Re: [dns-privacy] Use of 0-RTT in DNS over QUIC
Robert Evans <evansr@google.com> Fri, 30 July 2021 15:57 UTC
Return-Path: <evansr@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B2C93A2E38 for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 08:57:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.097
X-Spam-Level:
X-Spam-Status: No, score=-18.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.499, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jv0UVex8RWpn for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 08:56:54 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DB173A2E3B for <dprive@ietf.org>; Fri, 30 Jul 2021 08:56:53 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id l126so11979130ioa.12 for <dprive@ietf.org>; Fri, 30 Jul 2021 08:56:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=om0CKYe23+W59Cjtl8uCS96uIfsIqKuSXENw/a/BxcU=; b=PT1tMoHY9a7mWMpyeiLQOAZSeObLi2prJ4eN81z24Sjc8eu1If0c6nVJ9fV0eYxZtJ kyUbKN8LFSLVk2rMbNwHnMkwA+ysFNraYpSi59Uz3w6aU44f+stlscQr5CPPKZY/MNIM 5sfBkyIlQTMJSt0lK7putFylW8UFA3ImRPtC//cita/5PFA984WaiCHc6l5bW88f5jgn qwD5MXqd6bToPC/vRDVSyuN8PlSqfUcFbwqlnvbQA7/1THtFBG5a5uimc6LPMQhRdlqm mnoo9pZbPgRivI4FO0xoCyIuYbQ49rGG+VRxLeftwQ+fQqEKK73lJD9EBxksjFSt4saV 2Mqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=om0CKYe23+W59Cjtl8uCS96uIfsIqKuSXENw/a/BxcU=; b=SNgfKCsL3CdfN+d9xRYnyARb934bioWYTktQBcqoUINqdSS7ToUOpvMN/H3kWaMdlM 1Sl/npTjqHGHuchybvth6TH3jX+sLJaJK10hUQTq/fgivlUFsq32HPRsQbgQkv8Xp5KF mwTaivQKjay4yIfLNP3QCgdlgzFTF9STRU30NRnQeVCYSW2mO8jffMAecxg8LDpLFi3D nVTSFnxxFJzyJUTmJvfHqhtstztp+pGJHPMfs2qaknmeiw7fymHKbpxKbCsMWJoMjvYT 93upUODFIkkZSSpc8WANdDDOkhzm2m7J4hgc3mZkr02eL8WEnbmmBj149zvY/WMsldBW EZOA==
X-Gm-Message-State: AOAM531drdp0c+ZDeAaRaCCA8FyJeAgQdQZiKMLOdsShbiGQdWSnsqmO YlC3Y/5wgq7h2ltPaSrbD597vTrNSONfF3x4+aTKjA==
X-Google-Smtp-Source: ABdhPJw/GMywcgEfbZbhchsgk8ClDvR90TPuk1xmZCWHTMCED9mZ51/CEWQYetGZsi/YSqOfKL0IhXIVjuWBEQdwO6k=
X-Received: by 2002:a6b:b795:: with SMTP id h143mr1787480iof.74.1627660612265; Fri, 30 Jul 2021 08:56:52 -0700 (PDT)
MIME-Version: 1.0
References: <35e1a3d6-1654-4903-7f1b-77685f59a890@huitema.net> <CAHbrMsB5LEFjfO7o+oLm-i8nccDg9DwnAvFa+pnAUKQvkGfbRA@mail.gmail.com>
In-Reply-To: <CAHbrMsB5LEFjfO7o+oLm-i8nccDg9DwnAvFa+pnAUKQvkGfbRA@mail.gmail.com>
From: Robert Evans <evansr@google.com>
Date: Fri, 30 Jul 2021 11:56:41 -0400
Message-ID: <CAPp9mxJDKSJ+iQiB0RSd71CjRGeKHU=C4TyRnJKCeBNZiurdHQ@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Christian Huitema <huitema@huitema.net>, "dprive@ietf.org" <dprive@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009c684c05c85944ce"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/p9MpJqsTc4FXP2KPsIfEGOVXGXs>
Subject: Re: [dns-privacy] Use of 0-RTT in DNS over QUIC
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 15:57:01 -0000
DoQ plus 0-RTT seems very compelling for achieving 1-RTT query/response parity with Do53. As such I think the spec should discuss 0-RTT and encourage both clients and servers to support it. I also think a recommended 0-RTT profile suitable for DoQ/T should be developed and specified. For example (but I'm not a TLS expert, corrections welcome): - self-contained, non-single-use tickets - ticket_lifetime at least 6 hours - early_data allowed - max_early_data_size of 512 bytes - implement replay protection by freshness check - reject ClientHello with age over 30 seconds - offer tickets only on full handshakes or if ticket is old - send tickets as early as possible in the session - allow resumption for any SNI offered in the server certificate - no early data for mutating queries No opinion as to which draft should contain those recommendations. On Fri, Jul 30, 2021 at 10:53 AM Ben Schwartz <bemasc= 40google.com@dmarc.ietf.org> wrote: > I think this should be decided as part of > https://datatracker.ietf.org/doc/html/draft-ietf-dprive-early-data, and > DoQ should just reference it. (I don't necessarily agree with the present > contents of that draft.) > > As for what draft-ietf-dprive-early-data should say, I don't have a strong > opinion. However, I do think it's notable that most recursive resolvers > allow "cache probing" by setting RD=0 in the query, which enables a > relatively straightforward plaintext recovery attack on 0-RTT queries on > multi-instance recursive resolvers. An attacker can probe a cache instance > until some records of interest fall out, then replay the 0-RTT query and > repeat the probes to see if any of them reappear. As such, I think it > might be appropriate to strengthen the replay defense requirement for > encrypted DNS beyond the "SHOULD" in RFC 8446. > > (See also https://github.com/tlswg/tls13-spec/issues/1225) > > On Thu, Jul 29, 2021 at 8:31 PM Christian Huitema <huitema@huitema.net> > wrote: > >> The DNS over QUIC draft lets client and server negotiate 0-RTT, with >> minimal guidance. The privacy section develops the risks of replay >> attacks, and then effectively lets clients decide whether to use 0-RTT >> or not. Martin Thomson pointed out the contrast with RFC 8470 which >> provides great details on the use of 0-RTT data in HTTP, and also >> introduces a new error code to let server refuse some transactions if >> received over 0-RTT. There are indeed advantages in letting the server >> control usage of 0-RTT, but I wonder about the proper trade-off between >> control and complexity for DoQ. There are multiple ways to do this: >> >> - Allow servers to not advertise support for 0-RTT if they are concerned >> with 0-RTT side effects -- very simple to implement at servers and >> clients. >> >> - Let servers advertise support for 0-RTT, but have them check the >> queries received on 0-RTT and return an error code after inspecting >> incoming requests. This requires implementing some kind of filter at the >> server side, plus some logic on the client to resubmit the failed >> requests after completion of the handshake. I am a bit concerned with >> that kind of complexity. >> >> - Let servers advertise support for 0-RTT, but close the transaction >> with a Protocol Error if the server receives an unexpected request -- >> e.g., an Update. That also requires some filtering of 0-RTT packets at >> the server side, but is simpler than the full inspection considered >> above. It is also reasonably easy to implement on the client, which >> simply abstains to send some classes of requests over 0-RTT. >> >> - Or, of course, allow servers to support 0-RTT without any kind of >> filtering. >> >> Any particular opinion in the working group? >> >> -- Christian Huitema >> >> >> >> >> _______________________________________________ >> dns-privacy mailing list >> dns-privacy@ietf.org >> https://www.ietf.org/mailman/listinfo/dns-privacy >> > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy >
- [dns-privacy] Use of 0-RTT in DNS over QUIC Christian Huitema
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Ben Schwartz
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Robert Evans
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Christian Huitema
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Robert Evans
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Christian Huitema
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Benjamin Kaduk
- Re: [dns-privacy] Use of 0-RTT in DNS over QUIC Christian Huitema