Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

Warren Kumari <warren@kumari.net> Wed, 21 November 2018 17:04 UTC

Return-Path: <warren@kumari.net>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1873F123FFD for <ipsec@ietfa.amsl.com>; Wed, 21 Nov 2018 09:04:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.459
X-Spam-Level:
X-Spam-Status: No, score=-1.459 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y-KhlUrRU_i5 for <ipsec@ietfa.amsl.com>; Wed, 21 Nov 2018 09:04:23 -0800 (PST)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E47D9130DF1 for <ipsec@ietf.org>; Wed, 21 Nov 2018 09:04:22 -0800 (PST)
Received: by mail-wm1-x32f.google.com with SMTP id c126so6485032wmh.0 for <ipsec@ietf.org>; Wed, 21 Nov 2018 09:04:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kInffnsq33msklFEyMufTafTxg/iD/og/Cwmsx4LeSw=; b=ctiXW8VMx/5N0LHzuqlqjD2eK7OVAgdiY7uVljqKM6nSFQ6SA1MPkqRYBqCU1vG/Q7 Hlif7EkAAxHlS73cMNfqY+tI5g9YUcft/UumQ+9XIO5bcoa2bnITE/JeI9E0v2lJM1Q0 cEpFACbcAZ4dSfaAZffFS6NI1u0PXFAffRcOs9/IrAB5+om9QmNt4lI6LnL8AKjVlclh Z2/oUeiAXur3Vgfavyy+0SIl2X9KcS8MAidPY/Feeku5Y5bb54g3JiU7uOSDWFM3qd+3 R656lMFB6updArzDAeREB2ZuwOQyfOt/f3PAo5PiA1rkB9Ns0jc/x5VSvNpMd0kUzNgN GWcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kInffnsq33msklFEyMufTafTxg/iD/og/Cwmsx4LeSw=; b=GfmdwL6UISep71uCtdvS3A80zRp2xX1pRKdKyeH9Ysx01K0qWmhcwKumpfhgYMDwcE MPhnWM9cKh6dUV2H0ST7BfEFi9dvFt+wNo7re3sV1sOuz9Jr1DyVo8wM+upoHier7SWX fbGpyXz6vhtq0F1YDbk2jJPXMyYh1bf9+s0gqMYmX9xdN9k3MOMHQGrH4bfwIFlMui92 Yklc+YiwqqH7y5xL4U5GV3kbT7v/T0K8SRvRL1Em0us+3ZL4CPqs4eq0rFhVzTH4bSci tYLSSPscjknzzuB+BTHz0IQBdHEJUrwsT+DGPxh3FQmbupJCHJalC20nMnCOzMlU5QMR dHwQ==
X-Gm-Message-State: AA+aEWZD+kNxvvrioGPATtdvZuSUM4Qk3dTYi+hhCGmSDgi7G3TZoTgb TAHlNe6zYc1ZhCqtCDlXPuv9w7y8qUcGTd9k68aoHQ==
X-Google-Smtp-Source: AFSGD/XtbwqO+SB00YrRhVAsMiB5IvHIe87uZXsTCUpSAKRT3JFdn5doOompfFTiaaO9klOsE9tG3+kWKr94q1GIE3w=
X-Received: by 2002:a1c:184:: with SMTP id 126mr2842745wmb.24.1542819860890; Wed, 21 Nov 2018 09:04:20 -0800 (PST)
MIME-Version: 1.0
References: <154275299932.29937.5149382512933072864.idtracker@ietfa.amsl.com> <alpine.LRH.2.21.1811210006170.29140@bofh.nohats.ca> <CAHw9_iKyBpOa1ktYvDDvuHnN+nLN7GnP49PwdT6-FWqNzDrUgg@mail.gmail.com> <alpine.LRH.2.21.1811211012160.24767@bofh.nohats.ca> <CAHw9_i+j92j4-DZHrL21CNkUFdheOO6z5+wfsG8Lrq1WorwnCw@mail.gmail.com> <3734030E-4394-4C1A-9FE7-493FF5EC7FED@nohats.ca>
In-Reply-To: <3734030E-4394-4C1A-9FE7-493FF5EC7FED@nohats.ca>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 21 Nov 2018 12:03:44 -0500
Message-ID: <CAHw9_iLv=f7Z0m6Fa_XfcPF26ia-NTSoaCqOJLN3E1Y1jYu=hg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: The IESG <iesg@ietf.org>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-split-dns@ietf.org, "Waltermire, David A." <david.waltermire@nist.gov>
Content-Type: multipart/alternative; boundary="000000000000c2e170057b2fbdf8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/GE0s3LHLaP5CMkm224meMttXV_U>
Subject: Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 17:04:25 -0000

So, I'm still fairly uncomfortable - having a VPN provider able to override
my DNSSEC configuration worries me, especially if things like TLSA / DNSSEC
Chain Extension / similar are used.
I was starting to come to terms with this, as I'd assumed that the common
deployment scenario was "Install (as root / admin) this binary package
containing a VPN client.", in which case a malicious VPN provider already
has the ability to do, well, basically anything (and doesn't need this
method to be malicious), but if this isn't the universal case, I'm
concerned again...

A number of other IESG folk were also concerned - as a compromise, I'm
going to ask DNSOP to have a look at the document (it is, after all, quite
DNS related) and get their feedback.
I am sympathetic to the general use case, but really don't want this to
open scary security holes / decrease "trust" in DNSSEC.

W


On Wed, Nov 21, 2018 at 11:42 AM Paul Wouters <paul@nohats.ca>; wrote:

> On Nov 21, 2018, at 23:04, Warren Kumari <warren@kumari.net>; wrote:
>
>
> Well, if you removed the DNSSEC_TA bit, and expected enterprise tools to
> do this through "normal" enterprise tools methods this would work.
>
>
> That is basically what we did with the mandatory white list, except now
> the internal zones can still do rollovers without locking out all VPN
> clients that haven’t recently done some (automatic or manual) provisioning
> update that isn’t standardized.
>
> And in the end, if a user treats/trusts a generic VPN service provider the
> same as an enterprise provisioning system, then we cannot define them to be
> different. That is, whatever you define as out of band, non-ike enterprise
> provisioning with be equally weak to this attack if provided by the generic
> VPN provider. Kittens all the way down.
>
> Paul
>
>
>
> (It started writing that the zone could also be unsigned, but that
> obviously doesn't work in the case of non-delegated "TLDs"...)
>
> W
>
>
>
>> But in the end, it all depends on
>> how badly you want your VPN service to see cute kittens.
>>
>> Paul
>>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea
> in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair of
> pants.
>    ---maf
>
>

-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf