Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 12 March 2019 15:14 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 288D5130FB8; Tue, 12 Mar 2019 08:14:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FKsLXxY7rfxg; Tue, 12 Mar 2019 08:14:26 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35E68130F04; Tue, 12 Mar 2019 08:14:25 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1552403469; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-forefront-prvs:x-forefront-antispam-report: received-spf:x-ms-exchange-senderadcheck:x-microsoft-antispam-message-info: Content-Type:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=4 frP5tCxjKkJaoyVfyPYo7aOLdn+aDiC4nv76q6HMr c=; b=Cvaz2/Iildm5QOVQQJ8q+n/eFarh8mKD0sfeKET0+C7v 9ucJUDkYlsNtY98d+MQh6zw8DRk5FY/ITrJ0B9ErklPv4gp1oa mGbcdQKcoo7y7g0pQ/HzC6VtHXf94Yg00jX+radC8C7E4PxECL GCqVMDKev3b4nsZ9aA9Rmja01Dc=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (unknown [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 0729_5df1_7980db65_f632_4099_adf0_fe01e5083251; Tue, 12 Mar 2019 09:11:08 -0600
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 12 Mar 2019 09:13:54 -0600
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Tue, 12 Mar 2019 09:13:54 -0600
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (10.44.176.240) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 12 Mar 2019 09:13:49 -0600
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2710.namprd16.prod.outlook.com (20.178.232.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.13; Tue, 12 Mar 2019 15:13:49 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::9c48:452b:e39c:ef39]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::9c48:452b:e39c:ef39%2]) with mapi id 15.20.1709.011; Tue, 12 Mar 2019 15:13:49 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Neil Cook <neil.cook@noware.co.uk>
CC: "doh@ietf.org" <doh@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "Paul Vixie" <paul@redbarn.org>
Thread-Topic: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients
Thread-Index: AQHU2NXrAignavqBHk2zotAw7nV7baYIGTiw
Date: Tue, 12 Mar 2019 15:13:49 +0000
Message-ID: <BYAPR16MB27905CEEB60A2B607E5B638CEA490@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com> <e62efaf3-4a35-4a52-5ed4-dee2e7fafe72@huitema.net> <69f989ba-0939-b917-b586-9e3af3fb8b74@redbarn.org> <CAPsNn2XNCzgAdfJtxBVboAe+d6sbCiV2fZv9185wm+HN+3zRdg@mail.gmail.com> <BYAPR16MB279065EE519680E7FC9A637CEA480@BYAPR16MB2790.namprd16.prod.outlook.com> <CAPsNn2Up1AtJJCdmu_9NC4jfzc-8dtE+QjUzRxMBUwaN44gvOg@mail.gmail.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org> <CAPsNn2VAgLDW++kb=Csfczp4oydqa4sY-dKWw7P7qTwj=MfxdQ@mail.gmail.com> <b405fbdd-dc36-5df1-b5bc-9ff2dcb149a2@cs.tcd.ie> <BYAPR16MB27902B449F94D0332AAED8E8EA490@BYAPR16MB2790.namprd16.prod.outlook.com> <2508EF3D-F82D-4BA5-A2FC-6287A76724BA@noware.co.uk>
In-Reply-To: <2508EF3D-F82D-4BA5-A2FC-6287A76724BA@noware.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [49.37.203.5]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 302892e2-b59e-496f-4268-08d6a6fd5491
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2710;
x-ms-traffictypediagnostic: BYAPR16MB2710:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <BYAPR16MB271098E5EDFBF3E0F2FBE61DEA490@BYAPR16MB2710.namprd16.prod.outlook.com>
x-forefront-prvs: 09749A275C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(39860400002)(396003)(376002)(366004)(346002)(189003)(13464003)(199004)(32952001)(55674003)(11346002)(446003)(6306002)(68736007)(476003)(93886005)(52536013)(5660300002)(8936002)(3846002)(186003)(54906003)(6246003)(33656002)(316002)(6116002)(486006)(790700001)(53936002)(256004)(26005)(5024004)(14444005)(102836004)(9686003)(54896002)(236005)(2906002)(55016002)(71190400001)(71200400001)(229853002)(6436002)(53386004)(8676002)(14454004)(966005)(66066001)(106356001)(7736002)(6916009)(72206003)(99286004)(76176011)(6506007)(105586002)(53546011)(86362001)(97736004)(478600001)(81166006)(7696005)(81156014)(80792005)(74316002)(4326008)(25786009)(66574012)(606006)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2710; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 9AJ2HmtGJA5QEdNZvKM3CjMbUiQp79TuYwU8jpZtcKwfpNwBkpg2tLh2+D4yZzWuy8MsHAOoKqQVNiazpjJ2SaZjJ77QC8rcAXJltORDHoIuqf6BgjX8MAX0fXZpy3CeHsbIKzgG4Uco3D4OBc+oE2JvMPE9UHSw0ACLiXTNLnUXhFY/VYQct/VYNVM0EByn+S/kZyR/HDMDAQy1AkswF2Se4DjkBq0Rj4wNle/pjG7V5MdHMWwr95zgkqyxUgxkhy9xIoluJmZj/t4dpQJTS4zq+gHAOj8uOmc8TWSa07jO+VnCaHpZr9H7O/Acw4Vjgqor8EAReCGH3SFaNUaR2V1VFaMInMTXmo6MTee2nmMRU7VCUSgi0yLiLJE2nE4c6G+9bi/TFRO9Sn0v0kRuddzwEWMy/2yv/bmGl3oIjWk=
Content-Type: multipart/alternative; boundary="_000_BYAPR16MB27905CEEB60A2B607E5B638CEA490BYAPR16MB2790namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 302892e2-b59e-496f-4268-08d6a6fd5491
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2019 15:13:49.3665 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2710
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6501> : inlines <7032> : streams <1815500> : uri <2811440>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/RFVEhGENP05-Css8T_deJO9UGu8>
Subject: Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2019 15:14:29 -0000

Please see inline [TR]

From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Neil Cook
Sent: Tuesday, March 12, 2019 5:14 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
Cc: doh@ietf.org; Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>rg>; dnsop@ietf.org; Paul Vixie <paul@redbarn.org>rg>; Christian Huitema <huitema@huitema.net>et>; nalini elkins <nalini.elkins@e-dco.com>om>; dns-privacy@ietf.org; Ackermann, Michael <mackermann@bcbsm.com>om>; Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
ISTM that it is quite possible that enterprises that deploy their own DoH
services could potentially reduce such leakage and gain overall. (I'm
assuming here that sensible browser-makers will end up providing
something that works for browsers running in networks with split-horizon
setups before those browsers turn on DoH as a default at scale.)

If Enterprise network provides a DoT/DoH server, browser should be able to discover and use the Enterprise DoT/DoH server.

Well until now there has been no discovery mechanism for DoH servers. There is now draft adopted by the DoH WG that proposes a discovery mechanism. However whether browsers actually use it is another question. Hence the draft by VIttorio.

[TR] Discovery alone will not solve the problem, the DoH client needs to trust the discovered DoH servers (see https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-01).

Cheers,
-Tiru

Neil


On 12 Mar 2019, at 06:14, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>> wrote:

-----Original Message-----
From: Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>
Sent: Tuesday, March 12, 2019 5:30 AM
To: Paul Vixie <paul@redbarn.org<mailto:paul@redbarn.org>>; doh@ietf.org<mailto:doh@ietf.org>
Cc: nalini elkins <nalini.elkins@e-dco.com<mailto:nalini.elkins@e-dco.com>>; Konda, Tirumaleswar Reddy
<TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; dnsop@ietf.org<mailto:dnsop@ietf.org>; Ackermann,
Michael <mackermann@bcbsm.com<mailto:mackermann@bcbsm.com>>; Christian Huitema
<huitema@huitema.net<mailto:huitema@huitema.net>>; dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>; Vittorio Bertola
<vittorio.bertola=40open-xchange.com@dmarc.ietf.org<mailto:vittorio.bertola=40open-xchange.com@dmarc.ietf.org>>
Subject: Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients


(This distribution list is too scattered and diverse. Be great if some AD or
someone just picked one list for this.
In the meantime...)

On 11/03/2019 20:43, nalini elkins wrote:

impact assessment that certain changes such as DoH and TLS1.3 will
have on enterprises,

TLS1.3 will, I expect, noticeably improve security for an awful lot of
enterprises in time.

As for DoH, I wonder has anyone done studies on how split-horizon names
and access patterns leak today?

I don't recall having read that kind of study. I can imagine many ways in
which that kind of stuff would leak. I'd be very surprised if it never happens.
I don't know how often it does.

For names, leaking once is kinda fatal. For access patterns, I guess one leak
exposes an IP address that's interested in a name (e.g. secret-
project.example.com<http://project.example.com>) but more would be needed for broader access
patterns to be exposed to "foreign"
recursives and/or in-band networks.

ISTM that it is quite possible that enterprises that deploy their own DoH
services could potentially reduce such leakage and gain overall. (I'm
assuming here that sensible browser-makers will end up providing
something that works for browsers running in networks with split-horizon
setups before those browsers turn on DoH as a default at scale.)

If Enterprise network provides a DoT/DoH server, browser should be able to discover and use the Enterprise DoT/DoH server.

-Tiru



Cheers,
S.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org<mailto:DNSOP@ietf.org>
https://www.ietf.org/mailman/listinfo/dnsop