Re: [dns-privacy] Eric Rescorla's Discuss on draft-ietf-dprive-dtls-and-tls-profiles-09: (with DISCUSS and COMMENT)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 10 May 2017 02:56 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4928912EBDA; Tue, 9 May 2017 19:56:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id azBA0KdTpCkw; Tue, 9 May 2017 19:56:55 -0700 (PDT)
Received: from mail-pg0-x22a.google.com (mail-pg0-x22a.google.com [IPv6:2607:f8b0:400e:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 755A912EBB6; Tue, 9 May 2017 19:56:55 -0700 (PDT)
Received: by mail-pg0-x22a.google.com with SMTP id 64so9177607pgb.3; Tue, 09 May 2017 19:56:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=gu5FcN+1UycLuse5JYHbLdwQNC7rwztpi2rzMib3Le0=; b=AxNWFqKbgjd7KDC95F0d/JbWgL8k3X9joafIA84QvalscOIM/vQv8hhogZmTVv0p42 zjZm88CtoMEA4uXmDWVN8dl4tsNZciYuQN/Jrz5aj2Z7Wmm+vgPTIaasSjZkV/IZONJH gFtPPzhVTAjAuWinQlPeu2kM5z6fYSihcU4o1Am2wbJSxaaebCGmH5VpDSirpxgwdQlt NoHuaPdx/PFRyypoB4wJivdBa1/ZZCSBeO1+ZyPWaGU3StTNuTYFOd5vuHx+K/W82Vz3 l8f/9alS7hPwZsdjI0zLOrJGt3V5qVrhmKw7whtVfybDTRjFqfT7TumnCVNTJsD6CWlK vMaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=gu5FcN+1UycLuse5JYHbLdwQNC7rwztpi2rzMib3Le0=; b=mK4pF45B6bDaZOnVgUTWmQGzfFiDpg4Q952ANW4jrSWEtI7IoKR0RfPatEgLaSL3e+ Jyh6kSZwipY6I+dBiG3xzpV7LFvz/g66nHLSr4oXozKw1hPMSMcseS9f58jjyEF1/FFj xWWsPDxttcJ+9QWEYIE5u60tqlYALcJHUwj9Re4oOc/z3SwyTlKuoFp8SDJv+IPM3tXn txnStS/XTdkz7LsHC/WINQ8VX/m9WwuRQIYYULICVeH3K6S4rg6lzncb0H4ockAinOu3 dgn/AYtrq4Grz8URh2IVzWKMJjY1m5i2Q5buv7mYyYWNl4MCTtsItKwStCRjt6Sih1s5 lakQ==
X-Gm-Message-State: AODbwcDwJlL3KYIG79NlwmzWz2UvSxWUmClo+LpQLPPAD1/8Y7UW7F6c sS7Io97uEYg48pq+f8Y9iAEmpxRryQ==
X-Received: by 10.99.62.67 with SMTP id l64mr3755940pga.172.1494385014961; Tue, 09 May 2017 19:56:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.161.226 with HTTP; Tue, 9 May 2017 19:56:14 -0700 (PDT)
In-Reply-To: <CABcZeBPcVqUNor-9NOSBQ+XcqD9N28d90qYpQsPzE3L4nrPvYQ@mail.gmail.com>
References: <149410267259.23107.8936430130975036477.idtracker@ietfa.amsl.com> <79402B6C-B8FB-4115-AB12-9943FF585D21@sinodun.com> <CABcZeBPcVqUNor-9NOSBQ+XcqD9N28d90qYpQsPzE3L4nrPvYQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 09 May 2017 22:56:14 -0400
Message-ID: <CAHbuEH6UuYTBFRScrZmjVEu1W_nkiRKsXo=qKqSVv9eGFybAOA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Sara Dickinson <sara@sinodun.com>, Tim Wicinski <tjw.ietf@gmail.com>, draft-ietf-dprive-dtls-and-tls-profiles@ietf.org, dns-privacy@ietf.org, The IESG <iesg@ietf.org>, dprive-chairs@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/c8V62zL9bMhnuE0zp0g0G0CAhvM>
Subject: Re: [dns-privacy] Eric Rescorla's Discuss on draft-ietf-dprive-dtls-and-tls-profiles-09: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 May 2017 02:56:58 -0000
Hi, Just a couple of comments inline. On Mon, May 8, 2017 at 8:01 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Mon, May 8, 2017 at 1:21 AM, Sara Dickinson <sara@sinodun.com> wrote: >> >> >> On 6 May 2017, at 21:31, Eric Rescorla <ekr@rtfm.com> wrote: >> >> Eric Rescorla has entered the following ballot position for >> draft-ietf-dprive-dtls-and-tls-profiles-09: Discuss >> >> >> Many thanks for the review. >> >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> S 9 mandates RFC 7250: >> o Raw public keys [RFC7250] which reduce the size of the >> ServerHello, and can be used by servers that cannot obtain >> certificates (e.g., DNS servers on private networks). >> >> This needs to be updated to indicate that the client MUST NOT >> offer 7250 unless it has a preconfigured SPKI, otherwise >> you're going to have interop problems. >> >> >> Agreed. >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> TECHNICAL >> S 5. >> subsequently connect. The rationale for this is that requiring >> Strict Privacy for such meta queries would introduce significant >> deployment obstacles. This profile provides strong privacy >> guarantees to the client. This Profile is discussed in detail in >> Section 6.6. >> >> This point seems unclear. If you do these queries unprotected, then >> you don't have strong privacy guarantees. I think you mean that >> you get them via some trusted mechanism such as DHCP. >> >> >> No, we mean they could be done either via Opportunistic lookups or DHCP >> (see table 2.) >> The meta queries contain no information about what DNS lookups the client >> is doing other than what DNS Privacy server they are going to use to do >> their queries. But you are correct that the ‘strong privacy guarentees’ >> apply only to the subsequent queries to the Privacy server and the text >> should be updated to clarify that. > > > Well, per my previous comment, I think you need to focus on the entire > strategy. > > I.e., if you determine whether to adopt a Strict policy based on > Opportunistic queries, then you are back to the active attack setting. I > don't have a problem with your design here, which seems to be about as good > as one can do; I'm just trying to make sure the description is accurate... > > >> Table 1 seems to have N and D paired, so maybe you can coalesce them? >> >> >> That specific question was asked on the WG mailing list and the answer was >> ‘no, please keep both’: >> https://www.ietf.org/mail-archive/web/dns-privacy/current/msg01541.html > > > OK. Perhaps add some text that theya re paired > > > >> S 6.4. >> A DNS client that is configured with both an authentication domain >> name and a SPKI pinset for a DNS server SHOULD match on both a valid >> credential for the authentication domain name and a valid SPKI >> pinset >> (if both are available) when connecting to that DNS server. The >> overall authentication result should only be considered successful >> if >> both authentication mechanisms are successful. >> >> You should cover the topic of user-defined trust anchors. Here's the >> relevant text from 7469: >> >> For example, a UA may disable Pin Validation for Pinned Hosts whose >> validated certificate chain terminates at a user-defined trust >> anchor, rather than a trust anchor built-in to the UA (or underlying >> platform). >> >> >> We purposely avoided adding any details on the SPKI mechanisms in this >> document because this document simply refers to RFC7585 which then directly >> references RFC7469. But if you think this is needed here also then I’ll add >> it. > > > The concern I have is that this guidance seems to implicitly contradict the > guidance from 7469. So I think you should either just say that if you have > both you treat it like a 7469 pin, or say something like "successful, with > the possible exception of certificates which chain to local trust anchors, > as described in..." Or, alternately really prohibit this. Also, should -> > SHOULD. > >> >> >> >> EDITORIAL >> Do you want to cite TLS 1.3 at this point? >> >> >> Early on we chose not to include a normative reference to the TLS 1.3 >> draft to avoid the dependancy on that becoming an RFC but are you suggesting >> we do that now or just include an informative reference? > > > I would think at least an informative reference would be useful. > > >> Do you think Section 9 the right place to talk about TLS 1.3 in general or >> do you feel there are specific points to made elsewhere in the text? > > > 1.3 has pretty much the same properties here, so I think you might just cite > 1.3 and make it informative. I'm not sure what the right actual mechanics > are here, but surely such a thing is possible. > The draft already says TLS 1.2 or higher, so you do already allow for TLS 1.3. You could put an informative reference as TLS 1.3 being an option. TLS 1.2 hasn't been deprecated and the guidance with 7525 is there already to prevent known problems. An informative reference shouldn't hold up this draft, but it's up to the WG if they want to include it explicitly IMO. > >> >> S 3. >> o Any server identifier other than domain names, including IP >> address, organizational name, country of origin, etc. >> >> addresses, names, for parallel structure with domain names >> >> >> Ack. >> >> >> >> S 9. >> There are known attacks on (D)TLS, such as machine-in-the-middle and >> protocol downgrade. These are general attacks on (D)TLS and not >> specific to DNS-over-TLS; please refer to the (D)TLS RFCs for >> discussion of these security issues. >> >> This text seems pretty unhelpful. Given that you are specifying 1.2, >> if you also require the relevant strong algorithms, then there should >> not be downgrade or MITM attacks. >> >> >> How about moving the justification later in the section: >> >> “ Clients and servers MUST adhere to the (D)TLS implementation >> recommendations and security considerations of [RFC7525] except with >> respect to (D)TLS version. >> >> Since encryption of DNS using (D)TLS is a green-field deployment DNS >> clients and servers MUST implement only (D)TLS 1.2 or later. >> >> These requirements ensure mitigation against known attacks on >> (D)TLS, such as machine-in-the-middle and >> protocol downgrade. These are general attacks on (D)TLS and not >> specific to DNS-over-TLS.” > > > My complaint is that this seems kinda FUDdy. If there are things that you > think people > ought to do other than those in 7525, you ought to say them. I agree with EKR. The recommendation to follow 7525 is enough. > > -Ekr > -- Best regards, Kathleen
- [dns-privacy] Eric Rescorla's Discuss on draft-ie… Eric Rescorla
- Re: [dns-privacy] Eric Rescorla's Discuss on draf… Sara Dickinson
- Re: [dns-privacy] Eric Rescorla's Discuss on draf… Eric Rescorla
- Re: [dns-privacy] Eric Rescorla's Discuss on draf… Kathleen Moriarty
- Re: [dns-privacy] Eric Rescorla's Discuss on draf… Sara Dickinson
- Re: [dns-privacy] Eric Rescorla's Discuss on draf… Eric Rescorla