Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Fri, 07 February 2020 01:14 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EEAA12011D; Thu, 6 Feb 2020 17:14:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pcXYfE9Tqkug; Thu, 6 Feb 2020 17:14:18 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F09F612003F; Thu, 6 Feb 2020 17:14:17 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0171EBRY022379 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 6 Feb 2020 20:14:13 -0500
Date: Thu, 06 Feb 2020 17:14:11 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Brian Dickson <brian.peter.dickson@gmail.com>, Tim Wicinski <tjw.ietf@gmail.com>, Adam Roach <adam@nostrum.com>, The IESG <iesg@ietf.org>, dprive-chairs@ietf.org, draft-ietf-dprive-bcp-op@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>
Message-ID: <20200207011411.GJ14382@kduck.mit.edu>
References: <CAH1iCiqLwP8UOJe_vWQAr7iu8j7LF2Y4+386XNimM+3wJ-2RzQ@mail.gmail.com> <9fe99917-347b-ab79-7a9c-3e8da67a5246@nostrum.com> <364cf548-9114-fcb3-52b6-a73be08b55c4@nostrum.com> <CAH1iCirzvzQUAcbctzC4Bete_mDicT7MYJL5vnaSFZnVNAUbPg@mail.gmail.com> <9104d41b-2c78-0216-3262-4ed50f389ea7@nostrum.com> <CABcZeBMF2CT--gdKNuVWw+e8CvLYjL3yX0YtMj54CQBvdZ0o0A@mail.gmail.com> <CAH1iCirLPsLX-OebLxKTfR4FDXaejcNy+TONw5FuLP2_r6GBOw@mail.gmail.com> <CABcZeBPkLaFB5fv6WigJmY9QhOJnJf3YwrmooN0BRbm8fKxLog@mail.gmail.com> <CAH1iCiq555QF=we5moHBStmCRsJ_kZ=hzYacJ=GYSKvcqEBcvA@mail.gmail.com> <CABcZeBM+L_Qco3VkybhJp5_ijNiJd58yprCnHY2Yn4ODX-1UDA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBM+L_Qco3VkybhJp5_ijNiJd58yprCnHY2Yn4ODX-1UDA@mail.gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/vQHFCezp6CNWIZzUmlYIWijP7wA>
Subject: Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2020 01:14:20 -0000
On Thu, Feb 06, 2020 at 12:51:21PM -0800, Eric Rescorla wrote: > On Thu, Feb 6, 2020 at 12:44 PM Brian Dickson <brian.peter.dickson@gmail.com> > wrote: > > > > > > > On Thu, Feb 6, 2020 at 12:08 PM Eric Rescorla <ekr@rtfm.com> wrote: > > > >> > >> > >> On Thu, Feb 6, 2020 at 12:04 PM Brian Dickson < > >> brian.peter.dickson@gmail.com> wrote: > >> > >>> Top-top-top reply: > >>> The Internet Threat Model you are using for web client-server is fine. > >>> However, for DNS, that is the wrong threat model, for several reasons. > >>> > >>> - The threat for DNS cache poisoning is recursive-to-authoritative, > >>> not client-recursive(resolver) > >>> - The DNS path will not generally be related to the data path, and > >>> for any parent zone, almost certainly will be totally unrelated > >>> - DNS recursive-to-authoritative is UDP > >>> - UDP DNS does not require that the attacker be on-path > >>> - Compromise of DNS caches via poisoning (by potentially off-path > >>> attackers) leading to compromise of user data is not exaggerated. > >>> - The compromise risk is per-cache, as well as per-authority-server > >>> and/or per-DNS record. > >>> > >>> > >> First, all of these are just consequences of the 3552 "attacker > >> completely controls the network" threat model. > >> > > > > Sorry, I'm not clear on what this statement means in this context, or what > > the implication of this should be inferred as being. > > > > Are you saying: > > > > - It should be assumed (per the threat model) that any/every attacker > > completely controls every network segment everywhere? > > - or, that only attackers who DO control some specific network segment > > are a threat? > > > > These have vastly different implications, clearly. > > If the first one is the case, are you conceding the precondition, that > > attackers can poison DNS caches arbitrarily, by manipulating all DNS > > traffic? If so, that argues in favor of DNSSEC validation by the resolver > > in all cases, as that is the only way the attack can be blocked. > > > > If the second one is the case, the bullet points you quote, contradict > > that assertion. Specifically, that off-path attackers do not need to > > control any network segment (let alone all network segments), to > > successfully poison a DNS cache. This also argues in favor of DNSSEC > > validation. > > > > If you mean something else, could you explain what you mean? > > > > I'm saying that TLS assumes a Dolev-Yao threat model in which the attacker > is on-path between the client and the server and therefore can manipulate > the traffic regardless of whether the client correctly knows the server's > IP. TLS also punts the key-management story to be out of scope. We have a lot of worked examples of the Web PKI failing (and also have lots of people working really hard to get it to improve, which I greatly appreciate), but given that the recursive has no way of knowing what the DNS client is planning to do (and that some ~20% of web traffic does not use TLS), it's hard for me to argue that this document is making the wrong recommendation about DNSSEC validation. -Ben
- [dns-privacy] Adam Roach's No Objection on draft-… Adam Roach via Datatracker
- Re: [dns-privacy] Adam Roach's No Objection on dr… Rob Sayre
- Re: [dns-privacy] Adam Roach's No Objection on dr… Brian Dickson
- Re: [dns-privacy] Adam Roach's No Objection on dr… Adam Roach
- Re: [dns-privacy] Adam Roach's No Objection on dr… Adam Roach
- Re: [dns-privacy] Adam Roach's No Objection on dr… Brian Dickson
- Re: [dns-privacy] Adam Roach's No Objection on dr… Adam Roach
- Re: [dns-privacy] Adam Roach's No Objection on dr… Eric Rescorla
- Re: [dns-privacy] Adam Roach's No Objection on dr… Brian Dickson
- Re: [dns-privacy] Adam Roach's No Objection on dr… Eric Rescorla
- Re: [dns-privacy] Adam Roach's No Objection on dr… Rob Sayre
- Re: [dns-privacy] Adam Roach's No Objection on dr… Brian Dickson
- Re: [dns-privacy] Adam Roach's No Objection on dr… Eric Rescorla
- Re: [dns-privacy] Adam Roach's No Objection on dr… Adam Roach
- Re: [dns-privacy] Adam Roach's No Objection on dr… Brian Dickson
- Re: [dns-privacy] Adam Roach's No Objection on dr… Benjamin Kaduk
- Re: [dns-privacy] Adam Roach's No Objection on dr… Rob Sayre
- Re: [dns-privacy] Adam Roach's No Objection on dr… Eric Rescorla
- Re: [dns-privacy] Adam Roach's No Objection on dr… Rob Sayre
- Re: [dns-privacy] Adam Roach's No Objection on dr… Brian Dickson
- Re: [dns-privacy] Adam Roach's No Objection on dr… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Adam Roach's No Objection on dr… Eric Rescorla
- Re: [dns-privacy] Adam Roach's No Objection on dr… Brian Dickson
- Re: [dns-privacy] Adam Roach's No Objection on dr… Rob Sayre
- Re: [dns-privacy] Adam Roach's No Objection on dr… Sara Dickinson