Re: [dnssd] Confirming consensus from DNSSD Privacy discussion in Bangkok
David Schinazi <dschinazi.ietf@gmail.com> Wed, 27 February 2019 20:18 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC3D61310AC for <dnssd@ietfa.amsl.com>; Wed, 27 Feb 2019 12:18:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLysH05GwCfN for <dnssd@ietfa.amsl.com>; Wed, 27 Feb 2019 12:18:06 -0800 (PST)
Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67ACD126C01 for <dnssd@ietf.org>; Wed, 27 Feb 2019 12:18:06 -0800 (PST)
Received: by mail-pf1-x433.google.com with SMTP id a3so8520095pff.11 for <dnssd@ietf.org>; Wed, 27 Feb 2019 12:18:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9T7MpwQh7q3wur3Ch0vT0aSoJsywnLPab4IC5gxqxPs=; b=Sn/IpvlRGKsE8YBAgX3CA/HlRzKOCx4t1GTOwC/cQDg2VAf6W12OxhQB8qQqwLTYoZ /Xb7XV66K4Z2DDleZu+yHoMgwCW49Qf3zru+koEDWGiyHe2uvOkpCUhhrFbifOtinXqB LYJ7/85MHbuL6gq15ydkCi37YCXbzr+7S3DSlWfwzsTyjIjGMBl53XmAuG6UP3RyA4FK O89K7a+HLXNJqDcbswDH7cNl7HPC6RkASWKQdAs3d9gNaIsrjCZC5KrHvIa6UVOAu0OM ZHA9Mzbj5SjQvETTi8UDweLZBtiqY6NiHUCqboUYtszMdtIVNAa0a6RcpRHWkDaKrwUV kAKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9T7MpwQh7q3wur3Ch0vT0aSoJsywnLPab4IC5gxqxPs=; b=Eo4pxypV2QhyB2UU6OygMjlGAG9BVxhRIITVWabCLOc5X8W1wJasNgMhYfErf0365z pFvs3CDmSB6WM54DjsPDLOmZK57GzKkR+fKnCSHpZFTNH+kPv4f7XWxa7/K8sIAsYJRV rn20hlirYtK2bmGhQ5VXFrpCkTu8DlE264h6paO77qMMPJ4D/TivyOBSMVzXKs7WnRVO ETbFPKzSeJqo8njj7mRsmQyl7wKFsMqsg6uXmXi0aLZ/fXW/IYm3NaU7uOwT94sbgBbk M6FgSGzzp0+So3LRDrtQLgrAb94CzzjGQVN8K5kIm647xKi759C50PAonvzORjWWEuNT UmqQ==
X-Gm-Message-State: AHQUAuaO33IpiWV49hqx9WYEAoM+wsh2J+0Pg2iJpaPqEZdJLytoAKn7 fEkSchN+vhwgvS7eztlrin9Op1u2ItjpEx7Y/iw=
X-Google-Smtp-Source: AHgI3IZIlbcQRTp1ehBgrFOg3/4a4b8fEn5EwbT60pOVRJdwzQwklBg+0oprskDJ7Ioh1cUK66/VYfL/9JTRmgkSjpE=
X-Received: by 2002:a65:63c2:: with SMTP id n2mr4658966pgv.439.1551298685517; Wed, 27 Feb 2019 12:18:05 -0800 (PST)
MIME-Version: 1.0
References: <CAPDSy+6YyW_G7uwfwGPv1KLtJqL96dZ87R-5pnmmffEEniTigg@mail.gmail.com> <47A82E32-32B9-476F-AB79-76C8D182624F@apple.com> <CAO8oSXkGAErtKQgMGGT+88PY4Y+wJ_6Rz493exaymZ_L8F4FNg@mail.gmail.com> <CAPDSy+68V=rx8cAbVq6rKxNbb9yHisCCPURwHoLKsA179NooLw@mail.gmail.com> <e9b4900d-94e3-c79a-2a72-e2f996663b9d@huitema.net>
In-Reply-To: <e9b4900d-94e3-c79a-2a72-e2f996663b9d@huitema.net>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Wed, 27 Feb 2019 12:17:54 -0800
Message-ID: <CAPDSy+4d27SQCStGzPpzzv=pjGiCM+0df988BesRGHdV_vvteA@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: Christopher Wood <christopherwood07@gmail.com>, Bob Bradley <bradley@apple.com>, DNSSD <dnssd@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001745150582e5dfd5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/lYwONYx649VaVRuMeHys2SB-9Oc>
Subject: Re: [dnssd] Confirming consensus from DNSSD Privacy discussion in Bangkok
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 20:18:10 -0000
Thanks for writing this up Christian. I went through the minutes of our last in-person meeting in Bangkok <https://datatracker.ietf.org/meeting/103/materials/minutes-103-dnssd> and while we did not explicitly ask for consensus then, I got a feeling that the sense in the room was: 1) Is the server mode important for the scenarios that we are thinking about? - No one in the room came out strongly in favor of server mode - Server mode would add complexity My personal recommendation: we declare server mode out of scope for now. 2) Do we care about compatibility with the existing DNS-SD formats? - No one in the room came out strongly in favor of this - It was mentioned it would be nice to have but not critical - This would cause some security tradeoffs regarding hash size My personal recommendation: we declare compatibility with existing formats out of scope for now. 3) Do we want private discovery to work as a system component, or as an app library? (a.k.a. per device or per app.) - We had briefly discussed this at IETF 100 in Singapore following Stuart's discussion of requirements: https://tools.ietf.org/html/draft-cheshire-dnssd-privacy-considerations-01#section-3 - I recall there was support in the room for having finer granularity such as per-app My personal recommendation: we focus on per-app for now. Based on the above, as chair, I'm proposing we move forward with a reduced scope solution for now, that is without server mode, using binary formats, and runs as an app library. To clarify, this wouldn't mean we won't try to build a follow-up solution for those requirements later, this is just meant as framing to help us make progress towards a concrete proposal. Please share your opinions on this potential approach. Thanks, David On Wed, Feb 27, 2019 at 10:35 AM Christian Huitema <huitema@huitema.net> wrote: > I think we understand the envelope of the solutions, but we have to > stabilize three design choices first: > > 1) Is the server mode important for the scenarios that we are thinking > about? > > 2) Do we care about compatibility with the existing DNS-SD formats? > > 3) Do we want private discovery to work as a system component, or as an > app library? (a.k.a. per device or per app.) > > We can easily write a spec that works without server mode, using binary > formats, and runs as an app library. That's basically Bob's design, with an > optional tweak to add an hint and minimize the CPU cost of trial > decryption. We could also tweak the same spec and make it somehow fit in > DNS formats, with a liberal usage of TXT records, but I don't know whether > that's justified. We do not have a consensus on a server based solution, > let alone on a server based solution that would reuse DNS servers. > > Basically, the best way for the chairs and the working group to help is to > focus the work on a key scenario, and answer the three questions above. > > -- Christian Huitema > > > On 2/26/2019 9:35 AM, David Schinazi wrote: > > Thanks for kicking this discussion off again, Chris! > > Bob, Christian, is there anything the chairs can do to facilitate making > progress towards a joint proposal before Prague? > > Thanks, > David > > On Mon, Feb 25, 2019 at 7:56 PM Christopher Wood < > christopherwood07@gmail.com> wrote: > >> (Paging back in discussions from the meeting...) >> >> On Wed, Nov 14, 2018 at 9:36 PM Bob Bradley <bradley@apple.com> wrote: >> > >> > I'm a little unclear what is being considered single-stage vs >> two-stage. How is single-stage able to send encrypted without knowing the >> destination? Is it encrypting a query with an asymmetric private key and >> multicasting? Or does single-stage refer to the predictable nonce approach? >> I was considering predictable nonce's two-stage because it has to first >> discover known peer service instances (stage 1) then perform encrypted >> queries/responses (stage 2). >> >> If I understand and remember correctly, the single stage approach >> would encrypt the service ID in the first query using the recipient's >> public key, along with the predictable nonce generated using the >> sender's public key. The response would contain the address of the >> service in question. If we are concerned with the dictionary attack >> mentioned earlier, a second round is required. >> >> I assume the joint design with you, Christian, and Daniel will attempt >> to find an appropriate balance here. >> >> Best, >> Chris >> >> > Regarding the discussion: >> > >> > 1. Server mode. My proposal doesn't have a good way to support it. >> Normal server mode wasn't an important use case for me, but sleep proxy >> support would be nice. I just don't know how to do it yet, at least not >> without giving the sleep proxy your keys. >> > >> > 2. Multicast traffic. One problem I saw with draft-ietf-dnssd-privacy >> is each device advertising a service instance for each pairing. The network >> I'm on now has 300+ devices and if each one has 50 friends, that's 15000 >> service instances on the network, which seems very high. >> > >> > I tried to reduce this by each device only advertising itself via >> multicast and then everything else is unicast. The first part of key >> exchange was also rolled into the advertisement packet to allow a single >> query packet and single response packet while still maintaining forward >> secrecy and per-pairing confidentiality. >> > >> > 3. CPU cost. This seems to be a comparison between more packets, but >> lower per-packet cost (in the per-pairing service instance model where >> predictable nonce hashes are precomputed) vs fewer packets, but more >> expensive per-packet signature verification. The two main use cases I was >> considering were home networks (where neither traffic nor CPU is likely to >> be an issue due to the small number of devices) and busy enterprise >> networks (office, dorm, coffee shop), which I assumed would be more >> powerful devices (laptops, phones, servers) where reducing traffic would be >> more important than the CPU usage for checking multicast probes. >> > >> > 4. One privacy concern regarding predictable nonces is that it would >> allow spoofing. Anyone with your public key could generate your predictable >> nonce. It could also enable friend relationships to be recovered. Maybe not >> a huge concern, but something to consider. Even the signature approach has >> a replay vulnerability, but it's time bounded. >> > >> > On Nov 14, 2018, at 5:37 PM, David Schinazi <dschinazi.ietf@gmail.com> >> wrote: >> > >> > Hello everyone, >> > >> > It the room at IETF 103, there was a very productive discussion about >> DNSSD privacy: >> > https://www.youtube.com/watch?v=hPuTD19R-uQ&t=28m43s >> > >> > During that discussion, the room reached consensus on the following >> items: >> > >> > 1) single-stage approach -- Up until now, we were considering two >> approaches: single-stage (send encrypted and authenticated service >> identifier, receive encrypted and authenticated service response) and >> two-stage (send encryption and authenticated identifier, receive encrypted >> and authenticated response, derive secrets, send and receive subsequent >> queries encrypted using derived secrets). There was consensus in the room >> to go with the single-stage approach. >> > >> > 2) Use of TLS -- The single-stage approach no longer requires a key >> exchange mechanism such as TLS. There was consensus in the room that we do >> not need TLS as part of this protocol. >> > >> > 3) Evolution of documents -- It was proposed that we would take all >> input and compound it into a single document and only advance that one. We >> will use draft-ietf-dnssd-privacy since that document has already been >> adopted by the working group. Christian Huitema has offered for Bob Bradley >> to join as co-author if Bob would like. >> > >> > If you disagree with any of these points, please say so before >> 2018-12-02. >> > >> > Thanks, >> > David >> > _______________________________________________ >> > dnssd mailing list >> > dnssd@ietf.org >> > https://www.ietf.org/mailman/listinfo/dnssd >> > >> > >> > _______________________________________________ >> > dnssd mailing list >> > dnssd@ietf.org >> > https://www.ietf.org/mailman/listinfo/dnssd >> >> _______________________________________________ >> dnssd mailing list >> dnssd@ietf.org >> https://www.ietf.org/mailman/listinfo/dnssd >> > > _______________________________________________ > dnssd mailing listdnssd@ietf.orghttps://www.ietf.org/mailman/listinfo/dnssd > >
- [dnssd] Confirming consensus from DNSSD Privacy d… David Schinazi
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Bob Bradley
- Re: [dnssd] Confirming consensus from DNSSD Priva… Ted Lemon
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Bob Bradley
- Re: [dnssd] Confirming consensus from DNSSD Priva… Ted Lemon
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… David Schinazi
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… David Schinazi
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… David Schinazi
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… Bob Bradley
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christopher Wood
- Re: [dnssd] Confirming consensus from DNSSD Priva… Michael Richardson
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Martin Thomson
- Re: [dnssd] Confirming consensus from DNSSD Priva… Christian Huitema
- Re: [dnssd] Confirming consensus from DNSSD Priva… Daniel KAISER