F902@sinodun.com> <7d8fa1d2-ef1a-4ed3-b660-955248a4ec63@www.fastmail.com> <753E5DAA-37C6-4F82-829D-29DA5458C1DB@akamai.com>
In-Reply-To: <753E5DAA-37C6-4F82-829D-29DA5458C1DB@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 29 Apr 2021 11:24:06 -0700
Message-ID: <CABcZeBMyf3pTXa2DfB3fPeEET+5AkLUzTzDNy+itmnxesdFGWw@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Martin Thomson <mt@lowentropy.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ecdce705c1209b5d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/XIuelZ6HTqRMH41zf9Z5lW0QLxs>
Subject: Re: [dns-privacy] [TLS] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)
Precedence: list

Probably not, but I agree with MT.

The general idea here is that any given protocol trace should only be
interpretable in one way. So, either you need the interior protocol to be
self-describing or you need to separate the domains with ALPN. I don't
believe that either the IP ACL or mTLS addresses this issue, and in fact
arguably mTLS makes the problem worse because it provides authenticated
protocol traces which might be usable for cross-protocol attacks.

-Ekr

On Thu, Apr 29, 2021 at 7:26 AM Salz, Rich <rsalz=
40akamai.com@dmarc.ietf.org> wrote:

> >    No new protocol should use TLS without ALPN.  It only opens space for
> cross-protocol attacks.  Did the working group consider this possibility in
> their discussions?
>
> I don't believe that message has been made as public as it should be.
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>

[dns-privacy] Martin Duke's No Objection on draft… Martin Duke via Datatracker
Re: [dns-privacy] Martin Duke's No Objection on d… Sara Dickinson
Re: [dns-privacy] Martin Duke's No Objection on d… Martin Thomson
Re: [dns-privacy] Martin Duke's No Objection on d… Sara Dickinson
Re: [dns-privacy] Martin Duke's No Objection on d… Eric Vyncke (evyncke)
Re: [dns-privacy] [TLS] Martin Duke's No Objectio… Salz, Rich
Re: [dns-privacy] [TLS] Martin Duke's No Objectio… Eric Rescorla
Re: [dns-privacy] [TLS] Martin Duke's No Objectio… Salz, Rich
Re: [dns-privacy] [TLS] Martin Duke's No Objectio… Stephen Farrell
Re: [dns-privacy] [TLS] Martin Duke's No Objectio… Allison Mankin
Re: [dns-privacy] [TLS] Martin Duke's No Objectio… Eric Rescorla
Re: [dns-privacy] [TLS] Martin Duke's No Objectio… Eric Rescorla
Re: [dns-privacy] Martin Duke's No Objection on d… Martin Duke
[dns-privacy] Recommending ALPN (was Re: [TLS] Ma… Martin Thomson
Re: [dns-privacy] Martin Duke's No Objection on d… Mark Andrews
Re: [dns-privacy] Martin Duke's No Objection on d… Martin Duke