Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

[Warren Kumari <warren@kumari.net>]

On Wed, Nov 21, 2018 at 12:22 AM Paul Wouters <paul@nohats.ca> wrote:

> On Tue, 20 Nov 2018, Warren Kumari wrote:
>
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > I hope I'm just missing something obvious here, but this seems like it
> may
> > cause a significant security issue.
>
> No, you missed something subtle that clearly needs to stand out more :)
>
> > What is to stop one of these VPN providers setting:
> > INTERNAL_DNS_DOMAIN(www.paypal.com)
> > INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...)
> >
> > or, better yet:
> > INTERNAL_DNS_DOMAIN(com)
>
> This sentence:
>
>     When only a subset of traffic is routed into a private network using
>     an IPsec SA, these Configuration Payload options can be used to
>     define which private domains are intended to be resolved through the
>     IPsec connection without affecting the client's global DNS
>     resolution.
>
> I think we had more explicit text in earlier versions that didn't make
> the cut on future revisions. I will re-add proper text in Section 4 and
> the Security Section.
>
> > and so being able to spoof DNSSEC for paypal.com / all of .com?
> > This is especially worrying if something like DANE is ever deployed...
>
> There is a whole section on that.
>
> https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-14#section-5
>
> Specifically:
>
>     IKE clients willing to accept INTERNAL_DNSSEC_TA attributes MUST use
>     a whitelist of one or more domains that can be updated out of band.
>     IKE clients with an empty whitelist MUST NOT use any
>     INTERNAL_DNSSEC_TA attributes received over IKE.  Such clients MAY
>     interpret receiving an INTERNAL_DNSSEC_TA attribute for a non-
>     whitelisted domain as an indication that their local configuration
>     may need to be updated out of band.
>
> We basically said this is too dangerous to only authenticate via IKE. So
> now, you need to _also_ do a (remote) configuration update, which
> presumbly involves some Enterprise management system or humans.
>
> > The draft *does* says:
> > "Other generic or public domains, such as top-level domains, similarly
> SHOULD
> > NOT be whitelisted." - this doesn't really answer the above. 1: It is
> > increasingly hard to know what is a "real" TLD (.internal? .bank?
> .home?) 2:
> > How do I programatically tell if www.foo.net is a "public domain"? What
> is a
> > public domain anyway? How is an implementer supposed to address this?
>
> What we tried to say was that any generic domain open for any registrant
> for registration should never be accepted. While if you are Red Hat,
> maybe te TLD .redhat would be okay. (brand TLD vs generic TLD). I agree
> that it is difficult to determine this. The idea of the whitelist is
> that VPN clients will show/confirm/enable the listed DNS domains, so
> that if Honest Paul's VPN service includes "gmail.com", the enduser can
> freak out properly.
>
> > It also says:
> > "Any updates to this whitelist of domain names MUST happen via explicit
> human
> > interaction to prevent invisible installation of trust anchors." Is my
> auntie
> > really expected (or competent) to understand what "Your VPN provider,
> TrustVPN
> > wants to whitelist com. Do you want to allow this? [Y/N]" means?
>
> Split-DNS is meant for Enterprise use of actual domains.

If your auntie
> works for Foo Inc., hopefully she can either have Foo's sysadmin
> configure and install her VPN, or if the admin gives her some kind of
> profile, auntie will be okay seeing "Your VPN provider Foo Inc. wants to
> whitelist internal.foo.com" and she would be familiar with using the
> internal.foo.com domain from the office.
>

Yes, I get that the *intended* audience is Enterprises, and that usage
doesn't really scare me (most enterprise admins already have their fingers
sufficiently deep inside their employees machines that they can do
$whatever anyway).
My concerns is that this will also be used for the "Buy our VPN for secure
browsing of the torrentz - only $2.99 per month. Punch the monkey for a
discount!!!!!!!!!!" type people -- I trust my enterprise admins to not
DNSSEC / DANE poison me, but I don't necessarily trust (to pick  at random)
CyberGhostVPN -
https://offer.cyberghostvpn.com/en_US/trnt/rocket?aff_id=1392&coupon=FlashSale2&aff_sub4=FlashSale2&
(I know nothing about this org!)

W



>
> Note that our text basically meant to say the IKE software should
> probably never allow com/net/org/CCtld ever, but that would be difficult
> to hardcode because we _still_ haven't fixed the PublicSuffix issue :/
>
> > Also, some of the DNS behavior is handwavey - I think that the document
> really
> > should be reviewed by DNSOP, but will leave it to Eric to make that call.
>
> What is wavey?
>
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > This section: " The content of INTERNAL_DNS_DOMAIN and
> INTERNAL_DNSSEC_TA may be
> >   passed to another (DNS) program for processing.  As with any network
> >   input, the content SHOULD be considered untrusted and handled
> >   accordingly." feels a bit handwavey. Are there currently any DNSSEC
> >   validating clients which can easily take a targeted TA for a specific
> domain
> >   / set of domains?
> >
> > I’m also not quite sure how this interacts with delegations. E.g:
> >
> > example.com   600 IN NS ns01.internal.example
> > And then INTERNAL_DNS_DOMAIN(internal.example) — if the client runs a
> local
> > recursive, does it need to send the query to ns01 though the VPN or not?
>
> It should not think about "through the VPN or not". We had that text
> originally, but Tero pointed out a lot of Enterprise VPN's can come up
> on demand. So the initial IKE negotiation could be for 10.1.2.3/32, and
> include the DNS configuration for the internal auth servers on
> 192.168.1.1. It needs to configure the DNS so a packet for 192.1.1:53
> triggers another IPsec tunnel to be setup.
>
> So to use an unbound example, you only need to drop in the internal DS
> record, and the "unbound-control forward example.com ip1 ip2"
> configuration pointing to the internal auth servers for example.com.
>
> Paul
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf