Re: [dnssd] Artart last call review of draft-ietf-dnssd-srp-20
Ted Lemon <mellon@fugue.com> Sat, 08 July 2023 12:52 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A10CC153A7F for <dnssd@ietfa.amsl.com>; Sat, 8 Jul 2023 05:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GtYXUkSAruyl for <dnssd@ietfa.amsl.com>; Sat, 8 Jul 2023 05:52:05 -0700 (PDT)
Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A554CC151085 for <dnssd@ietf.org>; Sat, 8 Jul 2023 05:51:49 -0700 (PDT)
Received: by mail-qv1-xf2e.google.com with SMTP id 6a1803df08f44-635f48814b4so17257326d6.1 for <dnssd@ietf.org>; Sat, 08 Jul 2023 05:51:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20221208.gappssmtp.com; s=20221208; t=1688820708; x=1691412708; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=4/CT3hr059Pvut1eMNRTrze+k073Dh8GKFjtS5dx9cU=; b=nssGvCKDgcxGEoUWOb3sovpwdSqqeT+kTCWEphSzWEqHAFE9W4+X60Dzs4PK2nSCSJ XQFa4/5hNSC/vQXtnIjKtHQAtTuCzRcSWr4aOA96dUC3NlOo7iTyzo74pbI391SVYDCt vXL3N+090mqAvJRs4laREh/rvVKTmGPfkJ4kwtnFzpYWW37L0HLcTXizj51izcqZXcoS PXw1xUlVmW7MGOV1AEPHhLCLZ+8pJVYlC2ctmejltfMEXT/7Wg9tKZfjgZv1npg9oG+a o2fwGGDNkO5NyRWTIPzjZD9iJShIyGasI0W12zpJUKcBgxAAxd4avT0HjRTVi0cWsGto LnZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688820708; x=1691412708; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=4/CT3hr059Pvut1eMNRTrze+k073Dh8GKFjtS5dx9cU=; b=EJugGrVkXoDUGDFgvCBz8L2RjB/Y4bMk18N8SEzt76CbXGS1wu0ybIeL9XaJo72cAT f+vPd4GuXpXWuJFjGHFtCnXM/XmrjYt2z5WJT9DNTM7HcUjVj0jlBOuVgE8C/f84zh+7 KnJexngPiCpAy/89a3AnEfNOAMRgwcbQFq7iENWFwIvngxMHcCkIp1WhtJ+xwdhU06FC kcd+qTNkIFHNMzj8xHTBnLfJ4rxIlzlJhFeYUeq3Xib6OYUSVIa4EF1V/bHxxwqPk5aL oqAxM2P6em401ZomMiUohIcDwlp1L2PXBmhg6AV0uC4Lko+/wiYTyZmhx+86tQDiAUcA 6EEA==
X-Gm-Message-State: ABy/qLYhroUDW86U8+vICjSfZOjZP+fb4840AFiyh5Dx2cP0l6rzPEp8 zFc5rcxHfzw63e55pVHPxj9rPtRxxGSLvLX2w69Gwg==
X-Google-Smtp-Source: APBJJlEzcyrKPytoFDta5Ng44AxA+Fe14/OBFf2sV7C30SSkOUwESIlVgmFI8rBfO44DQiLPcD4XEgNu0rebc/tJBUM=
X-Received: by 2002:a0c:e007:0:b0:637:2eb:6c1f with SMTP id j7-20020a0ce007000000b0063702eb6c1fmr6296518qvk.44.1688820708564; Sat, 08 Jul 2023 05:51:48 -0700 (PDT)
MIME-Version: 1.0
References: <168649377098.61641.16469712538996278808@ietfa.amsl.com> <CAPt1N1=oUs0b7kur=nQyw6=7ETYq5PROc3p2S-WBi_tMbuvEuw@mail.gmail.com> <D66441DB-A3D4-4812-98B4-6073DBEE87FA@paftech.se>
In-Reply-To: <D66441DB-A3D4-4812-98B4-6073DBEE87FA@paftech.se>
From: Ted Lemon <mellon@fugue.com>
Date: Sat, 08 Jul 2023 08:51:12 -0400
Message-ID: <CAPt1N1kjMs6NYa_7puXT9ayXwxXauyEdu-2Fu5DpRWvmimcXwg@mail.gmail.com>
To: Patrik Fältström <paf@paftech.se>
Cc: art@ietf.org, dnssd@ietf.org, draft-ietf-dnssd-srp.all@ietf.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006c79e205fff936cd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/OhawRUXiyYm2Em1uCCFI4r8geIU>
Subject: Re: [dnssd] Artart last call review of draft-ietf-dnssd-srp-20
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jul 2023 12:52:09 -0000
Thanks for persisting. I think you make some good points. I don't think we
can address them in this document (the working group did a /lot/ of work to
make sure that all of the sections on constraints and so forth are mutually
consistent and complete, and that's part of why it seems bigger than it
should be—the original spec was indeed smaller, but also had a lot of gaps
where implementors could get confused). I've added the following text which
I think addresses the problem of not having a good introduction (it'll be
in the introduction). This somewhat reiterates language elsewhere in the
document, but as you say, having it in the introduction would make the
reader's life a lot easier.
<t>
It is important to understand that "authenticate" here just means that we
can tell that an update came from the same source
as the original registration. We have not established trust. This has
important implications for what we can and can't do
with data the client sends us. You will notice as you read this document
that we only support adding a very restricted set
of records, and the content of those records is further constrained.</t>
<t>
The reason for this is precisely that we have not established trust. So we
can only publish information that we feel safe in
publishing even though we do not have any basis for trusting the requestor.
We reason that mDNS <xref target="RFC6762"/>
allows arbitrary hosts on a single IP link to advertise services <xref
target="RFC6763"/>, relying on whatever service is
advertised to provide authentication.</t>
<t>
This is considered reasonably safe because it requires physical presence on
the network in order to advertise. An off-network
mDNS attack is simply not possible. Our goal with this specification is to
impose similar constraints. Because of this you will
see in <xref target="add_validation"/> that a very restricted set of
records with a very restricted set of relationships are
allowed. You will also see in <xref target="source_validation"/> that we
give advice on how to prevent off-network attacks.</t>
<t>
This leads us to the disappointing observation that this protocol is not a
mechanism for adding arbitrary information to
DNS zones. We have not evaluated the security properties of adding, for
example, an SOA record, an MX record, or a CNAME
record, and so these are forbidden. A future protocol specification might
include analyses for other records, and extend
the set of records that can be registered here. Or it might require
establishment of trust, and add an authorization model
to the authentication model we now have. But this is work for a future
document.</t>
On Sat, Jul 8, 2023 at 6:41 AM Patrik Fältström <paf@paftech.se> wrote:
> On 7 Jul 2023, at 20:41, Ted Lemon wrote:
>
> >> I presume the choice will be SRP although there are many acronym
> >> collisions...?
> >
> > This isn't even an RFC. I don't think we have a problem here. It's
> really DNSSD SRP, but we don't need to say that every time. :)
>
> Ok, I just wanted to let you know.
>
> >> In section 3.2.1 there is some text that talks about what RR types that
> are
> >> supported. At least for me the text ends up being a bit unclear on
> whether
> >> it
> >> describes what is implemented, or what is required by entities being in
> >> accordance with this specification. As specified in many DNS related
> RFCs,
> >> protocols should allow any RR Type be used, and limiting protocols to
> some
> >> is
> >> by experience a bad thing. For example all crazy use of TXT records
> because
> >> implementations do not handle RR Types properly.
> >
> > This is specifically for DNSSD, so we tried to keep it simple. DNSSD
> uses PTR, TXT, SRV and A/AAAA in very specific ways. The working group
> explicitly chose not to make this more general. That's what RFC2136 is for.
>
> Let me then suggest you say this in the document. The mechanism can indeed
> be generic and I am allergic to DNS related things not being able to handle
> "any RR Type". See the toxic discussions on TXT compared with new RR Types,
> and ultimately the bad use of TXT that we see in so many cases where
> specific RR Types should have been used instead.
>
> >> This spec should be about how things according to this spec should work.
> >> Maybe
> >> it is also explaining differences from other protocols, but it should
> not
> >> explain on what and how this is *not* doing things. Makes it harder to
> >> implement.
> >
> > You're misunderstanding the purpose of this section. The goal of SRP is
> to provide a very constrained update mechanism for DNS specifically to
> support DNSSD, and the reason for all this "it is NOT an SRP update" is so
> the implementor knows what updates it can treat as SRP updates (and do FCFS
> with) and what updates it can't. So this text is exactly as intended, and
> your proposed changes would essentially break the specification.
>
> Ok, I get that part, but I still feel this document is explaining too much
> what one should NOT do instead of explaining what one CAN do, and how it
> SHOULD be done.
>
> >> In section 3.2.4 there is a claim "This model does not work for
> automatic
> >> service registration.". I do not understand why it is not. I can guess
> it
> >> is
> >> "impractical" as there must be a shared secret deployed and various
> other
> >> things, which implies the zero-conf piece of service registration is
> >> messy, but
> >> "...does not work..."?
> >
> > This is what we intended to say. It does not work for this use case. I
> don't think there's any controversy about that.
>
> I disagree with the claim that it "does not work". It definitely does. It
> might be "impractical", but claiming it "does not work" I think is wrong.
>
> >> I also think wording in section 1 (related to 3.2.4) is unfortunate. It
> >> says in
> >> sixth paragraph "to authenticate both the initial claim and subsequent
> >> updates". I do not think it is authenticating the initial claim. It is
> >> using
> >> the FCFS security model together with (section 6.1), if TCP is used,
> >> inability
> >> to inject registrations from outside network locations.
> >
> > So the objection is the use of the term "authentication?"
>
> Yes
>
> > The sense in which it authenticates the update is precisely that we know
> that the update came from the same host that sent the initial registration.
> It's true that the initial update is not authenticated, and I don't think
> the document claims otherwise, so I don't see what change I could make here
> other than to add more text to clarify something I think is already pretty
> clear.
>
> I think you can say what you wrote here (which I also discovered), that
> "After use of the initial FCFS security model, authentication is done by
> ensuring the same host is doing updates that did the original FCFS
> registration". Or something like that.
>
> >> In section 3.2.4 there is a statement "The goal is not to provide the
> >> level of
> >> security of a network managed by a skilled operator." which honestly I
> do
> >> not
> >> understand what it means and why it is in this text.
> >
> > You're the third person to mention this sentence, which I agree is
> pretty confusing and also useless, so it's been removed. :)
>
> :-)
>
> >> In section 3.2.5.3 there is a time constraint of lease time of 14 days
> >> that is
> >> "typical" but it can be chosen to something else. As this is a choice
> that
> >> might impact the security (and reuse of the same name) my question is
> >> whether
> >> it is not for security reasons necessary to say it MUST be higher than a
> >> certain lowest value.
> >
> > No, I don't think so. Although we do suggest in the update-lease
> document that values lower than 30s are a bad idea for performance/DoS
> reasons.
>
> Ok, fair.
>
> >> In section 6.3 a reference is made to RFC8624. Should be to RFC9157.
> >
> > Thanks for noticing that. I added this reference before 9157 was
> published and didn't notice the update.
>
> Ok, such things happens all the time... ;-)
>
> >> In 3.2.5.4 there is a claim that compression saves "substantial space".
> >> Although it might do, I think this specification should stay at saying
> >> "compression MUST be supported".
> >
> > Yeah, that wording is pretty optimistic, isn't it? I changed it as
> follows:
> >
> > Compression of the
> > target can save space in the SRP Update, so we want clients to be
> able
> > to assume that the SRP server will handle
> > this. Therefore SRP registrars MUST support compression of SRV RR
> > targets.
>
> Excellent, thanks!
>
> >> In 3.3.1.3 it is stated that some A or AAAA records can be ignored by
> the
> >> server. I think it would be more proper to say that the server can
> ignore
> >> ANY
> >> request due to contents of the update request be "weird".
> >
> > I don't know what specific advice we'd give here, and I'd rather not say
> something this vague.
> >
> > In section 4 about TTLs it is said the request TTL should only be
> advisory.
>
> Hmm....I at least read it as an advice to be able to ignore A or AAAA
> records:
>
> > A and/or AAAA records that are not of of sufficient scope to be validly
> published in a DNS zone can be ignored by the SRP server, which could
> result in a host description effectively containing zero reachable
> addresses even when it contains one or more addresses.
>
> What I am saying is that I feel a better text could be:
>
> > Resource records, for example A and/or AAAA records, that are not of of
> sufficient scope to be validly published in a DNS zone can be ignored by
> the SRP server, which could result in a host description effectively
> containing zero reachable addresses even when it contains one or more
> addresses.
>
> >> I
> >> understand why the SRP registrar might believe the TTL is too short, but
> >> that
> >> should be flagged in the response. A client must according to my view be
> >> able
> >> to request something short so that the client can honor the use of the
> >> service
> >> for the protected time period.
> >>
> >
> > This is the wrong model for what we're doing here. If this were a
> general DNS protocol, that might make sense, but the goal here isn't to
> provide a general mechanism for updating DNS zones. It's to provide a
> replacement for mDNS using DNS.
>
> Fair, I do though see this as unfortunate ;-) I like what you have written
> here.
>
> > In that context, the client's preference can only ever be advisory. If
> the client wants a service to only be valid for a short time, it can use a
> short lease, and in fact that is the current practice. A short TTL would
> not actually accomplish this, if the zone weren't updated to withdraw the
> service.
> >
> > Anyway, I've updated the document as best I can to address your
> suggestions. Sorry about my lack of cooperation on the ones that I don't
> think should be changed!
>
> Thanks!
>
> Patrik
>
- [dnssd] Artart last call review of draft-ietf-dns… Patrik Fältström via Datatracker
- Re: [dnssd] Artart last call review of draft-ietf… Ted Lemon
- Re: [dnssd] Artart last call review of draft-ietf… Ted Lemon
- Re: [dnssd] Artart last call review of draft-ietf… Patrik Fältström
- Re: [dnssd] Artart last call review of draft-ietf… Ted Lemon