Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding
"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 29 July 2015 13:41 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58AD71A0451 for <dns-privacy@ietfa.amsl.com>; Wed, 29 Jul 2015 06:41:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iC9LI4FoHsyi for <dns-privacy@ietfa.amsl.com>; Wed, 29 Jul 2015 06:41:14 -0700 (PDT)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBD501A1B43 for <dns-privacy@ietf.org>; Wed, 29 Jul 2015 06:41:11 -0700 (PDT)
Received: from [10.32.60.117] (142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100]) (authenticated bits=0) by hoffman.proper.com (8.15.1/8.14.9) with ESMTPSA id t6TDfA1x046982 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 Jul 2015 06:41:11 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100] claimed to be [10.32.60.117]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Alexander Mayrhofer <alexander.mayrhofer@nic.at>
Date: Wed, 29 Jul 2015 06:41:10 -0700
Message-ID: <4B26F2B2-AA67-492B-9855-30F8ABF38AF9@vpnc.org>
In-Reply-To: <19F54F2956911544A32543B8A9BDE075468A9354@NICS-EXCH2.sbg.nic.at>
References: <19F54F2956911544A32543B8A9BDE075468A9354@NICS-EXCH2.sbg.nic.at>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.1r5084)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/bnQCL6MemqSMIA1DrGTzcrjLaRY>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 13:41:15 -0000
On 29 Jul 2015, at 5:28, Alexander Mayrhofer wrote: > Hi, > > I'm working through my notes from the DPRIVE session regarding the > EDNS0 Padding option. My takeaway was as follows: > > - Generally, this seems to be a reasonable idea That may be too strong of an assessment. There were questions about whether the padding should be done in DNS or in TLS. My personal view is that if the two types of padding give similar benefits, it absolutely should be done in TLS for many reasons. I think we need to get more input (possibly from CFRG) about the benefits of padding at each layer. > - Besides the use to evade size-based message correlation, this could > also be useful in other cases, eg. "proof of work" for clients when > requesting larger packets (Peter K.) This is possibly a bad idea. In the IPsecME WG, we have had an active work item on proof-of-work for clients to prevent DDoS, with lots of good discussion on how to do it, and we're probably going to only leave it as an Experimental document. In summary, adding proof-of-work hurts the group you care most about, namely clients on small machines. > - However, the draft should only specify the option itself, and not > indulge into the various usage scenarios That's exactly the place we are ending up in IPsecME, and it's not where we expected. > - The EDNS0 assignment policy is Speficiation Required / Expert > Review, hence does not necessarily require an RFC > - The preferred way forward is individual draft, AD-sponsored. > - Discussion can continue on the DPRIVE list > > Regarding the actual contents of the draft, my takeaway was: > > - Is "1" the right minimum length for the option? Why not "0"? > - Padding must obviously not exceed the announced EDNS0 packet size - > some words about that > - No consideration is required whether or not a server may pad, > because clients are required to ignore unknown options anyways. > - The Security considerations section needs more work. > > Is that in line with the perception of the WG members? Anything I > forgot to mention / consider? See above. I propose that we not do this at all if it turns out to be better done in TLS so that we don't create an attractive nuisance. If CFRG says that it is better to do it in the inner protocol, then we should proceed, but with the narrow focus of preventing analysis of TLS-protected traffic, not for proof-of-work. --Paul Hoffman
- [dns-privacy] Direction of draft-mayrhofer-edns0-… Alexander Mayrhofer
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Paul Hoffman
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Stephen Farrell
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Paul Hoffman
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Daniel Kahn Gillmor
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Paul Hoffman
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Stephen Farrell
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Paul Hoffman
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Stephen Farrell
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Sara Dickinson
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Christian Huitema