Re: [dns-privacy] DNS + 0-RTT
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 06 April 2016 13:10 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87C8512D1CB for <dns-privacy@ietfa.amsl.com>; Wed, 6 Apr 2016 06:10:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wwuKVf_XLJJA for <dns-privacy@ietfa.amsl.com>; Wed, 6 Apr 2016 06:10:44 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 08CA112D524 for <dns-privacy@ietf.org>; Wed, 6 Apr 2016 06:10:01 -0700 (PDT)
Received: from fifthhorseman.net (dhcp-a3ad.meeting.ietf.org [31.133.163.173]) by che.mayfirst.org (Postfix) with ESMTPSA id 9F70FF991; Wed, 6 Apr 2016 09:09:58 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id E923B200D4; Wed, 6 Apr 2016 10:03:33 -0300 (BRT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Tim Wicinski <tjw.ietf@gmail.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
In-Reply-To: <5703F0CF.3050306@gmail.com>
References: <5703F0CF.3050306@gmail.com>
User-Agent: Notmuch/0.21+124~gbf604e9 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Wed, 06 Apr 2016 10:03:29 -0300
Message-ID: <87egaidh3y.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/p0SpGpLBAXZYJhgS3zXWwHBBlw0>
Subject: Re: [dns-privacy] DNS + 0-RTT
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2016 13:10:50 -0000
On Tue 2016-04-05 14:07:27 -0300, Tim Wicinski <tjw.ietf@gmail.com> wrote: > As many of you are aware, with the TLS1.3 spec, there is some security > concerns around DNS+TLS1.3 0-RTT. dkg put together some threat models > and instead of forwarding some long thread, I figure I would put this > out there and let Mr. Gilmor lay out his theories. Thanks for the nudge, Tim! There are several different subtle security considerations with 0-RTT: a) no client authentication b) limited forward secrecy c) no replay protection d) client linkability I assume we're not talking about DTLS here, so i'm going to omit any concerns about: e) UDP-style spoofing/flooding/reflection attacks Have i missed anything? Also, i might be confused below about the state of 0-RTT and how it relates to PSK and session-resumption, though i'm more confident in my understanding based on the TLS WG discussion yesterday. But please correct me if i'm confused! client auth ----------- For standard DNS traffic, i think we don't care about property (a). that's good! forward secrecy --------------- IIUC for (b), the failing forward secrecy window is constrained by the duration of the PSK/session resumption ticket. That's doesn't seem particularly worrisome to me for DNS. replay protection ----------------- For DNS we don't particularly care about replay attacks initially, but replayable traffic might have some privacy implications. For example, if Mallory can monitor the traffic to and from the DNS resolver, and a TLS-wrapped DNS request is made that is answered from the cache, then the attacker has no additional information about what the answer is. But if the request is replayable, Mallory can capture it, and replay it at different intervals (when parts of the cache might be expired) to try to coax the recursor to call out to the authoritative resolvers, which might provide more information about the original query. This is a minor leak, but probably not something to completely ignore. client linkability ------------------ (this is in some sense the inverse of "no client authentication": we're worried that the protocol might allow the server (or others) to identify clients with greater precision than the client wants) The TLS client doing 0-RTT can be linked by the server to their previous session. If the client constrains itself to using each resumption ticket exactly once, then it limits its linkability exposure to the DNS server. If the client reuses the resumption ticket, then its sessions are linkable by any network monitor. Note that persistent TLS sessions that carry multiple DNS queries of course have the same "linkability exposure" for queries within a single TLS session, so it's not *just* a problem for 0-RTT. and non-0-RTT session resumption has exactly the same linkability exposure as 0-RTT, aiui. So this concern isn't specific to 0-RTT, but if a client wants to limit its linkability exposure i think it will by definition limit its use of 0-RTT. What are the privacy risks of linkability? * The DNS server can establish a profile of a given user and their interests, even distinguishing between different users behind a LAN (or on a shared host with separate resolver sessions) * the DNS server (or network observer, in the case of reused session tickets) can track a given user as they move across the network, unless the client flushes its resumption cache upon network change. Sadly, this linkability exposure risk is a net loss compared to cleartext DNS, even compared with cleartext DNS with EDNS0 cookies :/ --------------- So, in conclusion, i think that DNS+TLS-1.3+0-RTT is not too scary. That said, i'm not convinced that the savings of one round trip time is particularly significant for the stub-to-resolver use case. If the connection is a long-standing connection that stays open (as we expect for stub-to-resolver), the extra 1-RTT is amortized across lots of queries; so it's not clear that connection setup speed is as important in this case. If we could have a story about how to mitigate the replay attack concerns (which are already pretty minor), then the linkability concerns are the only thing that remain, and those can be mitigated by client-side policy about session ticket reuse (which would basically extend to policy about when to use 0-RTT and when not to) I'd be curious to think through how this all relates to TCP Fast Open if anyone wants to brainstorm it with me. --dkg
- [dns-privacy] DNS + 0-RTT Tim Wicinski
- Re: [dns-privacy] DNS + 0-RTT Daniel Kahn Gillmor
- Re: [dns-privacy] DNS + 0-RTT Colm MacCárthaigh
- Re: [dns-privacy] DNS + 0-RTT Daniel Kahn Gillmor
- Re: [dns-privacy] DNS + 0-RTT Colm MacCárthaigh
- Re: [dns-privacy] DNS + 0-RTT Shane Kerr
- Re: [dns-privacy] DNS + 0-RTT Daniel Kahn Gillmor
- Re: [dns-privacy] DNS + 0-RTT Colm MacCárthaigh
- Re: [dns-privacy] DNS + 0-RTT Robert Edmonds
- Re: [dns-privacy] DNS + 0-RTT Colm MacCárthaigh
- Re: [dns-privacy] DNS + 0-RTT Shane Kerr