Re: [dns-privacy] Spencer Dawkins' Yes on draft-ietf-dprive-edns0-padding-02: (with COMMENT)
Tim Wicinski <tjw.ietf@gmail.com> Tue, 01 March 2016 11:21 UTC
Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CE651A0406; Tue, 1 Mar 2016 03:21:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lhi6ioDdDWH4; Tue, 1 Mar 2016 03:21:47 -0800 (PST)
Received: from mail-ig0-x22f.google.com (mail-ig0-x22f.google.com [IPv6:2607:f8b0:4001:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2A271A0049; Tue, 1 Mar 2016 03:21:40 -0800 (PST)
Received: by mail-ig0-x22f.google.com with SMTP id z8so15944027ige.0; Tue, 01 Mar 2016 03:21:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=0rudopfwyXNpMRGUbw07ftfgO7UbNtXbXVrc87uARPE=; b=RTaAx9ycUilQkfouPFAh8MjWPdcuTmpPp65ZZSxs5NRijC2V6MGuKjwL8IqEPGo6+y KsOnV4wpzxIBVyaLVc+PnElolesUEAg1GiC6xQUX4LO7f/SeEMCPbRNheIpxFLm5T0zx RD57MawzCDMThW40WS8JMdL0kA6rZj5IK5lYOsa9/68hFlwBFEfmJhkvch3CmddvUE3J DTIxIVcIN2+XNzD9gWlFmiJtWSVJdY2oX41f7HYbgFo+yl7Kv+ccdrR27zIFiqvClaQW G69Jrh3YMfC+NiHly8K0RInrDOvUxHWvbOcQkWTQP0Ab0707vaQf5q+1vYC1T7QRYsoc +FJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=0rudopfwyXNpMRGUbw07ftfgO7UbNtXbXVrc87uARPE=; b=Ies72EmeBloWorXA28+g6f6qYhfxt6WWwP9nX9ZgSjOOVrKRcqadi10td2WeLXSa7h /84u5YpdwId7/3KQyeANl3/yS7cqoF1Bk6hDcgrRoKKdSAsmsPlyFcs1fDSm5RKT5+4y MzZCyN7/kIdZoWi+MrATtA26XFF+Pkl6Q1K2BGz7QiExcmeJ4OZUNlvB8ybEFUVDEPGT 4WHpJO3VzzMcZOaNkZVkdqOQDrH3ofDMJNuyWCAFhLTkeEHl7fWV3Y5R4UXMtLfdMBjG 7lwl4ulwI6rwgoxuEvBpHDzcJ7xHYuVJHuqbn+ftiUVK9kXCraLfOh1RsyyPF/WmkRHD Oh9Q==
X-Gm-Message-State: AD7BkJIGq2Pkl2sErfrtftMQJ4pF59ajFckX/yxucX4QhyeLD+aamrug5EIjqFoodyheWg==
X-Received: by 10.50.57.11 with SMTP id e11mr2967301igq.13.1456831300138; Tue, 01 Mar 2016 03:21:40 -0800 (PST)
Received: from still.local (184-19-64-38.drr03.clbg.wv.frontiernet.net. [184.19.64.38]) by smtp.googlemail.com with ESMTPSA id w80sm557583iof.37.2016.03.01.03.21.38 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 01 Mar 2016 03:21:39 -0800 (PST)
To: Shane Kerr <shane@time-travellers.org>, Spencer Dawkins <spencerdawkins.ietf@gmail.com>
References: <20160301043834.28800.4700.idtracker@ietfa.amsl.com> <20160301113940.518dc7f9@pallas.home.time-travellers.org>
From: Tim Wicinski <tjw.ietf@gmail.com>
Message-ID: <1682abe8-e5e2-b72a-b77b-d14d5a5c85db@gmail.com>
Date: Tue, 01 Mar 2016 06:21:37 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Thunderbird/46.0a2
MIME-Version: 1.0
In-Reply-To: <20160301113940.518dc7f9@pallas.home.time-travellers.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/n8PkgTM7YVw5f83HhiDhb9P1t7Q>
Cc: dns-privacy@ietf.org, draft-ietf-dprive-edns0-padding@ietf.org, The IESG <iesg@ietf.org>, dprive-chairs@ietf.org
Subject: Re: [dns-privacy] Spencer Dawkins' Yes on draft-ietf-dprive-edns0-padding-02: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2016 11:21:48 -0000
Shane's explanation on padding is a great summary of the mailing list discussion during the document review. tim (as DocumentShepherd) On 3/1/16 5:39 AM, Shane Kerr wrote: > Spencer, > > At 2016-02-29 20:38:34 -0800 > "Spencer Dawkins" <spencerdawkins.ietf@gmail.com> wrote: >> Thanks for producing this draft. I do have one question about this text: >> >> The PADDING octets SHOULD be set to 0x00. Other values MAY be used; >> for example, in cases where there is a concern that the padded >> message could be subject to compression before encryption. PADDING >> octets of any value MUST be accepted in messages received. >> >> I'm not entirely sure I understand the point of "SHOULD be set to 0x00". >> I'm not questioning the SHOULD (you explain why choosing another value >> would be a good idea, thank you ), but I'm wondering why there's a >> normative requirement at all. >> >> I was trying to guess, and one hypothesis was that if the padding is >> consistently 0x00, it's less likely to provide a covert channel (or at >> least you'd be more likely to notice packets using different padding), >> but the security considerations section didn't mention that, so I'm still >> lost. >> >> If there's a reason to zero the padding bytes in the uncompressed case, a >> sentence of explanation might be useful. > > There was a lot of discussion on the list about this very topic, > actually. I'm not sure if it can be reduced to a sentence or two. > > IIRC, the idea is that we should recommend some value there to give > guidance for implementors to avoid common mistakes (such as using > uninitialized memory, which might contain left-over values). > > Someone did raise the possibility of having a covert channel, but it > was recognized that there are so many places for putting covert data > into DNS that this is not really a concern. For example, one could > simply use any unregistered EDNS(0) option and stick data in there, or > encode it into the QNAME, or put values in the query ID, or... > > Putting random data in the padding was considered, but it did not seem > to add any real value beyond zero-padding. > > Cheers, > > -- > Shane "not an editor on the draft" Kerr >
- [dns-privacy] Spencer Dawkins' Yes on draft-ietf-… Spencer Dawkins
- Re: [dns-privacy] Spencer Dawkins' Yes on draft-i… Shane Kerr
- Re: [dns-privacy] Spencer Dawkins' Yes on draft-i… Tim Wicinski
- Re: [dns-privacy] Spencer Dawkins' Yes on draft-i… Spencer Dawkins at IETF