Re: [IPsec] draft-pauly-ipsecme-split-dns
Tero Kivinen <kivinen@iki.fi> Wed, 20 June 2018 20:20 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EC9D130E86; Wed, 20 Jun 2018 13:20:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10pB5IpFBvSC; Wed, 20 Jun 2018 13:20:39 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2802F130E20; Wed, 20 Jun 2018 13:20:38 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w5KKKV3h006207 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 20 Jun 2018 23:20:31 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w5KKKVbl024517; Wed, 20 Jun 2018 23:20:31 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23338.46863.5452.257270@fireball.acr.fi>
Date: Wed, 20 Jun 2018 23:20:31 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: Eric Rescorla <ekr@rtfm.com>, Nico Williams <nico@cryptonector.com>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
In-Reply-To: <alpine.LRH.2.21.1806200002340.18235@bofh.nohats.ca>
References: <alpine.LRH.2.21.1806181702230.13143@bofh.nohats.ca> <CABcZeBOa8qMhDyCMzPTAtUBZTYPGehrhPrr6h4cVCjP4QZ1+Ew@mail.gmail.com> <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca> <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com> <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca> <CABcZeBN2HwiwVzAUjyZU+Q+toFM2jOKHD9xmKwM1V5qhUoULEQ@mail.gmail.com> <20180619183459.GC4218@localhost> <CABcZeBPh33RMWy=pWVSWPp9cDrzrRrVQXgw1BKPLy_W0_Wrdgg@mail.gmail.com> <20180619224651.GD4218@localhost> <CABcZeBObub+rYYURt9SSumYqqWGxDMqhOG64oA+979n=mduXMw@mail.gmail.com> <20180619230148.GE4218@localhost> <CABcZeBNmavpZvzNRZBdOTKQYZ=yW=y2poaoVtsOeESNyRrG15Q@mail.gmail.com> <alpine.LRH.2.21.1806200002340.18235@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 35 min
X-Total-Time: 35 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/neyIcaaOrX_3O9cud31TH6lLO6A>
Subject: Re: [IPsec] draft-pauly-ipsecme-split-dns
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jun 2018 20:20:44 -0000
Paul Wouters writes: > You almost certainly will need to install some local webpki trust anchor > to make use of your internal TLS servers reachable via the IPsec VPN. > > For example, to reach any of our internal redhat servers over HTTPS, I > need to install a redhat internal CA into my system/browser. I believe > this is extremely common (although I do hope it is less common to give > these internal CA's the CN="Certificate Authority") Reading this thread now, I have few comments. 1) The current practice (before this draft) for split-dns is as follows: Forward ALL traffic to SGW when VPN is up (includes all DNS, including traffic to 8.8.8.8 etc). Forbid sending any traffic out except through VPN. Mandate that clients will install Enterprise Root CA to the trust anchor list of the client (i.e., operating system global trust anchor list). The client will have that Enterprise Root CA configured always, i.e., regardless whether VPN is up or not. Those Enterprise Root CAs do not have name constrains (as they do not work) or anything else that will limit their use for creating certificates for any domain name in world (CT might help). I.e., to be able to access enterprise https protected sites you MUST install the Enterprise Root CA, and to do anything useful you need to do that. One reason they want to do this is to limit what client can send out, for example make sure it cannot send any email out directly but all emails must go through the enterprise SMTP server which will do virus checking, add stupid disclaimers to them. They also want to do virus and malvare verification on all web traffic, thus they will want to use that Enterprise Root CA for MitM of all web traffic, or they might mandate the use of proxy that does the checking. If you want to connect your bank etc, do not use your enterprise laptop for that... 2) With this protocol, we can have Split-dns setup where the server can say that my "internal.local" domain is served by 10.0.0.1 and which has TA of XXX. This will provide much better security, as now enterprise can get rid of the Enterprise Root CA which allows MitM of whole web, and instead they can provide local TA configured DNSSEC protected TLSA records for all internal services. I.e., after this there would no longer be need to require installing of the Enterprise Root CA just to get internal services working. I.e., we want to use TLSA which is protected by local TA to protect the internal servers. This is why we do not want to filter TLSA records out. Enterprise might still want to use Enterprise Root CA to do the MitM for virus etc checking, but this is outside the scope of this protocol. 3) Usually enterprises try to configure their internal domains to only include very limited number of domains, as the more you have those, the more issues you will have with configation. Quite often they use something that does not exists at all outside the enterprise. I.e., names like .internal, .local, .enterprise, .company-name. Sometimes they use names that do exists in outside world, but which are not owned by them (yes, this can and will happen, most commonly when they start using some foo.bar domain, and then someone decides to register .bar top level domain). If they are smart they use some domain owned by them which do have external visible name servers, and use some subdomain there which might not exist outside, i.e. internal.example.com. The reason why they end up with multiple internal domains is because every acquisition, merge etc usually adds some new names, and it takes years to get rid of them all. I think in my last employer we had about 5-8 different internal domain names in total during last 20 years, but only 1-2 were in use in the end. 4) If the enterprises have very complicated network they will usually have management system (or MDM) that will automatically configure the clients for them. I.e., the device is fully configured by the management system, and they will automatically apply configuration changes when needed. I think most of those system do allow completely take the device in their control, i.e., most likely they can silently install the Enterprise Root CA there if they want, or push device updates which include any code they want... In those cases the security of the device is in the hands of the enterprise anyways, and users might not even have permissions to change anything on the devices. So I think the feature that we can use TLSA records in the split-dns is very important. I agree that it would be VERY BAD for the client to just accept whatever domains server sends, and it SHOULD always verify it against its local configuration. As I said in complicated cases the configuration itself might come from the management system, so client does not need to silently accept what server says, it can always verify it against the list it has in configuration. But as the list comes from the enterprise this does not protect the client from the malicious enterprise, but it does protect it against case where attacker manages to hack in to the SGW, but was not able to gain access to the management system. It most likely will not protect against case where the attacker hacks in to the management system, as the SGW configuration might also come from there... -- kivinen@iki.fi
- Re: [IPsec] draft-pauly-ipsecme-split-dns Nico Williams
- Re: [IPsec] draft-pauly-ipsecme-split-dns Tero Kivinen
- Re: [IPsec] draft-pauly-ipsecme-split-dns Nico Williams
- Re: [IPsec] draft-pauly-ipsecme-split-dns Tero Kivinen
- Re: [IPsec] draft-pauly-ipsecme-split-dns Paul Wouters
- Re: [IPsec] draft-pauly-ipsecme-split-dns Benjamin Kaduk
- Re: [IPsec] draft-pauly-ipsecme-split-dns Paul Wouters
- Re: [IPsec] draft-pauly-ipsecme-split-dns Eric Rescorla
- Re: [IPsec] draft-pauly-ipsecme-split-dns Paul Wouters
- Re: [IPsec] draft-pauly-ipsecme-split-dns Eric Rescorla
- Re: [IPsec] draft-pauly-ipsecme-split-dns Paul Wouters
- Re: [IPsec] draft-pauly-ipsecme-split-dns Nico Williams
- Re: [IPsec] draft-pauly-ipsecme-split-dns Nico Williams
- Re: [IPsec] draft-pauly-ipsecme-split-dns Paul Wouters
- Re: [IPsec] draft-pauly-ipsecme-split-dns Eric Rescorla
- Re: [IPsec] draft-pauly-ipsecme-split-dns Nico Williams
- Re: [IPsec] draft-pauly-ipsecme-split-dns Eric Rescorla
- Re: [IPsec] draft-pauly-ipsecme-split-dns Nico Williams
- Re: [IPsec] draft-pauly-ipsecme-split-dns Eric Rescorla
- Re: [IPsec] draft-pauly-ipsecme-split-dns Paul Wouters
- Re: [IPsec] draft-pauly-ipsecme-split-dns Paul Wouters
- Re: [IPsec] draft-pauly-ipsecme-split-dns Eric Rescorla
- Re: [IPsec] draft-pauly-ipsecme-split-dns Paul Wouters
- Re: [IPsec] draft-pauly-ipsecme-split-dns Paul Wouters
- Re: [IPsec] draft-pauly-ipsecme-split-dns Nico Williams
- Re: [IPsec] draft-pauly-ipsecme-split-dns Eric Rescorla
- Re: [IPsec] draft-pauly-ipsecme-split-dns Nico Williams
- Re: [IPsec] draft-pauly-ipsecme-split-dns Paul Wouters
- Re: [IPsec] draft-pauly-ipsecme-split-dns Eric Rescorla
- Re: [IPsec] draft-pauly-ipsecme-split-dns Eric Rescorla
- Re: [IPsec] draft-pauly-ipsecme-split-dns Tommy Pauly
- Re: [IPsec] draft-pauly-ipsecme-split-dns Benjamin Kaduk