Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt
Ted Hardie <ted.ietf@gmail.com> Fri, 10 July 2015 17:11 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77AD61B2A65 for <dns-privacy@ietfa.amsl.com>; Fri, 10 Jul 2015 10:11:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_66=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oaLeFOyKWfl1 for <dns-privacy@ietfa.amsl.com>; Fri, 10 Jul 2015 10:11:02 -0700 (PDT)
Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97D6F1B2A3E for <dns-privacy@ietf.org>; Fri, 10 Jul 2015 10:11:01 -0700 (PDT)
Received: by widjy10 with SMTP id jy10so20806090wid.1 for <dns-privacy@ietf.org>; Fri, 10 Jul 2015 10:11:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tyetFGbqxPFwkcVS4LB8pc/esGWl1EOKhVBmfKqxwPM=; b=TKu+wENs3Ge6EiT2wMsXg6Uaw/6MRCPmHHy3HAB2gvCl9+G/wvyU2EXnF85IzrK4n1 RmVciPwC1wZyQT3oL7ldyBO8Sdy7T+kqqMDG+2l0xwlZNI1ItwehHXNHGrcn+bViBMkG wFqxmd9WOH+xuX1kd3nZNI0lo3MwqGsPkhzG0kxbmctAAxaZ4NX3FClKai3bi0oKnP/I 50lzxm1cyTlr5lprlyH0xv+qB27UY05twmLvW4B3WUrdGL5IhUDUGmFDSRnZP32HddeQ sO/TbtIu/EHl8YMX53zmZ0VE0W2GbLZVp2IgbEBsFUN3Qy317naSP5NkGAVyEy7W3gFN zzdw==
MIME-Version: 1.0
X-Received: by 10.180.13.199 with SMTP id j7mr8033956wic.40.1436548260389; Fri, 10 Jul 2015 10:11:00 -0700 (PDT)
Received: by 10.194.17.68 with HTTP; Fri, 10 Jul 2015 10:11:00 -0700 (PDT)
In-Reply-To: <2015071016571191624810@cnnic.cn>
References: <2015070714161016259349@cnnic.cn> <CA+9kkMAoRAiiLf7uFKP_UFpfvKpT-d=i_KpNxaFQKXcPaxZkMA@mail.gmail.com> <2015070815195960707175@cnnic.cn> <CA+9kkMBN70mQ0ZE5NpPmNSsOpWrSsG8hf+ZysAcUoAyUkvndhQ@mail.gmail.com> <2015071016571191624810@cnnic.cn>
Date: Fri, 10 Jul 2015 10:11:00 -0700
Message-ID: <CA+9kkMBXVCB0TpnksXbnDJ4f__jGJahX7AFATq+FpP+P4yWhdA@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Content-Type: multipart/alternative; boundary="001a11c21a52c369f0051a887406"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/qhr-_SES2NachPWHIU5uuudv6zU>
Cc: yaojk <yaojk@cnnic.cn>, dns-privacy <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 17:11:03 -0000
Howdy, On Fri, Jul 10, 2015 at 1:57 AM, zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote: > > *From:* Ted Hardie <ted.ietf@gmail.com> > *Date:* 2015-07-10 02:04 > *To:* yaojk <yaojk@cnnic.cn> > *CC:* dns-privacy <dns-privacy@ietf.org> > *Subject:* Re: [dns-privacy] Fw: Fw: New Version Notification for > draft-zuo-dprive-encryption-over-udp-00.txt > On Wed, Jul 8, 2015 at 12:21 AM, Jiankang Yao <yaojk@cnnic.cn> wrote: > >> >> >> It's also not clear to me, given that the stub public key is sent in the >> query to the recursive resolver how you avoid an attacker standing up a >> back-to-back user agent which strips that option, substitutes its own >> public key, gets the data and then passes it on. (It may be, of course, >> that this attack is out of scope). >> *[Jiankang Yao]* >> Yes, the attacker standing up a back-to-back user agent can strip that >> option, substitute its own public key, get the data and then pass it on. >> but I think that it should be no use because the attacker can not know >> the contents of the DNS packet send by the stub. >> > I think I wasn't clear enough about the attack. If the attacker strips > the option and sends it with its own public key, it can decrypt the > response. It can send its version in advance of sending the original > packet along, so it can see the response and potentially drop packets that > match some policy. (If they are acceptable, it just sends the queued > packet along). It can also be done along side the original packet, to > enable tracking without applying policy. That's mildly detectable, since > the recursive resolver would see multiple queries, but it would be pretty > easy to obfuscate by generating new client public keys and varying the > query interval. > > Does that make sense? > > [Peng Zuo] > > since the whole DNS query packet(except the DNS header) is encrypted by > the stub using the public key of the recursive resolver, the dns packet > structure becomes invisable to attackers, attackers could not locate the > additional section of the DNS query, so i think it would be difficult for > the attacker to substitute it with its own key. > > You may want to update section 2.2, then. I read its description of the RDATA option as being a separable segment, and other readers may be similarly confused. Thanks for the clarification, regards, Ted > regards, > > > ------------------------------ > zuopeng@cnnic.cn > > > >
- [dns-privacy] Fw: Fw: New Version Notification fo… Jiankang Yao
- Re: [dns-privacy] New Version Notification for dr… Paul Hoffman
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Ted Hardie
- Re: [dns-privacy] New Version Notification for dr… Jiankang Yao
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Jiankang Yao
- Re: [dns-privacy] New Version Notification for dr… 🔓Dan Wing
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Ted Hardie
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… zuopeng@cnnic.cn
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Hosnieh Rafiee
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Hosnieh Rafiee
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Ted Hardie
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… zuopeng@cnnic.cn
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Hosnieh Rafiee