IETF Logo Mail Archive

Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 06 February 2020 20:44 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D07B120112; Thu, 6 Feb 2020 12:44:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fJMN5IaAmfHy; Thu, 6 Feb 2020 12:44:50 -0800 (PST)
Received: from mail-vs1-xe29.google.com (mail-vs1-xe29.google.com [IPv6:2607:f8b0:4864:20::e29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39CBD120128; Thu, 6 Feb 2020 12:44:50 -0800 (PST)
Received: by mail-vs1-xe29.google.com with SMTP id p14so4706077vsq.6; Thu, 06 Feb 2020 12:44:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2z9hdI4jULO9HVrIFp8J4RyAxwQ/7IetBONLn5y7U7w=; b=aDPyuyTonMCH4pU+DsNOZeZT2WQDVjh35FuPlsTjquWe++Gh/LfX/APWOwbD9InpyM knGvWWXpGlnfYEsk8NgOKxRzTXuYJNLgPz+auM45DEizOpzQIegPcgTWAVUAmDWmo4y7 L179bc+bPVLftgtsTG1DCrKCV2+Y/7qVc3cu29y+8yVnqpnNrMffmabqcdHYP6Nql1C7 Dgi3sDXSL6dUXG0GbzkBZDoxZjNf6N/llIjDUA/t2JVqYc3FY5mq4ZIBdacnjjUYB0HN dvIszbRBiVAFjthH8XK0SaQRoAurr3Q39wuGC44eqz9KJft2y7wh3GVIkBycDGQK2WcG NkWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2z9hdI4jULO9HVrIFp8J4RyAxwQ/7IetBONLn5y7U7w=; b=o2hrBf6Hdnj1DiKlL/lNI2+xjnkr/ZLS0QULAqz8keIKC5mz2cdOpFSdiZZLHdw7Uh rZT9qGLtDdlIpUpolyHzVBHZXl01ibbFiY0/zjlPcvsQFo8OulNyqCjauyGGAE5xJqBn nxGix/lkN3QoOvbqGunAgKyfjJfy1hKW/7XMahDw17I4LdOtY/QRorW62168+v3Mmwgq XJaCtBZYwWecjJSpypIHBN721yvwg59g5pwo9tdduGVIU3Gsn6Fi9Aq22sOimkKYtiDM 24QZYe1+hNYejR7Uts6d79P+VhxvalBmDm9o1VjnUbgBz9MDPtV4V0pBeyfcMS+Gu+/M jmqg==
X-Gm-Message-State: APjAAAXtf9joASdfnOFYtovr6hyit5+CxK2tjqZiHVN8cFnIJViRYFpv mbZRlVppPdOOAyLrbKtCQ5LL9zY50Wo+vkGEGFw=
X-Google-Smtp-Source: APXvYqzkw4gDeeJJYu3GYMMmattjUL659iMn70n8jVcVhlT+qx7xRBmdNrkWfQJb0wznk6VRaz1HnkNo26I8tapsVVU=
X-Received: by 2002:a67:fc09:: with SMTP id o9mr2937221vsq.75.1581021889125; Thu, 06 Feb 2020 12:44:49 -0800 (PST)
MIME-Version: 1.0
References: <158096547226.30514.2103023305468871108.idtracker@ietfa.amsl.com> <CAH1iCiqLwP8UOJe_vWQAr7iu8j7LF2Y4+386XNimM+3wJ-2RzQ@mail.gmail.com> <9fe99917-347b-ab79-7a9c-3e8da67a5246@nostrum.com> <364cf548-9114-fcb3-52b6-a73be08b55c4@nostrum.com> <CAH1iCirzvzQUAcbctzC4Bete_mDicT7MYJL5vnaSFZnVNAUbPg@mail.gmail.com> <9104d41b-2c78-0216-3262-4ed50f389ea7@nostrum.com> <CABcZeBMF2CT--gdKNuVWw+e8CvLYjL3yX0YtMj54CQBvdZ0o0A@mail.gmail.com> <CAH1iCirLPsLX-OebLxKTfR4FDXaejcNy+TONw5FuLP2_r6GBOw@mail.gmail.com> <CABcZeBPkLaFB5fv6WigJmY9QhOJnJf3YwrmooN0BRbm8fKxLog@mail.gmail.com>
In-Reply-To: <CABcZeBPkLaFB5fv6WigJmY9QhOJnJf3YwrmooN0BRbm8fKxLog@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Thu, 06 Feb 2020 12:44:37 -0800
Message-ID: <CAH1iCiq555QF=we5moHBStmCRsJ_kZ=hzYacJ=GYSKvcqEBcvA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Adam Roach <adam@nostrum.com>, Tim Wicinski <tjw.ietf@gmail.com>, draft-ietf-dprive-bcp-op@ietf.org, dprive-chairs@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000156070059dee5846"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/weJsRbdxF9TL8NvDxOARHup5DBE>
Subject: Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2020 20:44:53 -0000

On Thu, Feb 6, 2020 at 12:08 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Thu, Feb 6, 2020 at 12:04 PM Brian Dickson <
> brian.peter.dickson@gmail.com> wrote:
>
>> Top-top-top reply:
>> The Internet Threat Model you are using for web client-server is fine.
>> However, for DNS, that is the wrong threat model, for several reasons.
>>
>>    - The threat for DNS cache poisoning is recursive-to-authoritative,
>>    not client-recursive(resolver)
>>    - The DNS path will not generally be related to the data path, and
>>    for any parent zone, almost certainly will be totally unrelated
>>    - DNS recursive-to-authoritative is UDP
>>    - UDP DNS does not require that the attacker be on-path
>>    - Compromise of DNS caches via poisoning (by potentially off-path
>>    attackers) leading to compromise of user data is not exaggerated.
>>    - The compromise risk is per-cache, as well as per-authority-server
>>    and/or per-DNS record.
>>
>>
> First, all of these are just consequences of the 3552 "attacker completely
> controls the network" threat model.
>

Sorry, I'm not clear on what this statement means in this context, or what
the implication of this should be inferred as being.

Are you saying:

   - It should be assumed (per the threat model) that any/every attacker
   completely controls every network segment everywhere?
   - or, that only attackers who DO control some specific network segment
   are a threat?

These have vastly different implications, clearly.
If the first one is the case, are you conceding the precondition, that
attackers can poison DNS caches arbitrarily, by manipulating all DNS
traffic? If so, that argues in favor of DNSSEC validation by the resolver
in all cases, as that is the only way the attack can be blocked.

If the second one is the case, the bullet points you quote, contradict that
assertion. Specifically, that off-path attackers do not need to control any
network segment (let alone all network segments), to successfully poison a
DNS cache. This also argues in favor of DNSSEC validation.

If you mean something else, could you explain what you mean?



>
> Second, the text in question is about the effect of attacks on DNS on the
> Web "Users may be directed to bogus IP addresses for e.g. websites where
> they might reveal personal information to attackers."
>
>
Correct, and I don't see anything you say here refuting the concern over
DNS cache poisoning attacks, which result in bogus IP addresses directing
users to malicious servers, etc.

If users are sent to the wrong IP address, this substantially weakens the
argument that WebPKI is sufficient protection.

Why are CLR and/or OCSP needed, if not to respond to compromised
certificates (meaning leaked private keys)?

Am I missing something about WebPKI, beyond the private key proof of
possession model?
(Everything else about WebPKI is about validating the requestor's authority
and identity, but that is all orthogonal to key control.)

A web server using a compromised key is only ever going to be visible to a
(potential) victim, and never to third parties including the legitimate
certificate holder, except incidentally to operation of the rogue server.

Brian


> -Ekr
>
>
> I haven't written up the details of the more effective cache poisoning
>> attacks, but have been sharing summary information for several years now.
>> (The underlying issue is IP fragmentation of UDP packets. This is one of
>> the contributing factors that the DNS Flag Day for 2020 will include
>> recommendations/requirements to not fragment.)
>>
>> I'd be willing to write up those more effective attacks, including a PoC,
>> but that won't likely happen for a few months.
>>
>> Brian
>>
>> On Thu, Feb 6, 2020 at 11:22 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>> Thanks. I am just looking at this text, and I think it's inappropriate.
>>> To recap something I seem to be saying a lot lately, the Internet Threat
>>> Model assumes a Dolev-Yao-style attacker who controls the network between
>>> the client and the server. TLS is designed to be secure in this
>>> environment, and while the WebPKi is imperfect, suggesting that compromise
>>> of local DNS lookups leads to compromise of user data seems exaggerated, at
>>> least in the case of Web traffic.
>>>
>>> -Ekr
>>>
>>>
>>> On Thu, Feb 6, 2020 at 10:22 AM Adam Roach <adam@nostrum.com> wrote:
>>>
>>>> Top-posting because I agree with the facts as you present them. I just
>>>> reach a different conclusion based on these facts. To be clear, I think a
>>>> belt-and-suspenders approach is generally preferable. I am merely
>>>> suggesting that the "must" statement I cite may be stronger than is
>>>> actually advisable given that such an approach is merely a small increment
>>>> of security for protocols that are otherwise secured (e.g., HTTP, which is
>>>> the example the document chooses), rather than the sole defense, as may be
>>>> the case with other protocols.
>>>>
>>>> My top-line suggestion here is to choose a different example than HTTP.
>>>>
>>>> Secondary to that is a suggestion that the "must" statement really only
>>>> makes sense when it is a sole counter-measure, and that a softer
>>>> recommendation ("should") makes more sense otherwise.
>>>>
>>>> These are non-blocking comments, so I'm going to reiterate that the WG
>>>> can ignore them -- I just wanted to make sure they were considered. It
>>>> would be nice to hear from other folks on the topic as well.
>>>>
>>>> /a
>>>>
>>>> On 2/6/20 11:57, Brian Dickson wrote:
>>>>
>>>>
>>>>
>>>> On Thu, Feb 6, 2020 at 9:31 AM Adam Roach <adam@nostrum.com> wrote:
>>>>
>>>>> On 2/6/20 09:08, Adam Roach wrote:
>>>>> >
>>>>> > For the specific example chosen, it's been made pretty clear over
>>>>> the
>>>>> > years that at least the clients for the specific service you cite
>>>>> have
>>>>> > no interest in incurring this additional cost. If that's the working
>>>>> > group consensus, then I have no interest in over-riding it. But
>>>>> > ignoring operational realities seems kind of ivory tower-ish, which
>>>>> > feels like the kind of thing that undermines the general credibility
>>>>> > of the rest of the document.
>>>>> >
>>>>>
>>>>
>>>> Could you please be more specific?
>>>>
>>>> When you say "for the specific service", do you mean DNSSEC?
>>>>
>>>> And do you mean the signing of DNS zones using DNSSEC, when you refer
>>>> to clients of that service?
>>>>
>>>> Perhaps you missed my microphone comments at the last IETF?
>>>>
>>>> Specifically that GoDaddy will be turning on DNSSEC for the vast
>>>> majority of its DNS hosting customers?
>>>>
>>>> This represents about 40% of the DNS zones on the Internet.
>>>> (The exact time frame is not set in stone, but we expect this to be
>>>> done in the first half of 2020.)
>>>>
>>>> Given that this significantly alters the calculus, I don't think that
>>>> is a good enough reason to object in and of itself anymore.
>>>>
>>>> The other aspect of this is the asymmetry involved in the defenses
>>>> against impersonation:
>>>>
>>>>    - The choice to sign a DNS zone is under control of the zone owner
>>>>    - The choice to deploy RPKI on routes (to protect against BGP
>>>>    hijacking) is under control of the IP prefix holder
>>>>    - Both methods rely on third parties to cooperate to achieve the
>>>>    protections offered
>>>>    - RPKI routing filters are now widely deployed, and RPKI
>>>>    registrations are substantial
>>>>    - The remaining issue is DNSSEC validation; many (most?) of the
>>>>    public recursive operators do this already
>>>>
>>>> The logic should be, defend against all feasible attacks, rather than
>>>> justifying the non-defense in one area (DNSSEC for DNS) based on the
>>>> assertion that another area is not being defended (RPKI for BGP).
>>>>
>>>> Brian
>>>>
>>>>
>>>>>
>>>>> I realize that my editing made one of the pronoun antecedents here go
>>>>> away. The second sentence should have said something more like "If
>>>>> keeping the current text is the working group consensus..."
>>>>>
>>>>> /a
>>>>>
>>>>>
>>>> _______________________________________________
>>>> dns-privacy mailing list
>>>> dns-privacy@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dns-privacy
>>>>
>>>

v2.23.0 | Report a Bug | By Email