Re: [DNSOP] [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 08 December 2020 14:56 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F9703A0EB3; Tue, 8 Dec 2020 06:56:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSh0gU_KVztW; Tue, 8 Dec 2020 06:56:31 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 265A43A0F39; Tue, 8 Dec 2020 06:56:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 999D5BE4C; Tue, 8 Dec 2020 14:56:27 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Rk7YEWOmCv2; Tue, 8 Dec 2020 14:56:24 +0000 (GMT)
Received: from [10.244.2.119] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id BD0EABE2F; Tue, 8 Dec 2020 14:56:24 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1607439384; bh=rbqEY/IXn0kmb1SC93nkcMagS9Qj/5wh/F230iIX0FU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=Tz50zTKth+BHxH6PSHx5FVy0TQdXJ3aPtREtQtCoQ93bnBAlEGtQDVxS6ek6UEAPr paf0t1rSpXPt28NDFWMZiuWHnFM186fYw/AVDdHGDvM2pjngcyLaH1JY0KNuISRGXr RU7aSHw3Y0709VYlR6hweQkQ1/CylzJPRKv4ej68=
To: Benjamin Kaduk <kaduk@mit.edu>, Ondřej Surý <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop WG <dnsop@ietf.org>, secdir@ietf.org
References: <20201204203635.GS64351@kduck.mit.edu> <F84E2C04-2916-4B88-B8CA-8CE7428A0C1C@isc.org> <20201208012332.GJ64351@kduck.mit.edu>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <200cabf3-79a5-bb61-57b7-30317dbb0944@cs.tcd.ie>
Date: Tue, 08 Dec 2020 14:56:23 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <20201208012332.GJ64351@kduck.mit.edu>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="yUnDk8M4VytKCSRxIKXkjK9AI5qRap8sP"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gJgBL_FprAbbcFO_f-lfqqBPrt8>
Subject: Re: [DNSOP] [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 14:56:34 -0000

Hiya,

(I wouldn't put that much store on my specific response, but
since you asked...)

On 08/12/2020 01:23, Benjamin Kaduk wrote:
> Hi Ondřej,
> 
> Thanks for this detailed writeup; it really helps bring clarity to the
> current situation.
> 
> In light of the follow-ups from others, it seems that there are actually
> two distinct but somewhat entangled issues:
> 
> (1) whether SipHash is a strong cryptographic hash function that delivers
> its stated properties.

Right. And whether there are any oddities, e.g. ways in which
one ought not use the algorithm. Asking about that is IMO a
good plan because once this gets used somewhere it'll be used
again elsewhere so I'd prefer we know if/when that's ok or
not. (Additionally, I'll admit a slight personal bias against
adding new algorithms where we have existing ones that are
fine - I figure that just costs more and damages interop for
little or no benefit. That could be outweighed though if the
new alg is already implemented and deployed for the purpose
in question and/or if it's widely available in libraries.)

> 
> (2) whether the stated properties of SipHash are appropriate for the
> scenario we are using it for in this document.

For DNS cookies, I'd say it'd be very unlikely that this is
not ok.

Cheers,
S.


> 
> I had initially assumed that Stephen's review was asking about (2), but for
> the most part we tend to ask CFRG about things like (1).  So, while I agree
> that it's valuable to get input from the CFRG on (1) and am willing to
> start the conversation there if needed, I would also like to get Stephen's
> (or anyone else's really) input about question (2).  I suspect that we are
> okay in that regard, not least because of the other similar usage that you
> describe, but request that the analysis of what properties we need from a
> hash function for this use case (and that SipHash meets them) be included
> in a future version of the draft.
> 
> Thanks again,
> 
> Ben
> 
> On Fri, Dec 04, 2020 at 10:14:29PM +0100, Ondřej Surý wrote:
>> Hi Benjamin,
>>
>> I did not used appeal to authority as an argument, but I’ve just provided examples that SipHash has been implemented in the similar scenarios and there hasn’t been reported issue with the choice for years now.
>>
>> Using fast PRF (pseudorandom function) for the DNS Cookies is a good choice because it matches the required properties - it needs to be fast and secure in a sense that attacker can’t compute neither the key nor the output of the function. DNS Cookies are not MACs.
>>
>> Sorry for the misnomer of the brute force - what I meant was a protection against a replay attack. I’m just currently very tired with day to day job.
>>
>> Please note that DNS Cookies doesn’t protect the actual DNS message payload, it merely provide means to establish trust between the client and the server as to distinguish between a legitimate and spoofed traffic, so different policies can be used - Response Rate Limiting (RRL) could be turned off for DNS messages with cookies or when under attack it could require fallback to TCP for DNS queries without the DNS Cookie. The DNS cookies doesn’t protect the actual content in any way, neither it does protect the communication from the on path adversary.
>>
>> In that regard, the client cookie is just nonce (and it’s just convenient to use same algorithm to generate it, but it could be output from CSPRNG as well) and the server cookie is a cryptographic primitive that uses the client nonce, key and timestamp to construct the server cookie. Such server cookie is used by the DNS client to authenticate to the server (it’s shared secret, but it requires no per-client state on the server). Just to repeat, the actual payload (DNS message) is not protected by the DNS cookie.
>>
>> If the DNS server could keep a state for every DNS client, a CS random number would be as good as the output of the SipHash.
>>
>> I might not be a cryptographer as my daily job, but I am reasonably confident that SipHash has matching properties, it hasn’t been broken as of today. Also all DNS vendors have agreed to make this choice and the RFC here is merely a way how to ensure interoperability between various implementations.
>>
>> (Typing this on phone, so excuse any irregularities in the text.)
>> Ondrej
>> --
>> Ondřej Surý — ISC (He/Him)
>>
>>> On 4. 12. 2020, at 21:37, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>>
>>> Hi Ondřej,
>>>
>>> Just because someone else does something, even a "big name", doesn't
>>> necessarily make it a good idea for us to also do it.
>>> We should be able to justify our algorithm choices on cryptographic
>>> principles, not just appeal to authority.
>>>
>>> In a similar vein, you said something about the 32-bit timestamp being wide
>>> enough to prevent brute-force attacks.  Could you say a bit more about what
>>> attacks those are that are being prevented?  I'm not really seeing how the
>>> width of the timestamp comes into play for that concern, just from a quick
>>> skim of the document.  (Timestamps tend to not provide much protection
>>> against brute force by themselves, since time is relatively guessable,
>>> especially to seconds precision.)
>>>
>>> Thanks,
>>>
>>> Ben
>>>
>>>> On Wed, Dec 02, 2020 at 11:18:29PM +0100, Ondřej Surý wrote:
>>>> SYN cookies in both Linux and FreeBSD uses siphash.
>>>>
>>>> * FreeBSD: https://svnweb.freebsd.org/base?view=revision&revision=253210 (since 2013)
>>>> * Linux: https://github.com/torvalds/linux/commit/fe62d05b295bde037fa324767674540907c89362#diff-14feef60c3dbcf67539f089de04546c907233cbae09e1b2dd2c2bc6d6eae4416 (since 2017)
>>>>
>>>> I believe that the SYN cookies have exactly the same properties as DNS cookies.
>>>>
>>>> Ondrej
>>>> --
>>>> Ondřej Surý (He/Him)
>>>> ondrej@isc.org
>>>>
>>>>>> On 2. 12. 2020, at 22:15, Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>
>>>>> Well hash tables are an application with somewhat different security properties than MACs, so I don't think this is dispositive.
>>>>>
>>>>
>>>> _______________________________________________
>>>> secdir mailing list
>>>> secdir@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/secdir
>>>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>>
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>