IETF Logo Mail Archive

Re: [dns-privacy] Use of 0-RTT in DNS over QUIC

Benjamin Kaduk <bkaduk@akamai.com> Sat, 31 July 2021 00:33 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24BC03A19ED for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 17:33:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.452
X-Spam-Level: **
X-Spam-Status: No, score=2.452 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_SUMOF=5, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ui4nkIuLjfvr for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 17:33:21 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C76DE3A19E9 for <dprive@ietf.org>; Fri, 30 Jul 2021 17:33:21 -0700 (PDT)
Received: from pps.filterd (m0122333.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16V0Tjgb015488; Sat, 31 Jul 2021 01:33:18 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=jan2016.eng; bh=mvnyCnSsb59uZR7UGBXzVxpjx0ULB0fz5ftPztCzVA0=; b=OkBMASWdbIxCCFXWDoXFG/QvyLgn+MOLodaOEeu7Jn+xZviZpYZyuu7O1Z+vrmpy7D+R VEh5Cvmg/Ppf+SgLGIpcOmAulL/t7EtNbM2NwTtWJ3hn6JxXrvN3QGEHVJ9+F/DPQL1l IRqwfWWYo1aFge5ABgENYgDmX3hiHCapylXkPUUbL4xAyR/CPARLPFlXpYJn0oU9sI3n eGecqmRcf8F6Ya2IX+SkWyYGWQBBYB1UCbi60ZVaff2vtldtl/oJa1TfFxHnoZqt+wQQ rYG9sxhvYucv54tcZsNQQ5sCr74jDRhG41XrRAVrFOXPC+oAISqS4eRSEy0i600qCToF 0Q==
Received: from prod-mail-ppoint7 (a72-247-45-33.deploy.static.akamaitechnologies.com [72.247.45.33] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 3a43j7d1b4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 31 Jul 2021 01:33:17 +0100
Received: from pps.filterd (prod-mail-ppoint7.akamai.com [127.0.0.1]) by prod-mail-ppoint7.akamai.com (8.16.1.2/8.16.1.2) with SMTP id 16V0JgH0008152; Fri, 30 Jul 2021 20:33:03 -0400
Received: from prod-mail-relay18.dfw02.corp.akamai.com ([172.27.165.172]) by prod-mail-ppoint7.akamai.com with ESMTP id 3a36pyfg9a-1; Fri, 30 Jul 2021 20:33:03 -0400
Received: from akamai.com (unknown [172.19.16.134]) by prod-mail-relay18.dfw02.corp.akamai.com (Postfix) with ESMTP id 9884820D; Sat, 31 Jul 2021 00:33:02 +0000 (GMT)
Date: Fri, 30 Jul 2021 17:33:01 -0700
From: Benjamin Kaduk <bkaduk@akamai.com>
To: Christian Huitema <huitema@huitema.net>
Cc: Robert Evans <evansr@google.com>, Ben Schwartz <bemasc@google.com>, "dprive@ietf.org" <dprive@ietf.org>
Message-ID: <20210731003301.GW19992@akamai.com>
References: <35e1a3d6-1654-4903-7f1b-77685f59a890@huitema.net> <CAHbrMsB5LEFjfO7o+oLm-i8nccDg9DwnAvFa+pnAUKQvkGfbRA@mail.gmail.com> <CAPp9mxJDKSJ+iQiB0RSd71CjRGeKHU=C4TyRnJKCeBNZiurdHQ@mail.gmail.com> <f534eedc-3db7-b770-ba22-1d325ad11658@huitema.net> <CAPp9mxLm2cOxrOX6rCaNLnSbLJ_XqE+G-ZW6Kh9W9u-i+A9VZQ@mail.gmail.com> <a208305f-be69-68b3-898f-b008d1123d12@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <a208305f-be69-68b3-898f-b008d1123d12@huitema.net>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-30_11:2021-07-30, 2021-07-30 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 phishscore=0 spamscore=0 mlxscore=0 bulkscore=0 malwarescore=0 suspectscore=0 mlxlogscore=702 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2107300163
X-Proofpoint-GUID: Yn7q6duAXbuFHI8SghS0_1oBmGYdZpEC
X-Proofpoint-ORIG-GUID: Yn7q6duAXbuFHI8SghS0_1oBmGYdZpEC
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-30_11:2021-07-30, 2021-07-30 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 mlxlogscore=703 adultscore=0 suspectscore=0 clxscore=1011 impostorscore=0 bulkscore=0 priorityscore=1501 lowpriorityscore=0 spamscore=0 phishscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2107310000
X-Agari-Authentication-Results: mx.akamai.com; spf=${SPFResult} (sender IP is 72.247.45.33) smtp.mailfrom=bkaduk@akamai.com smtp.helo=prod-mail-ppoint7
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/y8s1ccwz8nLLNNQMVpOKyHr5dFc>
Subject: Re: [dns-privacy] Use of 0-RTT in DNS over QUIC
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Jul 2021 00:33:26 -0000

On Fri, Jul 30, 2021 at 05:21:25PM -0700, Christian Huitema wrote:
> 
> On 7/30/2021 1:38 PM, Robert Evans wrote:
> > On Fri, Jul 30, 2021 at 4:02 PM Christian Huitema <huitema@huitema.net>
> > wrote:
> > 
> > > I think we have a reasonable guideline here. 0-RTT for QUIC is so
> > > compelling that clients and servers will still do it, even if we tell them
> > > not to. So it is better to try provide usage guidelines on how to do that
> > > safely.
> > > 
> > > Robert's proposal fall in two categories: some are about embracing 0-RTT
> > > in order to ensure good performance, like accepting early data and
> > > ensuring a minimum lifetime of tickets. (With some nits -- you cannot set
> > > the max_early_data_size to 512 bytes in QUIC, you have to use a QUIC
> > > transport parameter instead.) Then, some of the recommendations are about
> > > "try to keep it safe":
> > > 
> > > 1) Do not accept a client hello that is older than 30 seconds. This would
> > > limit the efficacy of the replay attacks, because it probably takes at
> > > least 30 seconds to ensure that the cache is empty. But I am not too sure
> > > how one tests the lifetime of a client Hello.
> > > 
> > See https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/rfc8446*section-8.3__;Iw!!GjvTz_vk!FuZeymeFKUmTSm947f29K29rPi_MMwIRxbdCaDFCCXrRX-J4CThQ7Yx3aAvg4g$ .
> 
> I see. The proposed mechanism uses the obfuscated_ticket_age, from which the
> server can deduce the time at which the client sent the ClientHello. That's
> a good check for cooperating clients, but I do not think that it was
> designed to control replay attacks. The value is encoded by the client as
> the sum of the age of the ticket in milliseconds and the ticket_age_add
> parameter of the ticket. Attackers do not have access to the ticket_age_add
> value, but they do not need to. They merely need to increment the
> obfuscated_ticket_age by the delay in milliseconds between capture and
> replay. I would not recommend relying on that mechanism as a defense against
> cache probing attacks.

Wouldn't that break the PSK binder?

-Ben

v2.23.0 | Report a Bug | By Email