IETF Logo Mail Archive

Re: [dnssd] Confirming consensus from DNSSD Privacy discussion in Bangkok

Christopher Wood <christopherwood07@gmail.com> Tue, 26 February 2019 03:55 UTC

Return-Path: <christopherwood07@gmail.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ED64130E6A for <dnssd@ietfa.amsl.com>; Mon, 25 Feb 2019 19:55:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L73R5QQyBQUo for <dnssd@ietfa.amsl.com>; Mon, 25 Feb 2019 19:55:52 -0800 (PST)
Received: from mail-yw1-xc31.google.com (mail-yw1-xc31.google.com [IPv6:2607:f8b0:4864:20::c31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F01741295EC for <dnssd@ietf.org>; Mon, 25 Feb 2019 19:55:49 -0800 (PST)
Received: by mail-yw1-xc31.google.com with SMTP id i204so2088604ywb.0 for <dnssd@ietf.org>; Mon, 25 Feb 2019 19:55:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=2Jriw6HV7/o6J9RQmUEwEGsb3UO7pDzRL/8YeCftXkk=; b=JI//sBqCSPu+VHfN3al8ceoeMuhIyXyaGcXvRE4VhevyyjfTgi8S14Qh4sT/9dH5/P 52cCxTadRAuF1iV0dP0Iw06C43QSv7iAoNk8/q8JziP4oDJ1dnhzLV8cKt1ErkwW0NZa ppHassN+hrpTXejbRjfAT2WFMUalny8slvI8FPkuL7jGdccNRFHNBb5J1sWAfznypUIy h+tYOKyPy4qF0dYUTWKbVYEB2LLgt9z+Qw1c0uU5tTmj5FAUiLyhW/G6seDMpgXGNohy 86Rr9Ub2fosnozdiR6ksVljNBDkFSPgJaBEvpucG7uBPgOMPiV/k5kqIYo8967gBpCog rHzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=2Jriw6HV7/o6J9RQmUEwEGsb3UO7pDzRL/8YeCftXkk=; b=jvT3RjmmsH+/Na5Jn4wMdaMvwoB3kmNLy0ah3qCWVoZfbTvIpSmzruiuO1Z4gg+I7N 8oRZkm51oXbx73cDo70X2v43NAjE8oab7vORGjUzTCrjc/CvpH7G27qQiO5DAxLY7NwM pH9D5FpJy4xpBPIT+mv9DlKmVX+eOQlF7Wurx8qJMBPYyzp7tlkFLYgb74HO++YKofb5 TQyRDEF+W/Ex1IEu12sPqgYyaM8XNVT9yMqJQxUBu0MTL/wCgm+rlp66mVtwmp25dCGV XMXBopkMFbDBINoxoIKFFQllhHyTpQsxrtkSFtKxeMh1WNQ7C/zLi52c0m5/wqxQkX4n CPkw==
X-Gm-Message-State: AHQUAuYufrLQi+g+1twoVrSt676Iztet2V3KcMeyHC/Y6noXcZBW4u8t hAFDFvHGy326XvnL4t/Rk4n4qGzKMFCyyMPMSaQ=
X-Google-Smtp-Source: AHgI3Iaj/8mEiVTYqh5qbjvwhiGcGWJtcJ1vGb8YNO64ZRvjJr28jPnuFljv9hy7sT5WTtsv3EiDH5Nhd7TKSaEX6jg=
X-Received: by 2002:a81:2544:: with SMTP id l65mr16663909ywl.263.1551153348730; Mon, 25 Feb 2019 19:55:48 -0800 (PST)
MIME-Version: 1.0
References: <CAPDSy+6YyW_G7uwfwGPv1KLtJqL96dZ87R-5pnmmffEEniTigg@mail.gmail.com> <47A82E32-32B9-476F-AB79-76C8D182624F@apple.com>
In-Reply-To: <47A82E32-32B9-476F-AB79-76C8D182624F@apple.com>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Mon, 25 Feb 2019 19:55:37 -0800
Message-ID: <CAO8oSXkGAErtKQgMGGT+88PY4Y+wJ_6Rz493exaymZ_L8F4FNg@mail.gmail.com>
To: Bob Bradley <bradley@apple.com>
Cc: DNSSD <dnssd@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/gZbxmnYERe4uPskNeoL1gvovEpI>
Subject: Re: [dnssd] Confirming consensus from DNSSD Privacy discussion in Bangkok
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 03:55:57 -0000

(Paging back in discussions from the meeting...)

On Wed, Nov 14, 2018 at 9:36 PM Bob Bradley <bradley@apple.com> wrote:
>
> I'm a little unclear what is being considered single-stage vs two-stage. How is single-stage able to send encrypted without knowing the destination? Is it encrypting a query with an asymmetric private key and multicasting? Or does single-stage refer to the predictable nonce approach? I was considering predictable nonce's two-stage because it has to first discover known peer service instances (stage 1) then perform encrypted queries/responses (stage 2).

If I understand and remember correctly, the single stage approach
would encrypt the service ID in the first query using the recipient's
public key, along with the predictable nonce generated using the
sender's public key. The response would contain the address of the
service in question. If we are concerned with the dictionary attack
mentioned earlier, a second round is required.

I assume the joint design with you, Christian, and Daniel will attempt
to find an appropriate balance here.

Best,
Chris

> Regarding the discussion:
>
> 1. Server mode. My proposal doesn't have a good way to support it. Normal server mode wasn't an important use case for me, but sleep proxy support would be nice. I just don't know how to do it yet, at least not without giving the sleep proxy your keys.
>
> 2. Multicast traffic. One problem I saw with draft-ietf-dnssd-privacy is each device advertising a service instance for each pairing. The network I'm on now has 300+ devices and if each one has 50 friends, that's 15000 service instances on the network, which seems very high.
>
> I tried to reduce this by each device only advertising itself via multicast and then everything else is unicast. The first part of key exchange was also rolled into the advertisement packet to allow a single query packet and single response packet while still maintaining forward secrecy and per-pairing confidentiality.
>
> 3. CPU cost. This seems to be a comparison between more packets, but lower per-packet cost (in the per-pairing service instance model where predictable nonce hashes are precomputed) vs fewer packets, but more expensive per-packet signature verification. The two main use cases I was considering were home networks (where neither traffic nor CPU is likely to be an issue due to the small number of devices) and busy enterprise networks (office, dorm, coffee shop), which I assumed would be more powerful devices (laptops, phones, servers) where reducing traffic would be more important than the CPU usage for checking multicast probes.
>
> 4. One privacy concern regarding predictable nonces is that it would allow spoofing. Anyone with your public key could generate your predictable nonce. It could also enable friend relationships to be recovered. Maybe not a huge concern, but something to consider. Even the signature approach has a replay vulnerability, but it's time bounded.
>
> On Nov 14, 2018, at 5:37 PM, David Schinazi <dschinazi.ietf@gmail.com> wrote:
>
> Hello everyone,
>
> It the room at IETF 103, there was a very productive discussion about DNSSD privacy:
> https://www.youtube.com/watch?v=hPuTD19R-uQ&t=28m43s
>
> During that discussion, the room reached consensus on the following items:
>
> 1) single-stage approach -- Up until now, we were considering two approaches: single-stage (send encrypted and authenticated service identifier, receive encrypted and authenticated service response) and two-stage (send encryption and authenticated identifier, receive encrypted and authenticated response, derive secrets, send and receive subsequent queries encrypted using derived secrets). There was consensus in the room to go with the single-stage approach.
>
> 2) Use of TLS -- The single-stage approach no longer requires a key exchange mechanism such as TLS. There was consensus in the room that we do not need TLS as part of this protocol.
>
> 3) Evolution of documents -- It was proposed that we would take all input and compound it into a single document and only advance that one. We will use draft-ietf-dnssd-privacy since that document has already been adopted by the working group. Christian Huitema has offered for Bob Bradley to join as co-author if Bob would like.
>
> If you disagree with any of these points, please say so before 2018-12-02.
>
> Thanks,
> David
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssd
>
>
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssd

v2.23.0 | Report a Bug | By Email