Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

[Paul Wouters <paul@nohats.ca>]

On Tue, 20 Nov 2018, Warren Kumari wrote:

> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> I hope I'm just missing something obvious here, but this seems like it may
> cause a significant security issue.

No, you missed something subtle that clearly needs to stand out more :)

> What is to stop one of these VPN providers setting:
> INTERNAL_DNS_DOMAIN(www.paypal.com)
> INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...)
>
> or, better yet:
> INTERNAL_DNS_DOMAIN(com)

This sentence:

    When only a subset of traffic is routed into a private network using
    an IPsec SA, these Configuration Payload options can be used to
    define which private domains are intended to be resolved through the
    IPsec connection without affecting the client's global DNS
    resolution.

I think we had more explicit text in earlier versions that didn't make
the cut on future revisions. I will re-add proper text in Section 4 and
the Security Section.

> and so being able to spoof DNSSEC for paypal.com / all of .com?
> This is especially worrying if something like DANE is ever deployed...

There is a whole section on that.

https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-14#section-5

Specifically:

    IKE clients willing to accept INTERNAL_DNSSEC_TA attributes MUST use
    a whitelist of one or more domains that can be updated out of band.
    IKE clients with an empty whitelist MUST NOT use any
    INTERNAL_DNSSEC_TA attributes received over IKE.  Such clients MAY
    interpret receiving an INTERNAL_DNSSEC_TA attribute for a non-
    whitelisted domain as an indication that their local configuration
    may need to be updated out of band.

We basically said this is too dangerous to only authenticate via IKE. So
now, you need to _also_ do a (remote) configuration update, which
presumbly involves some Enterprise management system or humans.

> The draft *does* says:
> "Other generic or public domains, such as top-level domains, similarly SHOULD
> NOT be whitelisted." - this doesn't really answer the above. 1: It is
> increasingly hard to know what is a "real" TLD (.internal? .bank? .home?) 2:
> How do I programatically tell if www.foo.net is a "public domain"? What is a
> public domain anyway? How is an implementer supposed to address this?

What we tried to say was that any generic domain open for any registrant
for registration should never be accepted. While if you are Red Hat,
maybe te TLD .redhat would be okay. (brand TLD vs generic TLD). I agree
that it is difficult to determine this. The idea of the whitelist is
that VPN clients will show/confirm/enable the listed DNS domains, so
that if Honest Paul's VPN service includes "gmail.com", the enduser can
freak out properly.

> It also says:
> "Any updates to this whitelist of domain names MUST happen via explicit human
> interaction to prevent invisible installation of trust anchors." Is my auntie
> really expected (or competent) to understand what "Your VPN provider, TrustVPN
> wants to whitelist com. Do you want to allow this? [Y/N]" means?

Split-DNS is meant for Enterprise use of actual domains. If your auntie
works for Foo Inc., hopefully she can either have Foo's sysadmin
configure and install her VPN, or if the admin gives her some kind of
profile, auntie will be okay seeing "Your VPN provider Foo Inc. wants to
whitelist internal.foo.com" and she would be familiar with using the
internal.foo.com domain from the office.

Note that our text basically meant to say the IKE software should
probably never allow com/net/org/CCtld ever, but that would be difficult
to hardcode because we _still_ haven't fixed the PublicSuffix issue :/

> Also, some of the DNS behavior is handwavey - I think that the document really
> should be reviewed by DNSOP, but will leave it to Eric to make that call.

What is wavey?

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> This section: " The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
>   passed to another (DNS) program for processing.  As with any network
>   input, the content SHOULD be considered untrusted and handled
>   accordingly." feels a bit handwavey. Are there currently any DNSSEC
>   validating clients which can easily take a targeted TA for a specific domain
>   / set of domains?
>
> I’m also not quite sure how this interacts with delegations. E.g:
>
> example.com   600 IN NS ns01.internal.example
> And then INTERNAL_DNS_DOMAIN(internal.example) — if the client runs a local
> recursive, does it need to send the query to ns01 though the VPN or not?

It should not think about "through the VPN or not". We had that text
originally, but Tero pointed out a lot of Enterprise VPN's can come up
on demand. So the initial IKE negotiation could be for 10.1.2.3/32, and
include the DNS configuration for the internal auth servers on
192.168.1.1. It needs to configure the DNS so a packet for 192.1.1:53
triggers another IPsec tunnel to be setup.

So to use an unbound example, you only need to drop in the internal DS
record, and the "unbound-control forward example.com ip1 ip2"
configuration pointing to the internal auth servers for example.com.

Paul