Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt
Ted Hardie <ted.ietf@gmail.com> Thu, 09 July 2015 18:04 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F31A91B2AED for <dns-privacy@ietfa.amsl.com>; Thu, 9 Jul 2015 11:04:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rm53xUITmWEl for <dns-privacy@ietfa.amsl.com>; Thu, 9 Jul 2015 11:04:05 -0700 (PDT)
Received: from mail-wi0-x235.google.com (mail-wi0-x235.google.com [IPv6:2a00:1450:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 477091B2B03 for <dns-privacy@ietf.org>; Thu, 9 Jul 2015 11:04:05 -0700 (PDT)
Received: by wiwl6 with SMTP id l6so25992808wiw.0 for <dns-privacy@ietf.org>; Thu, 09 Jul 2015 11:04:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=+r0pezfuD5ntXBBaj5/RiyawWbx1MW919qnmhtMh1iU=; b=uzwNQoCiCksfqiQY+7WCin0GXwlYH9jzwf6Cw/nosLUu7UvbdAt6UFySmywu/MHmzV jtEkfXa/YtUGK6TeK61KJgxVjJoM+hrRKJT/ciO1HEl/3HL0DAVNdyKbYqaZd4S82aWv Vk6qz0XCWAyJytIT3WckrBv2wX2fYWcrwj2XARGCdBZiL/2l2M1O4h8tHrrYnug8EveS kYKpVtbjnJSiRVwSPv5ShM7zIsTVuWXsNxoGVd/neizsd7IOVEo2Zd4J1OWlX/79IDcT xPaIKZP7/LGvTj1KKPLBx0JKXZcZUuBq0Zw8IfnhbiGvM0KgMQnsEc2fOLGVHgU1Mw5n 69Dw==
MIME-Version: 1.0
X-Received: by 10.180.13.199 with SMTP id j7mr64874379wic.40.1436465044078; Thu, 09 Jul 2015 11:04:04 -0700 (PDT)
Received: by 10.194.25.74 with HTTP; Thu, 9 Jul 2015 11:04:04 -0700 (PDT)
In-Reply-To: <2015070815195960707175@cnnic.cn>
References: <2015070714161016259349@cnnic.cn> <CA+9kkMAoRAiiLf7uFKP_UFpfvKpT-d=i_KpNxaFQKXcPaxZkMA@mail.gmail.com> <2015070815195960707175@cnnic.cn>
Date: Thu, 09 Jul 2015 11:04:04 -0700
Message-ID: <CA+9kkMBN70mQ0ZE5NpPmNSsOpWrSsG8hf+ZysAcUoAyUkvndhQ@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: yaojk <yaojk@cnnic.cn>
Content-Type: multipart/alternative; boundary="001a11c21a52af4740051a75145f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/scn495oQzR8WoLhJQwgrg8ovvNk>
Cc: dns-privacy <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 18:04:07 -0000
On Wed, Jul 8, 2015 at 12:21 AM, Jiankang Yao <yaojk@cnnic.cn> wrote: > > > It's also not clear to me, given that the stub public key is sent in the > query to the recursive resolver how you avoid an attacker standing up a > back-to-back user agent which strips that option, substitutes its own > public key, gets the data and then passes it on. (It may be, of course, > that this attack is out of scope). > *[Jiankang Yao]* > Yes, the attacker standing up a back-to-back user agent can strip that > option, substitute its own public key, get the data and then pass it on. > but I think that it should be no use because the attacker can not know > the contents of the DNS packet send by the stub. > I think I wasn't clear enough about the attack. If the attacker strips the option and sends it with its own public key, it can decrypt the response. It can send its version in advance of sending the original packet along, so it can see the response and potentially drop packets that match some policy. (If they are acceptable, it just sends the queued packet along). It can also be done along side the original packet, to enable tracking without applying policy. That's mildly detectable, since the recursive resolver would see multiple queries, but it would be pretty easy to obfuscate by generating new client public keys and varying the query interval. Does that make sense? regards, Ted
- [dns-privacy] Fw: Fw: New Version Notification fo… Jiankang Yao
- Re: [dns-privacy] New Version Notification for dr… Paul Hoffman
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Ted Hardie
- Re: [dns-privacy] New Version Notification for dr… Jiankang Yao
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Jiankang Yao
- Re: [dns-privacy] New Version Notification for dr… 🔓Dan Wing
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Ted Hardie
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… zuopeng@cnnic.cn
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Hosnieh Rafiee
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Hosnieh Rafiee
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Ted Hardie
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… zuopeng@cnnic.cn
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Hosnieh Rafiee