IETF Logo Mail Archive

Re: [homenet] Dnsdir telechat review of draft-ietf-homenet-front-end-naming-delegation-18

Matt Brown <ietf@mattb.net.nz> Thu, 20 October 2022 20:37 UTC

Return-Path: <ietf@mattb.net.nz>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CB00C14CF19; Thu, 20 Oct 2022 13:37:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.604
X-Spam-Level: *
X-Spam-Status: No, score=1.604 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_SBL_CSS=3.335, RCVD_IN_XBL=0.375, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mattb.net.nz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pdri_1R-jbFO; Thu, 20 Oct 2022 13:37:31 -0700 (PDT)
Received: from muslin.katalinabrown.co.nz (muslin.katalinabrown.co.nz [IPv6:2600:3c03::f03c:91ff:fe93:7ef4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FB21C14CE29; Thu, 20 Oct 2022 13:37:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mattb.net.nz; s=20190916; h=Content-Transfer-Encoding:Content-Type:Cc:To: Subject:Message-ID:Date:From:In-Reply-To:References:MIME-Version:Sender: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=oUb0zBBacCmFupGwR5JPZ5MrVUuW7Ywl1wmT0Xr35d0=; b=BrfWdSggx9aKgl0J6z0y0qQ3pF o27p9XoceBRDOOwAKGsE5IplVPuAdXEYYfGCo9W7C5z0dPB4EkKlerMLzNmWC3tYhwA7e8hVYT1Tl 3R7EuzN91wOcYqij2xxos4JuwDFb1hzR7bwtSsa+ShO7IuYsFUnSv2C7M1RVyfeRA/Hk=;
X-Gm-Message-State: ACrzQf2FxVNvcm8TYg+WKsqYvU8WdqJ4zG2MAbS0XkgR/KdNF1IPHLop Opd/ikk2YGDKgj3EPDMOejU+TuLEV51bdrZQ65Q=
X-Google-Smtp-Source: AMsMyM4Su6JEZib+VgRjBtfGEXrEM4/wj5+wvVUBHwreyH2DQG2yy0/j0/1qdX9F3WhW8WtXtLi7cnyzJdoR3EF+bz0=
X-Received: by 2002:a17:906:fc6:b0:72f:d080:416 with SMTP id c6-20020a1709060fc600b0072fd0800416mr12718808ejk.1.1666298244394; Thu, 20 Oct 2022 13:37:24 -0700 (PDT)
MIME-Version: 1.0
References: <166601224491.24452.9575096761631204136@ietfa.amsl.com> <CADZyTknfP8MJLhaEUm=5YqJMRnN+HXnjNnoK1qe1m_mK+f1uSQ@mail.gmail.com> <CAMgEDbTDY3w42-Aw0dBabcfkM6BssZ_qNvin9E_Qaj3R=d__jw@mail.gmail.com> <CADZyTkkr=gV9neZNfxARcAasiHAhfKkgD2zR=+9yJ8fbg1ujsA@mail.gmail.com>
In-Reply-To: <CADZyTkkr=gV9neZNfxARcAasiHAhfKkgD2zR=+9yJ8fbg1ujsA@mail.gmail.com>
From: Matt Brown <ietf@mattb.net.nz>
Date: Fri, 21 Oct 2022 09:37:34 +1300
X-Gmail-Original-Message-ID: <CAMgEDbS2JJiCjG5zCs4Y8s6kSWEf4Fz75D3kupuaPqDUCJZP+g@mail.gmail.com>
Message-ID: <CAMgEDbS2JJiCjG5zCs4Y8s6kSWEf4Fz75D3kupuaPqDUCJZP+g@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: dnsdir@ietf.org, draft-ietf-homenet-front-end-naming-delegation.all@ietf.org, homenet@ietf.org, last-call@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/14IYx71TNGhysEJoNsn60yRT-s8>
Subject: Re: [homenet] Dnsdir telechat review of draft-ietf-homenet-front-end-naming-delegation-18
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2022 20:37:36 -0000

On Thu, Oct 20, 2022 at 5:53 PM Daniel Migault <mglt.ietf@gmail.com> wrote:
>
> Thanks for the feed back. Please see my response inline. Note that we are clarifying the use of transport protocols in the current document. For the synchronization channel we mandate XoT, for the control channel we mandate DoT - still with mutual authentication. I hope the line below adresse you concern regarding mutual authentication.
> Yours,
> Daniel
>
> On Wed, Oct 19, 2022 at 8:29 PM Matt Brown <ietf@mattb.net.nz> wrote:
>>
>> On Wed, Oct 19, 2022 at 3:25 PM Daniel Migault <mglt.ietf@gmail.com> wrote:
>> >

<snip>

>> > I would be happy to understand though why DoT would be an issue. The only point I can see is that 7858 specifies that it limits its scope to client -to resolver communications while admitting such restriction is due to a charter limitation. Since XoT mentions it is heavily relying on DoT, and resolvers and authoritative servers both handle DNS packets, I tend to assume that we may consider DoT can be used for any DNS communications, but I might be missing something.
>>
>> What I understand when I read this draft is a proposal is to take a
>> protocol (DoT, RFC7858) with a primary purpose of providing *privacy*
>> and which states in its design that authentication of clients is not
>> in scope and use it in a context where *authentication of clients* is
>> the primary requirement (e.g. the DM needs to know that it's receiving
>> a connection from a client authorized to control the domain in the
>> messages). That type of usage outside of the scope envisaged by
>> RFC7858 brings two concerns to my mind:
>> 1) *How* will clients/servers choose to implement the client
>> authentication and will they be compatible with each other without
>> further guidance/constraint being provided on how client
>> authentication in DoT should be performed?
>
> This is correct that if client authentication is disable it will not happen. That said, we can believe that if that is what we are looking at the TLS library will be configured appropriately. IN this case the clients and the server are specific entities.
>
> Regarding 7858, it does not say the client is not authenticated, it says that the client authenticates the server and after the negotiation completes the connection is encrypted. Client authentication is part of the TLS negotiation.
>
> Another example is also that when session resumption occurs, it becomes hard to claim the client is not authenticated as TLS uses tha PSK-ECDHE scheme.
>
> To keep things simple, I would say if DoT were not defined we would have said the traffic is secured by TLS. If we cannot use DoT we are happy to do so, but I do not think using Dot is a concern there. That said, I am happy to learn more if I am missing anything.

If I'm understanding you correctly, the argument is that the
underlying TLS libraries support mTLS, so can be used in the way
proposed, even though it is outside the scope of what is standardised
in RFC7858. This may very well be true, but in my understanding it's
then incorrect to call this using DoT. To me, what is proposed is to
build further protocol specifics (client authentication) on top of DoT
- which may work, but if that is what is intended, then it needs to be
done explicitly - e.g."this standard extends the DoT specification to
support client authentication via mTLS" or similar.

Are there existing DoT implementations using mTLS to authenticate
clients to DoT servers that you are aware of? I could not find any in
a quick search.

As you noted previously the XoT spec provides a good example that
building on top of DoT in this way is feasible and a reasonable thing
to do - which is useful - but I think two things should be noted from
that comparison (emphasis mine below):
1) XoT does not say it uses DoT, it says (end of Introduction):
"encrypting zone transfers using TLS [RFC8499] -- **based closely on
DoT [RFC7858]** -- seems like a simple step forward. This document
specifies how to use TLS (1.3 or later) as a transport to prevent zone
collection from zone transfers." - e.g. it is clear that what is being
described is not DoT, but something close to it.
2) The level of detail in how to accomplish that extension is higher
than I see present in this draft (e.g. RFC9103 7.1, 7.3 cover TLS
establishment specifically, and 9.3.3 and 10.0 then cover the addition
of authentication, etc).

Cheers

-- 
Matt Brown
DNS Directorate Member

On Thu, Oct 20, 2022 at 5:53 PM Daniel Migault <mglt.ietf@gmail.com> wrote:
>
> Thanks for the feed back. Please see my response inline. Note that we are clarifying the use of transport protocols in the current document. For the synchronization channel we mandate XoT, for the control channel we mandate DoT - still with mutual authentication. I hope the line below adresse you concern regarding mutual authentication.
> Yours,
> Daniel
>
> On Wed, Oct 19, 2022 at 8:29 PM Matt Brown <ietf@mattb.net.nz> wrote:
>>
>> On Wed, Oct 19, 2022 at 3:25 PM Daniel Migault <mglt.ietf@gmail.com> wrote:
>> >
>> > Hi Matt,
>> >
>> > Thanks for the review. I am only responding to the major comments - for now. I apologize for the partial response but I promise I will go through all other comments tomorrow (my) morning and hope you will still have this partial response (your) morning.
>>
>> No problem, likewise responding just to this first message now, and
>> hopefully to your subsequent message later today!
>>
>> >> Major Issues (aka Not Ready):
>> >>
>> >> Mutual TLS and DoT - 3.2 and 4.6 recommend that the HNA and DM secure their
>> >> control channel communications using mutual TLS and DoT - but DoT is not
>> >> specified to support mutual authentication. While mutual TLS auth at the
>> >> underlying TLS layer is clearly viable - how to integrate that at the DNS
>> >> layer, and whether that is compatible with DoT on the existing port, or would
>> >> need a further port allocation (and subsequent IANA consideration in 13) would
>> >> need to be addressed. None of the alternative future protocols listed in 3.2
>> >> support mTLS either as far as I am aware.
>> >>
>> >> Given the recommendation to use XoT (RFC9103) (which does specify mTLS
>> >> capability) for the Synchronization channel in 5.1 - I wonder why this protocol
>> >> has not also been considered for the control channel instead of DoT?
>> >>
>> > The section securing the Synchronization channel  mentions:
>> >
>> > The AXFR request from the DM to the HNA SHOULD be secured and the use of TLS is RECOMMENDED {{!RFC9103}}.
>> >
>> > So this is effectively what we rely on, mostly for the following reasons: 1) most of our exchanges are IXFR/AXFR and these are the one with the main concern, and 2) we wanted to reuse what is implemented in major distributions.
>> > To put it in another way, we wanted the transaction between the HNA and the DM to be protected by TLS, and probably split from DNS over TLS to DoT. Would replacing DoT by XoT address your concern ?
>>
>> I'll confess my first encounter with XoT was in reading this draft, so
>> I don't have a lot of context on its suitability for this use-case
>> yet, but in as much as it looks at a glance to be a protocol that is
>> intended to support mTLS (where DoT is not) in a context where
>> authentication is expected, then I think it would address my
>> concern... more below.
>>
>> > I would be happy to understand though why DoT would be an issue. The only point I can see is that 7858 specifies that it limits its scope to client -to resolver communications while admitting such restriction is due to a charter limitation. Since XoT mentions it is heavily relying on DoT, and resolvers and authoritative servers both handle DNS packets, I tend to assume that we may consider DoT can be used for any DNS communications, but I might be missing something.
>>
>> What I understand when I read this draft is a proposal is to take a
>> protocol (DoT, RFC7858) with a primary purpose of providing *privacy*
>> and which states in its design that authentication of clients is not
>> in scope and use it in a context where *authentication of clients* is
>> the primary requirement (e.g. the DM needs to know that it's receiving
>> a connection from a client authorized to control the domain in the
>> messages). That type of usage outside of the scope envisaged by
>> RFC7858 brings two concerns to my mind:
>> 1) *How* will clients/servers choose to implement the client
>> authentication and will they be compatible with each other without
>> further guidance/constraint being provided on how client
>> authentication in DoT should be performed?
>
>
> This is correct that if client authentication is disable it will not happen. That said, we can believe that if that is what we are looking at the TLS library will be configured appropriately. IN this case the clients and the server are specific entities.
>
> Regarding 7858, it does not say the client is not authenticated, it says that the client authenticates the server and after the negotiation completes the connection is encrypted. Client authentication is part of the TLS negotiation.
>
> Another example is also that when session resumption occurs, it becomes hard to claim the client is not authenticated as TLS uses tha PSK-ECDHE scheme.
>
> To keep things simple, I would say if DoT were not defined we would have said the traffic is secured by TLS. If we cannot use DoT we are happy to do so, but I do not think using Dot is a concern there. That said, I am happy to learn more if I am missing anything.
>
>> 2) What are the security implications of authenticating clients in
>> DoT? No doubt there are ways to do it that are not secure and should
>> be avoided, but neither DoT or this now proposed draft examine this in
>> any way.
>
>
> XoT did that and optimized AXFR over TLS.
>>
>>
>> Generally any time I see a security protocol/mechanism designed for
>> one purpose (e.g. privacy) re-used in another context (e.g. client
>> authentication) without significant examination of the implications
>> and safety of that, I hear warning bells.
>
>
>>
>>
>>
>> > Another point I would like to clarify is why another port would be needed for mTLS as this is a capacity announced by the TLS server. The support of mTLS is simply announced by the server by sending a CertificateRequest. The TLS client may only accept such communications. I do not necessarily see this as an issue, but again maybe I am missing something.
>>
>> Sorry for the confusion here, the point I was trying to make was
>> simply whether DoT on the existing port could be used, or whether to
>> get the authentication properties you need from the connection you
>> actually need a new protocol (not DoT) that is designed fro
>> authentication, not privacy to achieve that, and if that were the
>> case, then such a hypothetical new protocol would presumably require
>> its own port.
>>
>> Hope that clarifies.
>>
> yes it does. I do not think we need a new port.
>
>>
>> --
>> Matt Brown
>> DNS Directorate Member
>
>
>
> --
> Daniel Migault
> Ericsson



-- 
Matt Brown
DNS Directorate Member

v2.23.0 | Report a Bug | By Email