IETF Logo Mail Archive

Re: [DNSOP] [Ext] Request for adoption: draft-sah-resolver-information

tirumal reddy <kondtir@gmail.com> Thu, 18 July 2019 09:47 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D89E12017C for <dnsop@ietfa.amsl.com>; Thu, 18 Jul 2019 02:47:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P_9_1D73o3d1 for <dnsop@ietfa.amsl.com>; Thu, 18 Jul 2019 02:47:38 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 617D812001A for <dnsop@ietf.org>; Thu, 18 Jul 2019 02:47:38 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id s7so50355825iob.11 for <dnsop@ietf.org>; Thu, 18 Jul 2019 02:47:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vtwHKGIEgGbWSuKYn17LRmgBRxqYuQbkQLvdNHA2P1s=; b=MGwlDBRxEkSQxJCC5OmX9c5eiFK8LXDeuNgxrj/JkuAKDaj7ZuDBUonAQ99ld9rlyJ GxZxvehITCOdd5UvHNT56TvMHT2UZW/RjzQxN7x7JeSVEK7URVpcKr/lei0E6vhzYzHV uogSj1/TFCowcTgqCvuWf8JtIa388g3hkFw7hMKh1Dt1CTT5oWgYrkWLHtET51Ar+XuP 1yEEPMebMTvuvbW9oIbM/AdO8cSNB8PRYSJzvfSDPwGeAf+CKtXRYpFo5FtBUMQTK6kr KMpC2ZELLSsUrrXjNYro9c+jbgCTUNQUcx3VZ6JCWPqqdfXnXG6DfU8J7zcRADB2U09J Zoww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vtwHKGIEgGbWSuKYn17LRmgBRxqYuQbkQLvdNHA2P1s=; b=ccHaD4yVOoSwyqtmruRB4TD2vhff6qhuGKYYqXVVOFMCZmsnq6ybL4kpThpq610NiC hk66dUS6Mau1IjUNzjTWJZ0newYM5v+6w+RQm8XTh7BRCmj6PEd7d8ycUtpb2f5UEYDz cyuzzSKJK1jFpscewMikiN6424LBu9+d+Jbkv1Qmp+XvFyzoJd5/rfu/SwMoVYoEK1vu RDJDmm/DUs/6ibBZTgmqT3Y5Y0jLrcinJUfSQXEby03fNbeor/kj/ibkpDkJc5BRHr37 greYM0DIJCA8CQutY/VovyfYy7h7Lpmw/d2jTK2lzvUDVeddYHWMBt5fdrWVavpPgrs0 Ygog==
X-Gm-Message-State: APjAAAVnlMvK782tdxK1bB6/1sYUD5LVGf/yNBNocSBreQmdPazow53X qk0LCKz4uTyReFgUauQ1ogQLOi/giXjwP5Ckiio=
X-Google-Smtp-Source: APXvYqzSsClkOpZUy4SSZyrS2xzy2SEAsWT8ITYlXi4BmONcnU9qcriv9EVWg9GiGABl4JlTw2OKmIimCquA6v5zMyU=
X-Received: by 2002:a5d:8497:: with SMTP id t23mr17741047iom.298.1563443257649; Thu, 18 Jul 2019 02:47:37 -0700 (PDT)
MIME-Version: 1.0
References: <F00B09EC-24D8-40C1-8A6C-86C2FD63A062@icann.org> <CAFpG3gcLF-tYJtiiV8kDKHa-rdSb=DQqLYuV-n+XX-PG5qEWmw@mail.gmail.com> <76A15C99-20BB-4AC8-9F34-D690D27B81EA@icann.org> <CAFpG3gdySm18k5jD9hthMEnzb1dPSP7tsq4N02ApcmoyP9O2rA@mail.gmail.com> <78FC8A42-B9E0-4785-90DF-FE7434FB4457@icann.org>
In-Reply-To: <78FC8A42-B9E0-4785-90DF-FE7434FB4457@icann.org>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 18 Jul 2019 15:17:26 +0530
Message-ID: <CAFpG3gf0=JzTSrLXjspAMkCgFLuaRggf6MHY1jqOVOWxb4A=pg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ffb2c8058df17f29"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4ubj2D4bzxS1VTsZKzcNqBcWgtM>
Subject: Re: [DNSOP] [Ext] Request for adoption: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jul 2019 09:47:41 -0000

Hi Paul,

Please see inline

On Wed, 17 Jul 2019 at 21:47, Paul Hoffman <paul.hoffman@icann.org> wrote:

> On Jul 17, 2019, at 7:36 AM, tirumal reddy <kondtir@gmail.com> wrote:
> >> One example is that the stub or browser may want to change DoH servers,
> such as if it has discovered one that has a better security policy.
> >>
> > Attackers can also host DoH servers and claim they have better security
> policy, How will the stub resolver know the server is not lying ?
>
> The same way that they will authenticate any policy information. This is
> no different than any other policy choice, is it?
>

No, I am not aware of any standard techniques used by endpoints and IoT
devices to authenticate the policy information provided by the network ?
If you are aware of such techniques, Please share.


>
> > > 2) DHCP clients typically have no secure and trusted relationships to
> DHCP servers, how will the client know it is communicating with the
> recursive resolver hosted in the attached network ?
> >
> >> It will not. This has always been the problem with DHCP, and efforts to
> make DHCP authenticated have not borne fruit.
> >>
> > Yes, but how will the client know it is communicating with an attacker's
> DoH server or not ?
> > In other words, if the client does not securely learn the IP address or
> domain name of the resolver, the client could end-up retrieving the
> attacker's resolver information.
>
> Are you saying that the only way for a client to learn policy information
> is from secure DHCP or secure RA? It seems like others here disagree with
> that, and want network administrators to be able to leverage the resolvers
> under their control to issue policy statements.
>

I am not proposing to use Secure DHCP or secure RA. Consider a scenario
where an attacker also hosts a resolver and issues policy statements to
claim better security and privacy than the one provided the network
administrator. How will the client know the policy statement is issued by
the resolver deployed by the network administrators or by an attacker ?

> Discussing these future configuration options without solving the secure
> bootstrapping problem is of little use to implementations and deployments.
>
> Others seem to disagree with that statement.
>

Sure, but I don't see any discussion in the draft explaining how the client
determines the future configuration options is coming from a trusted
source. If the source cannot be trusted, endpoint can be configured to use
a malicious resolver server compromising the endpoint security and privacy,
and the future configuration options is not helpful.


>
> > > 4) Any specific reason for picking I-JSON ?
> >
> >> Absolutely. I-JSON is more likely to be interoperable than plain JSON:
> that's why it exists. Given that the developers of the clients for this
> protocol will be different than the developers of the servers, greater
> interoperability should be an emphasis.
> >>
> > JSON also provides interoperability, please see
> https://tools.ietf.org/wg/jose/charters.
>
> I-JSON was partially motivated by problems discovered in JOSE.
>

Okay.


>
> > My other question is why JSON and not CBOR ?
>
> CBOR has no advantages in this use case, and JSON is easy to put into
> master files.
>

CBOR has smaller message size compared to JSON and is faster to process
than JSON.

Cheers,
-Tiru


>
> --Paul Hoffman

v2.23.0 | Report a Bug | By Email