IETF Logo Mail Archive

Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Eliot Lear <lear@cisco.com> Fri, 27 February 2015 10:16 UTC

Return-Path: <lear@cisco.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DC3E1A1A74 for <ietf@ietfa.amsl.com>; Fri, 27 Feb 2015 02:16:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.211
X-Spam-Level:
X-Spam-Status: No, score=-14.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e3DL3INV6My1 for <ietf@ietfa.amsl.com>; Fri, 27 Feb 2015 02:16:35 -0800 (PST)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9B881A1A5A for <ietf@ietf.org>; Fri, 27 Feb 2015 02:16:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2530; q=dns/txt; s=iport; t=1425032195; x=1426241795; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to; bh=A5lp5z6LZnnIuKkgos6Hdi2tZ4gm8sg/ImlEGFYwxfg=; b=jE7hx6Yz2mB2i7VNRlZGkZMJRCnqo+iLXphnJdgyDy/Ja4BpO9OrLrfJ eg8z4Ak/kN+3vFf5kxJsx9OBrJRf9/tlhw28FXub6LlNjm7z+T2Mvbp7Y EMFVzUiSJyrJXiTLon/nN8+gdR4rkEPOxTbyhoAOKZ1VwR3XEgK6egoxu g=;
X-Files: signature.asc : 486
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ATBQC3Q/BU/xbLJq1bg1Ragwq/BoV0AoFtAQEBAQEBfIQQAQEEI1UBEAsYCRYEBwICCQMCAQIBRQYNAQUCAQGIK7xWmhIBAQEBAQEBAQEBAQEBAQEBAQEBAQEXixKEDBEBUAcJgl+BQwWRVYEuUYVmgRs5hRWJKoM+I4IygT09MYELgTgBAQE
X-IronPort-AV: E=Sophos;i="5.09,658,1418083200"; d="asc'?scan'208";a="358110486"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP; 27 Feb 2015 10:16:25 +0000
Received: from [10.61.193.10] ([10.61.193.10]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t1RAGOnI027991; Fri, 27 Feb 2015 10:16:24 GMT
Message-ID: <54F043F8.6090409@cisco.com>
Date: Fri, 27 Feb 2015 11:16:24 +0100
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Patrik Fältström <paf@frobbit.se>
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
References: <20150127223859.28024.43756.idtracker@ietfa.amsl.com> <4257D8A3-0EFE-40E3-B0AD-8E23772B7693@mnot.net> <6F9BB11D-C224-4D7B-A06C-41EACBAAB4B2@netnod.se> <54C9DA42.5040901@cisco.com> <9EB44D8A-278B-42FC-A542-1C182AD43128@netnod.se> <A74A30F4D1214630918FD4CA@JcK-HP8200.jck.com> <20150223153757.GI1260@mournblade.imrryr.org> <20150223155241.GJ1260@mournblade.imrryr.org> <tsl8ufoh9ko.fsf@mit.edu> <20150224170209.GV1260@mournblade.imrryr.org> <54F03F38.9090601@cisco.com> <1ED9F633-40B1-4A90-85FE-14526C27A485@frobbit.se>
In-Reply-To: <1ED9F633-40B1-4A90-85FE-14526C27A485@frobbit.se>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="37wX9j2rj3rvIoUsDT9HVLKQlhR047phw"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/UKLrE2XE7-0U9R5N5eck5XCkfhI>
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Feb 2015 10:16:48 -0000


On 2/27/15 11:04 AM, Patrik Fältström wrote:
>> On 27 Feb 2015, at 10:56, Eliot Lear <lear@cisco.com> wrote:
>>
>> Given a slightly modified example from your document:
>>
>>   $ORIGIN example.net.
>>   _http._web    IN URI 10 1 "httpS://www.example.com/"
>>
>> If the intent here is to declare an equivalence between
>> http://example.com and https://www.example.com the problem is that
>> absent DNSSEC one is subject to a downgrade attack.  Thus a browser
>> cannot trust the equivalence.
> Absolutely!
>
> I get that, completely.
>
> I wanted to know what is so special about URI that SRV and MX do _not_ have.

Truthfully I do not think there is a substantial difference, although
the form of attack varies slightly.

In the case of MX, the security properties (whether or not to use TLS)
do not explicitly change, although as you know, Patrik, it is possible
an attacker could divert someone's email with a low weight MX such that
STARTTLS is not offered, or if it is offered, it is for another
certificate.  We have no standard defense to indicate that STARTTLS is
required at the MX level.

In the case of SRV the situation is much the same.  You don't specify
whether to start TLS based on SRV.  But in the case of URI, if the
returned URI is intended to contain https: and yet an attacker somehow
prevents that from happening, no TLS is started.  There is no easy
workaround for this sort of attack (or the others) because the traffic
is redirected to a perhaps-faux service.

DNSSEC: it's not just for breakfast anymore.

Eliot

v2.23.0 | Report a Bug | By Email