Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-cookies-01.txt

Willem Toorop <willem@nlnetlabs.nl> Wed, 06 November 2019 15:26 UTC

Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CB661208B0 for <dnsop@ietfa.amsl.com>; Wed, 6 Nov 2019 07:26:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IG6l7eFK0bw1 for <dnsop@ietfa.amsl.com>; Wed, 6 Nov 2019 07:26:21 -0800 (PST)
Received: from dicht.nlnetlabs.nl (open.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30AA1120128 for <dnsop@ietf.org>; Wed, 6 Nov 2019 07:26:21 -0800 (PST)
Received: from [IPv6:2a04:b904::160] (unknown [IPv6:2a04:b904::160]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 44D3F28747 for <dnsop@ietf.org>; Wed, 6 Nov 2019 16:26:19 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=willem@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1573053979; bh=Vk4A3m0eMjWMtFEVHXAwBAI2QpNmo2bWKhU3UbgVgeY=; h=To:References:From:Subject:Date:In-Reply-To; b=v3Xtk8sZULNKuPLKkD9f+YWtamMX2KsHeJdai2yMDvbhwXeIEkBcUDVcGVolvAy9D T7tdmP3ogsjkAg0a9122MqX9Nd/Vfq6W8C5KDbCFrMpypfNgW0nW8r1ck3PUlLDR7V 3Pytt8igbG4ef7ZChsYFucFOnrQmfWsM1Dfj5Qkk=
To: dnsop@ietf.org
References: <157290108089.13928.16346384980882076091@ietfa.amsl.com>
From: Willem Toorop <willem@nlnetlabs.nl>
Autocrypt: addr=willem@nlnetlabs.nl; prefer-encrypt=mutual; keydata= mQINBE1s81EBEACuJzGgccrmYEAzHc//vBq66gH7orM0GtKfQZHh4uR1FMxZXl07WevUYNuB ywTpinU9rpY1Q3S4w6QgNklgpsaHXmbOpyFjJ8FpllV8TRPiXiNrNxTpMnlb6InoszopX69t kBVHTP6cJkNgPx6R4BM0ARqEGQmOL8mAcoWyGVzbsamuGRaia54zs/kc3i9yiqEzRkoQmfwr 7sr49n7gOpmaqXvonOSiUvgEziep77emMcqVa/qZxR1r7KUq85qTNTqsQwl2cQdKS7WwOeuG 6ZIJmJ1bakriKzLBYF5xIHKSYJW0ZA20tNFrVKgTkEjiXvAJh4HlJEIi35tqa/IzWUJSc1ai nhBjxbwSl8BRq5aaPgwB+xXiDqY6BrQW1slvl5TF2A6Xr7JJ0rkH3EZgXxABAZ3WJ3RLwq1z 8jnNYj+UW/mSLsbOtgfOiBhFUXMZneHvVVvz6F6XAtyrejDl5sD2gnzm1VDfK6T6bvLtR7zr kWre0lpycDmgmUKgaEiXzfLvwT9RaWk8GdqU2GG+QOiwf+hT0peDieuodjMr59sUbx7GqVe/ 45rJBRSx+HCl2Jm7Th2Xr0kpStCd7ebVoEq9wpMyu+dM9wOTtibA9P3+9u4rAdimpAdQxEbh WbRNCng2EVhThbqRK3cTZLbtqKaWgAJqa/IQVpL9b5ps8Z4JVQARAQABtCNXaWxsZW0gVG9v cm9wIDx3aWxsZW1AbmxuZXRsYWJzLm5sPokCPgQTAQIAKAIbIwYLCQgHAwIGFQgCCQoLBBYC AwECHgECF4AFAlbUE5oFCRDr7kkACgkQ5fj4IS93pJiGfA/8C1+/M+EaQItVzQ/iPCbagBTq WOSispMzJne9gmimJzPs+lxgnrXOuYlIBywHpWB2Jmz45h+Cc4+di48WQfV9tHENn9MVFkwK zSdcY6v5eot6xSY5FRHS226MPR9UJ8/z5PvlizZUVbbM+Ngxg3Rx045Q0FnQm0o5VasEJ1Po R3CSiELJoZ13ukTk5pQlKyVknUKH1E1ds+Xtg1jpZBqiLiBzcLkKWYqBvrXI6XAEPr+woRgj 3xV8P24Uj232uK7xoe82jWIeZWXt/AbHBSmNOWPIgMd9i3FjdeTDml5sZSy3BlDYMr8hINen hYLhdLpJnXwPcsaj0ivcV+xSjLtSh0mE4gudcVhk5XR1M6emSlATC6+Bqn0M9JNTn4SHhkNS yo87aPwKqWFDlvjAZlRyPym9miJBlzech2uOlYSk6GFuead7MpGAipf5PwNNRKDMDi3y+H47 YG2izbrqj3cOZdqZmErwrzCU8xVkxzY/EY6w/MNMFNeqmXVGxzIZ8y9KAjH6JO96M/AxS4mX HJh1ocfHtSm90Ahy/HPJK+2+5+IgkAymKsvyIbvjs7FccMUo+OiSPWYi+xO/NXA4pBlUuGmV 55Kog7ym1flzo8OD9uHfLPrVORBHgnsITbzf9vgJ0emy8fxMCkzFT334gC1OVhD1ff1frbPX yVbcGI8AO+q5Ag0ETWzzUQEQAKTs4hWz94K66PtsHj/cBtHmJCJx9BsHP8eoUjd4iBR7cWgT Tgt1PGCNBzCPGIuUia808dqxu1L8OWjQpwXDCjXqAibn0mCJMRONVszxJKkjYnZGKGOo8cg7 OmQBZyEd6qrfxVf/dwHLsdQTJZzz9bGOxuYVAAu0q3PHW5gGFc+pp3eN47qzGMxEjsoETj/c laxjqisohG13/hkP6PvDoD7OOdOGdQQP8b4GRBD6rZ/FqMLv4C80zDnzCH1rLpNGQplf1any 06WTAsDL4f6gEALH62TIxOX4U7WxeuvHxyKXOAuN+ex/MvF2az124YbcWC7t1dqVW3ys20zK aememyXSKxV6aMn4KBcJF3CdM1oABZDyviL9el7Q/yQylpZC6El4QowaPIOAuzOdIc6cuM6P TWvBArcKVgQhWfJshfeFmfkxpz/hWc9K40yCjmb+hPZIr3RbXSsQItUUkBqOSMHNroIgX+Ia WMq3e7yMHdMqlKr0lU52lfBbfECjleB/NO4K3SGJBPzTgLtze+LsWxSJQoQMWKv6ISwQrW3r smUjqgQNrSGROX3rRy8Nvuzravs4a3FmdUpHIWw2KfY2M6AsX9HBFuRsimgqFjQm5VbqXA7N tHJCnA1RvqXlg/iJ5w+DElHosxwjHS+UbejDGmVQ+ITqlh3991osPjZq1Iy1ABEBAAGJAiUE GAECAA8CGwwFAlbUE5oFCRDr7kkACgkQ5fj4IS93pJjBwxAAnko5CSFDX/ZqW97satNacACH SAOOM8/jz1p2QtJSwbrbLsJRMpN1mSnjXWPBTmXoP4SGHGtxTVZxrYCpSMEHMqOV4yK3QlUn QXnf+CSvo2Ud3rpCh/lFLVHqG2Sy5Ietf/T+GGsoPd9DIdTHO0aFlW2yRQPxSrbYpv1v2aAC gRO4114qkex2j36diqlLod/OU4OQ51nuSesjTrUM9Fz6ikBJ1UDjakjAXe/HiRxUmdv4LANC mso+Gn17Co5lUdpn3fa8zTwNNAgLm6RBiBSSdaYExM9ir6pHrcWL5N+iZKnVmfE5CBufziZq 7V1E3I4FRuvDN4echbf58c6YxBQDsd9VZMJeFWY60w4JEXpHQdt129GS1FN/2PQ8NmAUXYCk YYk6Lv1tnGJCSLnD3ObLyWm+sjA5yAK2H8WU+nutsDF63yFJujNMpmB3bi9+699TzsyQNVKd 2fH38cgk1gZFb6Nbx9+lrTIwzAJJlOu8UwbR0HgGuRmrWp0EIm3tcy4xqWF3CavnM22BAOKK KH+qnwx8BRrx58coHQFMswW4W7Bo+jpKbQJ4RV2cXUEbmHbYUoXDHZyv/RzOI46dXAoWFc3o CoqLqpsZYZstJ4UJHXB5aHi1zxJDwzKxsflmSKfIUr3glRWCy/ylcPMEXzPBb3qbGFMUboio UjqLuNV4SSY=
Message-ID: <4479f132-c558-85d2-40d3-793fe1d52b52@nlnetlabs.nl>
Date: Wed, 6 Nov 2019 16:26:18 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.2
MIME-Version: 1.0
In-Reply-To: <157290108089.13928.16346384980882076091@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DEkkWPgerNUm6k_GYPJcQeSsOvE>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-cookies-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2019 15:26:23 -0000

Dear dnsop,

This version has an updated Client Cookie construction section in which
it is now REQUIRED to change a Client Cookie when the Client IP address
changes.

Previously (in versions before the previous version) the Client IP
address was used in Cookie construction, however that turned out to be
impractical to implement and therefore dropped from the previous version
recommending to disable DNS Cookies when privacy was a requirement.

Philip Homburg pointed out that, although impractical to determine the
Client IP before Client Cookie construction, it is feasible for a Client
to detect it when it learns a Server Cookie from a specific Server.  It
can subsequently be tried to be reused for the same Server which will
fail if the Client IP has changed.

This new (and practically implementable) requirement does not only
enhance privacy and make DNS Cookies work with the IPv6 Privacy
Extensions (by preventing tracking), it also makes them work in other
environments where Client source IP can change frequently, such as in
setups with multiple outgoing gateways.

Op 04-11-2019 om 21:58 schreef internet-drafts@ietf.org:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
> 
>         Title           : Interoperable Domain Name System (DNS) Server Cookies
>         Authors         : Ondrej Sury
>                           Willem Toorop
>                           Donald E. Eastlake 3rd
>                           Mark Andrews
> 	Filename        : draft-ietf-dnsop-server-cookies-01.txt
> 	Pages           : 15
> 	Date            : 2019-11-04
> 
> Abstract:
>    DNS cookies, as specified in RFC 7873, are a lightweight DNS
>    transaction security mechanism that provides limited protection to
>    DNS servers and clients against a variety of denial-of-service and
>    amplification, forgery, or cache poisoning attacks by off-path
>    attackers.
> 
>    This document provides precise directions for creating Server Cookies
>    so that an anycast server set including diverse implementations will
>    interoperate with standard clients.
> 
>    This document updates [RFC7873]
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-server-cookies/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-server-cookies-01
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-server-cookies-01
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-server-cookies-01
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>