Re: [dns-privacy] changing protocol vs. using existing mechanism
Phillip Hallam-Baker <ietf@hallambaker.com> Sun, 16 November 2014 15:05 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBEC71A8791 for <dns-privacy@ietfa.amsl.com>; Sun, 16 Nov 2014 07:05:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E4xWiMXb-L7m for <dns-privacy@ietfa.amsl.com>; Sun, 16 Nov 2014 07:05:58 -0800 (PST)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2CF91A89FA for <dns-privacy@ietf.org>; Sun, 16 Nov 2014 07:05:57 -0800 (PST)
Received: by mail-lb0-f174.google.com with SMTP id w7so6265202lbi.33 for <dns-privacy@ietf.org>; Sun, 16 Nov 2014 07:05:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=c5tTCxNTSs8qlRHKLTGM1P2YxrzOZ7dsY3w2kn2M5Zc=; b=KcAsqsF29R83UAMrO7AGNwNRcq4HRAAOvH4+K0S2XvjqgQWJeXHvhbhliRXYanYO6Q QxGhYA1I+vcjchZCEZXzxpxJYO4EU/TSoF7jne/EMh2NUWjx0fU8eCNpPPEGU2t9JImI 79MRD0rGpUPLliJGUqYLjjlPMiXI7EJo/jPIRRPS1rtBbeT5P/QkHNe0GUSdfKCsEjGn wqIJc289o74GJai/u0RktnV0ma7JGFhQUE8vr4ohEVu5neL8/4XQevF3h6Ix7TlModtr AMz9I9hIGDHgF4XnehsZKmHiwOIRcruYzBgNjzGoZgYNY6behY1HwYcWikydy7h+JRIV Sx7Q==
MIME-Version: 1.0
X-Received: by 10.112.199.40 with SMTP id jh8mr20788306lbc.5.1416150356099; Sun, 16 Nov 2014 07:05:56 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.34.212 with HTTP; Sun, 16 Nov 2014 07:05:55 -0800 (PST)
In-Reply-To: <814D0BFB77D95844A01CA29B44CBF8A7A5E5DF@lhreml513-mbb.china.huawei.com>
References: <814D0BFB77D95844A01CA29B44CBF8A7A5E5DF@lhreml513-mbb.china.huawei.com>
Date: Sun, 16 Nov 2014 10:05:55 -0500
X-Google-Sender-Auth: _yj7O0f6VV_wTrIqRSrlZLQmimw
Message-ID: <CAMm+LwjdnaEsELAXiwxdq6c9vYpq3mtT7hyqeqjivjJte6bMSg@mail.gmail.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
To: Hosnieh Rafiee <hosnieh.rafiee@huawei.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/yAn03bHjIA0UY_FAw-_cq4qpRAo
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] changing protocol vs. using existing mechanism
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Nov 2014 15:06:00 -0000
On Fri, Nov 14, 2014 at 10:42 AM, Hosnieh Rafiee <hosnieh.rafiee@huawei.com> wrote: > Hi, > > There is one question from folks. There are some existing approaches that does not change DNS protocol. There are also new proposal that needs change on DNS protocol. > > For example, my proposal, cga-tsig, does not change DNS protocol. So is there any decision for the scope of solution space? > I don't think anyone is actually proposing to change the DNS protocol. PRIVATE-DNS doesn't. Paul's might but I don't think that makes a difference. Looks to me as if you don't quite understand what my proposal does, I note the following statement in your draft: https://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig-10#section-1.1.4.1 " Private DNS [private-dns] is one of privacy approaches that uses TLS and consider using JSON. To establish a secure communications, many messages needs to back and forth because the assumption is that a node itself needs to verify the TLS certificate." No, that is not at all what is going on. PRIVATE-DNS consists of a one-time device binding operation and that is the only part that involves JSON or multiple round trips. DNS lookups are stateless, single request packet, multiple response packet interactions. " - Might not have good performance (number of messages exchanged to establish this secure communication)" No, the performance os Private-DNS is optimal, there is no improvement possible over one round trip with no public key operations (or other CPU intensive operations) in the transaction loop. " - IP spoofing and MITM might be possible only when there is no CA or predefined Trusted Anchors (TA) so that it makes it possible for an attacker intercepts this communication at the beginning of TLS establishment." Obviously there needs to be some means of authenticating the service or you could be permanently binding yourself to a MITM attacker. There are two main choices: 1) For a public service then a WebPKI TLS certificate is probably the best choice. 2) For an enterprise service in which the user is issued a one time use PIN, the SXS-Connect protocol provides mutual authentication. So the client is authenticated to the server and the server to the client. I have not fully considered the case in which the device does not have a trust root built in for (2). This is important for cases such as a constrained device that might have a ten year shelf life. I have a possible solution but I have to verify it. Since this is TLS we could use any server authentication mechanism supported by TLS. For example DANE. But using DNSSEC to secure the DNS client resolver binding gives us a circular dependency issue. It would probably be better to use a direct trust model.
- [dns-privacy] changing protocol vs. using existin… Hosnieh Rafiee
- Re: [dns-privacy] changing protocol vs. using exi… Phillip Hallam-Baker