IETF Logo Mail Archive

Re: [DNSOP] [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 13 March 2019 05:37 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D74412D4E7; Tue, 12 Mar 2019 22:37:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bDZpczh40quy; Tue, 12 Mar 2019 22:37:44 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01E93130E7C; Tue, 12 Mar 2019 22:37:42 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1552455263; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-exchange-diagnostics: x-microsoft-antispam-prvs:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=a Cdr9/xGFf1HbLolaID07Jlvfm9xBSWVk3NbLfzHQy A=; b=CskhOvRQfkX+M9/ORozFYS7/hmD/kIBzCz7hZVZMTiJo DdzwZIFhekCLG6g+/2sgDCXsXXZLz32xO5pVbTbIJICWyr9Bpt ug+yLNUgFUjuzGlk9sGpA70LYHOPrJDbl7eABpsXBiJPI+f3P3 0dsjiNCDmqVxqSIpWtaMLq2nMVU=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (unknown [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 4780_2a5a_96df891e_c6d9_470c_9a06_377adf5f94a9; Tue, 12 Mar 2019 23:34:22 -0600
Received: from DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 12 Mar 2019 23:37:28 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Tue, 12 Mar 2019 23:37:28 -0600
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 12 Mar 2019 23:37:27 -0600
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2520.namprd16.prod.outlook.com (20.177.224.213) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.19; Wed, 13 Mar 2019 05:37:26 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::9c48:452b:e39c:ef39]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::9c48:452b:e39c:ef39%2]) with mapi id 15.20.1709.011; Wed, 13 Mar 2019 05:37:26 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: "doh@ietf.org" <doh@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients
Thread-Index: AQHU2C+f7jidn2WHF0WeuF/A93J/OKYGu6uAgAA7DwCAASpAQIAAB3AAgADZPyA=
Date: Wed, 13 Mar 2019 05:37:26 +0000
Message-ID: <BYAPR16MB2790DDBE743A504D0983C7A3EA4A0@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com> <e62efaf3-4a35-4a52-5ed4-dee2e7fafe72@huitema.net> <69f989ba-0939-b917-b586-9e3af3fb8b74@redbarn.org> <CAPsNn2XNCzgAdfJtxBVboAe+d6sbCiV2fZv9185wm+HN+3zRdg@mail.gmail.com> <BYAPR16MB279065EE519680E7FC9A637CEA480@BYAPR16MB2790.namprd16.prod.outlook.com> <CAPsNn2Up1AtJJCdmu_9NC4jfzc-8dtE+QjUzRxMBUwaN44gvOg@mail.gmail.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org> <CABcZeBOWM0Ps-j3V-CK6VPy0LAqeo7-t7odUZy+dk9d-oCSDsg@mail.gmail.com> <BYAPR16MB2790E12D58E5ED2F58355CCDEA490@BYAPR16MB2790.namprd16.prod.outlook.com> <CABcZeBNJ+QURYOhu3ginFvnasMbQ53aK=c5fkAuCfgFwarhgzA@mail.gmail.com>
In-Reply-To: <CABcZeBNJ+QURYOhu3ginFvnasMbQ53aK=c5fkAuCfgFwarhgzA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fa4f9b87-794a-4083-6107-08d6a775f9c6
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2520;
x-ms-traffictypediagnostic: BYAPR16MB2520:
x-ms-exchange-purlcount: 3
x-microsoft-exchange-diagnostics: 1;BYAPR16MB2520;23:7Z2MXTBBuKK2IukfTsAgux/jBL6GYKMxSm9sLXiYr9E0HSz44joqpxgosi7U3/Xp7lB/Oz6sgv0pzQmhFX5oL8Cpckx30f+UjZZ5+HMjxErIidHP5hdVjysYdbGZZqsIJNi4Jsm2WXARKI67IVl/qOEz1BFYZge7BVh71pAAWSg9il8K+GNRvvzX4fp8gmpK4YNsyOnFuLvLzOdNRS2koAwsNYJFdfTbOaXA5zv+RiINNFLbdwhGv81t+YmO4TNmmupYWUNA3eNXdpYB00yOG92RFmMSyp3gzCHMz4u9kbuAxYjv+DqZHYMQ9tzVhKtj0YyRhPvkO3mZoQQkQZiYS6viZhu5Df1ul4gdbyhvk7uanBQyr2UsttQJULX+Og95dgFtzgX4RP6ySO8rk0sL7xHLtfPnP/qtDQSkoGh5cWv5dBoPma8PKwXpz/4DErfxvHp9oLtyuc2rdgqI0cJAFnc29cCEejEqT8ZHASmF2Qc0tpYwqnBSu6GaVg2TPutcTZsCEFk+REUeP5ysyMz4p5CMJ2xnbvlD0dlHxKVE4S2dCVZwjLj2cAV1xQTIyC47GHiaVqdKPEelTR7JG8jJAKHAsjXqhzmZscghV+tfTBaztR+/ywo8eCvwIUnTcN7MiIMKn9ZXvLXNP3QcEkupm9aF+nFTbP5otf0GN4Ep6iEgzpdN/NgS4W4gaIyBsk98+G/fGiQVoYgCV5edHOFAsLVEAY8G2aZDsGAlAGGH6lDgF3JpBWy4q1RpnvPNIv+fnTv5BLWkPsmrzlOLPQP/zPAkLFdUWbWS1jXKHOr4C8daKXN8dDVkZVr92ZqwL9bZ8lcOwGjR5bM1Qllpo19wSP8jp+M7Th+EjGadsrEj6TjTou9YpaxzIibrNUVb70N6p0sEcazCVSytsycCokRNFBLMrEtea8j9itAahevZGiQVLOCRugtrXLWvhNEVMPyHIMUArPuZ7VgICVz1wlpVlihDxZ7NMxu88FJwTaCCOpbXizOoQGa/05jtgbQEn/sx4Favn7gb63BAMm0RV67n3Z+l59hgljdihS4grrCDz7bL3jSKp9xyzM3OOcbKssYvvK/dsX5NCwPwKO7jCIe6mE5VqCcUXl4U4JzKYf3YFpx4s2D/6pdEarldI0bhT70uBVQcBO4Z3VKrosO+RuMoysZ1feD/cvJQqknqXrTVPfzkHpYmv3PErli6kS/LdkybjF7E5nlYXgxStItuO+84F6caZZLdaL5lYoIN7zUWsSaSpAWMtrE4TuQ28whIkDPV4swkdZORB3ynMRaiWn0yLxXcAJ0cR8R8b2bAENEeA9Yl0AMS+yxAWWSiNCNQJajlr0tp6jrYMd4hzhrkm/RyV3psA+8/VaYeWGzTFZccH965BUgS1Jz389aRXAdpnY9M232PRfumbAmMFB3ySZGXx4UJgdln0YbAM2+IahJU1zSyZ9iIKwfLGB0X/CwEUqQL07EBGEcnm58b2xcdWo6XMjk+mTFRkDOa8YKw4gk10EHU3MFp03tslwztcDkB9BWucfCXzZGZHuNZQ1QM8FNPbN3Xk1Esj5uSGdxe4k4EnMxXfA2/NHuVmED4Lw1Nb0Oj
x-microsoft-antispam-prvs: <BYAPR16MB25208A07695096DB08836CF0EA4A0@BYAPR16MB2520.namprd16.prod.outlook.com>
x-forefront-prvs: 09752BC779
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6019001)(376002)(39860400002)(396003)(366004)(346002)(136003)(269900001)(189003)(54094003)(199004)(32952001)(71200400001)(71190400001)(53936002)(53546011)(26005)(8936002)(486006)(7696005)(86362001)(54906003)(66066001)(186003)(55016002)(99286004)(476003)(6246003)(6506007)(256004)(5024004)(8676002)(446003)(11346002)(2906002)(14444005)(81166006)(6436002)(68736007)(81156014)(102836004)(76176011)(4326008)(72206003)(966005)(80792005)(606006)(93886005)(25786009)(6916009)(97736004)(52536013)(229853002)(33656002)(5660300002)(14454004)(236005)(9686003)(105586002)(54896002)(7736002)(316002)(6306002)(74316002)(790700001)(3846002)(6116002)(106356001)(478600001)(85282002)(256605007)(16193025007); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2520; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Az+i2+47Ilq+wdmxmg7ag9n3TfgZw2cVre4cJ1/utGAoEOO+PFWIfn9qNPf+2DL0nK9KZddXkj4UUXyOq9CQc+b8w0zZqXvEk+tbU++FdewvSm+cJKcuwtdzY8UGRHMAGjYzAfxe/Pe2vwLgiDc1frGBiLarm8HrTcmm3VuXRb0Sz3pXVaSngpeDpDcxrTFNrHWSsLY3aLPpqNpK/MKZibZTbvbnarfi4oo0JmTDpJlM1elmK6bJEqZBPJD/HQniJqIq0vi6xXh0xhf1K1DNtaHFiNyBhMDgtlyti+mNNmNr01ytPdNO+UlLTi3QcWnb3XFkk2wWTHz+8rUT9FbZm5BPfmUWbZ6u2wJ3LX1/FBVh03w5tnPf9xcgIkCpDagALpI49Xmqt5piDusZ0lzK/wAIHY06QGDxmyEPHLVa0S0=
Content-Type: multipart/alternative; boundary="_000_BYAPR16MB2790DDBE743A504D0983C7A3EA4A0BYAPR16MB2790namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: fa4f9b87-794a-4083-6107-08d6a775f9c6
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2019 05:37:26.1762 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2520
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6501> : inlines <7032> : streams <1815557> : uri <2811792>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OgghoqQvp3kJm1N3p0wXYlCC59o>
Subject: Re: [DNSOP] [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 05:37:47 -0000

Please see inline

From: Eric Rescorla <ekr@rtfm.com>
Sent: Tuesday, March 12, 2019 9:28 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
Cc: doh@ietf.org; dnsop@ietf.org; dns-privacy@ietf.org; Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>; Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________


On Tue, Mar 12, 2019 at 8:51 AM Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com<mailto:TirumaleswarReddy_Konda@mcafee.com>> wrote:
Hi Eric,

In TLS 1.2, it is possible for firewalls to inspect the TLS handshake, and white-list, black-list and grey-list TLS session based on the server identity. In other words, middleboxes are conditionally acting as TLS proxies to specific servers (categorized in the grey-list).
With TLS 1.3 and encrypted SNI, the middle box now has to act as a TLS proxy for all the flows.

It would be most useful not to conflate TLS 1.3 and ESNI.

In ordinary TLS 1.3, the SNI is in the clear but the server cert is not. However, importantly, even in TLS 1.2, the server certificate is not verifiable, and therefore is not significantly more trustworthy than SNI.

[TR] Middle boxes have a trust store (e.g. downloaded from Mozilla CA store) to validate the server certificate.  Malwares lie about SNI (typically use a FQDN whose reputation score is good), validating the server certificate (e.g. certain types of malwares  use self-signed certificates) and SNI mismatch helps detect the client is lying.

With ESNI, the SNI is encrypted (hence the name). However, the xpectation is that enterprises which want to do conditional inspection will disable ESNI on the client. This should not be problematic as they already need access to the client to install their own trust anchor.

[TR] I see Firefox has given an option to disable ESNI, hopefully others will provide a configurable option.

Cheers,
-Tiru

-Ekr



-Tiru

From: Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>
Sent: Tuesday, March 12, 2019 3:14 AM
To: Paul Vixie <paul@redbarn.org<mailto:paul@redbarn.org>>
Cc: nalini elkins <nalini.elkins@e-dco.com<mailto:nalini.elkins@e-dco.com>>; Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; doh@ietf.org<mailto:doh@ietf.org>; dnsop@ietf.org<mailto:dnsop@ietf.org>; Ackermann, Michael <mackermann@bcbsm.com<mailto:mackermann@bcbsm.com>>; Christian Huitema <huitema@huitema.net<mailto:huitema@huitema.net>>; dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>; Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org<mailto:40open-xchange.com@dmarc.ietf.org>>; Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>
Subject: Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________


On Mon, Mar 11, 2019 at 11:13 AM Paul Vixie <paul@redbarn.org<mailto:paul@redbarn.org>> wrote:


nalini elkins wrote on 2019-03-11 10:26:
> Tiru,
>
> Thanks for your comments.
>
>  > Enterprise networks are already able to block DoH services,
i wonder if everyone here knows that TLS 1.3 and encrypted headers is
going to push a SOCKS agenda onto enterprises that had not previously
needed one,

I'm pretty familiar with TLS 1.3, but I don't know what this means. TLS 1.3
doesn't generally encrypt headers any more than TLS 1.2 did, except for
the content type byte, which isn't that useful for inspection anyway.
Are you perchance referring to encrypted SNI? Something else?

-Ekr

and that simply blocking every external endpoint known or
tested to support DoH will be the cheaper alternative, even if that
makes millions of other endpoints at google, cloudflare, cisco, and ibm
unreachable as a side effect?

CF has so far only supported DoH on 1.1.1.0/24<http://1.1.1.0/24> and 1.0.1.0/24<http://1.0.1.0/24>, which i
blocked already (before DoH) so that's not a problem. but if google
decides to support DoH on the same IP addresses and port numbers that
are used for some API or web service i depend on, that web service is
going to be either blocked, or forced to go through SOCKS. this will add
considerable cost to my network policy. (by design.)

--
P Vixie

_______________________________________________
Doh mailing list
Doh@ietf.org<mailto:Doh@ietf.org>
https://www.ietf.org/mailman/listinfo/doh

v2.23.0 | Report a Bug | By Email