IETF Logo Mail Archive

Re: [dns-privacy] [Last-Call] Review of draft-ietf-dprive-rfc7626-bis-03

Eric Rescorla <ekr@rtfm.com> Fri, 10 January 2020 03:42 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 666FC120086 for <dns-privacy@ietfa.amsl.com>; Thu, 9 Jan 2020 19:42:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6_KGEHED-EOY for <dns-privacy@ietfa.amsl.com>; Thu, 9 Jan 2020 19:42:05 -0800 (PST)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08183120128 for <dns-privacy@ietf.org>; Thu, 9 Jan 2020 19:42:05 -0800 (PST)
Received: by mail-lf1-x132.google.com with SMTP id i23so374846lfo.7 for <dns-privacy@ietf.org>; Thu, 09 Jan 2020 19:42:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HnvuZcfGlTM+hOKgGTuHQfEAnUpQhwyGpniAHXImmqw=; b=aZVf2EoGhJyUnpi8oG3uNKSa03SoKTr8llHlxRdjlRGFkqB5wE4Ezfm3XoGthRY4Vi ccYUt/fWYW1oQyhJRladvi4wESPOzrcYCwAd70npy3Pgak0tzQVoSeqJvkbr1vEW0Dbd 5iYNB/Me0gSwnkM1lWjL5McKwtgfsFI+OlU+1JRZ+7K0MR4CV+6jLyHPie7B67sCl52y olBexNDmD6te3vyEdN0OXFEGp5NKKYsDR5LlwUQBo0cZi0CR5XpwxQqqGk/H7mo+sxo4 NppCEw1AXfb+4N03Z/SKgGwMmpzk9UUMD6UfyZieh4+ZwVCaUQppZz/0L7JwE0GQEln3 Rm3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HnvuZcfGlTM+hOKgGTuHQfEAnUpQhwyGpniAHXImmqw=; b=ZZ3/GXdS2fh9LYgpYXcTJMaRPrJSJbSFbdjSdt+UBXQGo0Nc7xnheHtynOt/LAUt93 VORWmLsRWUEV/FfIPHanSEoTYUqjIR5JhkELo8DVHsnYSKzVilcAsXNbQ2uwdsJ4pdBT W0GMHUfzCCbA+JtAMP/utwWOhbX3YaAS0jUiuuem0b4N1z+dP1jnS1osKY3zg5hoi8h5 B12CaV1A1yqaktkFD5ydbCYYxaXot1QRCAI7rlW+Fa3KvzGXG0O35HLjsjiV88cPTov1 2/6LD47R5grc4U1RrFZ7CKUzsxQjXoO/zH69jH4xd36tMK879gxo6tbBl9XplFDDdDr8 No4g==
X-Gm-Message-State: APjAAAUHayfjTnC5bBCgzornWyA1FQsLWdf65s9sVRdN15VXGtx/K2IF o1TRHVlBHBi9b2TUmtDhdgra1KTyrQ/9j0du4W7a+yxbdgE=
X-Google-Smtp-Source: APXvYqyWeehpWYmk+BfvuAWzuQ9Bhqta21r+N51Pw0amRC6wkiY4vLRzSiaReYT99MXrbB0pHiUsy3nAW0i+j0+YC/0=
X-Received: by 2002:a19:7401:: with SMTP id v1mr708138lfe.129.1578627723182; Thu, 09 Jan 2020 19:42:03 -0800 (PST)
MIME-Version: 1.0
References: <4639bd67-6fca-47d1-aaeb-85fcd0394f46@www.fastmail.com> <029D8BB9-CE93-486A-BDF2-6D0720E59109@sinodun.com> <CABcZeBO2eNo6d2PVd4DCiGCMgrZdmBrCkfKb9i7bx7ay4E0yAA@mail.gmail.com> <EE291DD5-D7B3-4FDA-A04F-9ADA7B2190FC@sinodun.com> <CABcZeBOW1XWX71ivh9t1tzogZntTsZHQQc4BXAjBra1a-HOUmA@mail.gmail.com> <8B36C1A0-B2D9-48E8-9C7D-BD0FED4E62FD@sinodun.com>
In-Reply-To: <8B36C1A0-B2D9-48E8-9C7D-BD0FED4E62FD@sinodun.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 09 Jan 2020 19:41:26 -0800
Message-ID: <CABcZeBMcM3NtYW+c9OnqnFw2QTAmwyyVdLuHeNMiLqh6dC1oag@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: Martin Thomson <mt@lowentropy.net>, last-call@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ac59b8059bc0e827"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/XNvHQxF_AAWccnZcw4G7vSDKmVw>
Subject: Re: [dns-privacy] [Last-Call] Review of draft-ietf-dprive-rfc7626-bis-03
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2020 03:42:09 -0000

On Thu, Jan 9, 2020 at 10:03 AM Sara Dickinson <sara@sinodun.com> wrote:

>
>
> On 7 Jan 2020, at 22:51, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Tue, Jan 7, 2020 at 10:38 AM Sara Dickinson <sara@sinodun.com> wrote:
>
>>
>>
>> On 31 Dec 2019, at 14:45, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>
>>
> <snip>
>
>
>>
>>> Also on linkability and identification:
>>>
>>> Certain configuration options for encrypted transports could also in
>>> principle fingerprint a user or client application.
>>>
>>>
>>> Though there are definitely ways in which the listed options contribute
>>> to fingerprinting, the paragraph talks about session resumption, where the
>>> concern is primarily linkability.  Mixing these concepts only serves to
>>> confuse rather than enlighten.
>>>
>>> When it comes to fingerprinting, it's important to distinguish between
>>> an ability to identify the software in use (Windows vs. Linux, Safari vs.
>>> Chrome) and the ability to distinguish different users.  The text here
>>> conflates these notions in an unhelpful fashion. The fingerprinting
>>> highlighted is a result of characteristics inherent to the software, not
>>> user-specific details.
>>>
>>>
>>> For the most part, we (as protocol designers) accept that distinguishing
>>> software is possible and we don't generally attempt to erase differences
>>> that only serve to reinforce those signals. Suppressing differences in wire
>>> image across implementations generally runs counter to the desire for
>>> diversity in implementation choices.  This text - perhaps unintentionally -
>>> takes the somewhat sensational position that distinguishing between FreeBSD
>>> and Solaris is as relevant as the sort of fingerprinting that might be used
>>> to isolate individuals.  It does that by concentrating on choices that are
>>> usually made by implementations not individuals.
>>>
>>> This is where a clear recognition of the distinction between
>>> implementation choices and how implementations represent (or maybe don't
>>> represent, if that is the way you feel) the choices of individuals requires
>>> a little more care.  I don't know how easy it is to engage on that topic
>>> without also engaging with the current debate though.
>>>
>>>
>>> Suggest:
>>>
>>> OLD:
>>> “Users of encrypted transports are also highly likely to re-use sessions
>>> for multiple DNS queries to optimize performance (e.g. via DNS pipelining
>>> or HTTPS multiplexing). Certain configuration options for encrypted
>>> transports could also in principle fingerprint a user or client
>>> application.  For example: …."
>>>
>>> NEW:
>>> “Implementations that support encrypted transports are also highly
>>> likely to re-use sessions for multiple DNS queries to optimize performance
>>> (e.g. via DNS pipelining or HTTPS multiplexing). Default configuration
>>> options for encrypted transports could in principle fingerprint a specific
>>> client application. For example:…
>>>
>>
>> I don't generally think that documents like this ought to predict how
>> implementers will behave, so I would remove this text entirely.
>>
>>
>> But one of the points of this document is to describe the actual use of
>> DNS so discussing implementation behaviour seems within scope. Given many
>> of the implementations of DoT are done by DNS developers who might be
>> implementing TLS for the first time highlighting potential privacy
>> considerations with such implementation choices also seems relevant.
>>
>
> There are two problems here:
>
> 1. That you are making predictions about what people will do and that
> those preductions are unsupported by evidence. That needs to go.
>
>
> If you are talking about the specific text above - are you saying you
> don’t believe any existing implementations of encrypted DNS transports
> re-use sessions? If so, I can add the list of ones that do to the document.
> Or you believe they all use the same default configuration options?  If not
> what is the specific prediction you mean?
>

Your text says "highly likely". I'm sure that *some* implementation does,
but that doesn't make it highly likely unless you intend to say "it is
highly likely that some implementation will", which seems silly.


> 2. That you are covering material that is already better covered in 8484,
> so why are you duplicating it?
>
>
> Because this is a general overview of all DNS protocols, RFC8484 is by its
> nature a DoH specific treatise.
>

In that case you ought to just point to the text in 8484 or copy it, not
rewrite it.



>>> Section 3.5.1.2
>>>
>>> I admit that I don't understand the purpose of this section.
>>> Concentrating on minutiae, like the details of DHCP or ARP/NDP spoofing, is
>>> far too low level. If we were to simply assume the usual threat model
>>> [RFC3552], then the conclusions here are obvious: if you fail to
>>> authenticate the server, then you get the server that an attacker chooses.
>>>
>>> I would remove this section in favour of improving Section 3.5.1.4,
>>> which addresses the most pertinent question.
>>>
>>>
>>> RFC7626 included Section 2..5.3
>>> https://tools.ietf.org/html/rfc7626#section-2.5.3 ‘Rogue Servers’. This
>>> section is just an update of that text to improve context and remove the
>>> phrase ’rogue server’.  Since the majority of OS implementations still use
>>> these mechanisms today it seems to still be relevant.
>>>
>>
>> Well, as MT says, this is just the 3552 threat model.  The basic fact is
>> that you need a reference to a server that is (1) securely obtained and (2)
>> verifiable against the server itself. Absent that, you are subject to
>> attack by the network.
>>
>>
>> Suggest adding a sentence at the start of the section “[RFC3552] provides
>> guidelines for describing Internet threat models. This section specialises
>> the discussion to the case of DNS resolver configuration.”
>>
>
> Well, that's a start, but the problem is still that it's too low level. If
> you insist on having this section, you should lay out the implications of
> the situation rather than (or at least in advance of) digging into the
> details.
>
>
> The level is detail is entirely comparible to that in the original RFC
> (much of the text is still the same).
>

That doesn't seem like a particularly strong argument. We're revising this
document and the question is what is good now.



As I said to Martin, the section focusses on the impact on the DNS
> resolution path that results from the attack: diversion of traffic and
> traffic capture. Are there other implications you think should be included?
> Please suggest text.
>

I would replace the entirety of this section with:

The Internet Threat model, as described in RFC 3552, assumes that the
attacker controls the network. Such an attacker can completely control any
insecure DNS resolution, both passively monitoring the queries and
responses and substituting their own responses. Even if encrypted DNS such
as DoH or DoT is used, unless the client has been configured in a secure
way with the server identity, an active attacker can impersonate the
server. This implies that opportunistic modes of DoH/DoT as well as modes
where the client learns of the DoH/DoT server via in-network mechanisms
such as DHCP are vulnerable to attack. In addition, if the client is
compromised, the attacker can replace the DNS configuration with one of its
own choosing.

-Ekr




> Sara.
>
>

v2.23.0 | Report a Bug | By Email