[Mud] more from the ADD debate
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 26 July 2019 23:31 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74ED21201CF for <mud@ietfa.amsl.com>; Fri, 26 Jul 2019 16:31:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZzI9r_HAOs4V for <mud@ietfa.amsl.com>; Fri, 26 Jul 2019 16:31:54 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00::f03c:91ff:feae:de77]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82010120181 for <mud@ietf.org>; Fri, 26 Jul 2019 16:31:54 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [75.98.19.134]) by relay.sandelman.ca (Postfix) with ESMTPS id C4C8A1F44B for <mud@ietf.org>; Fri, 26 Jul 2019 23:31:52 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 1743B1A97; Fri, 26 Jul 2019 19:31:54 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: mud@ietf.org
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Fri, 26 Jul 2019 19:31:54 -0400
Message-ID: <27593.1564183914@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/Z8hHETiS5KBiEeeJ398h7zYrab8>
Subject: [Mud] more from the ADD debate
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2019 23:31:57 -0000
In case you missed this long tussle.
--- Begin Message ---On Fri, Jul 26, 2019 at 11:06 AM Ted Lemon <mellon@fugue.com> wrote: > > > On Jul 26, 2019, at 10:50 AM, Brian Dickson <brian.peter.dickson@gmail.com> > wrote: > > > - One approach to enforcing the policy has a larger scope than the OS. > It is to view DoH itself as the problem, and ask, how can we put the DoH > genie (djinn) back in the bottle? > > The djinn was never in the bottle in the first place. If this discussion > is going to continue to entertain the fantasy that malware isn’t already > doing this, it’s not likely to be very useful. > One important distinction about malware "doing this": prior to the scenario where DoH (to an independently-operated resolver) was used, it was possible to detect this malware activity by correlation between DNS queries and TLS connections. In order to establish a TLS connection, the client app needs to do a DNS query to identify the IP address of the server to which it plans to connect.. A hypothetical anti-malware system with integration to the DNS query feed, would be aware of specific clients requesting specific DNS records, and the TTLs of the responses. Connections not conforming to tuples of (current time, client IP, server IP, TTL expiry time) would be detectable and alert-able. (Additional information on connections' SNI and servers' names allows much greater accuracy, but if/when ESNI happens, this signal goes away.) In an environment where DNS resolver choice cannot be detected or enforced, negates this model, particularly if all DNS query traffic becomes unobservable to the hypothetical anti-malware system. This is a change to the threat detection and blocking environment, and exists only when encrypted DNS is commingled with HTTPS traffic. Brian-- Add mailing list Add@ietf.org https://www.ietf.org/mailman/listinfo/add--- End Message ---
-- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Mud] more from the ADD debate Michael Richardson