Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding
"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 29 July 2015 18:00 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 770461A879E for <dns-privacy@ietfa.amsl.com>; Wed, 29 Jul 2015 11:00:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q0sw2shKeUhk for <dns-privacy@ietfa.amsl.com>; Wed, 29 Jul 2015 11:00:15 -0700 (PDT)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3F6B1B2C59 for <dns-privacy@ietf.org>; Wed, 29 Jul 2015 11:00:15 -0700 (PDT)
Received: from [10.32.60.117] (142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100]) (authenticated bits=0) by hoffman.proper.com (8.15.1/8.14.9) with ESMTPSA id t6TI08Tc061949 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 Jul 2015 11:00:08 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100] claimed to be [10.32.60.117]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 29 Jul 2015 11:00:07 -0700
Message-ID: <42B98315-47C1-4560-A192-F575729E1F25@vpnc.org>
In-Reply-To: <55B911FD.8000407@cs.tcd.ie>
References: <19F54F2956911544A32543B8A9BDE075468A9354@NICS-EXCH2.sbg.nic.at> <4B26F2B2-AA67-492B-9855-30F8ABF38AF9@vpnc.org> <877fpjgcfo.fsf@alice.fifthhorseman.net> <C1BD472D-318A-49D6-A30C-AF7C788B8CCF@vpnc.org> <55B911FD.8000407@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.1r5084)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/y5r8c880fAmDljmR_tePlnyDxZA>
Cc: Alexander Mayrhofer <alexander.mayrhofer@nic.at>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 18:00:16 -0000
On 29 Jul 2015, at 10:48, Stephen Farrell wrote: >> Basically, the DNS stack will not know whether or not it is running >> under TLS/DTLS when the query and reply are formed; TLS/DTLS will be >> opportunistic. So, to be safe, the DNS client or server will be >> forced >> to add padding even when it is not needed, and thus make every >> message >> longer. > > I don't get that. Surely at most 1 query or response will be sent > when in such a state of ignorance, after which the application layer > can easily know if a TLS session exists. We are after all still > talking about stub<->recursive still, right? We are not defining an API, so there is no way for the application layer to know what it is running under. > >> We don't know how much padding is required to prevent analysis for >> particular query/response pairs, and thus need to add lots of >> random-length padding to each message to prevent the analysis. > > I also don't get that. I agree we're not sure how to best use > padding. But we can define the simple bit of protocol needed now > and then after folks figure out how best to use it we could have > some more recommendations to make. And those might end up being > context dependent. So I see no need to mandate something wasteful > now. That would be fine. What I worry about is that people will say "we can pad; people tell us to pad liberally; we will pad liberally". It would be great for the spec to say "probably don't do this much until more research has been done". --Paul Hoffman
- [dns-privacy] Direction of draft-mayrhofer-edns0-… Alexander Mayrhofer
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Paul Hoffman
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Stephen Farrell
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Paul Hoffman
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Daniel Kahn Gillmor
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Paul Hoffman
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Stephen Farrell
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Paul Hoffman
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Stephen Farrell
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Sara Dickinson
- Re: [dns-privacy] Direction of draft-mayrhofer-ed… Christian Huitema