IETF Logo Mail Archive

Re: [dns-privacy] Threat Model

Ted Hardie <ted.ietf@gmail.com> Fri, 01 November 2019 21:28 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 417B6120271 for <dns-privacy@ietfa.amsl.com>; Fri, 1 Nov 2019 14:28:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VsBE_XdQjc1L for <dns-privacy@ietfa.amsl.com>; Fri, 1 Nov 2019 14:28:04 -0700 (PDT)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D948B12004D for <dns-privacy@ietf.org>; Fri, 1 Nov 2019 14:27:41 -0700 (PDT)
Received: by mail-il1-x129.google.com with SMTP id w1so1003825ilq.11 for <dns-privacy@ietf.org>; Fri, 01 Nov 2019 14:27:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=W/PPC2KioyWniP9baICxfFDBg8gFnzcUeyPstzcnyUs=; b=qMNeL93l2K95fdV8UgU6TfRyOD9VzsULBOx8xNUghGBKwaHFq9lebK4xviWrT+yb4P gyyPgnjrFbV2sv2R3oCuUzaAZuu71fdY5T+44teIcP5kYDGF46+KaZMlRy5FNY9H8+Fj cnOfSpwKCZKJhEmRoI0JqqaqIVItYiNr6OUzmIcLJfE+/WK5ax8CPFxbJPptw0ipHpn4 Dz4FsHV3nuLiY/oAyOw5WkXp/uJ+thYmi/38jEP9bKyuhki/9HJhmjMmzNWVam+e+43Z fBic5Vt7BUSkOM2Uafaz/vsDTQYxwacisGVTepEurRihEEJhzAxef9LyLenKIvBFhRe6 1e2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=W/PPC2KioyWniP9baICxfFDBg8gFnzcUeyPstzcnyUs=; b=Y5L2YqIcVz+j8OD/lU+9BwD6sBlYF2TeYFkURyJiNYiNVG+aidrRreM9sv+oyA85C5 pB0zL7FOZJbo0/heHOaVTycDy0ymYG9rvZ3eE4J4sWM9h6q8mi8zsv4BHPpkGbriSnh9 mARon+aTDPDr5OS+11nQfEyZtYPyMucBGgEit7rSmUxCn5GZfGshrTXymR2M1qA69VSz pWlwZz3n7bh3b1ZCRCrAlIQltxTzaBGf9u76lVXNys4JCX2AyoA9qmnKNJ5RRkc0k9NK mZCeOkFzJY3fsMPdYtXFXLfQwsxwVZNdKhskWa8Os1qIH2LRuBwOvEK6Ik647US6OwpM XDJw==
X-Gm-Message-State: APjAAAUm8kzKvk7vctviDjQrBUb/50dlYbRPFwt3AbxF8p6JM7IrcVJb 2dzC/OdLjdRzmRsZQVdZI7OGJo/DwDoh43O1avI=
X-Google-Smtp-Source: APXvYqxwRJz+Dx/qenbX5YRZLxLqif1W5vfSc3Fe3lj3NLFPr+QJIOXwP5LSCu9PqN6xSzyb7EKsWgW76yTt6kRR1+c=
X-Received: by 2002:a92:9957:: with SMTP id p84mr15299906ili.290.1572643661000; Fri, 01 Nov 2019 14:27:41 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <CAH1iCiphfkJKAAFTGw78ps-4O9BBRW2kKyWhXvnOJHx9VGHkuw@mail.gmail.com>
In-Reply-To: <CAH1iCiphfkJKAAFTGw78ps-4O9BBRW2kKyWhXvnOJHx9VGHkuw@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Fri, 01 Nov 2019 14:27:14 -0700
Message-ID: <CA+9kkMCoAduVAgoekUQiJVpW+WRBNcPaKcnBBEvZWu1DKF2LjQ@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c5b4cc05964fa2f1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/diiLCxMK4rWZo2VsVnviT8e4STs>
Subject: Re: [dns-privacy] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2019 21:28:06 -0000

(cutting a good bit)

On Fri, Nov 1, 2019 at 12:54 PM Brian Dickson <brian.peter.dickson@gmail.com>
wrote:

>
>
> If the attacker does not have access to the timing data, IMHO the R2A
> queries expose no PII, since the query data cannot be associated with an
> originating client.
>

In the cases where EDNS Client Subnet is used, it does seem to associate
the query with a pool of potential clients even when there is no timing
data; depending on the size of that pool, this could easily represent a
loss of privacy.


> In this case, an on-path active attacker isn't actually a threat (!!).
>
>
Even without EDNS Client subnet, the active attacker now has access to new
targeting data.  Let us say that the active attacker sits in front of
vlogsite.example.  If the attacker sees a query for
free-disputed-territory.vlogsite.example, the information that specific
recursives are seeing that traffic may be of interest to one or more of the
parties disputing the territory.


If this strategy is used, this creates an interesting side effect.  On a
> busy enough resolver, the regular cache refresh traffic may be significant
> enough to negatively impact timing attacks against encrypted C2R traffic in
> determing IP/QNAME matches, even if port 853 is blocked and all traffic is
> on port 53.
>

This is similar to the logic this working group used to conclude that doing
the client-to-recursive first was the right choice.  I don't think the fact
that it is still true when port 853 is blocked refutes the advantages of
encrypting recursive to authoritative traffic.


This risk needs to be given context, specifically where are the client, the
> recursive, and authoritative, and whether an attacker is able to block port
> 853 to cause the downgrade?
> The current passive attack does not require the attacker to expose her
> existence, while port blocking reveals the existence (if not the identity)
> of the attacker.
>

I think Eric's point is different from a standard downgrade by port
blocking.  If the attacker is on path and there is no authentication of the
authoritative server, then a back-to-back user agent can be used to
eavesdrop on the query traffic.  Your recursive makes a TLS connection to
the attacker and sends a query; the attacker reads it and retrieves the
answer from the authoritative server in order to provide you a reply.
You get the right answer (and can even use DNSSEC to check it), but the
query stream still leaked to the attacker.  This is an active attack
(because the attacker terminates the TLS connection and starts a new
outbound connection), but the result is equivalent to what a passive
attacker would get from port 53 data.

regards,

Ted

v2.23.0 | Report a Bug | By Email