IETF Logo Mail Archive

Re: [mif] Confirm call for adoption:draft-savolainen-mif-dns-server-selection

"Laganier, Julien" <julienl@qualcomm.com> Thu, 06 January 2011 23:12 UTC

Return-Path: <julienl@qualcomm.com>
X-Original-To: mif@core3.amsl.com
Delivered-To: mif@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4BDE83A6F75 for <mif@core3.amsl.com>; Thu, 6 Jan 2011 15:12:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.023
X-Spam-Level:
X-Spam-Status: No, score=-104.023 tagged_above=-999 required=5 tests=[AWL=-2.232, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_SPOOF_COM2OTH=2.536, SPOOF_COM2COM=2.272, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DkrwKbVVEQci for <mif@core3.amsl.com>; Thu, 6 Jan 2011 15:12:09 -0800 (PST)
Received: from wolverine02.qualcomm.com (wolverine02.qualcomm.com [199.106.114.251]) by core3.amsl.com (Postfix) with ESMTP id CD0043A6DF6 for <mif@ietf.org>; Thu, 6 Jan 2011 15:12:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qualcomm.com; i=julienl@qualcomm.com; q=dns/txt; s=qcdkim; t=1294355655; x=1325891655; h=from:to:cc:date:subject:thread-topic:thread-index: message-id:references:in-reply-to:accept-language: content-language:x-ms-has-attach:x-ms-tnef-correlator: acceptlanguage:content-type:content-transfer-encoding: mime-version; z=From:=20"Laganier,=20Julien"=20<julienl@qualcomm.com> |To:=20"teemu.savolainen@nokia.com"=20<teemu.savolainen@n okia.com>,=0D=0A=09"denghui02@gmail.com"=20<denghui02@gma il.com>,=20"mif@ietf.org"=20<mif@ietf.org>,=0D=0A=09"marg aretw42@gmail.com"=20<margaretw42@gmail.com>|CC:=20"Ted.L emon@nominum.com"=20<Ted.Lemon@nominum.com>|Date:=20Thu, =206=20Jan=202011=2015:14:12=20-0800|Subject:=20RE:=20[mi f]=20Confirm=20call=09for=0D=0A=09adoption:draft-savolain en-mif-dns-server-selection|Thread-Topic:=20[mif]=20Confi rm=20call=09for=0D=0A=09adoption:draft-savolainen-mif-dns -server-selection|Thread-Index:=20AcuhhM/ZTvYdSVi0RIKwywN YPhSnVwJ/UqSQAAVYeyYAAamd4AAOvFE7AId45VA=3D|Message-ID: =20<BF345F63074F8040B58C00A186FCA57F7E273BC27A@NALASEXMB0 4.na.qualcomm.com>|References:=20<AANLkTik=3DvFTJMYG0Oo3B VCx_U-sRm6TBA77AT8BtAaik@mail.gmail.com>,<BF345F63074F804 0B58C00A186FCA57F7E273BBF62@NALASEXMB04.na.qualcomm.com> =0D=0A=20<056B511A55F8AA42A3E492B7DD19A31910B583@008-AM1M PN1-017.mgdnok.nokia.com>,<BF345F63074F8040B58C00A186FCA5 7F7E273BBFBE@NALASEXMB04.na.qualcomm.com>=0D=0A=20<056B51 1A55F8AA42A3E492B7DD19A31910B688@008-AM1MPN1-017.mgdnok.n okia.com>|In-Reply-To:=20<056B511A55F8AA42A3E492B7DD19A31 910B688@008-AM1MPN1-017.mgdnok.nokia.com> |Accept-Language:=20en-US|Content-Language:=20en-US |X-MS-Has-Attach:|X-MS-TNEF-Correlator:|acceptlanguage: =20en-US|Content-Type:=20text/plain=3B=20charset=3D"us-as cii"|Content-Transfer-Encoding:=20quoted-printable |MIME-Version:=201.0; bh=3uJvya6qH8ei/hcdQSLQFf09swEzuiqigv34r36z+vY=; b=sFItTkPKclNc/YZ2dT+OIOfaCJDtVSZELMKcAnUIZvwby/Y1KWjglGHL wrYqjewTAVeiWmRd1/ST5oNGawOMdPM/jYvwZjAAsRNTVXZEN4WhpDdA4 ZMxvqX3rv1JG01A7r6s9a2tDjDLDVD0iVIp9jLMCBaTX6x9ojoYYHc9eo E=;
X-IronPort-AV: E=McAfee;i="5400,1158,6218"; a="69323776"
Received: from ironmsg02-r.qualcomm.com ([172.30.46.16]) by wolverine02.qualcomm.com with ESMTP; 06 Jan 2011 15:14:15 -0800
X-IronPort-AV: E=Sophos;i="4.60,283,1291622400"; d="scan'208";a="106160340"
Received: from nasanexhub02.na.qualcomm.com ([10.46.143.120]) by ironmsg02-R.qualcomm.com with ESMTP/TLS/RC4-MD5; 06 Jan 2011 15:14:15 -0800
Received: from nasanexhc08.na.qualcomm.com (172.30.39.7) by nasanexhub02.na.qualcomm.com (10.46.143.120) with Microsoft SMTP Server (TLS) id 8.3.83.0; Thu, 6 Jan 2011 15:14:15 -0800
Received: from nalasexhc01.na.qualcomm.com (10.47.129.185) by nasanexhc08.na.qualcomm.com (172.30.39.7) with Microsoft SMTP Server (TLS) id 14.1.218.12; Thu, 6 Jan 2011 15:14:14 -0800
Received: from NALASEXMB04.na.qualcomm.com ([10.47.7.118]) by nalasexhc01.na.qualcomm.com ([10.47.129.185]) with mapi; Thu, 6 Jan 2011 15:14:14 -0800
From: "Laganier, Julien" <julienl@qualcomm.com>
To: "teemu.savolainen@nokia.com" <teemu.savolainen@nokia.com>, "denghui02@gmail.com" <denghui02@gmail.com>, "mif@ietf.org" <mif@ietf.org>, "margaretw42@gmail.com" <margaretw42@gmail.com>
Date: Thu, 06 Jan 2011 15:14:12 -0800
Thread-Topic: [mif] Confirm call for adoption:draft-savolainen-mif-dns-server-selection
Thread-Index: AcuhhM/ZTvYdSVi0RIKwywNYPhSnVwJ/UqSQAAVYeyYAAamd4AAOvFE7AId45VA=
Message-ID: <BF345F63074F8040B58C00A186FCA57F7E273BC27A@NALASEXMB04.na.qualcomm.com>
References: <AANLkTik=vFTJMYG0Oo3BVCx_U-sRm6TBA77AT8BtAaik@mail.gmail.com>, <BF345F63074F8040B58C00A186FCA57F7E273BBF62@NALASEXMB04.na.qualcomm.com> <056B511A55F8AA42A3E492B7DD19A31910B583@008-AM1MPN1-017.mgdnok.nokia.com>, <BF345F63074F8040B58C00A186FCA57F7E273BBFBE@NALASEXMB04.na.qualcomm.com> <056B511A55F8AA42A3E492B7DD19A31910B688@008-AM1MPN1-017.mgdnok.nokia.com>
In-Reply-To: <056B511A55F8AA42A3E492B7DD19A31910B688@008-AM1MPN1-017.mgdnok.nokia.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "Ted.Lemon@nominum.com" <Ted.Lemon@nominum.com>
Subject: Re: [mif] Confirm call for adoption:draft-savolainen-mif-dns-server-selection
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jan 2011 23:12:10 -0000

Hi Teemu,

> I'm not proposing we should defer the discussion of how to secure things, I'm
> saying we should not continue postpone progress of this work indefinitely
> waiting for discussion not taking place. E.g. during the past two months
> since Beijing I haven't seen any discussion on this list about this.

I don't think we're stalled: The period straight after an IETF meeting is
usually pretty quiet because everyone has to catch up with the other business
that wasn't taken care of during the meeting, and then there was the holiday
season. 

I also do not equate adoption as WG draft to progress. This work can progress
(a lot) without this specific draft being a WG draft by having the WG coming to
consensus on how to do this DHCP-based DNS server selection securely. This will
be a pre-requisite for publication anyway.

> We can discuss now for sure. 

Right, almost everybody should be back from holidays by now so let's do just
that...

> I would like to discuss the real severity of the attack vector in more depth.
> As far as I understood the concern was that the attacker selects a small
> subset of names (e.g. a single name) that it wants to give malicious DNS
> reply. As the subset of names being attacked would be small, it would be
> nontrivial to see attack is ongoing (or pending - most of the private names
> would resolve just fine). 

I am not sure the subset of names necessarily needs to be small. An attacker
could inject on the WLAN a DHCPv6 DNS selection option with .com or '.' (i.e. global)
as a prefix and declare itself as high preference and be able to divert all
of that traffic if the other interface has no DHCP server sending such a DNS selection
option.

> Now what if instead of this technology the node's implementation would be
> such that it always sends DNS queries to all DNS servers (at least one server
> per interface). In the usual case it could happen that it gets positive
> replies for questions (for *.corporate.com) sent over VPN, and NXDOMAIN when
> sent to DNS server of the visited WLAN (for example). Now couldn't the
> attacker on WLAN currently do it so that when the question to this specific
> server name comes, the visited network's DNS server would not reply NXDOMAIN,
> but positive answer instead? And as the visited networks DNS server is likely
> faster to reply than the server behind the VPN, similar redirection attack
> could be accomplished?

Right. Which is why if you have DNSSEC you'd wait for all answers from all 
interfaces first before returning to the application. Alternatively, if the
stack knew that one of the interface (WWAN) is more trusted than the other
(unauthenticated WLAN) it would wait for the answer from the more trusted
interface to return to the application.

> Or what if the attacker provides malicious RFC3646 search list option having
> "attacker.com" and reply NXDOMAIN until host asks for
> "targeted.server.corporate.com.attacker.com" and reply that with positive
> answer and hence take the traffic? (This is explained in section 6 of
> RFC3646). In that case even DNSSEC does not help.

RFC3646 specically says: 

   2. Resolve a name that contains any dots by first trying it as an
      FQDN and if that fails, with the names in the searchlist appended.

If there are indeed multiple alternative DNS servers on different network
interfaces providing multiple search lists, I would interpret the above
"resolve a name that contains any dots by first trying it as an FQDN on all
interfaces, and if that fails, with the names in the search list for the
respective interface appended." That seems to be to be the sensible way to
extend the 3646 provision to a multi-interfaced host.

> If the DNSSEC is the only concern you have, can't we just make a call to WG
> on who thinks it should be MUST and who thinks it should be SHOULD? But in
> presence of other DNS attacks, couldn't you separate DNSSEC requirement from
> individual tools, and just mandate DNSSEC implementation to cover all kinds
> of threats?

No offense but in the end, whatever the WG rough consensus is, if it does
introduce security vulnerabilities the draft is going to held on by the SEC AD. 

DNSSEC is not the only concern I have, I have actually outline another way to use that option in a less problematic manner than currently proposed: 

> > As to DNSSEC being a MUST or not in the tightly controlled environment you
> > evocate, I feel it might be OK to not require DNSSEC in those insofar an
> > implementation (S/W stack) can securely determine if it is in such an
> > environment.  

So maybe we ought to say that when receiving a DNS server selection option
from an untrusted network interface (e.g., unauthenticated WLAN, as opposed
to corporate WLAN or WWAN), the node MUST tries to resolve FQDN through DNS
servers on each of the interface to try to obtain DNSSEC protected DNS replies. 

This way DNSSEC isn't a MUST, but if it is deployed, the node is in a position
to avoid the DNS redirection attack that Ted originally outlined.

What do you think?

--julien

v2.23.0 | Report a Bug | By Email