Re: [IPsec] Terry Manderson's No Objection on draft-ietf-ipsecme-split-dns-14: (with COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 21 November 2018 05:41 UTC

Date: Wed, 21 Nov 2018 00:41:31 -0500
From: Paul Wouters <paul@nohats.ca>
To: Terry Manderson <terry.manderson@icann.org>
cc: The IESG <iesg@ietf.org>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-split-dns@ietf.org, david.waltermire@nist.gov
In-Reply-To: <154277279083.29769.12251386687781208754.idtracker@ietfa.amsl.com>
Message-ID: <alpine.LRH.2.21.1811210033200.29140@bofh.nohats.ca>
References: <154277279083.29769.12251386687781208754.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/2a8LGMNnxDg2vqhALoIKxPAKcvs>

On Tue, 20 Nov 2018, Terry Manderson wrote:

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks for the time and effort invested in this document. I'm also very
> interested to see the resolution to Warren's DISCUSS regarding
> ipsecme-split-dns being used as an easy tool to over-claim entire sections of
> the DNS hierarchy. Perhaps specifying that the DOMAIN and TA sent to the client
> MUST be in the administrative control of the VPN provider (I'm not sure I read
> that in the draft) might be one way out, yet I wonder if this is a case of
> simply having to trust that the VPN provider does the right thing (as cold as
> that leaves me) regardless of the words in the document.

The defense mechanisms against that are (and I will clarify the text for
that):

1) If there is no split-tunnel, then split-DNS payloads MUST be ignored.
    (this covers the third party VPN providers, but note those services
     can also specify INTERNAL_IPV4_DNS to take all your queries. Of
     course, they can see/modify all your packets that have no
     cryptographic protection beyond the IPsec layer)

2) Don't accept TLDs (and/or wellknown SLDs)
    This might be easy for com/net/org, but harder for facebook.com or
    gmail.com)

3) Any DNSSEC trust anchor overrides MUST come in via the provisioning
    process and NOT via the IKE protocol.

It is step 2) that might require user interaction and is hard to do, but
I do not think it is a solvable problem, and note that split-tunnel
setups that require split-dns are typically enterprise deployments where
you must trust the enterprise. There is some question about 1) being
abused, e.g. offer 0.0.0.0/1 and 128.0.0.0/1 to trick the client into
believing it is on split-tunnel even though it is not, but we feel any
VPN actor being that malicious can do more evil things secretly after
decrypting your traffic anyway, such as a transparent proxy for port 53.
That is why we allow INTERNAL_DNS_DOMAIN without the provisioning step,
but do not allow INTERNAL_DNSSEC_TA without it being provisioned outside
of IKE.

Paul
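The three client-side checks Paul lists above, written out as an added example. This is not code from the draft, from Libreswan or from any other implementation; it models the policy only. Assumptions made here: traffic selectors are given as CIDR strings, an INTERNAL_DNSSEC_TA payload is reduced to a dict with "domain" and "digest" keys (the real payload also carries key tag, algorithm and digest type), the WELLKNOWN_SLDS set is a constructed placeholder for a locally maintained list, and the "provisioned" trust anchors are whatever the administrator installed outside IKE. The split-tunnel test goes beyond a naive look for 0.0.0.0/0: it merges the negotiated selectors and refuses to treat the tunnel as split when their union covers the whole address family, which catches the 0.0.0.0/1 + 128.0.0.0/1 trick mentioned in the message.

```python
"""Acceptance policy for IKEv2 split-DNS configuration payloads (example only).

Rule 1: no split tunnel -> ignore INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA.
Rule 2: never accept a bare TLD or a well-known second-level domain.
Rule 3: a DNSSEC trust anchor from IKE is honoured only if it matches one
        that was provisioned outside IKE.
"""
import ipaddress

# Constructed placeholder list; a real client would ship/maintain its own.
WELLKNOWN_SLDS = {"facebook.com", "gmail.com"}


def _nets(selectors, version):
    """Parse selectors of one address family, sorted by first address."""
    nets = (ipaddress.ip_network(s, strict=False) for s in selectors)
    return sorted((n for n in nets if n.version == version),
                  key=lambda n: int(n.network_address))


def selectors_cover_everything(selectors, version=4):
    """True if the union of the selectors covers the entire IPv4/IPv6 space.

    Walks the sorted networks and tracks the next address that still has to
    be covered; any gap means some destination is not tunnelled.  Two halves
    such as 0.0.0.0/1 + 128.0.0.0/1 therefore count as a full tunnel.
    """
    nets = _nets(selectors, version)
    if not nets:
        return False
    full = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    expected = int(full.network_address)
    for n in nets:
        if int(n.network_address) > expected:
            return False  # gap below this network
        expected = max(expected, int(n.broadcast_address) + 1)
    return expected > int(full.broadcast_address)


def is_split_tunnel(selectors):
    """Split tunnel unless every negotiated address family is fully covered."""
    families = {ipaddress.ip_network(s, strict=False).version for s in selectors}
    if not families:
        return False
    return not all(selectors_cover_everything(selectors, v) for v in families)


def domain_is_acceptable(domain):
    """Rule 2: refuse the root, bare TLDs and (sub)domains of well-known SLDs.

    The two-label suffix test is a simplification (it does not know about
    public suffixes such as co.uk); it is enough to illustrate the check.
    """
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    if len(labels) < 2:
        return False
    return ".".join(labels[-2:]) not in WELLKNOWN_SLDS


def filter_split_dns(selectors, dns_domains, dnssec_tas, provisioned_tas):
    """Apply rules 1-3.  Returns (accepted_domains, accepted_tas, reasons)."""
    reasons = []
    if not is_split_tunnel(selectors):
        reasons.append("full tunnel negotiated: split-DNS payloads ignored")
        return [], [], reasons

    accepted_domains = []
    for d in dns_domains:
        norm = d.lower().strip(".")
        if domain_is_acceptable(norm):
            accepted_domains.append(norm)
        else:
            reasons.append("rejected INTERNAL_DNS_DOMAIN %r: TLD or well-known SLD" % d)

    accepted_tas = []
    for ta in dnssec_tas:
        dom = ta["domain"].lower().strip(".")
        if dom not in accepted_domains:
            reasons.append("rejected INTERNAL_DNSSEC_TA for %r: domain not accepted" % dom)
        elif (dom, ta["digest"]) not in provisioned_tas:
            reasons.append("rejected INTERNAL_DNSSEC_TA for %r: not provisioned outside IKE" % dom)
        else:
            accepted_tas.append((dom, ta["digest"]))
    return accepted_domains, accepted_tas, reasons


if __name__ == "__main__":
    # Constructed sample: a remote peer offering two half-space selectors
    # while pushing a "corp.example" domain and a trust anchor for it.
    provisioned = {("corp.example", "aa")}
    tas = [{"domain": "corp.example", "digest": "aa"}]
    print(filter_split_dns(["0.0.0.0/1", "128.0.0.0/1"], ["corp.example"], tas, provisioned))
    print(filter_split_dns(["10.0.0.0/8"], ["corp.example", "com", "gmail.com"], tas, provisioned))
```

The first call in the demo shows rule 1 firing even though no 0.0.0.0/0 selector was offered; the second shows the domain and trust-anchor filtering on a genuine split tunnel.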