Re: [dns-privacy] Use of 0-RTT in DNS over QUIC
Christian Huitema <huitema@huitema.net> Fri, 30 July 2021 20:02 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 149013A0D8C for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 13:02:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_c_u6DTg6fY for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 13:02:40 -0700 (PDT)
Received: from mx36-out21.antispamcloud.com (mx36-out21.antispamcloud.com [209.126.121.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5373B3A0D85 for <dprive@ietf.org>; Fri, 30 Jul 2021 13:02:40 -0700 (PDT)
Received: from xse142.mail2web.com ([66.113.196.142] helo=xse.mail2web.com) by mx133.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m9YiH-000MX7-Qd for dprive@ietf.org; Fri, 30 Jul 2021 22:02:38 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4Gbyx02cCLz5SP for <dprive@ietf.org>; Fri, 30 Jul 2021 13:02:28 -0700 (PDT)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m9YiC-0001kA-6i for dprive@ietf.org; Fri, 30 Jul 2021 13:02:28 -0700
Received: (qmail 31017 invoked from network); 30 Jul 2021 20:02:27 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.253]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dprive@ietf.org>; 30 Jul 2021 20:02:27 -0000
To: Robert Evans <evansr=40google.com@dmarc.ietf.org>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: "dprive@ietf.org" <dprive@ietf.org>
References: <35e1a3d6-1654-4903-7f1b-77685f59a890@huitema.net> <CAHbrMsB5LEFjfO7o+oLm-i8nccDg9DwnAvFa+pnAUKQvkGfbRA@mail.gmail.com> <CAPp9mxJDKSJ+iQiB0RSd71CjRGeKHU=C4TyRnJKCeBNZiurdHQ@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <f534eedc-3db7-b770-ba22-1d325ad11658@huitema.net>
Date: Fri, 30 Jul 2021 13:02:26 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <CAPp9mxJDKSJ+iQiB0RSd71CjRGeKHU=C4TyRnJKCeBNZiurdHQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------978C429C654B3A14D1777657"
Content-Language: en-US
X-Originating-IP: 66.113.196.142
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: ham
X-Spampanel-Outgoing-Evidence: Combined (0.08)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9W5ZR328JMwLF4apeUzwQWPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5wwIbsUgx3VwKj5vUcMDcmx42UuDhyzVYcwl2RB+0AaeqlE yvMKUix/g73hDAX1jbsh55uqY3MhMgFAHq5BxPxPXn36fLqvhISQ5ykyqUZqUd1jhnM/Mbva2XLV /LIEzaL2KoAZhJekBPedneT7f699UuS9Bt/28NzUpT//Ljs5DIPAgTtUp75uqlx0KezvZHX5Ml89 xsDhJdCwOAW22dHUWQaaSSaRcFTFxaRvADgOuME95bF8tPKjnaWlQ6fjTEeg4CZvTGBeutAohO1y UnDCBSl7YrgCdzbaCwJPCCSougyg4uMaxHP8xQTpohmgJxQ1dHhpUbi1UdTVmV3LL7N9ueszlpij Q8vuNSxljixs9l2PHznFCr1UPjZRtNG50GjfX8TdqEXkwxwMjsp2mNAp23iZ8TJTdK5H0dgUOB1h 85nckpWaLvahyBjmQxBKOzuhP7r/qeCcLfNPkwm2lNnsvr3LBR8rUYXJ4jh62pfHaKqsknzQ1WVE SSlbgJ6e928BIkUL/j1Y48GvmeURQjjEUQSKZxezeBn5RwWu6r/w41VJAzN7Xo/cmIxZMl6eaPyn pwoZoXWTrJhqLsqRJZsYHF29j8cA+VxmrdV21v79MGf6J5LiDZAgJQy4WAGaMLIqM56VVlcswDb0 N8Su4voNiwQzKw+6v3CaIMG6s7LqJNTEtRhD2AMQ32yGkU1g8Jyp0srCGhqQVLm3YuZYsovTzatH IzrINrCEwlyBFGEtpT0M06L7Kh6Ebf3y47aRvT35d9Mpny2MqlrXcMQyNtV/mJvoJkDT1QtvX7Yf osW0BMOpyKA69LF1Ge2GaGfxmfrJyhoTyYjBAsgJ9fPu1C1rkwISTdKXHHyl1YNiB/Uix7CYwtBS QxO5224/0gCm1v3y3deP8vNnmz84mDUvZqxnoc7bV0+nE+EwV843xuls19yArgxzoa+KPg4iBZtv Ir6fmwij1JB2C+QdO3OG/whb
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ZJ5GDf-nr9IwO2lhd4_t37PYy_I>
Subject: Re: [dns-privacy] Use of 0-RTT in DNS over QUIC
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 20:02:45 -0000
I think we have a reasonable guideline here. 0-RTT for QUIC is so compelling that clients and servers will still do it, even if we tell them not to. So it is better to try provide usage guidelines on how to do that safely. Robert's proposal fall in two categories: some are about embracing 0-RTT in order to ensure good performance, like accepting early data and ensuring a minimum lifetime of tickets. (With some nits -- you cannot set the max_early_data_size to 512 bytes in QUIC, you have to use a QUIC transport parameter instead.) Then, some of the recommendations are about "try to keep it safe": 1) Do not accept a client hello that is older than 30 seconds. This would limit the efficacy of the replay attacks, because it probably takes at least 30 seconds to ensure that the cache is empty. But I am not too sure how one tests the lifetime of a client Hello. 2) Implement replay protection is a good idea. Some server deployments support that. But I understand that this kind of support ends up enforcing "only once" use of tickets. This contradicts the request for non-single-use tickets, or the request to "offer tickets only on full handshakes or if ticket is old". Some QUIC stack will disable 0-RTT if the ticket is older than 30 seconds, only allowing resumption. This is reasonably easy to implement. -- Christian Huitema On 7/30/2021 8:56 AM, Robert Evans wrote: > DoQ plus 0-RTT seems very compelling for achieving 1-RTT query/response > parity with Do53. > > As such I think the spec should discuss 0-RTT and encourage both clients > and servers to support it. > > I also think a recommended 0-RTT profile suitable for DoQ/T should be > developed and specified. > > For example (but I'm not a TLS expert, corrections welcome): > - self-contained, non-single-use tickets > - ticket_lifetime at least 6 hours > - early_data allowed > - max_early_data_size of 512 bytes > - implement replay protection by freshness check > - reject ClientHello with age over 30 seconds > - offer tickets only on full handshakes or if ticket is old > - send tickets as early as possible in the session > - allow resumption for any SNI offered in the server certificate > - no early data for mutating queries > > No opinion as to which draft should contain those recommendations. > > On Fri, Jul 30, 2021 at 10:53 AM Ben Schwartz <bemasc= > 40google.com@dmarc.ietf.org> wrote: > >> I think this should be decided as part of >> https://datatracker.ietf.org/doc/html/draft-ietf-dprive-early-data, and >> DoQ should just reference it. (I don't necessarily agree with the present >> contents of that draft.) >> >> As for what draft-ietf-dprive-early-data should say, I don't have a strong >> opinion. However, I do think it's notable that most recursive resolvers >> allow "cache probing" by setting RD=0 in the query, which enables a >> relatively straightforward plaintext recovery attack on 0-RTT queries on >> multi-instance recursive resolvers. An attacker can probe a cache instance >> until some records of interest fall out, then replay the 0-RTT query and >> repeat the probes to see if any of them reappear. As such, I think it >> might be appropriate to strengthen the replay defense requirement for >> encrypted DNS beyond the "SHOULD" in RFC 8446. >> >> (See also https://github.com/tlswg/tls13-spec/issues/1225) >> >> On Thu, Jul 29, 2021 at 8:31 PM Christian Huitema <huitema@huitema.net> >> wrote: >> >>> The DNS over QUIC draft lets client and server negotiate 0-RTT, with >>> minimal guidance. The privacy section develops the risks of replay >>> attacks, and then effectively lets clients decide whether to use 0-RTT >>> or not. Martin Thomson pointed out the contrast with RFC 8470 which >>> provides great details on the use of 0-RTT data in HTTP, and also >>> introduces a new error code to let server refuse some transactions if >>> received over 0-RTT. There are indeed advantages in letting the server >>> control usage of 0-RTT, but I wonder about the proper trade-off between >>> control and complexity for DoQ. There are multiple ways to do this: >>> >>> - Allow servers to not advertise support for 0-RTT if they are concerned >>> with 0-RTT side effects -- very simple to implement at servers and >>> clients. >>> >>> - Let servers advertise support for 0-RTT, but have them check the >>> queries received on 0-RTT and return an error code after inspecting >>> incoming requests. This requires implementing some kind of filter at the >>> server side, plus some logic on the client to resubmit the failed >>> requests after completion of the handshake. I am a bit concerned with >>> that kind of complexity. >>> >>> - Let servers advertise support for 0-RTT, but close the transaction >>> with a Protocol Error if the server receives an unexpected request -- >>> e.g., an Update. That also requires some filtering of 0-RTT packets at >>> the server side, but is simpler than the full inspection considered >>> above. It is also reasonably easy to implement on the client, which >>> simply abstains to send some classes of requests over 0-RTT. >>> >>> - Or, of course, allow servers to support 0-RTT without any kind of >>> filtering. >>> >>> Any particular opinion in the working group? >>> >>> -- Christian Huitema >>> >>> >>> >>> >>> _______________________________________________ >>> dns-privacy mailing list >>> dns-privacy@ietf.org >>> https://www.ietf.org/mailman/listinfo/dns-privacy >>> >> _______________________________________________ >> dns-privacy mailing list >> dns-privacy@ietf.org >> https://www.ietf.org/mailman/listinfo/dns-privacy >> > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy
- [dns-privacy] Use of 0-RTT in DNS over QUIC Christian Huitema
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Ben Schwartz
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Robert Evans
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Christian Huitema
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Robert Evans
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Christian Huitema
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Benjamin Kaduk
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Christian Huitema