Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 21 November 2018 15:20 UTC

Date: Wed, 21 Nov 2018 10:20:45 -0500
From: Paul Wouters <paul@nohats.ca>
To: Warren Kumari <warren@kumari.net>
cc: The IESG <iesg@ietf.org>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-split-dns@ietf.org, "Waltermire, David A." <david.waltermire@nist.gov>

On Wed, 21 Nov 2018, Warren Kumari wrote:

> Yes, I get that the *intended* audience is Enterprises, and that usage doesn't really scare me (most
> enterprise admins already have their fingers sufficiently deep inside their employees machines that they can
> do $whatever anyway).
> My concern is that this will also be used for the "Buy our VPN for secure browsing of the torrentz - only
> $2.99 per month. Punch the monkey for a discount!!!!!!!!!!" type people -- I trust my enterprise admins to
> not DNSSEC / DANE poison me, but I don't necessarily trust (to pick at random) CyberGhostVPN
> - https://offer.cyberghostvpn.com/en_US/trnt/rocket?aff_id=1392&coupon=FlashSale2&aff_sub4=FlashSale2&  (I
> know nothing about this org!)

These VPN services need to take ALL your network traffic. We now more
explicitly state INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA MUST be
ignored when the VPN configuration is not a split tunnel one.

This can still be abused by VPN service providers but it would require
some serious hacking since most remote access profiles will only offer
to set a source/dest IP tunnel for YourTempAssignedIP/32 <-> 0.0.0.0/0

That is, if you connect to vpn.nohats.ca, it will give you
193.111.157.66 as INTERNAL_IP4_ADDRESS and the IPsec policy will
cover 193.111.157.66/32 <-> 0.0.0.0/0 only. In which case our new
attributes are ignored. They could do something like:

193.111.157.66/32 <-> 0.0.0.0/128 to get their attribute accepted, but
the VPN would not work for half the internet. Of course, if their only
goal is to screw you over and get your gmail.com traffic on 172.217.1.165,
then giving you 172.217.0.0/16 would work and all your other traffic
would simply go out in the clear. And if you accept their provisioning
profile, they could also override TLSA records.

We tried to close all of this as much as possible so that you can still
use enterprise split tunnel with DNS while making it as hard as possible
for VPN services to not abuse this. But in the end, it all depends on
how badly you want your VPN service to see cute kittens.

Paul
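The client-side rule Paul describes (ignore INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA unless the tunnel is a split one), worked through on the three traffic-selector shapes from the message. This is an added example, not code from the draft or from any IKEv2 implementation; the IKEv2 TSr is modelled as (first, last) address ranges, the CFG_REPLY by attribute name only, and the sample values are constructed.

```python
import ipaddress

# Attribute names from the draft; numeric IKEv2 attribute types are not
# given on the page, so the CFG_REPLY is modelled by name only.
SPLIT_DNS_ATTRS = {"INTERNAL_DNS_DOMAIN", "INTERNAL_DNSSEC_TA"}


def _covers_whole_space(version, ranges):
    """True if the integer ranges together cover all of IPv4 or IPv6."""
    top = (1 << (32 if version == 4 else 128)) - 1
    cursor = 0
    for start, end in sorted(ranges):
        if start > cursor:
            return False          # a gap: some destinations bypass the tunnel
        cursor = max(cursor, end + 1)
    return cursor > top


def is_full_tunnel(tsr):
    """tsr: list of (first, last) address strings as carried in an IKEv2 TSr.
    Assumption: the tunnel is 'full' when every address family it carries is
    covered completely; any gap makes it a split tunnel."""
    families = {}
    for first, last in tsr:
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if a.version != b.version or a > b:
            raise ValueError(f"malformed traffic selector {first}-{last}")
        families.setdefault(a.version, []).append((int(a), int(b)))
    return bool(families) and all(
        _covers_whole_space(v, r) for v, r in families.items())


def accepted_attributes(tsr, cp_attrs):
    """Return the CFG_REPLY attributes the client may act on: the split-DNS
    attributes are dropped when the tunnel is not a split one."""
    if is_full_tunnel(tsr):
        return [(n, v) for n, v in cp_attrs if n not in SPLIT_DNS_ATTRS]
    return list(cp_attrs)


if __name__ == "__main__":
    # Constructed CFG_REPLY resembling the ones discussed in the thread.
    cp = [("INTERNAL_IP4_ADDRESS", "193.111.157.66"),
          ("INTERNAL_DNS_DOMAIN", "example.com"),
          ("INTERNAL_DNSSEC_TA", "example.com <constructed DS record>")]
    full = [("0.0.0.0", "255.255.255.255")]           # 0.0.0.0/0
    half = [("0.0.0.0", "127.255.255.255")]           # "half the internet"
    sliver = [("172.217.0.0", "172.217.255.255")]     # 172.217.0.0/16
    for name, tsr in (("full", full), ("half", half), ("sliver", sliver)):
        print(name, [n for n, _ in accepted_attributes(tsr, cp)])
```

Only the full tunnel strips the two attributes; the half-internet and /16 selectors are split tunnels and keep them, which is exactly the residual exposure the message points out.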