IETF Logo Mail Archive

Re: [IPsec] Paul Wouters' Discuss on draft-ietf-ipsecme-add-ike-11: (with DISCUSS and COMMENT)

Valery Smyslov <svan@elvis.ru> Tue, 25 April 2023 05:27 UTC

Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 191BFC14CF0D; Mon, 24 Apr 2023 22:27:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pN5167u72A29; Mon, 24 Apr 2023 22:27:01 -0700 (PDT)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 796ECC14F5E0; Mon, 24 Apr 2023 22:26:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Cgm5kJ0uq8uVb2TW5gdGbENJlroAL5BZUPYlQuc0Q80=; b=uFpwPoDo+YzS9RXk/cKPCYiiUT KgxzF2zKJbSLHxv36yWK+iKheDunnvM6Qyt1dvKdKzFMTi3hpDCH7pEWTxgLx/tb9RTEJsYF3zBeh qXqoUEt++XUKNssnJnBa6BnMrnoe9o7YJt2Nm1vluBDcrBFgi4nD5mWYL/OU3LJtJDJ4=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1prBCW-0002kH-JB; Tue, 25 Apr 2023 08:26:52 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1prBCW-0001eX-DV; Tue, 25 Apr 2023 08:26:52 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Tue, 25 Apr 2023 08:26:52 +0300
Received: from svannotebook (10.102.102.1) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Tue, 25 Apr 2023 08:26:51 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Paul Wouters' <paul.wouters@aiven.io>, 'The IESG' <iesg@ietf.org>
CC: draft-ietf-ipsecme-add-ike@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
References: <168237846356.6004.18418564180515702317@ietfa.amsl.com>
In-Reply-To: <168237846356.6004.18418564180515702317@ietfa.amsl.com>
Date: Tue, 25 Apr 2023 08:26:50 +0300
Message-ID: <00cf01d97736$899fa260$9cdee720$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFlU/kMXTqbcph/WlXYyiKNQ/qgILAjupaA
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2023/02/21 22:47:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2023/02/21 21:02:00 #20887462
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/7cVvfQSbhGh9i1b9WxhCMRxQ5pI>
Subject: Re: [IPsec] Paul Wouters' Discuss on draft-ietf-ipsecme-add-ike-11: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Apr 2023 05:27:07 -0000

Hi Paul,

thank you for your comments, please see inline.

> Paul Wouters has entered the following ballot position for
> draft-ietf-ipsecme-add-ike-11: Discuss
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> I have a few important items I believe needs fixing, but I believe those are
> still fairly easy to address.
> 
> #1 payload format of ENCDNS_DIGEST_INFO
> 
> I believe the proposed syntax for ENCDNS_DIGEST_INFO in this document
> should not be specified this way. Depending on the use of this payload,
> it has a different field construction. That is, we have two different
> kinds of ENCDNS_DIGEST_INFO, which would make defining this field (eg in
> C headers or in a class object) impossible without splitting it into two
> different names and definitions. Either all the fields must be identical,
> with optional 0 lengths field omitted, or the draft should define
> ENCDNS_DIGEST_INFO_REQUEST and ENCDNS_DIGEST_INFO_RESPONSE with
> their different
> field types. This can be further seen by the difficulty to read the examples
> in the appendici with the ENCDNS_DIGEST_INFO() syntax.
> 
> If one ENCDNS_DIGEST_INFO type is used, I think the syntax for both request
> and response should be:
> 
>  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-----------------------------+-------------------------------+
> |R|         Attribute Type      |            Length             |
> +-+-----------------------------+---------------+---------------+
> | Num Hash Algs |  ADN Length   |                               |
> +---------------+---------------+                               +
> ~                Authentication Domain Name                     ~
> +-------------------------------+-------------------------------+
> | Digest Hash Alg Identifier    |                               ~
> +-------------------------------+                               +
> ~                     Certificate Digest                        ~
> +-------------------------------+-------------------------------+
> 
> (eg as the current "response" version)

Actually, the format is the same for both request and response,
but depending on Num Hash Algs and AND Length and also on Length,
some fields may be omitted.

The most generic format is:

 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-----------------------------+-------------------------------+
|R|         Attribute Type      |            Length             |
+-+-----------------------------+---------------+---------------+
| Num Hash Algs |  ADN Length   |                               |
+---------------+---------------+                               +
~                Authentication Domain Name                     ~
+---------------------------------------------------------------+
~               Digest Hash Alg Identifiers        ~
+---------------------------------------------------------------+
~                     Certificate Digest                        ~
+-------------------------------+-------------------------------+

Figures 2 and 3 just show how this attribute
looks when Num Hash Algs, AND Length and Length 
have specific values, which make sense for the request and response.

> And Num Hash Algs, ADN Length and Digest Hash Alg Identifier
> are mandatory fields in both the request and the response. I would
> also always list these 3 fields in the presentation format of
> ENCDNS_DIGEST_INFO() as used in the appendici examples.
> 
> I would rename "Hash Alg Identifier" to "Digest Hash Alg Identifier"
> to make it more obvious that is what the hash algorithm is for.
> 
> #2 Updates RFC 8598
> 
>         Note: [RFC8598] requires INTERNAL_IP6_DNS (or INTERNAL_IP4_DNS)
>         attribute to be mandatory present when INTERNAL_DNS_DOMAIN is
>         included. This specification relaxes that constraint
> 
> This clearly updates RFC8598, but the document is lacking an Update: clause.
> Please add the Update clause and mention the update in the
> abstract/introduction.

It was discussed in the ipsecme WG. The conclusion is that the "Update"
clause is only needed if a new specification changes the behavior of 
legacy implementations. In other words, if you need to fix old implementations
even if they don't support new specification - then you should mark
this new specification as "Update" for an old. This is not the case,
the specified behavior is only relevant to implementations supporting
encrypted DNS. If they don't - they follow RFC 8598.

This is a long time approach in ipsecme WG, otherwise every new
extension to IKEv2 would update RFC 7296  (which is not the case). 

> #3 Security Considerations
> 
>         The initiator may trust the encrypted DNS resolvers supplied by
>         means of IKEv2 from a trusted responder more than the locally
>         provided DNS resolvers, especially in the case of connecting
>         to unknown or untrusted networks (e.g., coffee shops or hotel
>         networks).
> 
> This does not seem to be a "Security Consideration".
> Also, before this draft, receiving an (unencrypted) DNS server supplied
> by IKEv2 would also be more trusted. In general, VPN clients trust the
> "VPN provided nameserver" more than the local network one, irrespective
> of transport encryption. Perhaps this sentence can just be deleted?

Perhaps, but I would like to hear from my co-authors.

> #4 Appendix A.2 and A.3
> 
>         Legacy VPN service providers usually preserve end-users' data
>         confidentiality by sending all communication traffic through an
>         encrypted tunnel.
> 
> What is "legacy" about this? I do not understand the point that A.2 is
> trying to make?

As far as I remember, the point is that modern browsers rely on encrypted
DNS resolvers, and currently there is no way to configure such rresolvers
in case DNS servers are supplied by VPN provider (via IKEv2).

My co-authors, who wrote this text, perhaps will further clarify its meaning.

> Similarly, I don't understand Appendix A.3. The VPN service is not involved
> in "allowing" an application to send traffic through the tunnel. It is the
> VPN client that decided whether or not to send its traffic through the tunnel
> or not. Also VPNs typically are configured to be either split-tunnel or not.
> This can be, be hardly ever is, dynamic. I don't understand what A.3 is trying
> to convey as example use related to the encrypted dns capability of the
> document.

I think my co-authors will clarify this.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Appendix A and B are marked as "example". This is confusing. I would rename
> Appendix B to "Configuration Payload examples".
> 
> The Figure 5 text should add the line:
> 
>         * Its Service Priority is 1
> 
> Which explains one of the number "1"s in the Figure which is otherwise
> unreferenced.
> 
> The placement of "AliasMode" confuses me. It appears as part of the
> Service Priority as a field name, but it is not a mode or value of
> that. Perhaps the text should be moved somewhat down, after the
> listing od fields? (It is also somewhat confusing in the reference
> document I-D.ietf-dnsop-svcb-https.
> 
> 
>         Note that, for many years, typical designs have often considered
>         that the DNS resolver was usually located inside the protected
>         domain, but could be located outside of it. With encrypted DNS,
>         the latter option becomes plausible.
> 
> Note that, VPN clients might have code that specifically prohibits the
> use of DNS servers on IP addresses that are not covered by the VPN tunnel.
> 
> I also have some concern with the word plausible, as that seems to only take
> encryption into account and not redirection or privacy concerns towards
> the encrypted DNS server, or what could be monitored from an adversary
> seeing the encrypted DNS stream not protected by the VPN to a DNS server.
> (eg an adversay sees an encrypted DNS packet to 192.1.2.1, and then sees
> a plaintext query to the root server for ohnoos.org from IP 192.1.2.1).
> Note that based on this reasoning, perhaps a consideration for this should
> be added to the Privacy Considerations section.
> 
> I would remove this note or rewrite it as a caution note instead, eg:
> 
>         Note that existing VPN client implementations might not expect
>         the new use case of an obtained DNS server IP being outside of
>         the covered IP ranges of the VPN tunnel.
> 
> 
> 
> This example does not make it clear if the encrypted DNS resolver can be
> used for all DNS or not. It appears to say there is a limitation to only
> use it for internal-only domain names. I do not think such a protocol
> limitation should be implied by this example?
> 
>         Enterprise networks are susceptible to internal and external
>         attacks. To minimize that risk all enterprise traffic is encrypted
>         (Section 2.1 of [I-D.arkko-farrell-arch-model-t]).
> 
> I'm not sure if this sentence is relevant to the document in question? Or
> actually, if all enterprise network is encrypted anyway, why cant one just
> send "unencrypted DNS", encrypted over the VPN to the VPN server? The VPN
> server would then encrypt that traffic to the target internal DNS server
> using its regular "all enterprise traffic is encrypted" model. I suggest
> to just remove this sentence.
> 
> 
>         Hosting encrypted DNS resolvers even in case of split-VPN
>         configuration minimizes the attack vector (e.g., a compromised
>         network device cannot monitor/modify DNS traffic).
> 
> I think "minimizes" should be changed to "can minimize". For example, if the
> encrypted DNS is hosted on the VPN server itself, the above claim is not true.
> 
> 
>         In this example, the initiator uses the ENCDNS_DIGEST_INFO
>         attribute to indicate that the encrypted DNS client supports
>         SHA2-256 (2), SHA2-384 (3), and SHA2-512 (4) hash algorithms.
> 
> Can we add "for certificate digests" to this sentence. I was a bit confused
> when I read this and saw support for hash algorithms and wondered what
> the list of hash algorithms was for again.
> 
> 
>         In this example, no ADN is included ...
> 
> Because this sentence is between two examples, it is really confusing as to
> which
> example it belongs to. how about:
> 
>         In the following example, no ADN is included ...
> 
> 

Your comments look reasonable, but I'd like to hear from my co-authors.

Regards,
Valery.

v2.23.0 | Report a Bug | By Email