Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-cookies-01.txt

Willem Toorop <willem@nlnetlabs.nl> Thu, 07 November 2019 09:04 UTC

Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5399B12088A for <dnsop@ietfa.amsl.com>; Thu, 7 Nov 2019 01:04:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nz2UjIILBRNt for <dnsop@ietfa.amsl.com>; Thu, 7 Nov 2019 01:04:10 -0800 (PST)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86F2C120834 for <dnsop@ietf.org>; Thu, 7 Nov 2019 01:04:10 -0800 (PST)
Received: from [IPv6:2a04:b904::160] (unknown [IPv6:2a04:b904::160]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 4EBE92973E; Thu, 7 Nov 2019 10:04:08 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=willem@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1573117448; bh=mz0wT+f03ZB84yACID1qeHanH0kt8wx7J+cQc53xlho=; h=To:References:From:Subject:Date:In-Reply-To; b=bpFH/3uKNBn7hf/j628E2eMgknq9f95CAUSJ5/TCtBmZUpi+964acKQmdNUJY8IT6 ZIUNFSPKePsdMxVFrywkf3my1gsXBAR4Fecec5q1vgipyjDhTzJnvSpTqPQ0q2H8PN 7eTke7jcY02MKNxdUAl7TChP/Det1H6FeIYl1sAU=
To: Philip Homburg <pch-dnsop-4@u-1.phicoh.com>, dnsop@ietf.org
References: <157290108089.13928.16346384980882076091@ietfa.amsl.com> <4479f132-c558-85d2-40d3-793fe1d52b52@nlnetlabs.nl> <m1iSO9v-0000LaC@stereo.hq.phicoh.net>
From: Willem Toorop <willem@nlnetlabs.nl>
Autocrypt: addr=willem@nlnetlabs.nl; prefer-encrypt=mutual; keydata= mQINBE1s81EBEACuJzGgccrmYEAzHc//vBq66gH7orM0GtKfQZHh4uR1FMxZXl07WevUYNuB ywTpinU9rpY1Q3S4w6QgNklgpsaHXmbOpyFjJ8FpllV8TRPiXiNrNxTpMnlb6InoszopX69t kBVHTP6cJkNgPx6R4BM0ARqEGQmOL8mAcoWyGVzbsamuGRaia54zs/kc3i9yiqEzRkoQmfwr 7sr49n7gOpmaqXvonOSiUvgEziep77emMcqVa/qZxR1r7KUq85qTNTqsQwl2cQdKS7WwOeuG 6ZIJmJ1bakriKzLBYF5xIHKSYJW0ZA20tNFrVKgTkEjiXvAJh4HlJEIi35tqa/IzWUJSc1ai nhBjxbwSl8BRq5aaPgwB+xXiDqY6BrQW1slvl5TF2A6Xr7JJ0rkH3EZgXxABAZ3WJ3RLwq1z 8jnNYj+UW/mSLsbOtgfOiBhFUXMZneHvVVvz6F6XAtyrejDl5sD2gnzm1VDfK6T6bvLtR7zr kWre0lpycDmgmUKgaEiXzfLvwT9RaWk8GdqU2GG+QOiwf+hT0peDieuodjMr59sUbx7GqVe/ 45rJBRSx+HCl2Jm7Th2Xr0kpStCd7ebVoEq9wpMyu+dM9wOTtibA9P3+9u4rAdimpAdQxEbh WbRNCng2EVhThbqRK3cTZLbtqKaWgAJqa/IQVpL9b5ps8Z4JVQARAQABtCNXaWxsZW0gVG9v cm9wIDx3aWxsZW1AbmxuZXRsYWJzLm5sPokCPgQTAQIAKAIbIwYLCQgHAwIGFQgCCQoLBBYC AwECHgECF4AFAlbUE5oFCRDr7kkACgkQ5fj4IS93pJiGfA/8C1+/M+EaQItVzQ/iPCbagBTq WOSispMzJne9gmimJzPs+lxgnrXOuYlIBywHpWB2Jmz45h+Cc4+di48WQfV9tHENn9MVFkwK zSdcY6v5eot6xSY5FRHS226MPR9UJ8/z5PvlizZUVbbM+Ngxg3Rx045Q0FnQm0o5VasEJ1Po R3CSiELJoZ13ukTk5pQlKyVknUKH1E1ds+Xtg1jpZBqiLiBzcLkKWYqBvrXI6XAEPr+woRgj 3xV8P24Uj232uK7xoe82jWIeZWXt/AbHBSmNOWPIgMd9i3FjdeTDml5sZSy3BlDYMr8hINen hYLhdLpJnXwPcsaj0ivcV+xSjLtSh0mE4gudcVhk5XR1M6emSlATC6+Bqn0M9JNTn4SHhkNS yo87aPwKqWFDlvjAZlRyPym9miJBlzech2uOlYSk6GFuead7MpGAipf5PwNNRKDMDi3y+H47 YG2izbrqj3cOZdqZmErwrzCU8xVkxzY/EY6w/MNMFNeqmXVGxzIZ8y9KAjH6JO96M/AxS4mX HJh1ocfHtSm90Ahy/HPJK+2+5+IgkAymKsvyIbvjs7FccMUo+OiSPWYi+xO/NXA4pBlUuGmV 55Kog7ym1flzo8OD9uHfLPrVORBHgnsITbzf9vgJ0emy8fxMCkzFT334gC1OVhD1ff1frbPX yVbcGI8AO+q5Ag0ETWzzUQEQAKTs4hWz94K66PtsHj/cBtHmJCJx9BsHP8eoUjd4iBR7cWgT Tgt1PGCNBzCPGIuUia808dqxu1L8OWjQpwXDCjXqAibn0mCJMRONVszxJKkjYnZGKGOo8cg7 OmQBZyEd6qrfxVf/dwHLsdQTJZzz9bGOxuYVAAu0q3PHW5gGFc+pp3eN47qzGMxEjsoETj/c laxjqisohG13/hkP6PvDoD7OOdOGdQQP8b4GRBD6rZ/FqMLv4C80zDnzCH1rLpNGQplf1any 06WTAsDL4f6gEALH62TIxOX4U7WxeuvHxyKXOAuN+ex/MvF2az124YbcWC7t1dqVW3ys20zK aememyXSKxV6aMn4KBcJF3CdM1oABZDyviL9el7Q/yQylpZC6El4QowaPIOAuzOdIc6cuM6P TWvBArcKVgQhWfJshfeFmfkxpz/hWc9K40yCjmb+hPZIr3RbXSsQItUUkBqOSMHNroIgX+Ia WMq3e7yMHdMqlKr0lU52lfBbfECjleB/NO4K3SGJBPzTgLtze+LsWxSJQoQMWKv6ISwQrW3r smUjqgQNrSGROX3rRy8Nvuzravs4a3FmdUpHIWw2KfY2M6AsX9HBFuRsimgqFjQm5VbqXA7N tHJCnA1RvqXlg/iJ5w+DElHosxwjHS+UbejDGmVQ+ITqlh3991osPjZq1Iy1ABEBAAGJAiUE GAECAA8CGwwFAlbUE5oFCRDr7kkACgkQ5fj4IS93pJjBwxAAnko5CSFDX/ZqW97satNacACH SAOOM8/jz1p2QtJSwbrbLsJRMpN1mSnjXWPBTmXoP4SGHGtxTVZxrYCpSMEHMqOV4yK3QlUn QXnf+CSvo2Ud3rpCh/lFLVHqG2Sy5Ietf/T+GGsoPd9DIdTHO0aFlW2yRQPxSrbYpv1v2aAC gRO4114qkex2j36diqlLod/OU4OQ51nuSesjTrUM9Fz6ikBJ1UDjakjAXe/HiRxUmdv4LANC mso+Gn17Co5lUdpn3fa8zTwNNAgLm6RBiBSSdaYExM9ir6pHrcWL5N+iZKnVmfE5CBufziZq 7V1E3I4FRuvDN4echbf58c6YxBQDsd9VZMJeFWY60w4JEXpHQdt129GS1FN/2PQ8NmAUXYCk YYk6Lv1tnGJCSLnD3ObLyWm+sjA5yAK2H8WU+nutsDF63yFJujNMpmB3bi9+699TzsyQNVKd 2fH38cgk1gZFb6Nbx9+lrTIwzAJJlOu8UwbR0HgGuRmrWp0EIm3tcy4xqWF3CavnM22BAOKK KH+qnwx8BRrx58coHQFMswW4W7Bo+jpKbQJ4RV2cXUEbmHbYUoXDHZyv/RzOI46dXAoWFc3o CoqLqpsZYZstJ4UJHXB5aHi1zxJDwzKxsflmSKfIUr3glRWCy/ylcPMEXzPBb3qbGFMUboio UjqLuNV4SSY=
Message-ID: <cedbd0f7-3552-f01d-e692-8fa85c5bc0af@nlnetlabs.nl>
Date: Thu, 7 Nov 2019 10:04:08 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.2
MIME-Version: 1.0
In-Reply-To: <m1iSO9v-0000LaC@stereo.hq.phicoh.net>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4gjEU1C6Dw5k47YpfkWFNkcTTfg>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-cookies-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2019 09:04:12 -0000

Op 06-11-2019 om 17:27 schreef Philip Homburg:
>> Philip Homburg pointed out that, although impractical to determine the
>> Client IP before Client Cookie construction, it is feasible for a Client
>> to detect it when it learns a Server Cookie from a specific Server.  It
>> can subsequently be tried to be reused for the same Server which will
>> fail if the Client IP has changed.
>>
>> This new (and practically implementable) requirement does not only
>> enhance privacy and make DNS Cookies work with the IPv6 Privacy
>> Extensions (by preventing tracking), it also makes them work in other
>> environments where Client source IP can change frequently, such as in
>> setups with multiple outgoing gateways.
> 
> Note that my preference was a pseudo-random client cookie. 
> 
> I can see two issues with the current approach:
> 1) I'm not sure this actually fixes the IPv6 privacy extensions problem.
>    The same client cookie can be used on different addresses if the 
>    server doesn't support cookies and the client at some point forgets
>    that the server doesn't support cookies (and sends the server the
>    same client cookie after a new privacy address is generated).
> 
> 2) As an extension of the previous, if no server supports cookies, then the
>    client will not change the Client Secret and continues to use the same
>    client cookie after it moves to new location.

Ack!

I see e need to adapt Client Construction section again. Also, these
considerations should be well expressed in a privacy and security
section as well.