IETF Logo Mail Archive

Re: [IPsec] draft-pauly-ipsecme-split-dns

Eric Rescorla <ekr@rtfm.com> Tue, 19 June 2018 15:45 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCB87130F56 for <ipsec@ietfa.amsl.com>; Tue, 19 Jun 2018 08:45:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PNvh-zQk6Hhm for <ipsec@ietfa.amsl.com>; Tue, 19 Jun 2018 08:45:17 -0700 (PDT)
Received: from mail-ot0-x22f.google.com (mail-ot0-x22f.google.com [IPv6:2607:f8b0:4003:c0f::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD7DC130DC0 for <ipsec@ietf.org>; Tue, 19 Jun 2018 08:45:16 -0700 (PDT)
Received: by mail-ot0-x22f.google.com with SMTP id d19-v6so164257oti.8 for <ipsec@ietf.org>; Tue, 19 Jun 2018 08:45:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kZ1RxOebE2HbQkvbqUVrm+0Hk6SlnSWClRdABfs58NE=; b=fZ+qDYQs3QwSlx+NKQf5WDVGtd16XHfe58A3XXiER+OHIo4hiVa2DsJTEim0erWU+J uVohF+5MIpNjdjm4c41LiI594RSQ+4eOjEYyeOsYV0hcBePqFXyvE1VMFZkdhKmRHhtp 0wK5eSSp8W/gybUJC3RD7Jj6kBVHHZX1i4ROt6LSuvzFtqghZFHI7KDa8tL7P5sHjK7h VI9VBYgvXud4Nnq2Lnsl89sbnuymCUTNeH38fVBNYl3D9Ku3oWgwwJu5oqOv9Dpo9Ghl Khumhsgo5cnZPGEUZ5dRPjY2wT+jJP8kkptPdILnX6aEDxyDqCvUtICsLodkXMjIXzjv Al6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kZ1RxOebE2HbQkvbqUVrm+0Hk6SlnSWClRdABfs58NE=; b=sG0brMbb1d1DNnX6MpgP29Ni0QakRZmjy4briSI0b2WICXTomOrmFx5NnUxlwoPTjm JV9IXgHJIy4CI8V31mQkFlysHFe8Muwiz9VL8wI1FaX9egTUBR3rWahoKEtBVtlKBS2f VMcGFwpQvKIlpWsS6F6o+k3EAvCy1nY35RE3yWnFG4syCJF1ffX7PV5QXDFcg5qvhuYf lcRLBNlD9Fbd6v/v97ZBS+IbCwnpALj/Jq92LAj+PfVZCoe0RtNxF6fnZV85+tIpcT8s VPFnLa1MKkhkpmQ/1lRmTqKD5KkE0xk/LIMmnKGr6zGvytxqT+kpnceKcHgRyp9kJL71 b1HQ==
X-Gm-Message-State: APt69E1A14HUJdYClxmatALovVxYghEuPwJj2kiOU9p8SO4sals8gVlA DkXbESengWyx3gNsSO5DNAfGCc+sgGyPFKUVbpyf0Q==
X-Google-Smtp-Source: ADUXVKJ4DCPFGJ2kHrbfwk+X0GkUt/1X0C7ez+W3qkHIWqW2iqNKR6O/32bwpouBZL3ZXk7XWILrx4unQe2i4CYKFls=
X-Received: by 2002:a9d:2f45:: with SMTP id h63-v6mr11477215otb.371.1529423116164; Tue, 19 Jun 2018 08:45:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac9:3a8a:0:0:0:0:0 with HTTP; Tue, 19 Jun 2018 08:44:35 -0700 (PDT)
In-Reply-To: <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca>
References: <BL0PR0901MB23061A8F0712B88D36CB05B4F0710@BL0PR0901MB2306.namprd09.prod.outlook.com> <BL0PR0901MB23068BA2032457DC76CE70E2F0710@BL0PR0901MB2306.namprd09.prod.outlook.com> <CABcZeBOi6BoBFdkq9iz6GPLR+f5SJ8uR68GFS0Lsd+1UvHcCvQ@mail.gmail.com> <alpine.LRH.2.21.1806181637240.22748@bofh.nohats.ca> <CABcZeBPZFswnn6zoK6h-Oiy8P1o5u-BVVExQSO48fxGWy1cwXQ@mail.gmail.com> <alpine.LRH.2.21.1806181644520.22748@bofh.nohats.ca> <CABcZeBPf6TEh3JtYwT7D6+90y40W7y_=Hx03xNzLxEuQM_YsLQ@mail.gmail.com> <alpine.LRH.2.21.1806181702230.13143@bofh.nohats.ca> <CABcZeBOa8qMhDyCMzPTAtUBZTYPGehrhPrr6h4cVCjP4QZ1+Ew@mail.gmail.com> <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 19 Jun 2018 08:44:35 -0700
Message-ID: <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>, IPsecME WG <ipsec@ietf.org>
Cc: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008cf42a056f0091df"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/U6KvU2iWJ-X-zvVoRv0x6MqAMNc>
Subject: Re: [IPsec] draft-pauly-ipsecme-split-dns
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2018 15:45:20 -0000

On Tue, Jun 19, 2018 at 8:26 AM, Paul Wouters <paul@nohats.ca> wrote:

> On Mon, 18 Jun 2018, Eric Rescorla wrote:
>
> Right but the problem is that accepting the TA for a given domain allows
>> the IPsec endpoint to act as a TLS endpoint for that domain
>> (assuming that the TLS client supports DANE).
>>
>
> Yes. You are the Enterprise customer. It's a feature.


Not all enterprises who use VPNs want to run a MITM proxy.

The basic problem here is that the security properties of DNS are
radically different from those of the WebPKI (which is why we
routinely rely on HTTPS in cases where DNS is untrustworthy).
So, it's totally unexpected that allowing the VPN operator to
inject a new DNS trust anchor would allow them to attack HTTPS
connections. The problem with this design is that it ties those
properties together. This is a problem for the users but also for
the enterprise because it takes something which might have
been offline signed and makes it online.


Client
> implementations can limit these domains, eg using VPN profiles
> that the user has to agree to. There is not much more we can do
> at the protocol leven, than say the two things we already say:
>



> 1) If not split-view, do not accept any DNS trust anchors
>
> This prevents third party VPN providers from injecting rogue trust
> anchors. Note that in this case you already _are_ giving all your
> traffic including DNS to the VPN server. (but hey, we have DOH)
>
> 2) Don't accept trust anchors for anything not specifically
>    split-redirected into the VPN infrastructure
>
> So in my redhat case, I would either allow "redhat.com" or
> "internal.redhat.com" to be redirected through my VPN profile
> and not anything else. (well, actually some reverse zone parts too)
>

There are actually a number of oither things you could do:

- Totally forbid the use of TLSA signed by non-default trust anchors
- Make the use of TLSA signed by non-default trust anchors a separate
protocol option with those trust anchors defined separately.

I imagine there are other choices.



> Yes, but it's not clear to me that clients can adequately determine which
>> domains
>> are internal -- they just get that information with some VPN config they
>> got
>> from their VPN provider. The text in the document says as much:
>>
>
> Yes. And that is the same DNS problem in general when connecting to a
> network and running your own recursive server. You usually get only one
> domain via DHCP, but universities tend to have dozens, and they demand
> you give them all your DNS queries so they can screw with internal only
> domains for you on the fly. You just have to drop DNSSEC to let them do
> that. That is a situation that needs fixing, and at least if you connec
> to those networks using a VPN, this document is that fix. It allows the
> network to send more than one DNS domain, and let's the client decide
> whether or not to accept it. Where yes, most clients will do this based
> on trusting their administrator of the VPN they are connecting to. Others
> could have VPN software that lets them (de)select the ones they would
> not accept.
>

Trust isn't a monolithic thing. It's one thing to trust the administrator
to route
your packets and quite another to trust them to MITM TLS. Again, this is
why it's mostly safe to use HTTPS on networks owned by other people.


Note that without this document, the only way for VPN clients to get
> functional DNS beyond the 1 hardcoded domain, is to give the VPN all
> your DNS queries, which allows even more manipulation (especially with
> an installed Enterprise CA cert, now they can override gmail.com)
>

I'm not saying this document is bad. I'm saying it should exclude TLSA.


> So it seems to me that the likely consequence of this function is that a
>> lot of
>> clients will be accepting what amounts to MITM certificates (again,
>> assuming
>> that they support DANE) as part of their VPN config.
>>
>
> Not doing this makes the situation even worse. Do you have a proposal
> that would make it better? I cannot think of one.
>

Why does it make the situation worse? Again, what's the use case why
it's needed to have the VPN install a new WebPKI trust anchor.


>
> Also, part of your concerns could be mitigated by CT as well for the
> TLS cases. I assume if browsers require CT, that internal-only domains
> also need to get some kind of CT logging (redacted or not) and that
> would also prevent a rogue gmail.com TLSA from being accidentally
> accepted by the user at the IKE/VPN first as 'internal domain' and
> then additionally at the TLS/TLSA layer?
>

Well, the semantics of CT+DANE are totally undefined, but generally,
no, I wouldn't expect things that were TLSA-authorized to be CTed.
If anything, I would expect them to use some sort of CT-for-DNS, but
of course that doesn't exist. And of course, with raw public keys
that's not even possible.


Paul
> ps. I'd really prefer this discussion to be in public on the list.
> Please do any replies to this to the ipsecme list. You have my
> permission to quote anything I wrote in this offlist mail thread.
>

Sure. We really need aliases that do the right thing here.

-Ekr

v2.23.0 | Report a Bug | By Email