IETF Logo Mail Archive

Re: [dnssd] Confirming consensus from DNSSD Privacy discussion in Bangkok

Bob Bradley <bradley@apple.com> Thu, 15 November 2018 05:36 UTC

Return-Path: <bradley@apple.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13A06127148 for <dnssd@ietfa.amsl.com>; Wed, 14 Nov 2018 21:36:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.47
X-Spam-Level:
X-Spam-Status: No, score=-2.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kmst861Cpk-c for <dnssd@ietfa.amsl.com>; Wed, 14 Nov 2018 21:36:20 -0800 (PST)
Received: from ma1-aaemail-dr-lapp01.apple.com (ma1-aaemail-dr-lapp01.apple.com [17.171.2.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9482312426A for <dnssd@ietf.org>; Wed, 14 Nov 2018 21:36:20 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp01.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp01.apple.com (8.16.0.22/8.16.0.22) with SMTP id wAF5WQFS055536 for <dnssd@ietf.org>; Wed, 14 Nov 2018 21:36:19 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=mime-version : content-type : sender : from : subject : date : references : to : in-reply-to : message-id; s=20180706; bh=j3Yehub0Hdv+JzKEfRoZ3jFMxmhapIz+vmNx6PSiegI=; b=U0MC1txRC6NPvo+I+vrgxVQvoxwgW40dVYwUh2iCdBnfRR7t7OOJJPTKJ5PnINW0mm1d a4ybsOvEbT85xySHsoz+QYUQHIJoThcnSLr3mrc8i8rOf6pZEm35PSINKhyT4KR9auuC StTO0Cff8Fgto3x9y2imc5S9lkJjzwOnC7502l1HP07aaueXQnnCy4iqPWLy+H7LfsFG BFOymUeOjvFIIZG8ZVk8/gtyUyUjsn4JEn25O1GRzOY/u42UdJdVlPo+hMY1hkVs+lIo 3A0MOZaS5b76h4BqPKkkvjtY11Ft6ED+vocF/WwemhCfSZ42bkbLEbfmG2+1Ks6VqPbq FA==
Received: from ma1-mtap-s03.corp.apple.com (ma1-mtap-s03.corp.apple.com [17.40.76.7]) by ma1-aaemail-dr-lapp01.apple.com with ESMTP id 2nr7bsyrr3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <dnssd@ietf.org>; Wed, 14 Nov 2018 21:36:19 -0800
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_VYceCtChgJjJTQMzioferg)"
Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com [17.128.115.155]) by ma1-mtap-s03.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPS id <0PI700K7JZKIG670@ma1-mtap-s03.corp.apple.com> for dnssd@ietf.org; Wed, 14 Nov 2018 21:36:19 -0800 (PST)
Received: from process_viserion-daemon.nwk-mmpp-sz11.apple.com by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PI700G00ZAEHX00@nwk-mmpp-sz11.apple.com> for dnssd@ietf.org; Wed, 14 Nov 2018 21:36:18 -0800 (PST)
X-Va-A:
X-Va-T-CD: 30a9c062f6936833101a7e3ef1ad5808
X-Va-E-CD: a4bee68cb9a28f988d727c8ecff39609
X-Va-R-CD: edf26e1a2599e7fb606d76b44a391aa1
X-Va-CD: 0
X-Va-ID: 5372510d-2d2c-4ad7-9fb8-39f84632fcb0
X-V-A:
X-V-T-CD: 67f481029bce65efa0808f4eee5f1f07
X-V-E-CD: a4bee68cb9a28f988d727c8ecff39609
X-V-R-CD: edf26e1a2599e7fb606d76b44a391aa1
X-V-CD: 0
X-V-ID: ee7c94fb-b375-4d6b-86c5-e9c57beb9a1e
Received: from process_milters-daemon.nwk-mmpp-sz11.apple.com by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PI700J00ZHZJL00@nwk-mmpp-sz11.apple.com> for dnssd@ietf.org; Wed, 14 Nov 2018 21:36:18 -0800 (PST)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-11-15_03:,, signatures=0
Received: from [17.234.61.203] by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPSA id <0PI700IPRZKHPJ30@nwk-mmpp-sz11.apple.com> for dnssd@ietf.org; Wed, 14 Nov 2018 21:36:18 -0800 (PST)
Sender: bradley@apple.com
From: Bob Bradley <bradley@apple.com>
Date: Wed, 14 Nov 2018 21:36:15 -0800
References: <CAPDSy+6YyW_G7uwfwGPv1KLtJqL96dZ87R-5pnmmffEEniTigg@mail.gmail.com>
To: DNSSD <dnssd@ietf.org>
In-reply-to: <CAPDSy+6YyW_G7uwfwGPv1KLtJqL96dZ87R-5pnmmffEEniTigg@mail.gmail.com>
Message-id: <47A82E32-32B9-476F-AB79-76C8D182624F@apple.com>
X-Mailer: Apple Mail (2.3445.102.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-11-15_03:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/cLne04U3cRddqLqeTcQKu6sE-QE>
Subject: Re: [dnssd] Confirming consensus from DNSSD Privacy discussion in Bangkok
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2018 05:36:23 -0000

I'm a little unclear what is being considered single-stage vs two-stage. How is single-stage able to send encrypted without knowing the destination? Is it encrypting a query with an asymmetric private key and multicasting? Or does single-stage refer to the predictable nonce approach? I was considering predictable nonce's two-stage because it has to first discover known peer service instances (stage 1) then perform encrypted queries/responses (stage 2).

Regarding the discussion:

1. Server mode. My proposal doesn't have a good way to support it. Normal server mode wasn't an important use case for me, but sleep proxy support would be nice. I just don't know how to do it yet, at least not without giving the sleep proxy your keys.

2. Multicast traffic. One problem I saw with draft-ietf-dnssd-privacy is each device advertising a service instance for each pairing. The network I'm on now has 300+ devices and if each one has 50 friends, that's 15000 service instances on the network, which seems very high.

I tried to reduce this by each device only advertising itself via multicast and then everything else is unicast. The first part of key exchange was also rolled into the advertisement packet to allow a single query packet and single response packet while still maintaining forward secrecy and per-pairing confidentiality.

3. CPU cost. This seems to be a comparison between more packets, but lower per-packet cost (in the per-pairing service instance model where predictable nonce hashes are precomputed) vs fewer packets, but more expensive per-packet signature verification. The two main use cases I was considering were home networks (where neither traffic nor CPU is likely to be an issue due to the small number of devices) and busy enterprise networks (office, dorm, coffee shop), which I assumed would be more powerful devices (laptops, phones, servers) where reducing traffic would be more important than the CPU usage for checking multicast probes.

4. One privacy concern regarding predictable nonces is that it would allow spoofing. Anyone with your public key could generate your predictable nonce. It could also enable friend relationships to be recovered. Maybe not a huge concern, but something to consider. Even the signature approach has a replay vulnerability, but it's time bounded.

> On Nov 14, 2018, at 5:37 PM, David Schinazi <dschinazi.ietf@gmail.com> wrote:
> 
> Hello everyone,
> 
> It the room at IETF 103, there was a very productive discussion about DNSSD privacy:
> https://www.youtube.com/watch?v=hPuTD19R-uQ&t=28m43s <https://www.youtube.com/watch?v=hPuTD19R-uQ&t=28m43s>
> 
> During that discussion, the room reached consensus on the following items:
> 
> 1) single-stage approach -- Up until now, we were considering two approaches: single-stage (send encrypted and authenticated service identifier, receive encrypted and authenticated service response) and two-stage (send encryption and authenticated identifier, receive encrypted and authenticated response, derive secrets, send and receive subsequent queries encrypted using derived secrets). There was consensus in the room to go with the single-stage approach.
> 
> 2) Use of TLS -- The single-stage approach no longer requires a key exchange mechanism such as TLS. There was consensus in the room that we do not need TLS as part of this protocol.
> 
> 3) Evolution of documents -- It was proposed that we would take all input and compound it into a single document and only advance that one. We will use draft-ietf-dnssd-privacy since that document has already been adopted by the working group. Christian Huitema has offered for Bob Bradley to join as co-author if Bob would like.
> 
> If you disagree with any of these points, please say so before 2018-12-02.
> 
> Thanks,
> David
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssd

v2.23.0 | Report a Bug | By Email