Re: [dns-privacy] Two issues on draft-ietf-dprive-dnsodtls-04.txt
🔓Dan Wing <dwing@cisco.com> Mon, 14 March 2016 20:48 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEC9012D4FF for <dns-privacy@ietfa.amsl.com>; Mon, 14 Mar 2016 13:48:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_RY1O-HrSdY for <dns-privacy@ietfa.amsl.com>; Mon, 14 Mar 2016 13:48:51 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A8FA12D717 for <dns-privacy@ietf.org>; Mon, 14 Mar 2016 13:48:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3236; q=dns/txt; s=iport; t=1457988529; x=1459198129; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=g8s+xRDZVpKg4q1AX597Qu5saiAht4tnnf1nSLIWuro=; b=F0ANntDUGLJujQkeToOCTX9eGg8u2Joq0uUxzsc9/+lVk0DRx5Jjkq0n 1xf9pvPjAPaThur+DyySJaDW76ClA4Ho3+LVUDL72kebwguurgZHRHjl6 tV4mvvXWFY7QYwt7E+2AFoCvTjRvroZhtOTVFOnYobkuy4OLC1sVQQAgF E=;
X-IronPort-AV: E=Sophos;i="5.24,337,1454976000"; d="scan'208";a="80655687"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Mar 2016 20:48:48 +0000
Received: from dhcp-10-155-208-210.cisco.com (dhcp-10-155-208-210.cisco.com [10.155.208.210]) (authenticated bits=0) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id u2EKmlLg016684 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 14 Mar 2016 20:48:48 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: 🔓Dan Wing <dwing@cisco.com>
In-Reply-To: <20160314150632.GA12485@nic.fr>
Date: Mon, 14 Mar 2016 13:48:47 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <A119581F-6396-4DF9-BC14-F190DD0165EA@cisco.com>
References: <20160122054754.30732.9177.idtracker@ietfa.amsl.com> <2fc81367a8d0480eab5f2c886ef20a6b@XCH-RCD-017.cisco.com> <20160314150632.GA12485@nic.fr>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
X-Mailer: Apple Mail (2.3112)
X-Authenticated-User: dwing
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/sY-dyd3V760NwC1esQHzu6PSlDo>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Tirumaleswar Reddy <tireddy@cisco.com>
Subject: Re: [dns-privacy] Two issues on draft-ietf-dprive-dnsodtls-04.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2016 20:48:53 -0000
On 14-Mar-2016 08:06 am, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: > > On Fri, Jan 22, 2016 at 05:51:22AM +0000, > Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote > a message of 62 lines which said: > >> This revision addresses comments from Christian and refers to draft-dgr-dprive-dtls-and-tls-profiles. >> Title : DNS over DTLS (DNSoD) >> Filename : draft-ietf-dprive-dnsodtls-04.txt > >> If the DNS client receives a hard ICMP error [RFC1122], it MUST >> immediately cease attempts to re-transmit its ClientHello. > > Isn't there a risk of downgrade attack here? ICMP errors are not > authentified so an active attacker, even if off-path, could convince a > client to disable DNS over DTLS. > May be add a reference RFC 5927 to > emphasize that the credibility of ICMP errors should be challenged? > (RFC 5927 is for TCP, I do not find an equivalent for UDP, where the > problem is more complicated, we cannot use the sequence numbers to > check the ICMP message.) Yeah, so we can adopt same position as DNS-over-TLS, which says in its security considerations: " 1. There are known attacks on TLS, such as person-in-the-middle and protocol downgrade. These are general attacks on TLS and not specific to DNS-over-TLS; please refer to the TLS RFCs for discussion of these security issues. Clients and servers MUST adhere to the TLS implementation recommendations and security considerations of [RFC7525] or its successor. DNS clients keeping track of servers known to support TLS enables clients to detect downgrade attacks. For servers with no connection history and no apparent support for TLS, depending on their Privacy Profile and privacy requirements, clients may choose to (a) try another server when available, (b) continue without TLS, or (c) refuse to forward the query." -d > >> The existing Query ID allows multiple requests and responses to be >> interleaved in whatever order they can be fulfilled by the DNS >> server. > > Only the Query ID? RFC 7766 (a DTLS session, in one way, is a bit like > a TCP connection) says "Since pipelined responses can arrive out of > order, clients MUST match responses to outstanding queries on the same > TCP connection using the Message ID. If the response contains a > question section, the client MUST match the QNAME, QCLASS, and QTYPE > fields." For DNS over ordinary UDP, I do not find a RFC with clear > rules but RFC 3833 section 2.2 and RFC 5452 section 4 both use more > than the Query ID. Since we are protected by DTLS, we may be more lax > but draft-ietf-dprive-dns-over-tls-04 is not "Since pipelined > responses can arrive out-of-order, clients MUST match responses to > outstanding queries using the ID field, query name, type, and class." > >> Implementing DNSoD on root servers is outside the scope of this >> document. > > Should be deleted (why only the root servers?) > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy
- [dns-privacy] I-D Action: draft-ietf-dprive-dnsod… internet-drafts
- [dns-privacy] FW: I-D Action: draft-ietf-dprive-d… Tirumaleswar Reddy (tireddy)
- [dns-privacy] Two issues on draft-ietf-dprive-dns… Stephane Bortzmeyer
- Re: [dns-privacy] Two issues on draft-ietf-dprive… 🔓Dan Wing