Re: [DNSOP] [dns-privacy] FW: New Version Notification for draft-pan-dnsop-edns-isp-location-00
Petr Špaček <petr.spacek@nic.cz> Mon, 20 March 2017 14:31 UTC
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C96C91314A1; Mon, 20 Mar 2017 07:31:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wlmQTaDR-IY3; Mon, 20 Mar 2017 07:31:38 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D05313149F; Mon, 20 Mar 2017 07:31:38 -0700 (PDT)
Received: from [IPv6:2001:1488:fffe:6:9811:8ff:feef:6976] (unknown [IPv6:2001:1488:fffe:6:9811:8ff:feef:6976]) by mail.nic.cz (Postfix) with ESMTPSA id 5A37660183; Mon, 20 Mar 2017 15:31:36 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1490020297; bh=9dwL3ErMjBuY7KcIPwoDefnmk66AYmxgkHrT/zQXVdw=; h=To:From:Date; b=PVG2dZYzAreOKQHYYCk0SSe9mWgfBtrVvGShCj9/5lS3HJqSC+yP98ihhk68+fxKn 1F2vttDM1ejmZQELEJTra8ltOzJyI9LEGEUndYbXQuTusHfzmEpclGiB/pDrMb7r29 mci6cFnOI3i7Xm7B5GhssjMvpKMqO7aVPRmQWIbc=
To: Lanlan Pan <abbypan@gmail.com>, Barry Raveendran Greene <bgreene@senki.org>
References: <000f01d29dfe$50b6b190$f22414b0$@cn> <CANLjSvXGO3rSpqb7hzwmV=vfm=UTHnQYqfBmt=uD9Mi8cL59Jg@mail.gmail.com> <16B293AD-27A2-4A6D-8A96-7CD847B59708@senki.org> <CANLjSvUJfU1cafGXHyg=DuCnhm09mBm5z4ve2_g6j2ONgt2tRQ@mail.gmail.com>
Cc: dns-privacy@ietf.org, dnsop <dnsop@ietf.org>, "fuyu@cnnic.cn" <fuyu@cnnic.cn>
From: Petr Špaček <petr.spacek@nic.cz>
Organization: CZ.NIC
Message-ID: <df8da203-6fbc-02d9-7876-e220f2bbe884@nic.cz>
Date: Mon, 20 Mar 2017 15:31:35 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CANLjSvUJfU1cafGXHyg=DuCnhm09mBm5z4ve2_g6j2ONgt2tRQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xKihcsWHaZy8lD-W9xGerLKyFMo>
Subject: Re: [DNSOP] [dns-privacy] FW: New Version Notification for draft-pan-dnsop-edns-isp-location-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2017 14:31:42 -0000
Hello, On 20.3.2017 08:49, Lanlan Pan wrote: > Hi Barry, > > Thanks for your comments. > > Because the draft discussed the DNS privacy problem of ECS, and was first presented in In NDSS 2017 DNS Privacy Workshop, so I cc the email to dprive WG. > > > Barry Raveendran Greene <bgreene@senki.org <mailto:bgreene@senki.org>>于 > 2017年3月19日周日 上午2:22写道: > > Hello Yu Fu, > > I was not at the workshop. Warren already mentioned some issues. I > second what he is saying in a stronger terms: > > + What you are proposing has no value for optimizing content > delivery on the Internet. Physical location and the topology of > content delivery do not match. Also, Anycast is used. It is NOT > expensive. The reason why so many CDN operator use DNS based tools > for content delivery is granularity of action. An edge compute > system (i.e. what many CDNs are) can do all sorts of checks via DNS > approach vs an Anycast approach. > > > Everyone has known that physical location and the topology of content > delivery DO NOT MATCH. > As last mail reply to Warren, my proposal can offer the SAME critical > information for authoritative server to make tailored response decision > as ECS's client subnet. > Because in database such as maxmind, ECS (client subnet) can be map > into <AS number, country, province, ISP>, which also guide network > topology. > Therefore, if ECS has ANY value for optimizing content delivery on the > Internet, then EIL has. > > For example,If ECS is tell AUTH : the query is from 114.240.0.0/24 > <http://114.240.0.0/24>. The AUTH knows that ECS(114.240.0.0/24 > <http://114.240.0.0/24>) is indicated (CHINA, BEIJING, UNICOM), which is > not only geolocation, but also contains network topology information. > Then AUTH can return satisfied ip address according to the topology of > content delivery. Thank you for this example, it helps. > For user privacy concern, we can revise ECS(114.240.0.0/24 > <http://114.240.0.0/24>) => EIL (CHINA, BEIJING, UNICOM),give a > tradeoff between privacy and precise. Nice, this sounds like appropriate tradeoff to me. Side-effect of this is that it removes need to maintain copies of various Geo-IP databases all over the place, which is an improvement to operational practice. To sum it up, I support this. Nice work! Petr Špaček @ CZ.NIC > |||| > > > > Also, the ECS security assessment if off. ECS from the resolver to > the aDNS is sending a subnet configured by the operator of the rDNS. > Once the connection to the client to the CDN is made, the CDN > operator has the full details of the client. The term “leak client > subnet to AUTH” is misleading from a “privacy risk.” Once the > connection is made to my CDN, I know the IP specifics. > > > Privacy risk of ECS: > 1. If ECS is clear text in the resolution path => eavesdrop => encrypt > the dns traffic, in long term. > 2. The passive DNS log analysis risk > - avoid recursive dns analysis, reserve the optimization ECS, we can > send EIL query by some proxy tunnel. > - avoid authoritative dns analysis. If CDN is ALSO the authoritative > server, AGREE WITH YOU. But to a third-party authoritative service, the > more domains publish their zones on the third-party authoritative > server, the more end user privacy information can be gathered by the > authoritative server according to the ECS queries from recursive. > > ECS's security issue is described in DNS Privacy Workshop 2017 > Background > <http://www.internetsociety.org/events/ndss-symposium/ndss-symposium- > 2017/dns-privacy-workshop-2017-call-papers>, Understanding the Privacy > Implications of ECS > <http://www.cc.gatech.edu/~ynadji3/docs/pubs/dimva16_ecs.pdf>. > And In RFC7871(ECS) <https://tools.ietf.org/html/rfc7871>'s abstract > section: > > /Since it has some known operational and privacy shortcomings, a revision > will be worked through the IETF for improvement./ > > > > + What you are proposing has great value for Law Enforcement and > State Security. It would cut out the Operator as the middle man and > eliminate the need for a court order to release details on suspects. > > This also is a tool for criminals. I can easily see bad guys who are > dropping ransomware use this as a tool to say “pay up or I’ll SWAT > your house” or move from E-mail exertion threats to phone based threats. > > Barry > > > On Mar 17, 2017, at 6:57 PM, Lanlan Pan <abbypan@gmail.com > <mailto:abbypan@gmail.com>> wrote: > > > > Hi all, > > > > In NDSS 2017 DNS Privacy Workshop, I presented a EIL option as an > alternative privacy improvement for ECS. > > > > The paper and slide are attached. Test code in github : > https://github.com/abbypan/dns_test_eil > > > > Any comments or suggestions will be appreciated. > > > > Regards. > > > > Yu Fu <fuyu@cnnic.cn <mailto:fuyu@cnnic.cn>>于2017年3月16日周四 上 > 午10:37写道: > > Hi all, > > > > We have submitted a new draft as draft-pan-dnsop-edns-isp-location-00. > > This document is an improved solution for ECS(RFC7871), describes > an EDNS ISP Location (EIL) extension to address the privacy problem > of ECS, find the right balance between privacy improvement and user > experience optimization. EIL is defined to convey ISP location > information that is relevant to the DNS message. It will provide > sufficient information for the Authoritative Server to decide the > response without guessing geolocation of the IP address. > > > > Your comments are appreciated. > > > > Thanks > > Lanlan & Yu > > > > >-----Original Message----- > > >From: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> > [mailto:internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>] > > >Sent: Monday, March 13, 2017 6:07 PM > > >To: Pan Lanlan; Lanlan Pan; Yu Fu > > >Subject: New Version Notification for > draft-pan-dnsop-edns-isp-location-00.txt > > > > > > > > >A new version of I-D, draft-pan-dnsop-edns-isp-location-00.txt > > >has been successfully submitted by Yu Fu and posted to the IETF > repository. > > > > > >Name: draft-pan-dnsop-edns-isp-location > > >Revision: 00 > > >Title: ISP Location in DNS Queries > > >Document date: 2017-03-13 > > >Group: Individual Submission > > >Pages: 14 > > >URL: > https://www.ietf.org/internet-drafts/draft-pan-dnsop-edns-isp-location-00.txt > > >Status: > https://datatracker.ietf.org/doc/draft-pan-dnsop-edns-isp-location/ > > >Htmlized: > https://tools.ietf.org/html/draft-pan-dnsop-edns-isp-location-00 > > > > > > > > >Abstract: > > > This document describes an Extension Mechanisms for DNS (EDNS0) > > > option that is in active use to carry information about the > network > > > that originated a DNS query and the network for which the > subsequent > > > response can be cached. > > > > > > It is inspired by EDNS Client Subnet (ECS) with some privacy > > > considerations, goals to reduce the "guess geolocation of client's > > > IP" work on Authoritative Nameservers. > > > > > > > > > > > > The IETF Secretariat > > > > > > _______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > > https://www.ietf.org/mailman/listinfo/dnsop > > -- > > 致礼 Best Regards > > > > 潘蓝兰 Pan Lanlan > > > <Slide_EIL_Dealing_with_the_Privacy_Problem_of_ECS_PanLanlan.pdf><Paper_EIL_Dealing_with_the_Privacy_Problem_of_ECS.pdf>_______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > > https://www.ietf.org/mailman/listinfo/dnsop > > -- > 致礼 Best Regards > > 潘蓝兰 Pan Lanlan
- [DNSOP] FW: New Version Notification for draft-pa… Yu Fu
- Re: [DNSOP] FW: New Version Notification for draf… Lanlan Pan
- Re: [DNSOP] FW: New Version Notification for draf… Warren Kumari
- Re: [DNSOP] FW: New Version Notification for draf… Barry Raveendran Greene
- Re: [DNSOP] FW: New Version Notification for draf… Lanlan Pan
- Re: [DNSOP] FW: New Version Notification for draf… Paul Vixie
- Re: [DNSOP] FW: New Version Notification for draf… Lanlan Pan
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Petr Špaček
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Brian Hartvigsen
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Lanlan Pan
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Ask Bjørn Hansen
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Lanlan Pan
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Ask Bjørn Hansen
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Lanlan Pan
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Paul Vixie
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Lanlan Pan
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Paul Vixie
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Lanlan Pan
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Barry Raveendran Greene
- Re: [DNSOP] [dns-privacy] FW: New Version Notific… Lanlan Pan