IETF Logo Mail Archive

DNS64, DANE and DPRIV

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 06 December 2014 17:45 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F34F91A1A4E for <ietf@ietfa.amsl.com>; Sat, 6 Dec 2014 09:45:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHqnlLz0lOWh for <ietf@ietfa.amsl.com>; Sat, 6 Dec 2014 09:45:15 -0800 (PST)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04A2C1A1A15 for <ietf@ietf.org>; Sat, 6 Dec 2014 09:45:15 -0800 (PST)
Received: by mail-la0-f41.google.com with SMTP id hv19so2180783lab.0 for <ietf@ietf.org>; Sat, 06 Dec 2014 09:45:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=BIIACCZseBm+eDG2BcMt003nNdU1DtVNw6SfHqKCI70=; b=ZgVne20l7FPmn4ytn5UJK8/sxCwdsA1yy9P/YbIkYe7gG44UdjsdHDDOnIHVVFBF8d /yvefoLnTXHIBEGrWy632+PJDgxasgIFl/SSjEOujSnMmTGb4XdKycIBkJfpiJt9mA1d u4KuaJdPYG7qNoY7DlWqcSF9y7XOx2TsXzuIPPxWYbDo4jgFASf7D8VZMcvECrvOD15a g6nU20byuIqxt/Ctbq4t4REJr7LPHkYgmsrWajapFexIn3DEbEYEp0/qY5TLN/oZOVJF ZXF0Jsw97RIupPJtIqYVWJNZjXxGnOBkpsD9+0i5yOxeT/i2GKnnmDQqfFionXPJo0p2 Kocg==
MIME-Version: 1.0
X-Received: by 10.112.199.40 with SMTP id jh8mr8582907lbc.5.1417887913355; Sat, 06 Dec 2014 09:45:13 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.19.42 with HTTP; Sat, 6 Dec 2014 09:45:13 -0800 (PST)
Date: Sat, 06 Dec 2014 12:45:13 -0500
X-Google-Sender-Auth: grA0__EXQ0QM-6r2biQaDt7CyaA
Message-ID: <CAMm+Lwj+KjTVka1M7O+tsp76C_OCGR0bWKH_k5UrZXSYZrF+GA@mail.gmail.com>
Subject: DNS64, DANE and DPRIV
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: IETF Discussion Mailing List <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c3457668319605098fc125"
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/2T9uQvx_UbysTTmyObsujtEL8oQ
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Dec 2014 17:45:17 -0000

Following up on the DNS64 discussion. There is an important action item
that IETF can take right now that has a lot of leverage for IPv6
deployment.

* DPRIV be required to provide a mechanism for mutual authentication as
well as confidentiality.

This is not a major increase in scope. Authentication is essential for
confidentiality. But it is a big improvement in leverage.


The idea of DPRIV is that instead of sending requests to a random DNS
resolver in plaintext, we instead send them encrypted. And by implication
we also direct them to a resolver that can be trusted not to disclose the
traffic to an attacker.

So in the DPRIV model, the resolver is trusted. I suggest that there are in
fact quantized levels of trust.

0) Service: To provide responses to requests
1) Confidentiality: To not disclose traffic to third parties
2) Routing Integrity: To provide A and AAAA record responses that connect
traffic to the correct end point
3) Security Integrity: To provide keys for the end points.

Now depending on how much processing you are prepared to put in the client
you can reduce the level of trust. But you do need more code (or human
intervention).

So it is in theory possible to use DNSSEC to avoid the need to rely on the
resolver to return responses but I have never seen that done in a
completely robust fashion because it would require a lot of code and a lot
of corner cases.

The point of DNS64 is to provide a mechanism that makes it easy to turn on
IPv6 today. All the client needs is a connection to a DNS router that
supports DNS64.


Because of network circumstances a client using DNS64 is almost certainly
going to need to use DPRIV for access simply because port 53 has been
sabotaged so thoroughly. So we are going to have to trust the DPRIV
resolver to level 1 at minimum

The fact that we are considering DNS64 at all implies that we are willing
to trust the resolver to level 2. But to do that we have to have
authentication of the resolver at minimum and I would argue that mutual is
also necessary for enterprise deployment.

As soon as we have DPRIV with authentication it becomes possible to ship
IPv6 only products today. The only facility those products require to
connect to the IPv4 Internet is a DPRIV connection to a DNS resolver that
offers DNS64.


Note however, that trust to level 2 does not entail trust to level 3. An IP
address and a Key or Key fingerprint are two very different things. A Key
or Key fingerprint is an authenticator. An IP address is not an
authenticator, or at least it is a very weak one whose interpretation
requires us to trust a great deal more than our resolver.

v2.23.0 | Report a Bug | By Email