Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 14 September 2020 05:59 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCC3A3A0B44 for <dns-privacy@ietfa.amsl.com>; Sun, 13 Sep 2020 22:59:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.913
X-Spam-Level:
X-Spam-Status: No, score=-1.913 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GSu0eP5LyYrs for <dns-privacy@ietfa.amsl.com>; Sun, 13 Sep 2020 22:59:27 -0700 (PDT)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [216.205.24.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C5E13A0BDC for <dns-privacy@ietf.org>; Sun, 13 Sep 2020 22:59:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1600063166; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=g/I8EvTa9V/rcnSOq7Br7zPlTRW3gTatnssKe6YAAY4=; b=BFUu1K1AWCYe1FiHZ82uv2ayq/pMLYEB8u+Jr8CuzC6XeeGKGDX7SeoOzsD67UXzOyOLf4 dx0zcPAFVkC8xmDj2ZEdR8tUJBjEfiv2lTYeRHwIV6koECsLBns+ikhiYt1wvxdYvw99ot BGjZQ27SOl5rlnAhwrE3HibRddczQDE=
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2100.outbound.protection.outlook.com [104.47.55.100]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-575-XoCtDSmKPnKfdz26tEExHw-1; Mon, 14 Sep 2020 01:59:23 -0400
X-MC-Unique: XoCtDSmKPnKfdz26tEExHw-1
Received: from MWHPR16MB1535.namprd16.prod.outlook.com (2603:10b6:320:27::22) by MWHPR1601MB1213.namprd16.prod.outlook.com (2603:10b6:300:e5::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.16; Mon, 14 Sep 2020 05:59:20 +0000
Received: from MWHPR16MB1535.namprd16.prod.outlook.com ([fe80::2c78:9d07:93df:7231]) by MWHPR16MB1535.namprd16.prod.outlook.com ([fe80::2c78:9d07:93df:7231%12]) with mapi id 15.20.3370.019; Mon, 14 Sep 2020 05:59:19 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Ben Schwartz <bemasc@google.com>
CC: Neil Cook <neil.cook@noware.co.uk>, "Winfield, Alister" <Alister.Winfield@sky.uk>, DNS Privacy Working Group <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification
Thread-Index: AQHWhiwscciY/xv4J0imEUovZmppualgYJqAgAAPkwCAABcTgIACZErwgACc2ICABB7zwA==
Date: Mon, 14 Sep 2020 05:59:19 +0000
Message-ID: <MWHPR16MB15352BEEDD980A29919DDFA9EA230@MWHPR16MB1535.namprd16.prod.outlook.com>
References: <6e071da2-4281-d525-03ba-4d6dfc843a76@innovationslab.net> <CAHbrMsB7T+5Y=2n4LfcXwyAZQSnK4x72R44_2mCDsLhh_zD9Vw@mail.gmail.com> <8C6ABDA8-9A0E-44BB-AE23-43F97AF29730@noware.co.uk> <CAHbrMsD2y0o+uV9eiAb32_=6ZYwAUoS_zM5+T97SxnHzxB05bQ@mail.gmail.com> <0799B139-E353-4EC7-9340-87CE00C465AA@noware.co.uk> <CAHbrMsC=kOYUL_Ei1uSnWJ3hGxu=7c10eRofXJ=w5sQzcbu6mA@mail.gmail.com> <3A9BCDDD-883D-470E-A547-79839149F8EE@sky.uk> <CAHbrMsDVZMNNhwqTUexRL3R=HoEfDTWsoXnr=bdTaWyTXV_=rw@mail.gmail.com> <C8137D01-5903-4CFA-A315-67D7012EC583@noware.co.uk> <CAHbrMsAbGci08qR+NL9Csdej_VFpfZxSdHXfwAM6azB-DryQQQ@mail.gmail.com> <MWHPR16MB153572F70A9CACA49FE01D76EA240@MWHPR16MB1535.namprd16.prod.outlook.com> <CAHbrMsDikJmDNzwmJvvPiZOpvTPkAGwj-Sj3TSzLRgAkr9rbYg@mail.gmail.com>
In-Reply-To: <CAHbrMsDikJmDNzwmJvvPiZOpvTPkAGwj-Sj3TSzLRgAkr9rbYg@mail.gmail.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.5.0.60
dlp-reaction: no-action
x-originating-ip: [49.37.199.141]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2c357277-1a7a-4f81-e927-08d858735248
x-ms-traffictypediagnostic: MWHPR1601MB1213:
x-microsoft-antispam-prvs: <MWHPR1601MB12135E604DA7C4ED67629620EA230@MWHPR1601MB1213.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 4Yt4heovdeJ2RqJ35SWciFymUCOZHo7YTjb/2tyuNlIcY87v1gsIkGZf1yAniZwWcGFaw8xLPqfhJ/rzUZQQOFObjf0W+SukBh8tiscLZX9Td+AZIH3Z1m9XhDS/BUGsP26IVjRDenLnbhW9VPqqkHBXJtbUNns0CGh3N3sE0ScH/hzYgXE/wcGnQUlnCEveiFpIjlDw18srzL/PUnePG11xs7zGcaXwyY8LFor13Z3xBPg26JQdmlBpY6mhHX31QvYyyI+MV0mYVYg0SlxV/tRDHuAGPp07450nuGYGBjcuEMPOtvNJPEyVF9bEPn9aNihuOlEiP1vrtQjPJMdXjVWvw7DBd4U7QtS52mCYGcv5PmJrhC0aSDD81kal84tcUwGBv0x+LOFuPsMJxE4c0w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR16MB1535.namprd16.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(376002)(39860400002)(366004)(136003)(346002)(32952001)(316002)(76116006)(478600001)(66556008)(64756008)(5660300002)(52536014)(66476007)(9686003)(66446008)(2906002)(55016002)(66946007)(54906003)(86362001)(71200400001)(6506007)(53546011)(8676002)(26005)(8936002)(33656002)(186003)(83380400001)(9326002)(4326008)(7696005)(66574015)(6916009)(85282002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: CMS6M7OC3Z/ujrM9MLMEaDKhpl2t92BgAInzpkaT8zEJCUJ9T9Kq369E8dZBu7Pl5TkpatLBiejOfUWRaBEisWCIjGS8djYwZ2XsTdC1jnPigdcV2Nx0HKMvDz7V3liJhgYajbZvvuPBcrmR+YyXH4IfBTfWEJ+hnILt+5tFVlbmliWAAkQht7ycLq/hIM/H6LSk8Wv4uI0qVenIgdz9XM0D2gDAlOK4XbCA/bTMTgUshLlM1Zmkv/19lVpeIxi7/klboFym+M4TQNRMgMn58DUkdWwN7XX4rdO0h51C3CY8P6pvbJaohchoRDTLaevtBH031+miKxmJy7q2GekRHB2wFWPLbxQHGv0k2OoTUEuyzj8Ee9ie/cXX4MpZBaFVAGQtIRmt9UYI++Z2lIacMzQyB+CV0W15GYkv6b5AI6RvRpeg0PfNYmV6D0yaGeCvowK1wPqwnMLAPxktTP4pzzEmp8xpA9PfmQVDeMYrL1oE0t4GyEZNFX2kLAI4lqmFuGxIyD02EG12OjzYPf40y8A45IgICvAK8IGEr/lP7Ut2C5y3Wz2SrqroWFuKMtO2HadhD84bcrYFApsf9ERBw4zNxuwyMZ7D9VnrXPJlaNWqQ3kdhs3fJ6UMcyn0qfv10NUCEDPTA1M7FxbtEFOdTw==
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR16MB1535.namprd16.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2c357277-1a7a-4f81-e927-08d858735248
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Sep 2020 05:59:19.5109 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nCqfbTwAac3cW+FSr+Y2kb+vbYSFf5ctZ85EFbDdcxGnaIwLLjk6kjwac4XGINKBiblU1luNqpQj5HMy8N+y7Dm+YWPIDfVuEhTeDrhm48AqJ9Sl12PQ124K7Z9NTLej
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR1601MB1213
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA40A35 smtp.mailfrom=tirumaleswarreddy_konda@mcafee.com
X-Mimecast-Spam-Score: 0.002
X-Mimecast-Originator: mcafee.com
Content-Type: multipart/alternative; boundary="_000_MWHPR16MB15352BEEDD980A29919DDFA9EA230MWHPR16MB1535namp_"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/_Z4yUcG_ILkki5zYgIg70cJ4OPU>
Subject: Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2020 05:59:30 -0000

Hi Ben,

Please see inline

From: Ben Schwartz <bemasc@google.com>
Sent: Friday, September 11, 2020 8:17 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
Cc: Neil Cook <neil.cook@noware.co.uk>uk>; Winfield, Alister <Alister.Winfield@sky.uk>uk>; DNS Privacy Working Group <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification



On Fri, Sep 11, 2020 at 1:40 AM Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com<mailto:TirumaleswarReddy_Konda@mcafee.com>> wrote:
...
* How does the server know which CPE to redirect the client to?

I’m are assuming here that this is an ISP running both elements so knowing how to map the incoming IP to the name its currently using / was told to use is relatively trivial.

Trivial, perhaps, but not necessarily secure.  An adversary in the network could alter the IP headers to change the apparent client location, causing the client to be redirected to an attacker-controlled CPE, thus defeating the integrity assurances of DoH.

Possible, but I’m not sure this is a practical attack. The attacker would need to be able to also change all the IP headers in the return packets to their original values (that’s hard enough to do for legit purposes).


Sure, but if you assume we don't have a sophisticated active adversary in the network, then we don't need authenticated encryption, and we can solve this without involving the client at all.

[TR] The DNS server hosted on the CPE will only be reachable by endpoints connected to the home network and not accessible to the outside world. If an attacker changes the rules to accept external connections to the DNS server hosted on the CPE managed by the ISP, it can take remediation measures like block internet access to the compromised router or revoke DNS server certificate or block unsolicited incoming traffic to the DNS server on the compromised CPE.

An on-path attacker can change the IP headers but will not succeed establishing encrypted DNS session to the DNS server on the attacker-controlled CPE.

An on-path attacker could be inside the victim's home network, rerouting the victim's connections into the attacker's network.

[TR2] I think you are referring to an internal attacker acting as an on-path attacker setting up a tunnel to the attacker's network to discover the DoH server on the attacker-controlled CPE (similar to VPN on from branch/virtual office to HQ). This attack looks expensive and possibility can be detected by TOFU (assuming attacker will not be always be on-path).

My broader point is that the proposed architecture requires a weaker threat model than the one used by HTTPS (and therefore DoH).  We should consider that threat model carefully before selecting a solution.  A weaker threat model can be a good thing: it may mean that there is a much easier solution.

[TR2] Agreed.

Cheers,
-Tiru


-Tiru

Also, the attacker has to have compromised an ISP-managed CPE, and that CPE still needs to be running on an ISP-managed network connection.

Maybe.  As Alister noted, in some models the subscriber can acquire a DV cert for the name without reaching inside the CPE.


Neil