Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 May 2017 01:07 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Martin Thomson <martin.thomson@gmail.com>, Mike Bishop <Michael.Bishop@microsoft.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CABkgnnVLasxAfsezDp4H0cSOme5okHUY0ruG7EzgsNEW89SmDQ@mail.gmail.com>
References: <87tw51remp.fsf@fifthhorseman.net> <CAOdDvNoNPXNXzpVcX7TZX=Z++kWMBhG_+uDH3Vk1Jp8+adcHLQ@mail.gmail.com> <CAOdDvNruCCyB2rsF9VgaVEOjQGD82wA0AiLAghiGjDM0SpBFPQ@mail.gmail.com> <87lgqdr0fr.fsf@fifthhorseman.net> <BN6PR03MB27085632B5CBA7324894699487EA0@BN6PR03MB2708.namprd03.prod.outlook.com> <CABkgnnVLasxAfsezDp4H0cSOme5okHUY0ruG7EzgsNEW89SmDQ@mail.gmail.com>
Date: Wed, 03 May 2017 20:43:40 -0400
Message-ID: <87bmr9qwn7.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Yl_7H_uvBokd9JzHemcM_lJu0EI>
Subject: Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

On Thu 2017-05-04 10:21:20 +1000, Martin Thomson wrote:
> On 4 May 2017 at 10:14, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
>> It's ALPN.  At first blush, I would pick a different ALPN token for
>> h2+DNS and define it as a new, derivative protocol.
>
> For DKG to realize his goal, every client would have to offer that
> label.  That's not impossible, nor does it make it a bad choice, but
> you have to realize that this isn't as good an outcome.

If you're going to define an ALPN label, you might as well just pick
"dns" and then do straight DNS-over-TLS with it (no need for in-stream
demuxing).  The problem with this approach is that the network monitor
can observe which clients are picking "dns" and which ones are picking
"http/1.1", which puts you back in the position where the network
adversary can trivially hobble DNS-over-TLS requests while permitting
HTTPS.

I address this in the draft section "Why not ALPN?" -- if anyone thinks
the text there could be improved, I'd be happy to hear suggestions for
how to change it.

All the best,

        --dkg
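As an added illustration of the point made in the message above (example code written for this page, not code from the draft or from dkg): the ALPN list travels in the ClientHello, which is sent in the clear in TLS 1.2 and, absent Encrypted Client Hello, in TLS 1.3 as well. The snippet below builds a minimal ClientHello carrying SNI and ALPN extensions and then parses it the way a passive on-path observer would, recovering the offered protocol names. The hostnames, the fixed zero random, and the single cipher suite are constructed for the example; the wire formats follow RFC 5246 (ClientHello), RFC 6066 (SNI) and RFC 7301 (ALPN).

```python
import struct

SNI_EXT_TYPE = 0x0000   # server_name, RFC 6066
ALPN_EXT_TYPE = 0x0010  # application_layer_protocol_negotiation, RFC 7301


def _sni_extension(hostname):
    """Encode an SNI extension body with a single host_name entry."""
    host = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(host)) + host   # name_type 0 = host_name
    return struct.pack("!H", len(entry)) + entry


def _alpn_extension(protocols):
    """Encode an ALPN extension body: a length-prefixed list of
    length-prefixed protocol names (RFC 7301 section 3.1)."""
    names = b"".join(struct.pack("!B", len(p)) + p.encode("ascii")
                     for p in protocols)
    return struct.pack("!H", len(names)) + names


def build_client_hello(hostname, protocols):
    """Build a minimal, syntactically valid TLS 1.2 ClientHello record.
    Constructed for this example: the random is all zeros and only one
    cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) is offered."""
    exts = b""
    for ext_type, body in ((SNI_EXT_TYPE, _sni_extension(hostname)),
                           (ALPN_EXT_TYPE, _alpn_extension(protocols))):
        exts += struct.pack("!HH", ext_type, len(body)) + body
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x00" * 32                           # random (fixed for the example)
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"     # cipher_suites: one entry
        + b"\x01\x00"                            # compression_methods: null
        + struct.pack("!H", len(exts)) + exts    # extensions
    )
    # Handshake header: type client_hello (1) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake (22), legacy version, length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observed_alpn(record):
    """What a passive observer on the path can read: walk the plaintext
    ClientHello and return the offered ALPN names ([] if none offered)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                        # hdr, version, random
    sid_len = hs[pos]; pos += 1 + sid_len                   # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hs[pos]; pos += 1 + cm_len                     # compression
    if pos >= len(hs):
        return []                                           # no extensions block
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if ext_type == ALPN_EXT_TYPE:
            lst = hs[pos + 2:pos + elen]                    # skip list length
            names, i = [], 0
            while i < len(lst):
                n = lst[i]
                names.append(lst[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            return names
        pos += elen
    return []


if __name__ == "__main__":
    # A monitor can tell these connections apart without decrypting anything.
    for alpn in (["dns"], ["http/1.1"], ["h2", "http/1.1"]):
        rec = build_client_hello("resolver.example", alpn)
        print(alpn, "->", observed_alpn(rec))
```

Run as a script it prints the offered list back for each constructed hello; that visible difference between a "dns" hello and an "http/1.1" hello is exactly the signal a filtering middlebox would key on, which is why a separate ALPN label does not buy the indistinguishability the draft is after.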