IETF Logo Mail Archive

Re: [dnssd] Confirming consensus from DNSSD Privacy discussion in Bangkok

Bob Bradley <bradley@apple.com> Thu, 15 November 2018 16:32 UTC

Return-Path: <bradley@apple.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 828361292AD for <dnssd@ietfa.amsl.com>; Thu, 15 Nov 2018 08:32:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.47
X-Spam-Level:
X-Spam-Status: No, score=-2.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Df2bNlLFiyTv for <dnssd@ietfa.amsl.com>; Thu, 15 Nov 2018 08:32:09 -0800 (PST)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACEE6130DE1 for <dnssd@ietf.org>; Thu, 15 Nov 2018 08:32:09 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.22/8.16.0.22) with SMTP id wAFGVrUa018901; Thu, 15 Nov 2018 08:32:07 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=mime-version : content-type : sender : from : message-id : subject : date : in-reply-to : cc : to : references; s=20180706; bh=iUHiGnMgSeRD+shHOt0H8/z5Hl5T4UjCY8anIfosmWw=; b=mqtEXJ0W48XUrkF4ypxL2maW5Uo2TVw1A4BAsNwrufzyqZKmgeJ8bXkndj18rsVsKvZ1 F31F3GOUVWhzjEwFqNPxzHHDNb8D9Vob982AnAwTXiSSkUS/juj42Un/lHEODymc7GMk ErdfZ7uANZe0NQbAwrAXUtT5rsF3MUo1LAK+rGIqcD0VneR645ZYPIpqmDZQmytNIuot 7tjaItLyZbeUQXsard1jzimvxJqHnJlylEzXXlI90HXnogM0vqyxCza+0sHbFPannYmW kVPso1lnejkTNDsNA0hwYSghXwLz8rsC3Td/8LOlTPd7N9hneYkfxFLwpuwJ5+F9uLDz tQ==
Received: from ma1-mtap-s01.corp.apple.com (ma1-mtap-s01.corp.apple.com [17.40.76.5]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 2nr7bsfvr8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 15 Nov 2018 08:32:07 -0800
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_aEP2HilGPZ0g0Gw2uL++4g)"
Received: from nwk-mmpp-sz13.apple.com (nwk-mmpp-sz13.apple.com [17.128.115.216]) by ma1-mtap-s01.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPS id <0PI800CMKTXHGL00@ma1-mtap-s01.corp.apple.com>; Thu, 15 Nov 2018 08:32:06 -0800 (PST)
Received: from process_viserion-daemon.nwk-mmpp-sz13.apple.com by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PI800C00TG7ID00@nwk-mmpp-sz13.apple.com>; Thu, 15 Nov 2018 08:32:06 -0800 (PST)
X-Va-A:
X-Va-T-CD: a17ff691283ebf009da5140641b3832f
X-Va-E-CD: a4bee68cb9a28f988d727c8ecff39609
X-Va-R-CD: edf26e1a2599e7fb606d76b44a391aa1
X-Va-CD: 0
X-Va-ID: 8245b10d-ffab-442c-b037-fe65f57c5c72
X-V-A:
X-V-T-CD: 926c12acc1b9dc6b65aaa75f7f2e2b1b
X-V-E-CD: a4bee68cb9a28f988d727c8ecff39609
X-V-R-CD: edf26e1a2599e7fb606d76b44a391aa1
X-V-CD: 0
X-V-ID: c65094bf-a104-468b-98e3-cdff5b6147e5
Received: from process_milters-daemon.nwk-mmpp-sz13.apple.com by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PI800K00TWXSV00@nwk-mmpp-sz13.apple.com>; Thu, 15 Nov 2018 08:32:06 -0800 (PST)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-11-15_12:,, signatures=0
Received: from [17.234.78.114] by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPSA id <0PI8002AZTXHZQ10@nwk-mmpp-sz13.apple.com>; Thu, 15 Nov 2018 08:32:05 -0800 (PST)
Sender: bradley@apple.com
From: Bob Bradley <bradley@apple.com>
Message-id: <4880CD23-08E4-4907-B272-6F376AF6C4F7@apple.com>
Date: Thu, 15 Nov 2018 08:32:05 -0800
In-reply-to: <CAPt1N1nzbyMVDofO-FWmL3hxjZykE=5BWaL_+DkCCdcH4oPOEQ@mail.gmail.com>
Cc: dnssd <dnssd@ietf.org>
To: Ted Lemon <mellon@fugue.com>
References: <CAPDSy+6YyW_G7uwfwGPv1KLtJqL96dZ87R-5pnmmffEEniTigg@mail.gmail.com> <47A82E32-32B9-476F-AB79-76C8D182624F@apple.com> <CAPt1N1nzbyMVDofO-FWmL3hxjZykE=5BWaL_+DkCCdcH4oPOEQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-11-15_12:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/eW1p6tFNL-PziiCVpEXQutmYmIk>
Subject: Re: [dnssd] Confirming consensus from DNSSD Privacy discussion in Bangkok
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2018 16:32:13 -0000

I wasn't as concerned with public keys leaking. The case I was thinking of is people I've shared my key with being able to determine who else I've shared with. If they haven't mutually shared keys, they can only determine if someone you've shared with is present. For mutually shared keys, they can identify specific people you've shared with: "Wow, I didn't know Alice and I both shared with Eve". For location-based devices, such as a printer or coffee shop, it can reveal where you've been.

> On Nov 15, 2018, at 7:23 AM, Ted Lemon <mellon@fugue.com> wrote:
> 
> Hm.  To your point #4, I guess the question is, how easy is it for the public key to leak?   If you ever share your public key with anyone, they can definitely spoof you, but what do they get out of that?
> 
> On Thu, Nov 15, 2018 at 12:36 AM Bob Bradley <bradley@apple.com <mailto:bradley@apple.com>> wrote:
> I'm a little unclear what is being considered single-stage vs two-stage. How is single-stage able to send encrypted without knowing the destination? Is it encrypting a query with an asymmetric private key and multicasting? Or does single-stage refer to the predictable nonce approach? I was considering predictable nonce's two-stage because it has to first discover known peer service instances (stage 1) then perform encrypted queries/responses (stage 2).
> 
> Regarding the discussion:
> 
> 1. Server mode. My proposal doesn't have a good way to support it. Normal server mode wasn't an important use case for me, but sleep proxy support would be nice. I just don't know how to do it yet, at least not without giving the sleep proxy your keys.
> 
> 2. Multicast traffic. One problem I saw with draft-ietf-dnssd-privacy is each device advertising a service instance for each pairing. The network I'm on now has 300+ devices and if each one has 50 friends, that's 15000 service instances on the network, which seems very high.
> 
> I tried to reduce this by each device only advertising itself via multicast and then everything else is unicast. The first part of key exchange was also rolled into the advertisement packet to allow a single query packet and single response packet while still maintaining forward secrecy and per-pairing confidentiality.
> 
> 3. CPU cost. This seems to be a comparison between more packets, but lower per-packet cost (in the per-pairing service instance model where predictable nonce hashes are precomputed) vs fewer packets, but more expensive per-packet signature verification. The two main use cases I was considering were home networks (where neither traffic nor CPU is likely to be an issue due to the small number of devices) and busy enterprise networks (office, dorm, coffee shop), which I assumed would be more powerful devices (laptops, phones, servers) where reducing traffic would be more important than the CPU usage for checking multicast probes.
> 
> 4. One privacy concern regarding predictable nonces is that it would allow spoofing. Anyone with your public key could generate your predictable nonce. It could also enable friend relationships to be recovered. Maybe not a huge concern, but something to consider. Even the signature approach has a replay vulnerability, but it's time bounded.
> 
>> On Nov 14, 2018, at 5:37 PM, David Schinazi <dschinazi.ietf@gmail.com <mailto:dschinazi.ietf@gmail.com>> wrote:
>> 
>> Hello everyone,
>> 
>> It the room at IETF 103, there was a very productive discussion about DNSSD privacy:
>> https://www.youtube.com/watch?v=hPuTD19R-uQ&t=28m43s <https://www.youtube.com/watch?v=hPuTD19R-uQ&t=28m43s>
>> 
>> During that discussion, the room reached consensus on the following items:
>> 
>> 1) single-stage approach -- Up until now, we were considering two approaches: single-stage (send encrypted and authenticated service identifier, receive encrypted and authenticated service response) and two-stage (send encryption and authenticated identifier, receive encrypted and authenticated response, derive secrets, send and receive subsequent queries encrypted using derived secrets). There was consensus in the room to go with the single-stage approach.
>> 
>> 2) Use of TLS -- The single-stage approach no longer requires a key exchange mechanism such as TLS. There was consensus in the room that we do not need TLS as part of this protocol.
>> 
>> 3) Evolution of documents -- It was proposed that we would take all input and compound it into a single document and only advance that one. We will use draft-ietf-dnssd-privacy since that document has already been adopted by the working group. Christian Huitema has offered for Bob Bradley to join as co-author if Bob would like.
>> 
>> If you disagree with any of these points, please say so before 2018-12-02.
>> 
>> Thanks,
>> David
>> _______________________________________________
>> dnssd mailing list
>> dnssd@ietf.org <mailto:dnssd@ietf.org>
>> https://www.ietf.org/mailman/listinfo/dnssd <https://www.ietf.org/mailman/listinfo/dnssd>
> 
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org <mailto:dnssd@ietf.org>
> https://www.ietf.org/mailman/listinfo/dnssd <https://www.ietf.org/mailman/listinfo/dnssd>

v2.23.0 | Report a Bug | By Email