Re: [dns-privacy] Benjamin Kaduk's No Objection on draft-ietf-dprive-bcp-op-10: (with COMMENT)
Sara Dickinson <sara@sinodun.com> Wed, 01 July 2020 09:11 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62C6A3A0C96; Wed, 1 Jul 2020 02:11:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E3Bz5fRLvBaC; Wed, 1 Jul 2020 02:11:28 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C6563A0C95; Wed, 1 Jul 2020 02:11:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:From:Subject; bh=Y/qJky57BF5OZeKFsbFqjtRucEOwWREFHdkqZoQWR3M=; b=LLOCZnBhwvd2TySD70PXQ+bfuH T22YLLCRM0+iHBDurWQW+/9Db94xwsW5K6EG48xlx59Dpy/PDn0v4nhJ9gmVOOOXnz2rMO4XXnOaM gB0zFpi1pq+pwkH+o2L7jpKli0knFVTB6nZKcbiY02fdA7rJocmup6FMjdIXtpZF36ufhvTj3GXG7 hX5/nH1tZukefFTjkKQBGgSuUFu16PkjGDWBLP1TXf4mECWzIPyKE+m8CYlrOf2PGDsECxIhyak6m t2jS8O7Ng9r3FfWgzqGNKy0e5u1HLePeTpyV9paAT9TDwWIWlmdGMROkfXrAPrD/Ej96swD93KW0p LEdP6kTw==;
Received: from [2a02:8010:6126:0:e1d4:15cc:815f:b90d] (port=58845) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1jqYm2-0007Hu-Vj; Wed, 01 Jul 2020 10:11:27 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <0758B639-F64F-45AC-902E-7D54351F8CBD@sinodun.com>
Date: Wed, 01 Jul 2020 10:11:20 +0100
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-bcp-op@ietf.org, dprive-chairs@ietf.org, dns-privacy@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <ADD78014-33D1-440B-8AD1-CDED48300447@sinodun.com>
References: <159330300489.12320.18419359650411975029@ietfa.amsl.com> <0758B639-F64F-45AC-902E-7D54351F8CBD@sinodun.com>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3445.104.14)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/j2Ry0BlthcC3LCnPf2jCiOeKgEQ>
Subject: Re: [dns-privacy] Benjamin Kaduk's No Objection on draft-ietf-dprive-bcp-op-10: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 09:11:31 -0000
Hi Ben, Thanks for both your responses and for updating the DISCUSS! Best regards Sara. > On 29 Jun 2020, at 17:47, Sara Dickinson <sara@sinodun.com> wrote: > > > >> On 28 Jun 2020, at 01:10, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote: >> >> Benjamin Kaduk has entered the following ballot position for >> draft-ietf-dprive-bcp-op-10: No Objection >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-dprive-bcp-op/ >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> Thank you for the updates, including those that resolve my Discuss points. >> I do have several new comments on the -10. > > Many thanks for the detailed review of -10. > >> >> [note that I did not attempt to repeat comments made at >> https://mailarchive.ietf.org/arch/msg/dns-privacy/bOK3mcSn-79wrAsawRQONBOZGGI/ ] >> >> Section 1 >> >> Whilst protocols that encrypt DNS messages on the wire provide >> protection against certain attacks, the resolver operator still has >> (in principle) full visibility of the query data and transport >> identifiers for each user. Therefore, a trust relationship exists. >> >> I commented previously about the strained nature of this conclusion, and >> part of the response to that comment included a statement that "this >> text is from the original RFC 7626". However, I don't see any sign of >> this statement in RFC 7626 (and, per google, any other RFC), so perhaps >> the reluctance to update at this stage is misplaced. > > You are quite right - my apologies - this text was in the very first draft of the BCP and is not in RFC7626! > > You previously proposed > “Therefore, a trust relationship (whether explicit or implicit) is assumed to exist > between each user and the operator of the resolver(s) used by that user.” > > which seems reasonable. Will update. > >> >> Section 5.1.3.2 >> >> Is (HTTP/2, EDNS(0)) padding a privacy threat or a mitigation? > > Good catch - bullet added to the wrong list in -10! Fixed. > >> >> Section 5.2.1 >> >> The following are recommendations relating to common activities for >> DNS service operators and in all cases such activities should be >> minimized or completely avoided if possible for DNS privacy services. >> >> Are the "such activities" that should be avoided the "common activities" >> that we're giving recommendations for? > > Suggest: “and in all cases data retention should be minimized or completely avoided “ > >> >> Section 5.2.4 >> >> nit: comma before "e.g." (as well as after) >> >> Section 5.3.1 >> >> operator is happy with. However some operators consider allowlisting >> to incur significant operational overhead compared to dynamic >> detection of ECS on authoritative servers. >> >> nit(?): is this "detection of ECS support”? > > Both fixed. > >> >> Section 6.1.2 >> >> Should we mention the DoH URI template (if any) here, as well as the >> address+port combos, DoT authentication domain name/SPKI/etc.? >> >> 2. Client facing capabilities. With reference to Section 5 provide >> specific details of which capabilities are provided on which >> client facing addresses and ports: > >> Is perhaps Section 5.1 a better reference than all of Section 5 here? > > I see the ambiguity (and the outdated section reference after a renumber). I think this should read: > > "With reference to each subsection of Section 5.1 provide specific details of which capabilities (transport, DNSSEC, padding, etc.) are provided on which client facing address/port combination or DoH URI template. For Section 5.1.2, clearly state which specific authentication mechanisms are supported for each endpoint that offers DoT: > > * The authentication domain name to be used (if any). > * The SPKI pin sets to be used (if any) and policy for rolling keys.” > > > IIRC the bullets were added just for clarity as none, one or both mechanisms might be used by a particular end point. > >> >> Section 8 >> >> We should probably link to the security considerations sections of >> DoT+DoH as well as RFC 7766. Arguably, those for DNSSEC as well. > > Yes - I’ll add. > >> >> Section 12.1 >> >> It's not immediately clear that RFC 8404 needs to be a normative >> reference (it's cited for the DNS Privacy Threat that "increased use of >> encryption can impact [...] operator ability to monitor traffic" but >> that's just an informative notice and does not really give specific >> implementation advice to adhere to. >> >> Section 12.2 >> >> The way in which we cite RFC 7457 seems to be incorporating it by >> reference, which would arguably make it a normative reference. >> >> RFC 7706 should also be normative, since we have a recommended behavior >> for running root on loopback. >> >> Likewise we mandate/recommend behavior from RFCs 7871, 8020, 8198, and >> 8490, making them normative. > > Done. > > >> >> Appendix A.2 >> >> o Section 8 of [RFC8484] outlines the privacy considerations of DoH. >> Note that depending on the specifics of a DoH implementation there >> may be increased identification and tracking compared to other DNS >> transports. >> >> I would suggest noting that this document recommends against the use of >> these mechanisms that might lead to increased identification/tracking. > > Done. > >> >> Appendix B >> >> nit: s/Pseudoanonymization/Pseudonymization/ >> >> use of a format-preserving technique is essential. This, though, is >> not cost-free - several authors (e.g., [Brenker-and-Arnes] have >> observed that, as the entropy in an IPv4 address is limited, given a >> de-identified log from a target, if an attacker is capable of >> ensuring packets are captured by the target and the attacker can send >> forged traffic with arbitrary source and destination addresses to >> that target, any format-preserving pseudonymization is vulnerable to >> an attack along the lines of a cryptographic chosen plaintext attack. >> >> nit(?): the way this is written ("given a de-identified log from a >> target") makes it sound like the log is obtained first, and then >> afterward (new) traffic with known addresses is generated (i.e., not in >> the initial log), and somehow this allows for the deanonymization. My >> understanding was that the known traffic needed to be part of the log >> being deanonymized, i.e., the causality reversed from my above >> description. > > Suggest: > > "This, though, is not cost-free - several authors (e.g., [Brenker-and-Arnes] have > observed that, as the entropy in an IPv4 address is limited, if an attacker can > * ensure packets are captured by the target and > * send forged traffic with arbitrary source and destination addresses to that target and > * obtain a de-identified log of said traffic from that target > any format-preserving pseudonymization is vulnerable to an attack along the lines of a cryptographic chosen plaintext attack. > > >> >> Appendix B.1 >> >> o Filtering. Removing (and thus truncating) or replacing data in a >> field. Field data can be overwritten, often with zeros, either >> partially (grey marking) or completely (black marking). >> >> Is there a reference for grey/black marking? If they are not in common >> use, perhaps there is not additional value from mentioning these names. > > The term 'black-marker anonymization’ is used throughout RFC6235 (which is the basis of this categorisation) and in other sources but I don’t see grey-marker used there and I’m struggling to remember where it came from… Re-reading RFC6235 I think ’truncation’ is more correct: > > "* Filtering. Removing or replacing data in a field. Field > data can be overwritten, often with zeros, either partially (truncation or reverse truncation) or > completely (black-marker anonymization)." > > and later in the section s/grey marking/truncation/ > >> Section D.1 >> >> There may be some privacy relevance to the precision of timestamp used >> for the various (logging) operations, relating to (e.g.) recorrelation >> with external datasets. >> > > Suggest: > > OLD: > + Absolute arrival time > > NEW: > + Absolute arrival time using a precision of ms > > > > Thanks > > Sara. >
- [dns-privacy] Benjamin Kaduk's No Objection on dr… Benjamin Kaduk via Datatracker
- Re: [dns-privacy] Benjamin Kaduk's No Objection o… Sara Dickinson
- Re: [dns-privacy] Benjamin Kaduk's No Objection o… Benjamin Kaduk
- Re: [dns-privacy] Benjamin Kaduk's No Objection o… Sara Dickinson