Re: [dns-privacy] [TLS] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)

"Salz, Rich" <rsalz@akamai.com> Thu, 29 April 2021 18:29 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 824383A120B; Thu, 29 Apr 2021 11:29:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qbn_0NTuR9_i; Thu, 29 Apr 2021 11:29:37 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7A773A12F7; Thu, 29 Apr 2021 11:29:28 -0700 (PDT)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 13TIJvVt019514; Thu, 29 Apr 2021 19:29:27 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=XTZmU81ckZc6GeRxmk5t7RBIS8DbmbzijZknNLuhmBg=; b=cD7OPBbIScRN+N3awoTZORPn/g6FjPlzkfEqtChhrY/Fh4Vb5pFYQ4xehFFTsFOWbw/5 8yQTmMTyjXzYzU+1QZjA0jIk9t/2mTKibssbRYnO5olCZLkz2pY5AfuvxkqSDxOEk93k COEa+blV8wS0LvxOmoDdFWA9xfV8z515qCU3FjOj+9mCpQMDV+czKi9XIJxoai94t6TQ htIen/lykRKhMFetfuzINLjvgGp9TEPFKLu9hxy50v/5TXOSNxGK544XyQvplJc7MWME MuUCJ/8tT51ZHMFrDRlupZhayGynzjmW+E4P7We7JGdQfwoVHu49nu1HlcvosyGiwB8f CA==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 387nkdq05t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 29 Apr 2021 19:29:25 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.1.2/8.16.1.2) with SMTP id 13TIMceo014152; Thu, 29 Apr 2021 14:28:46 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint1.akamai.com with ESMTP id 387cpqaqth-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 29 Apr 2021 14:28:46 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 29 Apr 2021 14:28:45 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1497.012; Thu, 29 Apr 2021 14:28:46 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: Martin Thomson <mt@lowentropy.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [dns-privacy] [TLS] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)
Thread-Index: AQHXPSTzGi3wV7bh0EGFGkbFd9JPGarL0K+A
Date: Thu, 29 Apr 2021 18:28:45 +0000
Message-ID: <630E784C-8F57-414E-AA9D-63DBC9F4507A@akamai.com>
References: <161921129877.20343.10624609154750488813@ietfa.amsl.com> <034F6C49-0195-4FAF-9EF2-1E39E809F902@sinodun.com> <7d8fa1d2-ef1a-4ed3-b660-955248a4ec63@www.fastmail.com> <753E5DAA-37C6-4F82-829D-29DA5458C1DB@akamai.com> <CABcZeBMyf3pTXa2DfB3fPeEET+5AkLUzTzDNy+itmnxesdFGWw@mail.gmail.com>
In-Reply-To: <CABcZeBMyf3pTXa2DfB3fPeEET+5AkLUzTzDNy+itmnxesdFGWw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.48.21041102
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.118.139]
Content-Type: multipart/alternative; boundary="_000_630E784C8F57414EAA9D63DBC9F4507Aakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-04-29_08:2021-04-28, 2021-04-29 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 bulkscore=0 mlxscore=0 spamscore=0 malwarescore=0 adultscore=0 suspectscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104060000 definitions=main-2104290117
X-Proofpoint-GUID: kD3akOaPLFfoPpwu2sBLI_MkhdmxvpYb
X-Proofpoint-ORIG-GUID: kD3akOaPLFfoPpwu2sBLI_MkhdmxvpYb
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-04-29_10:2021-04-28, 2021-04-29 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 bulkscore=0 clxscore=1011 mlxscore=0 mlxlogscore=999 lowpriorityscore=0 phishscore=0 impostorscore=0 suspectscore=0 spamscore=0 priorityscore=1501 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104060000 definitions=main-2104290117
X-Agari-Authentication-Results: mx.akamai.com; spf=${SPFResult} (sender IP is 184.51.33.18) smtp.mailfrom=rsalz@akamai.com smtp.helo=prod-mail-ppoint1
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/dQwQU6NJUr5Gs-wJTnTWT_IIqoA>
Subject: Re: [dns-privacy] [TLS] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Apr 2021 18:29:43 -0000

To make it obvious (I thought it was): I agree, and think we need to make that fact more widely known.

From: Eric Rescorla <ekr@rtfm.com>
Date: Thursday, April 29, 2021 at 2:24 PM
To: Rich Salz <rsalz@akamai.com>
Cc: Martin Thomson <mt@lowentropy.net>et>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>rg>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [dns-privacy] [TLS] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)

Probably not, but I agree with MT.

The general idea here is that any given protocol trace should only be interpretable in one way. So, either you need the interior protocol to be self-describing or you need to separate the domains with ALPN. I don't believe that either the IP ACL or mTLS addresses this issue, and in fact arguably mTLS makes the problem worse because it provides authenticated protocol traces which might be usable for cross-protocol attacks.

-Ekr


On Thu, Apr 29, 2021 at 7:26 AM Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org<mailto:40akamai.com@dmarc.ietf.org>> wrote:
>    No new protocol should use TLS without ALPN.  It only opens space for cross-protocol attacks.  Did the working group consider this possibility in their discussions?

I don't believe that message has been made as public as it should be.

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>
https://www.ietf.org/mailman/listinfo/dns-privacy<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/dns-privacy__;!!GjvTz_vk!EtJaCTiH36U_bsA5vP82lZpBELKgq8908Dnb9MmdFc9M0FfjBeJMg3QwgwSs$>