Re: [dns-privacy] Spencer Dawkins' Yes on draft-ietf-dprive-edns0-padding-02: (with COMMENT)
Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Tue, 01 March 2016 14:42 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F8CD1A899C; Tue, 1 Mar 2016 06:42:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WbfkoYKoqT0p; Tue, 1 Mar 2016 06:42:48 -0800 (PST)
Received: from mail-yk0-x235.google.com (mail-yk0-x235.google.com [IPv6:2607:f8b0:4002:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B98EA1A8999; Tue, 1 Mar 2016 06:42:48 -0800 (PST)
Received: by mail-yk0-x235.google.com with SMTP id r207so78146355ykd.2; Tue, 01 Mar 2016 06:42:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=l5Du8GWnfYdkjdZQxoLPf5GqOygs/j4RdDdAZhhcmCk=; b=orbaDx0zsPwmE4BDI9IluUfOJX+RfT4wsHdJw8vDXZoBT+zlIiz9th5X84Rw+w6d9U yXVENozzxdGj3HqfF6BUh1xa9m8Wefb/BQDiaNYwb0s+GqqPCwRyiPA9hnSvYrbrsJ+d iCxsI09QzMFCtN9SyEDXNmWjLdTBlt20mJKPKOt0le0INEwGnyGyRS7zyu1tDtHbbUb5 KVhdPW+lvLtNFBpBAaS8X54OuDYHfHMWHr03Ubsy0X/3iPNO6TVS/wszMpKa5r8+2KC9 Uf/tW32fX7tmXqZiHbfkjDMCcs+MIxtPUCUlFiD4I661QkDwuwGbhfaa1l5HYFW9w6dS Mwlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=l5Du8GWnfYdkjdZQxoLPf5GqOygs/j4RdDdAZhhcmCk=; b=X3C4TI4t7lyZiuyxrVrK7YrZcUJv0Zfi+nlA0b87kSIOoW5pWY9y0KsyQESak5z5hr KW51a+ArboyIDA994jKiCQjEeWDNSgy/AcKCs9iqsShNT1x3k/wJE0JrYDa/jltPDHPF jpn4zz9ytWe8pvveZ34lFOuFhCJyYO2UUh6/I5tgqgctvg2rafZjuHG/WS3hI1dpma8E dZ3KyiHFicq1jyGuw3RuYRFhbgLHIFT+RJ4t8u+LdIQMIFBixdVaLo4qHYz+8rClfT5j 2+1I2ji6phrBguDDUnSfXUvY88etAptmrUhLvKaWk4pVkCh9YXHb1iAw7+NozrbsmVJj ibhg==
X-Gm-Message-State: AD7BkJKDwPqogwKJimibWOAVUySnppEnt4k72+GylSkVKaTIyF2vVUFGn2gtfhg0DZG2tcylSP5rrS3gjxBhEQ==
MIME-Version: 1.0
X-Received: by 10.37.89.7 with SMTP id n7mr12363945ybb.90.1456843368023; Tue, 01 Mar 2016 06:42:48 -0800 (PST)
Received: by 10.37.115.2 with HTTP; Tue, 1 Mar 2016 06:42:47 -0800 (PST)
Received: by 10.37.115.2 with HTTP; Tue, 1 Mar 2016 06:42:47 -0800 (PST)
In-Reply-To: <1682abe8-e5e2-b72a-b77b-d14d5a5c85db@gmail.com>
References: <20160301043834.28800.4700.idtracker@ietfa.amsl.com> <20160301113940.518dc7f9@pallas.home.time-travellers.org> <1682abe8-e5e2-b72a-b77b-d14d5a5c85db@gmail.com>
Date: Tue, 01 Mar 2016 08:42:47 -0600
Message-ID: <CAKKJt-dJmc+mYF2aVGeovSBi8FU=py=AiStCpHfF2oFbx5otdQ@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
To: Tim Wicinski <tjw.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="001a11423c3271cf65052cfdc727"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/Z8IZNUY6jgRl9_HhxxafscxOoVM>
Cc: Shane Kerr <shane@time-travellers.org>, dns-privacy@ietf.org, iesg@ietf.org, draft-ietf-dprive-edns0-padding@ietf.org, dprive-chairs@ietf.org
Subject: Re: [dns-privacy] Spencer Dawkins' Yes on draft-ietf-dprive-edns0-padding-02: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2016 14:42:50 -0000
Thanks for the quick and clear responses! So, and I emphasize "not a blocking comment", it sounds like this isn't an RFC 2119 requirement for interoperability, but just good advice? If so, this is more like "There is no specific requirement for the value of PADDING bytes, and receivers MUST accept any value. For example, implementers might set PADDING to 0x00 to prevent uninitialized memory leaks, or might choose a nonzero value to prevent predictable compression that would allow traffic analysis of padded packets." But your responsible AD will do the right thing. Spencer On Mar 1, 2016 05:21, "Tim Wicinski" <tjw.ietf@gmail.com> wrote: > > > Shane's explanation on padding is a great summary of the mailing list discussion during the document review. > > tim > (as DocumentShepherd) > > > On 3/1/16 5:39 AM, Shane Kerr wrote: >> >> Spencer, >> >> At 2016-02-29 20:38:34 -0800 >> "Spencer Dawkins" <spencerdawkins.ietf@gmail.com> wrote: >>> >>> Thanks for producing this draft. I do have one question about this text: >>> >>> The PADDING octets SHOULD be set to 0x00. Other values MAY be used; >>> for example, in cases where there is a concern that the padded >>> message could be subject to compression before encryption. PADDING >>> octets of any value MUST be accepted in messages received. >>> >>> I'm not entirely sure I understand the point of "SHOULD be set to 0x00". >>> I'm not questioning the SHOULD (you explain why choosing another value >>> would be a good idea, thank you ), but I'm wondering why there's a >>> normative requirement at all. >>> >>> I was trying to guess, and one hypothesis was that if the padding is >>> consistently 0x00, it's less likely to provide a covert channel (or at >>> least you'd be more likely to notice packets using different padding), >>> but the security considerations section didn't mention that, so I'm still >>> lost. >>> >>> If there's a reason to zero the padding bytes in the uncompressed case, a >>> sentence of explanation might be useful. >> >> >> There was a lot of discussion on the list about this very topic, >> actually. I'm not sure if it can be reduced to a sentence or two. >> >> IIRC, the idea is that we should recommend some value there to give >> guidance for implementors to avoid common mistakes (such as using >> uninitialized memory, which might contain left-over values). >> >> Someone did raise the possibility of having a covert channel, but it >> was recognized that there are so many places for putting covert data >> into DNS that this is not really a concern. For example, one could >> simply use any unregistered EDNS(0) option and stick data in there, or >> encode it into the QNAME, or put values in the query ID, or... >> >> Putting random data in the padding was considered, but it did not seem >> to add any real value beyond zero-padding. >> >> Cheers, >> >> -- >> Shane "not an editor on the draft" Kerr >>
- [dns-privacy] Spencer Dawkins' Yes on draft-ietf-… Spencer Dawkins
- Re: [dns-privacy] Spencer Dawkins' Yes on draft-i… Shane Kerr
- Re: [dns-privacy] Spencer Dawkins' Yes on draft-i… Tim Wicinski
- Re: [dns-privacy] Spencer Dawkins' Yes on draft-i… Spencer Dawkins at IETF