Re: [Dots] Magnus Westerlund's No Objection on draft-ietf-dots-server-discovery-14: (with COMMENT)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 10 November 2020 07:30 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, "iesg@ietf.org" <iesg@ietf.org>
CC: "dots@ietf.org" <dots@ietf.org>, "valery@smyslov.net" <valery@smyslov.net>, "draft-ietf-dots-server-discovery@ietf.org" <draft-ietf-dots-server-discovery@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>
Date: Tue, 10 Nov 2020 07:30:10 +0000
Message-ID: <DM6PR16MB34029662F100D57D98B8E693EAE90@DM6PR16MB3402.namprd16.prod.outlook.com>
References: <160458459549.15207.15947838166522017934@ietfa.amsl.com> <DM6PR16MB3402A32E4756607C1F7F46C9EAED0@DM6PR16MB3402.namprd16.prod.outlook.com> <0372e8d7a906dca1041212e6ed989b58304d633b.camel@ericsson.com>
In-Reply-To: <0372e8d7a906dca1041212e6ed989b58304d633b.camel@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/pDCJibkPWozEQzrJLO7nfW9I4Hw>
Subject: Re: [Dots] Magnus Westerlund's No Objection on draft-ietf-dots-server-discovery-14: (with COMMENT)

> -----Original Message-----
> From: Magnus Westerlund <magnus.westerlund@ericsson.com>
> Sent: Friday, November 6, 2020 4:12 PM
> To: iesg@ietf.org; Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com>
> Cc: dots@ietf.org; valery@smyslov.net; draft-ietf-dots-server-
> discovery@ietf.org; dots-chairs@ietf.org
> Subject: Re: Magnus Westerlund's No Objection on draft-ietf-dots-server-
> discovery-14: (with COMMENT)
> 
> On Fri, 2020-11-06 at 07:44 +0000, Konda, Tirumaleswar Reddy wrote:
> > > -----Original Message-----
> > > From: Magnus Westerlund via Datatracker <noreply@ietf.org>
> > > Sent: Thursday, November 5, 2020 7:27 PM
> > > To: The IESG <iesg@ietf.org>
> > > Cc: draft-ietf-dots-server-discovery@ietf.org; dots-chairs@ietf.org;
> > > dots@ietf.org; Valery Smyslov <valery@smyslov.net>;
> valery@smyslov.net
> > > Subject: Magnus Westerlund's No Objection on draft-ietf-dots-server-
> > > discovery-14: (with COMMENT)
> > >
> > > CAUTION: External email. Do not click links or open attachments unless
> you
> > > recognize the sender and know the content is safe.
> > >
> > > Magnus Westerlund has entered the following ballot position for
> > > draft-ietf-dots-server-discovery-14: No Objection
> > >
> > > When responding, please keep the subject line intact and reply to all
> email
> > > addresses included in the To and CC lines. (Feel free to cut this
> > > introductory
> > > paragraph, however.)
> > >
> > >
> > > Please refer to https://www.ietf.org/iesg/statement/discuss-
> criteria.html
> > > for more information about IESG DISCUSS and COMMENT positions.
> > >
> > >
> > > The document, along with other ballot positions, can be found here:
> > > https://datatracker.ietf.org/doc/draft-ietf-dots-server-discovery/
> > >
> > >
> > >
> > > ----------------------------------------------------------------------
> > > COMMENT:
> > > ----------------------------------------------------------------------
> > >
> > > Shouldn't the security consideration section 8.2 have some additional
> > > warnings about the ease of affecting the DNS lookup when .local is used,
> > > as mDNS can more easily be gamed?
> >
> > Yes, but the discovery uses global names and not ".local". DNSSEC can be
> used
> > to validate the response.
> 
> Ok, that is better, sorry for missing that part. Still, with mDNS, nodes on the
> network segment or multicast domain used can easily inject answers.

Yes.

> So it enlarges the attack surface, but DNS without DNSSEC appears quite
> sensitive to targeted attacks on the name resolution of the DOTS servers.
> I think comparing sections 8.3 and 8.2 is interesting. In 8.2 you are explicit
> about the attacker's interest in compromising the S-NAPTR resolution. But the
> same attack potential in DNS-SD is not mentioned.

The attack discussed in 8.2 is also applicable to 8.3, and authenticating the discovered DOTS server using the TLS server certificate protects against the DNS spoofing attack (similar to HTTPS).

> 
> Are redirects allowed here when doing the lookup, and does that affect what
> domain name one will use in the SNI in DTLS when connecting to the DOTS agent?
> Just trying to understand if the DTLS connection step is a second line of
> defence for the DNS-SD step?

Redirects are only possible after the (D)TLS session is established; please see https://tools.ietf.org/html/rfc8782#section-4.6


> In other words, that an attacker can inject or modify the DNS response to
> ensure that the DOTS client connects to the attacker's server, but that it isn't
> fooled that this is the intended one?

Yes, spoofing the DNS response is of no use as it will be detected by the DOTS client during server certificate validation.

Cheers,
Tiru


> 
> Cheers
> 
> Magnus
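The exchange above argues that a spoofed S-NAPTR or DNS-SD answer is caught at (D)TLS time because the DOTS client validates the server certificate. The model below, an added example that is neither the draft's text nor code from any DOTS implementation, makes the one condition that argument relies on explicit: the certificate has to be checked against a reference identifier the attacker cannot influence. The rule used here (a configured domain is trusted; a name learned from DNS is trusted only when the resolver validated it with DNSSEC) is this example's assumption, not a requirement quoted from the draft. All names, addresses and certificates are constructed; the addresses come from the documentation ranges.

```python
"""Second line of defence for DNS-based DOTS server discovery (added example).

Models: discovery answer -> (D)TLS handshake -> certificate name check.
Everything below (DNS answers, certificates, addresses) is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Certificate:
    """Stand-in for the X.509 end-entity certificate a server presents in the
    (D)TLS handshake (constructed; only the fields the check needs)."""
    san_dns_names: List[str]
    chains_to_trusted_ca: bool = True


@dataclass
class DnsAnswer:
    """What S-NAPTR or DNS-SD discovery hands the client: the resolved target
    name, its address, and whether the resolver validated it with DNSSEC."""
    target_name: str
    address: str
    dnssec_validated: bool = False


def dns_name_matches(reference: str, presented: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, label by label;
    a wildcard is honoured only as the complete left-most label, matches
    exactly one label, and must leave at least two literal labels."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres) or len(ref) < 2:
        return False
    if pres[0] == "*":
        return len(pres) >= 3 and ref[1:] == pres[1:]
    return ref == pres


def certificate_accepts(cert: Certificate, reference: str) -> bool:
    """Chain must be trusted AND one SAN dNSName must match the reference."""
    return cert.chains_to_trusted_ca and any(
        dns_name_matches(reference, name) for name in cert.san_dns_names)


def reference_identifier(configured_domain: Optional[str],
                         answer: DnsAnswer) -> Optional[str]:
    """Assumption of this example: a name learned out of band (configuration)
    is trusted; a name learned from DNS is trusted only if DNSSEC validated
    the answer. Otherwise there is nothing safe to bind the certificate to."""
    if configured_domain:
        return configured_domain
    if answer.dnssec_validated:
        return answer.target_name
    return None


# Constructed "network": address -> certificate presented at that address.
# The rogue host holds a perfectly valid certificate for a name it owns, so
# CA trust alone does not distinguish it; only the name binding does.
SERVERS = {
    "192.0.2.10": Certificate(["dots.example.com", "dots-1.example.com"]),
    "203.0.113.7": Certificate(["dots.attacker.example"]),
}

# Genuine, DNSSEC-validated answer versus an injected, unsigned one.
LEGITIMATE_ANSWER = DnsAnswer("dots-1.example.com", "192.0.2.10",
                              dnssec_validated=True)
SPOOFED_ANSWER = DnsAnswer("dots.attacker.example", "203.0.113.7")


def dots_discovery_connect(configured_domain: Optional[str],
                           answer: DnsAnswer) -> dict:
    """Follow the discovery answer, then validate the presented certificate
    against the reference identifier before treating the peer as the server."""
    reference = reference_identifier(configured_domain, answer)
    if reference is None:
        return {"connected": False,
                "reason": "no trustworthy reference identifier"}
    cert = SERVERS[answer.address]
    if not certificate_accepts(cert, reference):
        return {"connected": False,
                "reason": f"certificate does not match {reference}"}
    return {"connected": True, "peer": answer.address, "reference": reference}


if __name__ == "__main__":
    for domain, answer in [("dots.example.com", LEGITIMATE_ANSWER),
                           ("dots.example.com", SPOOFED_ANSWER),
                           (None, LEGITIMATE_ANSWER),
                           (None, SPOOFED_ANSWER)]:
        print(domain, "->", answer.target_name,
              dots_discovery_connect(domain, answer))
```

The interesting row is the last one: with no configured name and an unsigned answer, the only name the client has is the one the attacker supplied, and checking the rogue certificate against that name would succeed. Refusing in that case is what keeps the certificate check a real second line of defence rather than a formality.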