IETF Logo Mail Archive

Re: [IPsec] draft-pauly-ipsecme-split-dns

Nico Williams <nico@cryptonector.com> Tue, 19 June 2018 22:46 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCB9A130FCD; Tue, 19 Jun 2018 15:46:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z1nXdLCRsg1y; Tue, 19 Jun 2018 15:46:56 -0700 (PDT)
Received: from homiemail-a132.g.dreamhost.com (homie-sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 000F4130FD4; Tue, 19 Jun 2018 15:46:55 -0700 (PDT)
Received: from homiemail-a132.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a132.g.dreamhost.com (Postfix) with ESMTP id 44C9130002BA9; Tue, 19 Jun 2018 15:46:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=EZTl1MWU58qO4u vAYIrBGFmY2u4=; b=rZU4oQiCA15lR/VvuRAnS7D+vnh9Zr2vnApIz1EcNdX2jf y0gzZW3xVm94PfF2YNAwFi/ol3vn4CJsxBobqorowkYrXXRPV4l5VUKn7QrSSeLP F6F6cZUQbNpQcIamCrWi3KQIb9PRazrBer+AjjOgT7Oj6WzqOLXlnjLMZzT04=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a132.g.dreamhost.com (Postfix) with ESMTPSA id B1C9A30002BA8; Tue, 19 Jun 2018 15:46:54 -0700 (PDT)
Date: Tue, 19 Jun 2018 17:46:52 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Wouters <paul@nohats.ca>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
Message-ID: <20180619224651.GD4218@localhost>
References: <alpine.LRH.2.21.1806181644520.22748@bofh.nohats.ca> <CABcZeBPf6TEh3JtYwT7D6+90y40W7y_=Hx03xNzLxEuQM_YsLQ@mail.gmail.com> <alpine.LRH.2.21.1806181702230.13143@bofh.nohats.ca> <CABcZeBOa8qMhDyCMzPTAtUBZTYPGehrhPrr6h4cVCjP4QZ1+Ew@mail.gmail.com> <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca> <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com> <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca> <CABcZeBN2HwiwVzAUjyZU+Q+toFM2jOKHD9xmKwM1V5qhUoULEQ@mail.gmail.com> <20180619183459.GC4218@localhost> <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/1v09xSpOrW0xrmR_xXzFy7bh4aw>
Subject: Re: [IPsec] draft-pauly-ipsecme-split-dns
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2018 22:46:58 -0000

On Tue, Jun 19, 2018 at 12:26:10PM -0700, Eric Rescorla wrote:
> On Tue, Jun 19, 2018 at 11:34 AM, Nico Williams <nico@cryptonector.com>
> wrote:
> > The I-D should say that clients MUST allow local configuration of what
> > domains to accept trust anchors for, and SHOULD allow local policy to
> > list . as a domain for which to accept trust anchors.
> >
> > This local configuration should be per-SG.
> >
> 
> The ID can say that, but as a practical matter, any enterprise that has
> a reasonable number of internal domains is just going to tell people
> to configure their client to accept any domain name.

And what's the problem with that?

If it's your own device you might balk, so get your employer to provide
you with theirs.  Or just accept it as part of the employment deal.

The I-D should have Security Considerations text about it and that's
that.

> > 2. Because the current design also allows those trust anchors to sign TLSA
> > > records, any TLS client which accepts those TLSA records is
> > > subject to MITM by the VPN server
> >
> > And SSHFP.  And anything else that might be security-relevent (all
> > of DNS, really).
> 
> Well, different parts of DNS are differently security relevant. For
> instance, the IP-address mapping usually isn't that big a deal because
> the network attacker can reroute you anyway.  This definitely merits a
> Security Considerations note even if this

> > property were actually the point of this protocol.

Yes, a Security Considerations note should be a) required, b)
sufficient.

> > > 3. Even if enterprise doesn't intend to run a MITM proxy, this means that
> > > any compromise of the VPN server automatically makes it an MITM proxy for
> > > the Internet as a whole, because the person who compromises it can simply
> > > reconfigure it to advertise any domain of its choice as internal, as well
> > > as the corresponding keys and TLSA records.
> >
> > Sure, but it's not like clients will be choosing to connect to any VPN
> > servers.  Generally the client must already have a trust anchor for the
> > SG to begin with.
> 
> Why? That trust anchor doesn't need to allow the creation of arbitrary
> WebPKI certs. All that is needed is to be able to authenticate the
> VPN server itself.

Why on Earth would I connect to some random SG I don't know?

> > Painting this as a security threat to the entire
> > Internet is going a bit too far.
> 
> Why?

Because my VPN clients don't connect promiscuously.  I can't say no
promiscuous VPN clients exist, but I imagine that none do.  And any
promiscuous VPN clients get what they deserve.

Nico
--

v2.23.0 | Report a Bug | By Email