IETF Logo Mail Archive

Re: [dnsdir] [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01

Tim Wicinski <tjw.ietf@gmail.com> Sat, 30 March 2024 18:07 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsdir@ietfa.amsl.com
Delivered-To: dnsdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D563C14F61E; Sat, 30 Mar 2024 11:07:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pxxf07xq0HqG; Sat, 30 Mar 2024 11:07:30 -0700 (PDT)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04202C14F5F8; Sat, 30 Mar 2024 11:07:29 -0700 (PDT)
Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-56c5d05128dso1435543a12.0; Sat, 30 Mar 2024 11:07:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711822047; x=1712426847; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ktiulw4fVMZIWVhgy/hy4o9V6Ys3laysOoQPiabGwxc=; b=SUG8EStSpma92eXuZ33rVyJfE/gfk0lTG2mLWg7+LA9b/ymuplWyGhzqj1ctcLdNc6 8oOlgimrjM1XT1pBIt71nV3XZX09sppeoY4O6KbWvy1s1Rkp8vYte4Fa/SQi2ROehU3s pXadUAyxcz2Z7RabM2EQ6+2+iBvgz/QoCf3J43sbQkiBsEsMDPKj4XDGfz6sN0Bt7PgL 1IdQbuHKDRsPBAhPVHIcMv7esBSZS0itB6iZt4sX2253BkNprUIQWf0LoQr8mV25SsED 4QlZr0qlwErR5onggvGgxyqIDE+ddDDnXEZDVm/DHs/6M7v94JcmnV8BXKA75GbDQrYt vgNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711822047; x=1712426847; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ktiulw4fVMZIWVhgy/hy4o9V6Ys3laysOoQPiabGwxc=; b=XeBie0MBSHXGnS3uU/qdzdY29XN7bsE1D246sYy9xPvahaTYj8mfnpzf+GXc9YB4/T QYZozCyp0//IGSyKEtLqWvAAvzwVtv2IRdA9BAKo8uOx/o4kbF5yhu4v1DCQkxgPJZDm 5MOPhSMN/4h347f8pqH9kiuUh49sMsAinJaCoLeNkYN/SD/03LhTh/cOvpiZdzojoNzO iFHVYjHpJkwUTPCmAeFWykeBiLzg2Ui0Hdf7GDunIHW8Y0O/aHhB1Hi3dfAB3+RMsLwh 2q3MDpCG5b6Jle96POMwO8lR1/3ZcpQpgsvWaZuE+TzOP/rsf4GDL5T2GyhVDS8jBXy+ LE8Q==
X-Forwarded-Encrypted: i=1; AJvYcCWr0WjmTFGpe17R29JwnAR7v1/QrA44IvW05u+gQzAiJJH6woBighuUYRf7uSP9O0q7Ecys3cnV5vbeCcRdcaA4R9wZ1aDi5ndATp9rADwtHBjBFZgZHv4CXMOk5+4qGDUfk19PCpJhVBYUN0Aeu40Bmh2f
X-Gm-Message-State: AOJu0YxcAvnEMKSeY3ozvhLM8AEC+7oUchcxpplu3LYIrvCKs+PP7VgT CGOyM8YDCWRhJYMrOxP/G3ItChBdnD5WgiiE/M7kc+qiUZALYLMvoX3zyTydt5OsSZoZjVCXnaU HDv3S5U6rXnVEvqKL22vpukcbhLE=
X-Google-Smtp-Source: AGHT+IHj6xwmy8ghQQ61/pAmGXggNonrzBcvORXJWyJel5x9GsUnpNc5dSWktkGQB2fXMMnPIDuEh8s+gXbBfYCCTAE=
X-Received: by 2002:a50:d4cb:0:b0:56b:d158:c5de with SMTP id e11-20020a50d4cb000000b0056bd158c5demr2985063edj.16.1711822046748; Sat, 30 Mar 2024 11:07:26 -0700 (PDT)
MIME-Version: 1.0
References: <171174253501.29384.9373864670898234756@ietfa.amsl.com> <CAChr6SwCKV4P_xab_3dKSwKDfPdxjz3WinQaWebMcXh8-_xy0g@mail.gmail.com> <CAPt1N1knx=+K627L6rsf4nGuiwpSXjWoMB4QcMfwhJdaGKypUw@mail.gmail.com> <CAChr6SxKA7YidnYWW=6DOWeQo+_CKNaWNOQL9JQnJUB3thgBhw@mail.gmail.com> <CAPt1N1=snvSeQ74xs=HNVyszxjTD1SPMxw3+BVh-5-HBnOcZag@mail.gmail.com> <CAChr6Sx0WX-X3dWjkwMJAa4Rz3BhnUdYMFwWgLkorm6d-16g1w@mail.gmail.com> <CAPt1N1=LzjPMfADvdTdt_kCZ3XTznKs4p4_FYAH_RDb6WVcv7w@mail.gmail.com> <CABcZeBMVbi2_0yaTTe+-U2cBWqscXAdhcrwPufKNg0a-8U292A@mail.gmail.com> <CAPt1N1kEVk6MEHqnXAPenRp057eTDhptxsstcxyEkXqWBdyHQA@mail.gmail.com> <CAKC-DJiEWYDmz3EdPq2hjpR6kGPAnRPTA9H1HAwo4BR-1XG=mQ@mail.gmail.com> <CAPt1N1kNCr+khExy8ajksPakgsQtnPWC4ckmwB9kZDhQk4Cywg@mail.gmail.com> <CAChr6SwMVuCT7trjZVdG-zhGX21vMK9iu_th+Pc7_94s9hZ8bg@mail.gmail.com> <CAKC-DJi2NqpRfxb3cHbvdK+cSLBkSP7XkH4oqEQ3CxkSvRq8Kg@mail.gmail.com>
In-Reply-To: <CAKC-DJi2NqpRfxb3cHbvdK+cSLBkSP7XkH4oqEQ3CxkSvRq8Kg@mail.gmail.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Sat, 30 Mar 2024 14:07:15 -0400
Message-ID: <CADyWQ+F=zAie8egt8uu-XC_Mg=ZsLJTr=+yzzANz8uvOGY5bpQ@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Cc: Rob Sayre <sayrer@gmail.com>, Ted Lemon <mellon@fugue.com>, Eric Rescorla <ekr@rtfm.com>, dnsdir@ietf.org, draft-ietf-tls-svcb-ech.all@ietf.org, tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000003ec620614e4a1c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsdir/OhkqxEFBAsx2PBsIS1kWma3nfH8>
Subject: Re: [dnsdir] [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
X-BeenThere: dnsdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Directorate <dnsdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsdir/>
List-Post: <mailto:dnsdir@ietf.org>
List-Help: <mailto:dnsdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 18:07:34 -0000

As one of those who yammered constantly about splitting the ECH portions
out of the SVCB document to move it forward, I feel some responsibility.
But I think Erik's text pulled from 9460 does a good job discussing this.
Is it enough text to reference the section in 9460?

tim
just a DNS guy

On Sat, Mar 30, 2024 at 1:47 PM Erik Nygren via dnsdir <dnsdir@ietf.org>
wrote:

> I pulled some text directly over from the 9460 security considerations
> with some minor tweaks:
>      https://github.com/tlswg/draft-ietf-tls-svcb-ech/pull/1/files
>
> An attacker who can prevent SVCB resolution can deny clients any
> associated security benefits. A hostile recursive resolver can always deny
> service to SVCB queries, but network intermediaries can often prevent
> resolution as well, even when the client and recursive resolver validate
> DNSSEC and use a secure transport. These downgrade attacks can prevent a
> client from being aware that "ech" is configured which would result in the
> client sending the ClientHello in cleartext. To prevent downgrades,
> {{Section 3.1 of !SVCB}} recommends that clients abandon the connection
> attempt when such an attack is detected.
>
>
> On Sat, Mar 30, 2024 at 1:43 PM Rob Sayre <sayrer@gmail.com> wrote:
>
>> Yeah, that sounds fine. I think 9460 is pretty good in that it covers
>> both DNSSEC and encrypted transports for DNS.
>>
>> thanks,
>> Rob
>>
>>
>> On Sat, Mar 30, 2024 at 10:27 AM Ted Lemon <mellon@fugue.com> wrote:
>>
>>> I think that would make sense, yes.
>>>
>>> On Sat, Mar 30, 2024 at 10:58 AM Erik Nygren <erik+ietf@nygren.org>
>>> wrote:
>>>
>>>> Do we want a few sentences in Security Considerations that references
>>>> https://www.rfc-editor.org/rfc/rfc9460.html#section-3.1 to call this
>>>> out?
>>>>
>>>> This seems like something that became less clear when we split these
>>>> two docs apart.
>>>> Most of draft-ietf-tls-svcb-ech used to be a section of what is now
>>>> rfc9460 but got split out
>>>> due to publication timelines.  It may be that some non-normative
>>>> references back to rfc9460
>>>> might help readers not miss things like this which might have been more
>>>> clear when they
>>>> were a single document.
>>>>
>>>>    Erik
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Mar 29, 2024 at 11:31 PM Ted Lemon <mellon@fugue.com> wrote:
>>>>
>>>>> Yes, that fully addresses my concern. Thanks!
>>>>>
>>>>> Op vr 29 mrt 2024 om 22:54 schreef Eric Rescorla <ekr@rtfm.com>
>>>>>
>>>>>>
>>>>>> Hi Ted,
>>>>>>
>>>>>> Doesn't this section of RFC 9460 address this case and say what you
>>>>>> are recommending:
>>>>>>
>>>>>> https://www.rfc-editor.org/rfc/rfc9460.html#section-3.1
>>>>>>
>>>>>> -Ekr
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 29, 2024 at 6:49 PM Ted Lemon <mellon@fugue.com> wrote:
>>>>>>
>>>>>>> Okay, I think I see the disconnect, maybe. The issue I'm pointing to
>>>>>>> is that you may or may not be doing DNSSEC validation. And you may or may
>>>>>>> not be /able/ to do DNSSEC validation if the infrastructure breaks it
>>>>>>> accidentally or deliberately.
>>>>>>>
>>>>>>> The document says: "The SVCB-optional client behavior specified in
>>>>>>> (Section 3 of [SVCB]) permits clients to fall back to a direct connection
>>>>>>> if all SVCB options fail. This behavior is not suitable for ECH, because
>>>>>>> fallback would negate the privacy benefits of ECH."
>>>>>>>
>>>>>>> So it's saying that the default handling of SVCB is incorrect and
>>>>>>> would fail open, and overriding that behavior. Given that this is the case,
>>>>>>> that implies that it matters whether the data has been validated, but
>>>>>>> nowhere in the document, certainly not in Security Considerations, is any
>>>>>>> mention made of this issue. So that's what I'm pointing out.
>>>>>>>
>>>>>>> It is absolutely not the case in practice that all stub resolvers do
>>>>>>> validation. You are making a security decision about trust based on data
>>>>>>> the trustworthiness of which you've not discussed, in a situation where the
>>>>>>> implementor has meaningful choices to make with respect to validating that
>>>>>>> trustworthiness. So it's worth mentioning that if the policy is not to
>>>>>>> validate, this vulnerability exists.
>>>>>>>
>>>>>>> I'm a DNS guy, not a TLS guy, so I don't know the history of this
>>>>>>> work—I'm just making this observation about the document I was asked to
>>>>>>> review. The fact that (apparently) no DNSDIR review ever raised this issue
>>>>>>> about the other documents you mentioned is of no interest to me—I'm not
>>>>>>> reviewing those documents.Whether you take this advice is between you and
>>>>>>> the IESG. I'm not even claiming to be right—just pointing out the issue I
>>>>>>> see.
>>>>>>>
>>>>>>> On Fri, Mar 29, 2024 at 7:21 PM Rob Sayre <sayrer@gmail.com> wrote:
>>>>>>>
>>>>>>>> I don't think it relates to DNSSEC. You can fail at DNS (DNSSEC
>>>>>>>> failure) or you can fail during ECH (unless you want to use non-ECH, which
>>>>>>>> is not ECH, and not part of this draft).
>>>>>>>>
>>>>>>>> It makes sense to me: one can reject a request unless the
>>>>>>>> requirements embedded in the SVCB are met (the server chooses those, which
>>>>>>>> can include many aspects of the request). I don't understand why one would
>>>>>>>> insert DNSSEC here. That seems to be the whole point--it works without it.
>>>>>>>>
>>>>>>>> thanks,
>>>>>>>> Rob
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Mar 29, 2024 at 3:57 PM Ted Lemon <mellon@fugue.com> wrote:
>>>>>>>>
>>>>>>>>> I'm not telling you that you have to require DNSSEC. I'm saying
>>>>>>>>> the document is incomplete if you don't talk about how it relates to
>>>>>>>>> DNSSEC. I think EKR got the point, so maybe go with his approach?
>>>>>>>>>
>>>>>>>>> On Fri, Mar 29, 2024 at 6:27 PM Rob Sayre <sayrer@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> It's a policy choice, though, right? I think ekr hinted at this
>>>>>>>>>> issue as well.
>>>>>>>>>>
>>>>>>>>>> It's that one might also view requests that reveal the SNI as
>>>>>>>>>> insecure. If that's the case, DNSSEC doesn't help. There will certainly be
>>>>>>>>>> a transition period where that will be impractical for many servers. I
>>>>>>>>>> think these are separate problems, though.
>>>>>>>>>>
>>>>>>>>>> thanks,
>>>>>>>>>> Rob
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Fri, Mar 29, 2024 at 3:10 PM Ted Lemon <mellon@fugue.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> It looks like if you can't get the SCVB you're going to fail
>>>>>>>>>>> insecure, so being able to use DNSSEC to prevent that for signed domains
>>>>>>>>>>> seems worthwhile.
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Mar 29, 2024 at 4:41 PM Rob Sayre <sayrer@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Mar 29, 2024 at 1:02 PM Ted Lemon via Datatracker <
>>>>>>>>>>>> noreply@ietf.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I don't think it's reasonable to specify the privacy
>>>>>>>>>>>>> properties of SVCB and
>>>>>>>>>>>>> /not/ talk about DNSSEC validation.
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Could you explain more about this part? I think DNSSEC doesn't
>>>>>>>>>>>> add much here, unless you want to accept non-ECH traffic. For example, many
>>>>>>>>>>>> of the test servers will bounce you to some other site if you don't send
>>>>>>>>>>>> ECH or screw it up in some way (speaking as someone who has screwed it up
>>>>>>>>>>>> many times...).
>>>>>>>>>>>>
>>>>>>>>>>>> I think there might be a DoS attack here, where someone messes
>>>>>>>>>>>> with the response, but they can also turn off the DNSSEC bit unless it's
>>>>>>>>>>>> DoT/DoH/DoQ etc. So, if using those, it's just the trustworthiness of the
>>>>>>>>>>>> DNS server itself, right? Sorry if I'm missing something.
>>>>>>>>>>>>
>>>>>>>>>>>> thanks,
>>>>>>>>>>>> Rob
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>> TLS mailing list
>>>>>>> TLS@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>>>>
>>>>>> --
> dnsdir mailing list
> dnsdir@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsdir
>

v2.23.0 | Report a Bug | By Email