Re: [dnssd] Next steps for privacy discovery

Mohit Sethi M <mohit.m.sethi@ericsson.com> Sat, 03 November 2018 03:43 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F892130E1D for <dnssd@ietfa.amsl.com>; Fri, 2 Nov 2018 20:43:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.77
X-Spam-Level:
X-Spam-Status: No, score=-4.77 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=C6hhMyZa; dkim=pass (1024-bit key) header.d=ericsson.com header.b=BGZR9c8H
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XuIcMyAF5bp5 for <dnssd@ietfa.amsl.com>; Fri, 2 Nov 2018 20:43:29 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F56E128A6E for <dnssd@ietf.org>; Fri, 2 Nov 2018 20:43:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1541216606; x=1543808606; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=hIil//35WTpcZgWlhGu38gCHLPruhHcPlAFlcdhgoWw=; b=C6hhMyZanhrpL0ck98aOKPE2A2eMRC3GhYfuAXIQA7jNJxCmqIMzRjC/btsxu6Gu C+gV2mNL7XZEhV6KVc8q5uEGvh1UcXNJAKukW++wO7Aw1nnahGZ8eP3zc6kB1W5C 5IPV0oTw+khaeaZks5cqwREizKlO9R9Wkvv7RdqenL8=;
X-AuditID: c1b4fb30-1ebff70000007d19-4e-5bdd195e9f0a
Received: from ESESBMB504.ericsson.se (Unknown_Domain [153.88.183.117]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id A8.35.32025.E591DDB5; Sat, 3 Nov 2018 04:43:26 +0100 (CET)
Received: from ESESBMR506.ericsson.se (153.88.183.202) by ESESBMB504.ericsson.se (153.88.183.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Sat, 3 Nov 2018 04:43:26 +0100
Received: from ESESSMB501.ericsson.se (153.88.183.162) by ESESBMR506.ericsson.se (153.88.183.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Sat, 3 Nov 2018 04:43:26 +0100
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (153.88.183.157) by ESESSMB501.ericsson.se (153.88.183.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Sat, 3 Nov 2018 04:43:25 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hIil//35WTpcZgWlhGu38gCHLPruhHcPlAFlcdhgoWw=; b=BGZR9c8HiSF/bGkefeOtE39U0/k4keiZoTy4f7SV+p+X6IeM6clXn6+3rjIjdQSd01oxBpy9WR+wR3u1kWIhKT4CZ3qzjlEC8bY7NbFi/UBt5vs4pQsEqPuOpEgygAQKQp5z6xlCApLJwvExb5f5+a6Qre5JZRHRfg7zevoLb9c=
Received: from VI1PR07MB4717.eurprd07.prod.outlook.com (20.177.54.82) by VI1PR07MB3277.eurprd07.prod.outlook.com (10.175.243.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.14; Sat, 3 Nov 2018 03:43:25 +0000
Received: from VI1PR07MB4717.eurprd07.prod.outlook.com ([fe80::8412:d8ae:dfa0:c61f]) by VI1PR07MB4717.eurprd07.prod.outlook.com ([fe80::8412:d8ae:dfa0:c61f%4]) with mapi id 15.20.1294.027; Sat, 3 Nov 2018 03:43:25 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Christian Huitema <huitema@huitema.net>, Lanlan Pan <abbypan@gmail.com>
CC: dnssd <dnssd@ietf.org>
Thread-Topic: [dnssd] Next steps for privacy discovery
Thread-Index: AQHUcydfEGC1Hs6wvEyMfFltSPw4DQ==
Date: Sat, 3 Nov 2018 03:43:24 +0000
Message-ID: <bae4578e-9f1d-0d65-8829-eb301d7f70db@ericsson.com>
References: <48bc4612-018e-7aac-6492-05657c466313@huitema.net> <CANLjSvXkQS3hGYCHoXu-jNP0Hvad02XBw4AsPMwTM02BvQkKKQ@mail.gmail.com> <0f32e79a-447a-f308-4888-4037a41716dd@huitema.net>
In-Reply-To: <0f32e79a-447a-f308-4888-4037a41716dd@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
x-originating-ip: [89.166.49.243]
x-clientproxiedby: AM5PR0602CA0012.eurprd06.prod.outlook.com (2603:10a6:203:a3::22) To VI1PR07MB4717.eurprd07.prod.outlook.com (2603:10a6:803:69::18)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR07MB3277; 6:rf2BbzoIfRnJtPZZqqt+6+5zplzVfdt/HqTplBTh7ZZODvHKSr6LA5hXCqoG5pTUoKnObbEFF5D4YM6Qsur1sLm3vm09plY+GFK3rroFD2iLyegnF9Wr/0NNPUK9MM9ZvmpqVgxeLq0vJPSAwQtHe7I3YgzB0iNmNCn6gogBY5g6t6aZdpRfAqTWvkx6ZP+qJqGoqTafej3ofp+xDAsLWHM78dl18lwvLgpI2HcMcwskDDCzLn0kSmbVx/NEwgybBI+osgvLFTWFzv29V/wjLohNcPO0OrKBZ/vUtEypmanM2beL69EqAyNeOtgWD+VLPn+5Oz4kDj/s8KSVNIL9gnLtHR/puTOTP3GCw9DRXnbVK/UuJzfm/F7HtI747HHo90y+gTlZiGkp4XKnx5rRfo/V6gwJ8WRU0RIxeDMw8OG+Sg+XDM78ZuVndP8iROG9XcfINM5kTANJBXnLJOBjeA==; 5:X1H7Frjiu0865M0S9Mpw8fi0t1v67MJe/3hpzBQNlDSz1hBWoGftLTXpPupp1vO+6yh2lo43tEORnSBwyu++c9S8rLPKlFzBumLTOS5iQxyWnqpSr0Euzt6CrOPLOvD7YxDPFlJX/h3DRQ+b++P9LSZUjq/xEKbFdCCjQ+13pzY=; 7:ts5S4n+6WOKnrwHlnS2Zg/8WHSCMwTvFSG/wGAuKDWAfjjg6gpxiAfr/+YU6XjHbrwaHVS4383Igp6gyThn8FuhBRUUD4Jz2HrZelXFdmpTuj/zqfek0o4qG25a+nNZtg2tPT0vf6qYudUcRP6sv/g==
x-ms-office365-filtering-correlation-id: 586d22e0-ee48-43bc-054a-08d6413e820b
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:VI1PR07MB3277;
x-ms-traffictypediagnostic: VI1PR07MB3277:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mohit.m.sethi@ericsson.com;
x-microsoft-antispam-prvs: <VI1PR07MB327790576696D01DF89E8544D0C80@VI1PR07MB3277.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(85827821059158);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231382)(944501410)(52105095)(10201501046)(93006095)(93001095)(3002001)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123558120)(20161123562045)(20161123564045)(201708071742011)(7699051)(76991095); SRVR:VI1PR07MB3277; BCL:0; PCL:0; RULEID:; SRVR:VI1PR07MB3277;
x-forefront-prvs: 08457955C4
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(376002)(346002)(39860400002)(366004)(136003)(54094003)(199004)(189003)(86362001)(97736004)(6486002)(6116002)(2906002)(31686004)(36756003)(102836004)(110136005)(7736002)(316002)(68736007)(14454004)(58126008)(6436002)(65826007)(105586002)(106356001)(966005)(53546011)(2900100001)(229853002)(386003)(6506007)(606006)(5660300001)(3846002)(31696002)(4326008)(81166006)(66066001)(476003)(65806001)(2616005)(65956001)(486006)(256004)(39060400002)(25786009)(11346002)(81156014)(71200400001)(71190400001)(8936002)(53936002)(76176011)(186003)(26005)(478600001)(6306002)(54896002)(64126003)(52116002)(99286004)(6246003)(446003)(8676002)(6512007)(236005); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB3277; H:VI1PR07MB4717.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: bH6DQgHD6xcRSZXWFG1+i7Bx4b37vPM3V9HxT1bXTCWe/VBsfL+4RQVCSjzPv3ErFbE9QcUt6nJZfjbQ3N/UwgueaS4jadsN52s+SDce7EmXzN0kGgH1H9sHwt+3nyfGQYSUIH/vb3IAfAlBB0AK2hwNTU4DLoIw5flyglnkkXzRdwwhLbo1dGIDHYiJDXYysPrvfKxuKIX1vKg/VFuNKzZo9ljiwxneqq70ja3z3o5EtxqWAgu7GJo6cAljNXJdz/UDhuCERjC4o/ONtBQ3R+JRLXPIqFpH5YdJA0MMOlM4bA2JNKRj4O5CfJ0J+UAxP1vF75V8otbVmeohvU2Qnx4BXe8WcIyPsksFS5MYdGE=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_bae4578e9f1d0d658829eb301d7f70dbericssoncom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 586d22e0-ee48-43bc-054a-08d6413e820b
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Nov 2018 03:43:24.9034 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB3277
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Sb0hTURjGO/fe7V6Xg9Ny+mZIOYRSSqdlGqQmfRmGFdYHcWVNvbihTtlU MigUlUIz/5JuWhlOUrHMNM0ZgSaZpmZ+yPAPORrVkpxgK020tt0Vfvs97/Oc877v4TCkaIDn zajU2axGrUiX8AWULr4352Dirnm5tNLkH/5u00iHW5v1KLy6oJ4+Tsr69PO0bKZulJIZDGvE GTJBcCyFTVflspqgyEsCpbnjJ5U1E3X59UwPPx+tRJQgNwbwYbjfOkmUIAEjwkMI8tsb+Jyw ITDYpnn/xUjvG5oTTQSs9q07HQpXkPBi0kBxThUBLytWXMKEwGhtoh1t+FgK1TUtTvbAJ2Fx sp/vYBJ7w0RXKeHgnTgUJu4WEFzmCDyqW7XnGTsHQv7jVEeZwn7Q0NzCc7AQR0FVxUPXsEYE 5bWc4WY3nn6wOu9H2BN+jbYTXC8vmDHfI7i1MRievyU5FoPl06bzrBjHQ+HIBsXVfWF8yeTK 6xCsVO/h+ACMT5sRxz4wda8UOYYA/J4Ps+U6mjNi4fO3JYozhhFc/2pz3RoAloVV13QXYPlP OVGBDum3DMhxMtjWKvl656Y7YERnpvT2xyCxP3QYg7iIL9SUmmiO90Nxwx0Xy6BA30ZvzTQi pg2Jtaw2KSM1JCSQ1aiStdpMdaCazX6C7B9roHtd+gxZvkQPIswgibtwUTwvF/EUudq8jEEE DCnxEP4onpOLhCmKvCusJvOiJied1Q6i3Qwl8RKGn+pKEOFURTabxrJZrOafSzBu3vnobHxn SsBcdmdGyUKkNC7iQXNVn7Q/OO5G7O/uTh8wuV8tkgfVBxf5Zc5+vDZ885aHerWs1LptLCxk yq02KO+cbF9aTExNqzL5fIKisjY0d+z07Q36aKU4VKnbUJ1I7OmTv7Ki7dOFZcvRkR1DVr+x 70krcZYwT2EV1hcrG/eOSSitUhEcQGq0ir99dphSVAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/YmqqiMmOM9Nh3gmxKK5CRMFg2GU>
Subject: Re: [dnssd] Next steps for privacy discovery
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2018 03:43:31 -0000

Hi Christian,

I would recommend you to have a look at EAP-NOOB (https://tools.ietf.org/html/draft-aura-eap-noob-04). The draft is doing things at a different layer and is solving a different problem. It is doing pairing between a device and a virtual cloud service (EAP server).

However, many of things are related and could be useful for your work. As you rightly note in https://tools.ietf.org/html/draft-ietf-dnssd-pairing-info-02, OOB channels do not provide confidentiality. EAP-NOOB is designed in a way that  prevents impersonation and man-in-the-middle attacks even in situations where the attacker is able to eavesdrop the OOB channel. The "Authentication principle" section has more details: https://tools.ietf.org/html/draft-aura-eap-noob-04#section-6.1

--Mohit

On 10/30/18 12:20 AM, Christian Huitema wrote:


On 10/28/2018 6:48 PM, Lanlan Pan wrote:


Christian Huitema <huitema@huitema.net<mailto:huitema@huitema.net>>于2018年10月26日周五 下午3:09写道:
...

4) If we kept the current "two phase" structure, use a TLS protocol
extension to demonstrate knowledge of the server's public key in the
client hello. I think we can build on the work done for SNI encryption,
which would fit quite well.

I wonder if we could consider about use tls psk (pre-shared key) ?  server can assign different key to different client.

That's what we were specifying in the current privacy draft. There are two issues. The first one is that if you use TLS-PSK, the Client Hello must include a key identifier. If there is a different key for each client, the key identifier could become a client identifier. We solved that  by using a "predictable nonce" for key identifier. The second issue is of course that assigning different keys to different clients requires extra management at the server, something that is not needed in the "private public key" class of solutions.

-- Christian Huitema



_______________________________________________
dnssd mailing list
dnssd@ietf.org<mailto:dnssd@ietf.org>
https://www.ietf.org/mailman/listinfo/dnssd