Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-dtls-and-tls-profiles-09: (with COMMENT)
Sara Dickinson <sara@sinodun.com> Thu, 11 May 2017 12:12 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1125012EC5B; Thu, 11 May 2017 05:12:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kf88lvw0spQT; Thu, 11 May 2017 05:12:41 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B368A12EC69; Thu, 11 May 2017 05:10:11 -0700 (PDT)
Received: from [2a02:8010:6126:0:bc7d:946c:833c:205e] (port=57071) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <sara@sinodun.com>) id 1d8mv1-0003f0-Ob; Thu, 11 May 2017 13:10:08 +0100
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <6C08BAA0-7801-4388-885D-9A3E6A6751D8@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_722CAE1B-A13D-4F49-BA9B-B7D425A635B6"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 11 May 2017 13:10:04 +0100
In-Reply-To: <149437248346.22508.847522278141179102.idtracker@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-dtls-and-tls-profiles@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dprive-chairs@ietf.org, dns-privacy@ietf.org
To: Adam Roach <adam@nostrum.com>
References: <149437248346.22508.847522278141179102.idtracker@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3273)
X-BlackCat-Spam-Score: -28
X-Mythic-Debug: State = no_sa; Score =
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/f0kmj72_sXWwjvzLS6nZLt8sRH0>
Subject: Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-dtls-and-tls-profiles-09: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 May 2017 12:12:44 -0000
> On 10 May 2017, at 00:28, Adam Roach <adam@nostrum.com> wrote: > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > The final paragraph of section 6.6 says "The system MUST alert by some > means that the DNS is not private during such bootstrap." -- presumably, > this means "client" where it says "system" (as opposed to any other part > of the infrastructure) -- but I'm having a hard time envisioning how this > gets practically implemented, given that the functionality described by > this section is going to be implemented in DNS stub resolver libraries, > which tend to be pretty far removed from any user interface. Given that > this is a MUST-strength requirement, I think it would be very useful to > describe what this alerting might look like for (a) interactive > applications like a web browser; (b) commandline utilities like curl; and > (c) background tasks like software update daemons. This would provide > some context for the library implementors to provide the proper hooks to > enable this "MUST" to be satisfied. This paragraph was actually lifted almost directly from section 4.2 of RFC7858, which says "The user MUST be alerted whenever possible that the DNS is not private during such bootstrap.” In the working group there was push back against attempting to specify any further level of detail with the feeling that that was out of scope for this draft to attempt UI design. However if there are now specific ideas on how to do this then we should consider including them. > > Section 11.1 mentions that it will describe techniques for thwarting DNS > traffic analysis, including "monitoring of resolver-to-authoritative > traffic". I see that there have been measures added to prevent > authoritative servers from determining the identity of the client; but > given the phrasing I cite above, I was expecting a description of how to > prevent eavesdroppers who can see both incoming and outgoing traffic from > the recursive resolver from correlating the encrypted packets I send to > that resolver with the plaintext queries it emits for non-cached results. > As far as I can tell, there are no described counter-measures against > such an attack (aside from hoping that volume of traffic to the resolver > is too great to perform such correlation with any real precision), right? The EDNS0 Padding option (RFC7830) described in the first bullet point here is the only counter measure available to defeat monitoring traffic either side of the recursive by hiding the encrypted message size. Actually there has been further work on padding recently in https://datatracker.ietf.org/doc/draft-ietf-dprive-padding-policy/ <https://datatracker.ietf.org/doc/draft-ietf-dprive-padding-policy/> and also research by dkg (https://datatracker.ietf.org/doc/draft-ietf-dprive-padding-policy/ <https://datatracker.ietf.org/doc/draft-ietf-dprive-padding-policy/>) which is planned to be incorporated into the padding policy draft. So it certainly seems correct to add a reference to the padding policy draft here. > > Nits: > draft-ietf-dprive-dnsodtls has been published as RFC 8094 Yup - will update. > The draft header indicates that this document updates RFC7858, but the > abstract doesn't seem to mention this, which it should. It should - I will add that. Sara.
- [dns-privacy] Adam Roach's No Objection on draft-… Adam Roach
- Re: [dns-privacy] Adam Roach's No Objection on dr… Sara Dickinson