IETF Logo Mail Archive

Re: [dns-privacy] Use of 0-RTT in DNS over QUIC

Christian Huitema <huitema@huitema.net> Sat, 31 July 2021 00:21 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 591713A1944 for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 17:21:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.411
X-Spam-Level: **
X-Spam-Status: No, score=2.411 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=5, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z5hpm3Mpmzpt for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 17:21:39 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 099BD3A1972 for <dprive@ietf.org>; Fri, 30 Jul 2021 17:21:38 -0700 (PDT)
Received: from xse390.mail2web.com ([66.113.197.136] helo=xse.mail2web.com) by mx136.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m9ckt-000UTc-EM for dprive@ietf.org; Sat, 31 Jul 2021 02:21:34 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4Gc4gq61RBz1kmJ for <dprive@ietf.org>; Fri, 30 Jul 2021 17:21:27 -0700 (PDT)
Received: from [10.5.2.17] (helo=xmail07.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m9ckp-0007VH-Mk for dprive@ietf.org; Fri, 30 Jul 2021 17:21:27 -0700
Received: (qmail 25297 invoked from network); 31 Jul 2021 00:21:27 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.253]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dprive@ietf.org>; 31 Jul 2021 00:21:26 -0000
To: Robert Evans <evansr@google.com>
Cc: Ben Schwartz <bemasc@google.com>, "dprive@ietf.org" <dprive@ietf.org>
References: <35e1a3d6-1654-4903-7f1b-77685f59a890@huitema.net> <CAHbrMsB5LEFjfO7o+oLm-i8nccDg9DwnAvFa+pnAUKQvkGfbRA@mail.gmail.com> <CAPp9mxJDKSJ+iQiB0RSd71CjRGeKHU=C4TyRnJKCeBNZiurdHQ@mail.gmail.com> <f534eedc-3db7-b770-ba22-1d325ad11658@huitema.net> <CAPp9mxLm2cOxrOX6rCaNLnSbLJ_XqE+G-ZW6Kh9W9u-i+A9VZQ@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <a208305f-be69-68b3-898f-b008d1123d12@huitema.net>
Date: Fri, 30 Jul 2021 17:21:25 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <CAPp9mxLm2cOxrOX6rCaNLnSbLJ_XqE+G-ZW6Kh9W9u-i+A9VZQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.197.136
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.12)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT/vqCWo+o9FyEF1acwECbYqPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5wwIbsUgx3VwKj5vUcMDcmx42UuDhyzVYcwl2RB+0Aaet68 InbsXGSpIBvSDWKj7HQh55uqY3MhMgFAHq5BxPxPXn36fLqvhISQ5ykyqUZqUd1jhnM/Mbva2XLV /LIEzaL2KoAZhJekBPedneT7f699UuS9Bt/28NzUpT//Ljs5DIPAgTtUp75uqlx0KezvZHV8InZ+ 7lKRjU3tJ9MJeN7wWQaaSSaRcFTFxaRvADgOuFdAU5fRzM/QzQW9/IoH33AG8ECuCwECazCwODtO F78PiyQEs+dlGXUJLWZ+Gc08Nmllke3azHdKmySKNUVQl4ntlVxnbS8qIO7oudHyb2T1VQ58xe/l rqiRGalI3YPsxOTrFXToVyBmRCgQVX6zVyFUu8qzeMQP6uTHL0d9UjfY+eX5ZvcELCIKs663F/co VFYFvf25LVONYbYifH5OzZDcG6hsRQZiAIgw+z837AqgX7ewI8e1h7RITgN14BHmGVt/ReJ9Mfhz zmbKTH7wI9GEU1utNskUAORCV2WFZX0jUeJfX5HDIsTH89Prkv7CGV7lLXQUcNAszDsnoUOr0Bhm 35QrJNKbuq75El3lManFOI+gTB/pfSlbi1HgG7umZ25gpnihbI3Vv1c2tRvdVD2GbN7BITAZon7Z Iz1ONK9yUo4/+EUytKrR9Md9I2Rs1xWCu5wnjOPwDQapE38BDX1PCC/cRgvQKtcrMMueERx3uacZ L9i3XZ7XRnB24/DPoD+jy9Ev4aiU+mXTR0n7PcSIaIzNoZzswxuMaWjBAlpwDHKQauIlsJBez2pz US8dvvUf9oDBqtClgM5jH/om1Q5UomG0v+rwIiID/kwKc8V5Tj9+FRkaOS/DNjANmb8tO61SbYdY AwdpaVzHW7wHO7YhEWyJzIkwSFAW0Pw8uiKeubcolFl/rX+2ReQklqJDASQX2Id+W5hjJNcdGs0+ iHjXODmj5PX/tZQU3bYnWKpb
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/hzZGGIdjq4iknMWHq1HIklmMw_w>
Subject: Re: [dns-privacy] Use of 0-RTT in DNS over QUIC
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Jul 2021 00:21:43 -0000

On 7/30/2021 1:38 PM, Robert Evans wrote:
> On Fri, Jul 30, 2021 at 4:02 PM Christian Huitema <huitema@huitema.net>
> wrote:
>
>> I think we have a reasonable guideline here. 0-RTT for QUIC is so
>> compelling that clients and servers will still do it, even if we tell them
>> not to. So it is better to try provide usage guidelines on how to do that
>> safely.
>>
>> Robert's proposal fall in two categories: some are about embracing 0-RTT
>> in order to ensure good performance, like accepting early data and
>> ensuring a minimum lifetime of tickets. (With some nits -- you cannot set
>> the max_early_data_size to 512 bytes in QUIC, you have to use a QUIC
>> transport parameter instead.) Then, some of the recommendations are about
>> "try to keep it safe":
>>
>> 1) Do not accept a client hello that is older than 30 seconds. This would
>> limit the efficacy of the replay attacks, because it probably takes at
>> least 30 seconds to ensure that the cache is empty. But I am not too sure
>> how one tests the lifetime of a client Hello.
>>
> See https://datatracker.ietf.org/doc/html/rfc8446#section-8.3.

I see. The proposed mechanism uses the obfuscated_ticket_age, from which 
the server can deduce the time at which the client sent the ClientHello. 
That's a good check for cooperating clients, but I do not think that it 
was designed to control replay attacks. The value is encoded by the 
client as the sum of the age of the ticket in milliseconds and the 
ticket_age_add parameter of the ticket. Attackers do not have access to 
the ticket_age_add value, but they do not need to. They merely need to 
increment the obfuscated_ticket_age by the delay in milliseconds between 
capture and replay. I would not recommend relying on that mechanism as a 
defense against cache probing attacks.

>
> The idea is the ticket age from the client in conjunction with the ticket
> issuance time is used to estimate the age of the ClientHello. I have no
> idea if there's an equivalent in QUIC-TLS.
>
>> 2) Implement replay protection is a good idea. Some server deployments
>> support that. But I understand that this kind of support ends up enforcing
>> "only once" use of tickets. This contradicts the request for non-single-use
>> tickets, or the request to "offer tickets only on full handshakes or if
>> ticket is old".
>>
>> Some QUIC stack will disable 0-RTT if the ticket is older than 30 seconds,
>> only allowing resumption. This is reasonably easy to implement.
>>
> Single-use tickets, stateful replay protection, and limiting
> session tickets to 30 seconds all bias against 0-RTT, hence we should draft
> something which recommends avoiding all of those.

Single use tickets are not a problem if the ticket is renewed after use. 
We are concerned with replay attacks, but in the case of a replay attack 
the handshake does not conclude correctly. Renewing a ticket after the 
handshakes concludes correctly should work in most cases. Note that we 
are bound to recommend single use tickets anyhow, because the ticket is 
a unique identifier of the client and reusing it enables tracking.

I understand your concern about limiting 0-RTT capability to a short 
duration. I am just looking for alternatives that can easily be 
implemented in multiple stacks. If something like the 
obfuscated_ticket_age mechanism was robust against replays, it would 
work. But as it is, I don't think it does.

>
> In other words, I think we should try to design DoQ to allow and recommend
> deploying 0-RTT such that almost all queries can use 0-RTT after first
> contact except in the long-tail case where the resolver almost never sends
> queries.

I agree with that goal. But I would like a mechanism by which servers 
can reliably prevent replay attacks.

-- Christian Huitema


>
>> -- Christian Huitema
>>
>>
>> On 7/30/2021 8:56 AM, Robert Evans wrote:
>>
>> DoQ plus 0-RTT seems very compelling for achieving 1-RTT query/response
>> parity with Do53.
>>
>> As such I think the spec should discuss 0-RTT and encourage both clients
>> and servers to support it.
>>
>> I also think a recommended 0-RTT profile suitable for DoQ/T should be
>> developed and specified.
>>
>> For example (but I'm not a TLS expert, corrections welcome):
>> - self-contained, non-single-use tickets
>> - ticket_lifetime at least 6 hours
>> - early_data allowed
>> - max_early_data_size of 512 bytes
>> - implement replay protection by freshness check
>> - reject ClientHello with age over 30 seconds
>> - offer tickets only on full handshakes or if ticket is old
>> - send tickets as early as possible in the session
>> - allow resumption for any SNI offered in the server certificate
>> - no early data for mutating queries
>>
>> No opinion as to which draft should contain those recommendations.
>>
>> On Fri, Jul 30, 2021 at 10:53 AM Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
>>
>>
>> I think this should be decided as part ofhttps://datatracker.ietf.org/doc/html/draft-ietf-dprive-early-data, and
>> DoQ should just reference it.  (I don't necessarily agree with the present
>> contents of that draft.)
>>
>> As for what draft-ietf-dprive-early-data should say, I don't have a strong
>> opinion.  However, I do think it's notable that most recursive resolvers
>> allow "cache probing" by setting RD=0 in the query, which enables a
>> relatively straightforward plaintext recovery attack on 0-RTT queries on
>> multi-instance recursive resolvers.  An attacker can probe a cache instance
>> until some records of interest fall out, then replay the 0-RTT query and
>> repeat the probes to see if any of them reappear.  As such, I think it
>> might be appropriate to strengthen the replay defense requirement for
>> encrypted DNS beyond the "SHOULD" in RFC 8446.
>>
>> (See also https://github.com/tlswg/tls13-spec/issues/1225)
>>
>> On Thu, Jul 29, 2021 at 8:31 PM Christian Huitema <huitema@huitema.net> <huitema@huitema.net>
>> wrote:
>>
>>
>> The DNS over QUIC draft lets client and server negotiate 0-RTT, with
>> minimal guidance. The privacy section develops the risks of replay
>> attacks, and then effectively lets clients decide whether to use 0-RTT
>> or not. Martin Thomson pointed out the contrast with RFC 8470 which
>> provides great details on the use of 0-RTT data in HTTP, and also
>> introduces a new error code to let server refuse some transactions if
>> received over 0-RTT. There are indeed advantages in letting the server
>> control usage of 0-RTT, but I wonder about the proper trade-off between
>> control and complexity for DoQ. There are multiple ways to do this:
>>
>> - Allow servers to not advertise support for 0-RTT if they are concerned
>> with 0-RTT side effects -- very simple to implement at servers and
>> clients.
>>
>> - Let servers advertise support for 0-RTT, but have them check the
>> queries received on 0-RTT and return an error code after inspecting
>> incoming requests. This requires implementing some kind of filter at the
>> server side, plus some logic on the client to resubmit the failed
>> requests after completion of the handshake. I am a bit concerned with
>> that kind of complexity.
>>
>> - Let servers advertise support for 0-RTT, but close the transaction
>> with a Protocol Error if the server receives an unexpected request --
>> e.g., an Update. That also requires some filtering of 0-RTT packets at
>> the server side, but is simpler than the full inspection considered
>> above. It is also reasonably easy to implement on the client, which
>> simply abstains to send some classes of requests over 0-RTT.
>>
>> - Or, of course, allow servers to support 0-RTT without any kind of
>> filtering.
>>
>> Any particular opinion in the working group?
>>
>> -- Christian Huitema
>>
>>
>>
>>
>> _______________________________________________
>> dns-privacy mailing listdns-privacy@ietf.orghttps://www.ietf.org/mailman/listinfo/dns-privacy
>>
>> _______________________________________________
>> dns-privacy mailing listdns-privacy@ietf.orghttps://www.ietf.org/mailman/listinfo/dns-privacy
>>
>>
>> _______________________________________________
>> dns-privacy mailing listdns-privacy@ietf.orghttps://www.ietf.org/mailman/listinfo/dns-privacy
>>
>>

v2.23.0 | Report a Bug | By Email