IETF Logo Mail Archive

Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt

Ted Hardie <ted.ietf@gmail.com> Fri, 10 July 2015 17:11 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77AD61B2A65 for <dns-privacy@ietfa.amsl.com>; Fri, 10 Jul 2015 10:11:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_66=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oaLeFOyKWfl1 for <dns-privacy@ietfa.amsl.com>; Fri, 10 Jul 2015 10:11:02 -0700 (PDT)
Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97D6F1B2A3E for <dns-privacy@ietf.org>; Fri, 10 Jul 2015 10:11:01 -0700 (PDT)
Received: by widjy10 with SMTP id jy10so20806090wid.1 for <dns-privacy@ietf.org>; Fri, 10 Jul 2015 10:11:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tyetFGbqxPFwkcVS4LB8pc/esGWl1EOKhVBmfKqxwPM=; b=TKu+wENs3Ge6EiT2wMsXg6Uaw/6MRCPmHHy3HAB2gvCl9+G/wvyU2EXnF85IzrK4n1 RmVciPwC1wZyQT3oL7ldyBO8Sdy7T+kqqMDG+2l0xwlZNI1ItwehHXNHGrcn+bViBMkG wFqxmd9WOH+xuX1kd3nZNI0lo3MwqGsPkhzG0kxbmctAAxaZ4NX3FClKai3bi0oKnP/I 50lzxm1cyTlr5lprlyH0xv+qB27UY05twmLvW4B3WUrdGL5IhUDUGmFDSRnZP32HddeQ sO/TbtIu/EHl8YMX53zmZ0VE0W2GbLZVp2IgbEBsFUN3Qy317naSP5NkGAVyEy7W3gFN zzdw==
MIME-Version: 1.0
X-Received: by 10.180.13.199 with SMTP id j7mr8033956wic.40.1436548260389; Fri, 10 Jul 2015 10:11:00 -0700 (PDT)
Received: by 10.194.17.68 with HTTP; Fri, 10 Jul 2015 10:11:00 -0700 (PDT)
In-Reply-To: <2015071016571191624810@cnnic.cn>
References: <2015070714161016259349@cnnic.cn> <CA+9kkMAoRAiiLf7uFKP_UFpfvKpT-d=i_KpNxaFQKXcPaxZkMA@mail.gmail.com> <2015070815195960707175@cnnic.cn> <CA+9kkMBN70mQ0ZE5NpPmNSsOpWrSsG8hf+ZysAcUoAyUkvndhQ@mail.gmail.com> <2015071016571191624810@cnnic.cn>
Date: Fri, 10 Jul 2015 10:11:00 -0700
Message-ID: <CA+9kkMBXVCB0TpnksXbnDJ4f__jGJahX7AFATq+FpP+P4yWhdA@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Content-Type: multipart/alternative; boundary="001a11c21a52c369f0051a887406"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/qhr-_SES2NachPWHIU5uuudv6zU>
Cc: yaojk <yaojk@cnnic.cn>, dns-privacy <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 17:11:03 -0000

Howdy,

On Fri, Jul 10, 2015 at 1:57 AM, zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote:

>
> *From:* Ted Hardie <ted.ietf@gmail.com>
> *Date:* 2015-07-10 02:04
> *To:* yaojk <yaojk@cnnic.cn>
> *CC:* dns-privacy <dns-privacy@ietf.org>
> *Subject:* Re: [dns-privacy] Fw: Fw: New Version Notification for
> draft-zuo-dprive-encryption-over-udp-00.txt
> On Wed, Jul 8, 2015 at 12:21 AM, Jiankang Yao <yaojk@cnnic.cn> wrote:
>
>>
>>
>> It's also not clear to me, given that the stub public key is sent in the
>> query to the recursive resolver how you avoid an attacker standing up a
>> back-to-back user agent which strips that option, substitutes its own
>> public key, gets the data and then passes it on.  (It may be, of course,
>> that this attack is out of scope).
>> *[Jiankang Yao]*
>>  Yes, the attacker standing up a back-to-back user agent can strip that
>> option, substitute its own public key, get the data and then pass it on.
>>  but I think that it should be no use because the attacker can not know
>> the contents of the DNS packet send by the stub.
>>
> ​I think I wasn't clear enough about the attack.  If the attacker strips
> the option and sends it with its own public key​, it can decrypt the
> response.  It can send its version in advance of sending the original
> packet along, so it can see the response and potentially drop packets that
> match some policy.  (If they are acceptable, it just sends the queued
> packet along).  It can also be done along side the original packet, to
> enable tracking without applying policy.  That's mildly detectable, since
> the recursive resolver would see multiple queries, but it would be pretty
> easy to obfuscate by generating new client public keys and varying the
> query interval.
>
> Does that make sense?
>
> [Peng Zuo]
>
> since the whole DNS query packet(except the DNS header) is encrypted by
> the stub using the public key of the recursive resolver, the dns packet
> structure becomes invisable to attackers, attackers could not locate the
> additional section of the DNS query, so i think it would be difficult for
> the attacker to substitute it with its own key.
>
>
​You may want to update section 2.2, then.  I read its description of the
RDATA option as being a separable segment, ​and other readers may be
similarly confused.

Thanks for the clarification,

regards,

Ted




> regards,
>
>
> ------------------------------
> zuopeng@cnnic.cn
>
>
>
>

v2.23.0 | Report a Bug | By Email