[DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-server-cookies-04: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Tue, 15 December 2020 23:51 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 086063A08D9; Tue, 15 Dec 2020 15:51:40 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-server-cookies@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com, tjw.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <160807629951.1692.12444176077552301909@ietfa.amsl.com>
Date: Tue, 15 Dec 2020 15:51:40 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yppq4yTD-B7dkl7XK4kn71edgE4>
Subject: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-server-cookies-04: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2020 23:51:40 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-dnsop-server-cookies-04: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-server-cookies/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- The following points notwithstanding, I'm excited to see this mechanism get specified and am looking forward to balloting Yes once my concerns are resolved. Thank you for writing this document (and implementing it, etc.)! There seems to be an internal inconsistency in the normative guidance for how long a given cookie value should be accepted. Section 4.3 says that "[t]he DNS Server SHOULD allow Cookies within 1 hour period in the past and 5 minutes into the future to allow operation of low volume clients and some limited time skew between the DNS servers in the anycast set" (before going on to recommend that the server generates a new cookie if it receives one from the client that is more than half an hour old). In contrast, Section 5 says "[t]he operator SHOULD wait at least longer than the period clients are allowed to use the same Server Cookie, which SHOULD be half an hour, see Section 4.3". If I'm reading correctly the "1 hour" in Section 4.3 is supposed to line up with the "half an hour" in Section 5, but does not. Also, as was mentioned in the secdir review thread, I think we should clearly state what properties we require of a MAC in order to be a useful server cookie (including why the chosen inputs are the right thing to MAC!) That is, what message is being authenticated, and why is that a useful message to authenticate? I will also take this opportunity to consult the CFRG on the suitability of SipHash-2-4 for its stated purpose, though I do not feel a strong need to delay IESG approval of this document until a positive answer is received. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Abstract This seems quite long for an Abstract! I suspect that everything after the first paragraph could be consolidated into a single second paragraph, if desired. Section 1 attackers. This document specifies a means of producing interoperable strong cookies so that an anycast server set including diverse implementations can be easily configured to interoperate with standard clients. While the need for a precise and interoperable specification is clear in this case of diverse implementations backing a single anycast service, isn't there also some benefit in having a well-studied algorithm even for use within a single implementation or non-anycast service? Section 3 While I recognize that (UDP) DNS packets do feel some need to economize on space, I also feel that we should consider what role the client cookie is playing as a nonce and how much randomness is needed in order for it to succeed in that role. In particular, in some sense it is *not* being used as a cryptographic nonce, but rather an ephemeral opaque identifier for a given client+IP address, that should be unguessable. Specifically, the client cookie can be used for more than one cryptographic operation, as it is re-used when the server generates a new "fresh" cookie. So I would suggest rewording to not call this a 'nonce'. That notwithstanding, my generic advice for random nonces is to use at least 128 bits if you want to not think about it much (https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html apparently suggests 256-bit, though that's just a link I happened to see recently on some other list), and I feel that there is a need to include reasoning to justify the choice of any smaller nonce in terms of what properties the nonce needs to provide and how they are achieved within the target security margin. In this case (IIUC) we are a bit constrained by the size of the client cookie being a protocol constant, but we can still provide some analysis of what properties we are able to provide within that constraint. One way to track Client IP addresses, is to register the Client IP address alongside the Server Cookie when it receives the Server Cookie. In subsequent queries to the Server with that Server Cookie, nit/editorial: given the previous mention of "tracking" as being a bad thing done by external observers, the transition to this topic is a bit rough. I'd consider something like "One way to satisfy this requirement for non-re-use is to register [...]", for a smoother transition. the socket MAY be bound to the Client IP address that was also used (and registered) when it received the Server Cookie. Failure to bind (Does this "MAY" flow well with "one way to"?) Section 4 The Server Cookie is effectively a Message Authentication Code (MAC) and should be treated as such. The Server Cookie is calculated from the Client Cookie, a series of Sub-Fields specified below, the Client IP address, and a Server Secret known only to the servers responding on the same address in an anycast set. (Is it conventional to think of a single server as being "the one and only server in a degenerate anycast set", or would we consider adding a clarification that it remains secret to the server in the single-server case?) Section 4.3 The Timestamp value prevents Replay Attacks and MUST be checked by the server to be within a defined period of time. The DNS Server SHOULD allow Cookies within 1 hour period in the past and 5 minutes into the future to allow operation of low volume clients and some limited time skew between the DNS servers in the anycast set. FWIW we hardcoded 5 minutes of skew into Kerberos but the current thinking is that that's way too much. A modern performant server should have no trouble getting accurate time to within a few seconds, is my understanding. The DNS Server SHOULD generate a new Server Cookie at least if the received Server Cookie from the Client is more than half an hour old. Presumably it also MAY generate a new cookie more often than that? Section 4.4 I recognize that the stakes here are relatively small, but I don't think that should excuse us from adhering to general cryptographic best practices and ensuring that the mapping from protocol parameters to the byte string input to the hash (MAC) function is an injective mapping. (See https://tools.ietf.org/html/rfc5116#section-3.3 for some discussion in a similar context.) IIUC the client cookie is fixed length by protocol, so it and the version/reserved/timestamp are fixed-width, thus injective by default. However, the length of the Client-IP can vary based on address family, so either a length prefix or address-family indicator might be in order (though the overall length of the input is probably enough to differentiate between the two cases for address family). And SipHash is inherently immune to length-extension attacks, hooray. This would probably be a good section to put the analysis of what properties are needed from the hash/MAC and how SipHash meets them (per the secdir review thread), if we don't want to put it in the toplevel Section 4. Section 5 All servers in an anycast set must be able to verify the Server Cookies constructed by all other servers in that anycast set at all times. Therefore it is vital that the Server Secret is shared among all servers before it is used to generate Server Cookies. (editorial) I suggest "before it is used to generate Server Cookies on any server". Stage 3 This stage is initiated by the operator when it can be assumed that most clients have learned the new Server Secret. Clients never learn the Server Secret itself! This should presumably be "most clients have obtained a Server Cookie derived from the new Server Secret". Section 6 [SipHash-2.4] is a pseudorandom function suitable as Message Authentication Code. This document REQUIRES compliant DNS Server to use SipHash-2.4 as a mandatory and default algorithm for DNS Cookies to ensure interoperability between the DNS Implementations. (Where does the "SipHash-2.4" notation originate from? The original paper at https://www.aumasson.jp/siphash/siphash.pdf seems to use the "SipHash-2-4" notation.) Section 8 DNS traffic. An on-path adversary that can observe a Server Cookie for a client and server interaction, can use that Server Cookie for amplification and denial-of-service forgery attacks for the lifetime of the Server Cookie. Such an adversary is limited to using that cookie for attacks directed against the client associated with the cookie, though, right? Unfortunately, tracking Client IP Address Changes is impractical with servers that do not support DNS Cookies. To prevent tracking of clients with non DNS Cookie supporting servers, a client MUST NOT send a previously sent Client Cookie. [...] I think there's a missing qualifier here, like "to a server not known to support the cookie mechanism" or "in the absence of an associated server cookie" or similar. A blanket prohibition on sending previously sent client cookies would seem to render the cookie mechanism entirely unusable... Summarizing: * In order to provide minimal authentication, a client MUST use a different Client Cookie for each different Server IP Address. (This is only "summarizing" if the RFC 7873 discussion is considered to be a previous mention.) Even RFC 7873 doesn't seem to discuss in much detail *why* this is the case. IIUC the risk is that in sending a client cookie to a third-party server, that third party could send that cookie as a client cookie to the target server and potentially get back the same server cookie as is used between the primary client/server, thus gaining the ability to spoof responses as if they were the primary server. Should we lay this scenario out in more detail? ("No" is probably an okay answer, though I'm not 100% convinced yet.) * To prevent tracking of clients for a non DNS Cookie supporting server, a client MUST NOT send a previously sent Client Cookie to that server, unless it can track Client IP Address changes for those servers too. I don't think we should have two "MUST NOT" statements covering the same topic but with slightly different caveats -- it sets up the risk of skew between directives and consequent internal inconsistency. I prefer one of my formulations suggested above, though they are of course not the only way to resolve the potential issue. Besides the Client Cookie construction, this update on [RFC7873] does not introduce any new characteristics to DNS Cookies operations and the Security Considerations section of [RFC7873] still applies. We also have the new Server Cookie construction, that by design includes some defined fields in cleartext. Some discussion of the associated considerations, or why there are no considerations, seems in order. Section 10 Following the reference for [SipHash-2.4] suggests that https://www.aumasson.jp/siphash/ might be a more targeted URL than the current one (that redirects to the only the root path of the www.aumasson.jp site). Appendix A.4 I guess the timestamp should in theory be recoverable from the listed cookie value, though maybe it is helpful to say it in a more human-readable form as well.
- [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dn… Benjamin Kaduk via Datatracker