IETF Logo Mail Archive

Re: [IPsec] Paul Wouters' Discuss on draft-ietf-ipsecme-add-ike-11: (with DISCUSS and COMMENT)

Paul Wouters <paul@nohats.ca> Sun, 07 May 2023 19:43 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95286C151525; Sun, 7 May 2023 12:43:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id preHMzAuyMG4; Sun, 7 May 2023 12:43:37 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 282AEC14CF15; Sun, 7 May 2023 12:43:36 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4QDvx23yrYz38F; Sun, 7 May 2023 21:43:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1683488614; bh=dhAJ6jIL4mJL3J8k+Uh/talXdkuGfQq4EYhUC//ooCQ=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=igWa5weiTUxWludmA0ZbDHGnPbbe78VkL4f3DzeNJyQdtnSEAdaUr7itsZzwdQEZG ELUoaSXv+d83Zme0qGsITedMfbKDTs/Pvx21qqfojrxTeROjg0cIIH+r0MbH22cLqv OoMvPEBNile5ds7tqXNNgPr9fBxbztNi+1ddqIKo=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id gmKy-d-Tglj8; Sun, 7 May 2023 21:43:33 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sun, 7 May 2023 21:43:33 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 59FEACC48BA; Sun, 7 May 2023 15:43:32 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 54602CC48B9; Sun, 7 May 2023 15:43:32 -0400 (EDT)
Date: Sun, 07 May 2023 15:43:32 -0400
From: Paul Wouters <paul@nohats.ca>
To: mohamed.boucadair@orange.com
cc: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>, "draft-ietf-ipsecme-add-ike@ietf.org" <draft-ietf-ipsecme-add-ike@ietf.org>, "ipsecme-chairs@ietf.org" <ipsecme-chairs@ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "kivinen@iki.fi" <kivinen@iki.fi>
In-Reply-To: <9682_1682414484_64479B94_9682_249_1_PAVPR02MB9673A0A0B8D302A2B2A0354088649@PAVPR02MB9673.eurprd02.prod.outlook.com>
Message-ID: <e1165220-3ed2-74bb-50bb-65c560d08646@nohats.ca>
References: <168237846356.6004.18418564180515702317@ietfa.amsl.com> <9682_1682414484_64479B94_9682_249_1_PAVPR02MB9673A0A0B8D302A2B2A0354088649@PAVPR02MB9673.eurprd02.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/bsXDLsYy4bHQS-ATtrrZhhklxh0>
Subject: Re: [IPsec] Paul Wouters' Discuss on draft-ietf-ipsecme-add-ike-11: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 May 2023 19:43:42 -0000

On Tue, 25 Apr 2023, mohamed.boucadair@orange.com wrote:

>> #2 Updates RFC 8598
>>
>>         Note: [RFC8598] requires INTERNAL_IP6_DNS (or
>> INTERNAL_IP4_DNS)
>>         attribute to be mandatory present when INTERNAL_DNS_DOMAIN
>> is
>>         included. This specification relaxes that constraint
>>
>> This clearly updates RFC8598, but the document is lacking an
>> Update: clause.
>> Please add the Update clause and mention the update in the
>> abstract/introduction.
>>
>
> [Med] Please refer to this thread: https://mailarchive.ietf.org/arch/msg/ipsec/1Mi1_ygETzgA4t1OGbArbn9eqBk/

Ok, thanks. I will leave this decision to the responsible AD / IESG.

>> #3 Security Considerations
>>
>>         The initiator may trust the encrypted DNS resolvers
>> supplied by
>>         means of IKEv2 from a trusted responder more than the
>> locally
>>         provided DNS resolvers, especially in the case of
>> connecting
>>         to unknown or untrusted networks (e.g., coffee shops or
>> hotel
>>         networks).
>>
>> This does not seem to be a "Security Consideration".
>> Also, before this draft, receiving an (unencrypted) DNS server
>> supplied
>> by IKEv2 would also be more trusted. In general, VPN clients trust
>> the
>> "VPN provided nameserver" more than the local network one,
>> irrespective
>> of transport encryption. Perhaps this sentence can just be
>> deleted?
>>
>
> [Med] The intent of the text is to remind the precedence of IKE supplied data over local supplied resolvers (even if those are encrypted resolvers).

Nothing this draft does changs that from before. I still don't think
it adds anything and in the case of split vpn is not entirely true
either. But it is not my hill to die on.

> I do not understand the point that
>> A.2 is
>> trying to make?
>>
>
> [Med] In addition to the answer from Valery, another point of this appendix is that some app may not fall back to Do53.

I still do not understand. I doubt you can talk about what VPN providers
"expect".


>> Similarly, I don't understand Appendix A.3. The VPN service is not
>> involved
>> in "allowing" an application to send traffic through the tunnel.
>
> [Med] This is not what the text says.


>> It is the
>> VPN client that decided whether or not to send its traffic through
>> the tunnel
>> or not. Also VPNs typically are configured to be either split-
>> tunnel or not.
>
> [Med] The text focuses on the case of split-tunnel VPN configuration.
>
>> This can be, be hardly ever is, dynamic.
>
> [Med] The text does not say that.
>
> I don't understand what
>> A.3 is trying
>> to convey as example use related to the encrypted dns capability
>> of the
>> document.
>>
>
> [Med] This is to provide some background to motivate the discussion about INTERNAL_DNS_DOMAIN in Section 4.

If the section is about setting or not setting INTERNAL_DNS_DOMAIN to
certain values, then it should do so.

I still don't think A2 or A3 provides anything useful to the document.

>> Which explains one of the number "1"s in the Figure which is
>> otherwise
>> unreferenced.

The idea here is that the other "1" should also be described here.

>> The placement of "AliasMode" confuses me. It appears as part of
>> the
>> Service Priority as a field name, but it is not a mode or value of
>> that. Perhaps the text should be moved somewhat down, after the
>> listing od fields? (It is also somewhat confusing in the reference
>> document I-D.ietf-dnsop-svcb-https.
>>
>
> [Med] svcb says "SvcPriority is a number in the range 0-65535". We have that text there to explain why 0 is not allowed. I suggest to leave the text there. Thanks.

Then make it part of the previous paragraph so it is clear what value
is talked about, eg:

CURRENT:

 	Service Priority (2 octets) - The priority of this attribute
 	compared to other ENCDNS_IP* instances. This 16-bit unsigned
 	integer is interpreted following the rules specified in Section
 	2.4.1 of [I-D.ietf-dnsop-svcb-https].

 	AliasMode (Section 2.4.2 of [I-D.ietf-dnsop-svcb-https]) is not
 	supported because such a mode will trigger additional Do53 queries
 	while the data can be supplied directly in the IKE response. As
 	such, this field MUST NOT be set to 0.

NEW:

 	Service Priority (2 octets) - The priority of this attribute
 	compared to other ENCDNS_IP* instances. This 16-bit unsigned
 	integer is interpreted following the rules specified in Section
 	2.4.1 of [I-D.ietf-dnsop-svcb-https]. As AliasMode (Section 2.4.2
 	of [I-D.ietf-dnsop-svcb-https]) is not supported, this field
 	MUST NOT be set to 0.



>> Note that, VPN clients might have code that specifically prohibits
>> the
>> use of DNS servers on IP addresses that are not covered by the VPN
>> tunnel.

Thanks for adding a warning note about this.

>> I also have some concern with the word plausible, as that seems to
>> only take
>> encryption into account and not redirection or privacy concerns
>> towards
>> the encrypted DNS server, or what could be monitored from an
>> adversary
>> seeing the encrypted DNS stream not protected by the VPN to a DNS
>> server.
>
> [Med] These privacy concerns fall under this part of the security considerations "the use of encrypted DNS does not reduce the data available in the DNS resolver".

That's not entirely true as there is a connection between what to
trust more, the local network or the VPN. You always seem to assume
the VPN is more trustworthy (from an encryption and privacy point of
view) which does not take into account other views. Again, this is
not my hill to die on, but I find the text punting to a non-VPN
encrypted DNS case not really matching what is required in this
document's security and privacy considerations.

>> This example does not make it clear if the encrypted DNS resolver
>> can be
>> used for all DNS or not.
>
> [Med] I guess you are referring to the example in A.1. Isn't this explicit in this text right before the one you quoted: " For both split- and non-split-tunnel configurations, the use of encrypted DNS instead of Do53 provides privacy and integrity protection ..."?

No it does not. In a split-tunnel, it could be that only DNS lookups for
the internal domains are allowed. Or it could be that ALL DNS lookups
are allowed, even for non-enterprise use cases. But this is not signaled
in any way AFAIK. The extreme case is a VPN service whose only supported
traffic is DNS (eg think ExpressVPN SmartDNS). It is a "split tunnel"
but it is meant to get all DNS traffic.


> It appears to say there is a limitation
>> to only
>> use it for internal-only domain names. I do not think such a
>> protocol
>> limitation should be implied by this example?

So the problem is your clarifying text in split/no-split implies a
protocol feature that is not actually part of the defined protocol.
("split tunnel means only send DNS for INTERNAL_DNS_DOMAINS")

Is "." a valid INTERNAL_DNS_DOMAINS ?

Paul

v2.23.0 | Report a Bug | By Email