IETF Logo Mail Archive

Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 29 July 2015 13:41 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58AD71A0451 for <dns-privacy@ietfa.amsl.com>; Wed, 29 Jul 2015 06:41:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iC9LI4FoHsyi for <dns-privacy@ietfa.amsl.com>; Wed, 29 Jul 2015 06:41:14 -0700 (PDT)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBD501A1B43 for <dns-privacy@ietf.org>; Wed, 29 Jul 2015 06:41:11 -0700 (PDT)
Received: from [10.32.60.117] (142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100]) (authenticated bits=0) by hoffman.proper.com (8.15.1/8.14.9) with ESMTPSA id t6TDfA1x046982 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 Jul 2015 06:41:11 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100] claimed to be [10.32.60.117]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Alexander Mayrhofer <alexander.mayrhofer@nic.at>
Date: Wed, 29 Jul 2015 06:41:10 -0700
Message-ID: <4B26F2B2-AA67-492B-9855-30F8ABF38AF9@vpnc.org>
In-Reply-To: <19F54F2956911544A32543B8A9BDE075468A9354@NICS-EXCH2.sbg.nic.at>
References: <19F54F2956911544A32543B8A9BDE075468A9354@NICS-EXCH2.sbg.nic.at>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.1r5084)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/bnQCL6MemqSMIA1DrGTzcrjLaRY>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 13:41:15 -0000

On 29 Jul 2015, at 5:28, Alexander Mayrhofer wrote:

> Hi,
>
> I'm working through my notes from the DPRIVE session regarding the 
> EDNS0 Padding option. My takeaway was as follows:
>
> - Generally, this seems to be a reasonable idea

That may be too strong of an assessment. There were questions about 
whether the padding should be done in DNS or in TLS. My personal view is 
that if the two types of padding give similar benefits, it absolutely 
should be done in TLS for many reasons. I think we need to get more 
input (possibly from CFRG) about the benefits of padding at each layer.

> - Besides the use to evade size-based message correlation, this could 
> also be useful in other cases, eg. "proof of work" for clients when 
> requesting larger packets (Peter K.)

This is possibly a bad idea. In the IPsecME WG, we have had an active 
work item on proof-of-work for clients to prevent DDoS, with lots of 
good discussion on how to do it, and we're probably going to only leave 
it as an Experimental document. In summary, adding proof-of-work hurts 
the group you care most about, namely clients on small machines.

> - However, the draft should only specify the option itself, and not 
> indulge into the various usage scenarios

That's exactly the place we are ending up in IPsecME, and it's not where 
we expected.

> - The EDNS0 assignment policy is Speficiation Required / Expert 
> Review, hence does not necessarily require an RFC
> - The preferred way forward is individual draft, AD-sponsored.
> - Discussion can continue on the DPRIVE list
>
> Regarding the actual contents of the draft, my takeaway was:
>
> - Is "1" the right minimum length for the option? Why not "0"?
> - Padding must obviously not exceed the announced EDNS0 packet size - 
> some words about that
> - No consideration is required whether or not a server may pad, 
> because clients are required to ignore unknown options anyways.
> - The Security considerations section needs more work.
>
> Is that in line with the perception of the WG members? Anything I 
> forgot to mention / consider?

See above. I propose that we not do this at all if it turns out to be 
better done in TLS so that we don't create an attractive nuisance. If 
CFRG says that it is better to do it in the inner protocol, then we 
should proceed, but with the narrow focus of preventing analysis of 
TLS-protected traffic, not for proof-of-work.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email