Re: [dnssd] Next steps for privacy discovery

Bob Bradley <bradley@apple.com> Fri, 26 October 2018 16:57 UTC

Return-Path: <bradley@apple.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A845130DE9 for <dnssd@ietfa.amsl.com>; Fri, 26 Oct 2018 09:57:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.471
X-Spam-Level:
X-Spam-Status: No, score=-2.471 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B25RQBGLhkm1 for <dnssd@ietfa.amsl.com>; Fri, 26 Oct 2018 09:57:23 -0700 (PDT)
Received: from nwk-aaemail-lapp03.apple.com (nwk-aaemail-lapp03.apple.com [17.151.62.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73B8C127133 for <dnssd@ietf.org>; Fri, 26 Oct 2018 09:57:23 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp03.apple.com [127.0.0.1]) by nwk-aaemail-lapp03.apple.com (8.16.0.22/8.16.0.22) with SMTP id w9QGv1Vq022392; Fri, 26 Oct 2018 09:57:14 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=mime-version : content-transfer-encoding : content-type : sender : subject : from : in-reply-to : date : cc : message-id : references : to; s=20180706; bh=INW0mHNFDS3ULBa7f8PwKBr+e4kiG839JuNLjoImxKw=; b=rvT+sxgPscmBi+cO6M5RuECWBUp3+XGXwLz2QZhN9o0EIjiYmzOkkbh6oOWmjd+Rmg3i Rqg+9/TLBZVZ4ecxXnE+pH4HRivLvB+jVotEpH53kVdXYQWGgbLwFfVE91pU9JnazJeo l2wOKyu4clIMY3vg4G47qhXgJydpK/PlG3Fk94U9mGU3L10EUAwhMS0raCK6sqiBoR5h JetFmRfkYQ/GtvlRIqmCqLNeLji8v8r6xeZn13mbmShOkWjDzo33Cdx0XHmI5Xcm7JJ0 jkLouQwea5O1ftD+e5uCD+qg1eyscR0WFFqMJrCEwveftuzp6M1KnDxbcxw8c8NinsaB 4Q==
Received: from ma1-mtap-s01.corp.apple.com (ma1-mtap-s01.corp.apple.com [17.40.76.5]) by nwk-aaemail-lapp03.apple.com with ESMTP id 2n80wbtdax-5 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 26 Oct 2018 09:57:14 -0700
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Received: from nwk-mmpp-sz13.apple.com (nwk-mmpp-sz13.apple.com [17.128.115.216]) by ma1-mtap-s01.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPS id <0PH70004FTR4TRH0@ma1-mtap-s01.corp.apple.com>; Fri, 26 Oct 2018 09:57:05 -0700 (PDT)
Received: from process_viserion-daemon.nwk-mmpp-sz13.apple.com by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PH700D00TKJDO00@nwk-mmpp-sz13.apple.com>; Fri, 26 Oct 2018 09:57:04 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 71dc84467274b5628813a22f30ceafa8
X-Va-E-CD: cd92e8e7a72a12fe881f4b967bb78df8
X-Va-R-CD: 23cb4d007a8cf68f9daff7890c8be7a6
X-Va-CD: 0
X-Va-ID: 8dc06b22-422e-46d9-9f7c-f7450fd3bd55
X-V-A:
X-V-T-CD: 058bbac8ca772bcfc9e38720b87faa94
X-V-E-CD: cd92e8e7a72a12fe881f4b967bb78df8
X-V-R-CD: 23cb4d007a8cf68f9daff7890c8be7a6
X-V-CD: 0
X-V-ID: 2809efbd-e003-4757-9876-5a9ca93bc4de
Received: from process_milters-daemon.nwk-mmpp-sz13.apple.com by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PH700F00TPHJ000@nwk-mmpp-sz13.apple.com>; Fri, 26 Oct 2018 09:57:04 -0700 (PDT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-10-26_09:,, signatures=0
Received: from [17.234.69.77] by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPSA id <0PH7003OTTR4MO30@nwk-mmpp-sz13.apple.com>; Fri, 26 Oct 2018 09:57:04 -0700 (PDT)
Sender: bradley@apple.com
From: Bob Bradley <bradley@apple.com>
In-reply-to: <48bc4612-018e-7aac-6492-05657c466313@huitema.net>
Date: Fri, 26 Oct 2018 09:57:03 -0700
Cc: dnssd <dnssd@ietf.org>
Message-id: <28F9784B-6243-453E-8926-A4EA039217C9@apple.com>
References: <48bc4612-018e-7aac-6492-05657c466313@huitema.net>
To: Christian Huitema <huitema@huitema.net>
X-Mailer: Apple Mail (2.3445.102.2)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-10-26_09:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/MHCL_xn6QjOgre2CiiMkKksNAK4>
Subject: Re: [dnssd] Next steps for privacy discovery
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Oct 2018 16:57:26 -0000

If I understand correctly, a revision to draft-ietf-dnssd-privacy-05 would change it from each server advertising a _pds._tcp service instance for each of its paired peers to advertising a single _pds._tcp service instance for only itself (which sounds like a nice improvement). For that case, I think the scalability comparison between predictable nonces vs trial decryptions would be the cost of filtering additional multicast traffic vs performing additional signature verifications.

Assuming a network with 50 peers and 3 of them I'm paired to, here's my understanding of the work between the two approaches:

Predictable nonces:

When I join the network and start discovery, I announce my own _pds._tcp service instance (hash of time). Each peer would receive it and for each of its paired peers, calculate PrivateInstanceName = <time> | hash( <time> | <peer public key> ) and compare that to the announced name (47 ignore it, 3 cache it). Then send a PTR query for _pds._tcp. Each peer on the network responds with its own _pds._tcp service instance. For each response I receive, calculate a PrivateInstanceName for each of my paired peers and compare each response to my list of PrivateInstanceNames (47 ignored, 3 cached).

Trial decryptions:

When I join the network and start discovery, I announce my availability via a probe (signature of time) . Each would peer would receive it and for each of its paired peers, perform a signature verification (47 ignore it and 3 cache it). The 3 paired peers send a response. When I receive each response, perform a signature verification against each of my paired peers (which should succeed so it caches all 3 responses).

The question seems to be whether the traffic reduction in the trial decryption approach of only needing to respond to paired peers is worth the CPU cost of additional signature verifications.

Another option could be to use the predictable nonce approach, but in the PTR query for _pds._tcp, include an additional record containing the predictable nonce of the querier. The receiver could use this to suppress responses to unpaired peers. This could provide a similar traffic reduction to the trial decryption approach while retaining the CPU optimization of predictable nonces.

> On Oct 26, 2018, at 12:08 AM, Christian Huitema <huitema@huitema.net> wrote:
> 
> With some prodding from David and Barbara, I resubmitted the DNSSD
> Privacy and Pairing drafts before the Bangkok meeting. The changes are:
> 
> * For both drafts, add reference to the privacy requirement draft and to
> the scaling draft,
> 
> * For both drafts, add a short paragraph in the intro stating that
> things might change based on the scaling analysis,
> 
> * For the privacy draft, remove the requirement analysis part and
> replace it by a reference to the requirement draft.
> 
> David is prodding me to write a complete revision of the privacy draft,
> using the "shared public key" approach, which has very good scaling
> capabilities and reasonably robust resilience to attacks. It is a bit
> different from the draft that Bob Bradley sent, and I will comment on that
> later. I could not submitted a revised discovery proposal before the dead
> line, but here are the broad lines of what I would do: 
> 
> 1) Server has a public key, which is "somewhat secret" -- it is only
> provided to authorized clients and they are expected to keep it secret.
> 
> 2) Single announcement per server of the form nonce|proof, where the
> nonce is a "predictable nonce" computed as a hash of quantized time and
> secret public key.
> 
> 3) Clients do a search for the nonce, just like in the current spec, but
> there is only one nonce per server, so the client will get exactly one
> response.
> 
> 4) If we kept the current "two phase" structure, use a TLS protocol
> extension to demonstrate knowledge of the server's public key in the
> client hello. I think we can build on the work done for SNI encryption,
> which would fit quite well.
> 
> 5) We may consider having a different nonce for each available service,
> e.g. have the announcement computed as hash of quantized time, service
> type and secret public key. This would allow for a single phase solution.
> 
> 6) We may also have the service name used as a proof, e.g. encoding of
> nonce and service name with the server's private key.
> 
> 7) We need to say something about protecting the service connections
> from clients to server. DNSSD privacy would not be that much useful if
> the clear text data on the service connection revealed the identity of
> client or server. I think a combination of SNI encryption and TLS 1.3
> would work, but that may be extra work.
> 
> 8) We also need to recommend randomized host names for the A/AAAA
> records of the servers, otherwise there is also a big leak.
> 
> Some of the complexity in the DNSSD approach comes from a desire to fit
> into the existing DNSSD formats. This leads to some tricks like Base64
> encoding of nonce, time stamps and proofs so they fit in existing
> fields like service type or instance name. Bob's draft jettisons DNSSD
> compatibility and defines a new binary format. That is definitely
> cleaner, but there is a trade-off: a new protocol implies that we cannot
> reuse the DNSSD server infrastructure. It would be interesting to gauge
> the WG consensus on that tradeoff.
> 
> The other big difference between Bob's draft and the evolving proposal
> is the use of trial decryption. In Bob's approach, clients send probes
> that the server tries to decrypt by using the public keys of various
> registered peers or friends. This has scaling issues similar to the
> pairwise keys that we relied on in our first drafts. After discussions,
> we grew very concerned with these scaling issues and the
> corresponding potential for DOS attacks. We instead evolved towards
> a system of "predictable nonces".
> 
> The predictable nonces are a tradeoff between privacy and performance.
> Predictable nonces can be precomputed by the server, which reduces the
> processing cost and also limits the potential of DOS attacks. But then,
> all authorized clients of a server can generate the same predictable
> nonces, and thus all authorized clients can detect the presence
> of other authorized clients. This reduces privacy somewhat, although not
> necessarily by a whole lot. All authorized clients can discover the server,
> and thus retrieve its IP address. Network level analysis can then reveal
> which clients are also connecting to that server. This means that the information
> potentially leaked by the predictable nonce is also available at a lower
> layer. I think that the trade-off is thus between a minor privacy leak and
> a significant performance gain, but of course other WG members may have a
> different analysis. It would be interesting to gauge WG consensus on that
> subject.
> 
> Looking forward to the debates in Bangkok!
> 
> -- Christian Huitema
>  
> 
> 
> 
> 
> 
> 
> -- Christian Huitema
> 
> 
> 
> 
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssd