IETF Logo Mail Archive

Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 29 July 2015 14:13 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E9CC1A6EFB for <dns-privacy@ietfa.amsl.com>; Wed, 29 Jul 2015 07:13:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LhqAVsR8x9L2 for <dns-privacy@ietfa.amsl.com>; Wed, 29 Jul 2015 07:13:07 -0700 (PDT)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA6801A6EED for <dns-privacy@ietf.org>; Wed, 29 Jul 2015 07:13:03 -0700 (PDT)
Received: from [10.32.60.117] (142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100]) (authenticated bits=0) by hoffman.proper.com (8.15.1/8.14.9) with ESMTPSA id t6TECtS0048471 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 Jul 2015 07:12:55 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100] claimed to be [10.32.60.117]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 29 Jul 2015 07:12:54 -0700
Message-ID: <603AC12E-DEC7-47A3-B3B6-093ECC140E94@vpnc.org>
In-Reply-To: <55B8DB35.1070906@cs.tcd.ie>
References: <19F54F2956911544A32543B8A9BDE075468A9354@NICS-EXCH2.sbg.nic.at> <4B26F2B2-AA67-492B-9855-30F8ABF38AF9@vpnc.org> <55B8DB35.1070906@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.1r5084)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/dUYRmbIuGDL8kumVQ_EaRYKFrkY>
Cc: Alexander Mayrhofer <alexander.mayrhofer@nic.at>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 14:13:08 -0000

On 29 Jul 2015, at 6:55, Stephen Farrell wrote:

> On 29/07/15 14:41, Paul Hoffman wrote:
>> On 29 Jul 2015, at 5:28, Alexander Mayrhofer wrote:
>>
>>> Hi,
>>>
>>> I'm working through my notes from the DPRIVE session regarding the
>>> EDNS0 Padding option. My takeaway was as follows:
>>>
>>> - Generally, this seems to be a reasonable idea
>>
>> That may be too strong of an assessment. There were questions about
>> whether the padding should be done in DNS or in TLS. My personal view 
>> is
>> that if the two types of padding give similar benefits, it absolutely
>> should be done in TLS for many reasons.
>
> With no hats, I disagree. Given that we don't yet know how
> to effectively pad at any layer, my belief is that we should
> define the basic mechanism at every layer so that when someone
> does figure it out, the protocol mechanics exist.

Interesting. I thought we had heard discussion of padding at both 
layers, and thus I thought people would by now have good ideas about 
which is better. Drat.

> The way I think about this is a) the most effective padding
> can be done in the application layer, but b) that may not be
> feasible so lower layer padding (esp in TLS) should also
> exist and on the 3rd hand - there may be a few cases where
> different protocols are multiplexed in such a way that one
> lower layer padding mechanism could help with both, but
> that'll be really rare.

The way I think about this is that the application layer doesn't know 
whether or not it is covered by TLS, so any padding done there when TLS 
is not used wastes bandwidth. TLS always knows that it is running, and 
what is running under it, and therefore padding is always appropriate 
there.

>> I think we need to get more
>> input (possibly from CFRG) about the benefits of padding at each 
>> layer.
>
> (With hat:-) CFRG is not the right group for a few reasons. First -
> effective use of padding like this isn't a crypto thing - we're not
> dealing with a block cipher here. CFRG are also busy enough right now
> on stuff they should be getting done.

Probably true.

> But we don't actually have a centre of expertise about effective
> padding so I can see why you suggest CFRG. Ideas as to how to try
> foster/create such a thing would be welcome. Mostly I think the
> hard part there will be to attract the few folks who know about
> this topic and are willing to work on it openly.

Agree. However, we are not in a rush on this (we haven't even agreed on 
TLS / DTLS), so having the discussion about where to pad before we 
blindly start padding in DNS.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email