IETF Logo Mail Archive

Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

John Bashinski <jbash@cisco.com> Fri, 28 January 2011 17:49 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 76C043A6921; Fri, 28 Jan 2011 09:49:39 -0800 (PST)
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 112143A6921 for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 09:49:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.509
X-Spam-Level:
X-Spam-Status: No, score=-2.509 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JFaf0K7SSW1Y for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 09:49:37 -0800 (PST)
Received: from vps1.velvet.com (vps1.velvet.com [66.249.7.50]) by core3.amsl.com (Postfix) with ESMTP id CE0E93A68CB for <dnsext@ietf.org>; Fri, 28 Jan 2011 09:49:36 -0800 (PST)
Received: from candyfloss.jbash.velvet.com (206-248-144-221.dsl.teksavvy.com [206.248.144.221]) by vps1.velvet.com (Postfix) with ESMTPSA id B0E9E1A530B; Fri, 28 Jan 2011 12:52:38 -0500 (EST)
Received: from candyfloss.jbash.velvet.com (candyfloss.jbash.velvet.com [127.0.0.1]) by candyfloss.jbash.velvet.com (Postfix) with ESMTP id BA1B56726; Fri, 28 Jan 2011 12:52:37 -0500 (EST)
Message-ID: <4D430265.8020100@cisco.com>
Date: Fri, 28 Jan 2011 12:52:37 -0500
From: John Bashinski <jbash@cisco.com>
Organization: Cisco Systems, Inc.
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Lightning/1.0b3pre Thunderbird/3.1.7
MIME-Version: 1.0
To: Ted Lemon <Ted.Lemon@nominum.com>
References: <4D41D3E2.6060107@cisco.com> <3125F45F-7594-498F-AFA3-D2D738A228F5@hopcount.ca> <4D42ED13.5030000@cisco.com> <562C7583-B719-482F-B201-EFB54138BAF1@icsi.berkeley.edu> <E4865E48-383B-4591-AF27-34571C4AA367@nominum.com>
In-Reply-To: <E4865E48-383B-4591-AF27-34571C4AA367@nominum.com>
X-Enigmail-Version: 1.1.2
Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, dnsext List <dnsext@ietf.org>, george.barwood@plueyonder.co.uk
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0848698499=="
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On 2011-01-28 12:32, Ted Lemon wrote:
> On Jan 28, 2011, at 12:12 PM, Nicholas Weaver wrote:

>> As long as all the historical data is available someplace that the
>> device knows about
>> (eg. http://tools.ietf.org/html/draft-wijngaards-dnsop-trust-history-02
>> .  Or pick whatever...), there is no excuse for not using this style
>> of mechanism.

> There's no way to validate this, so you might was well be trusting
> instructions written on a bathroom wall.

You validate it by tracing the signature chain from whatever key you
start with through the first one. That does mean trusting the whole
chain, but it's definitely validation.

> This suggests another knob to tweak.  Firmware in self-updating
> devices should have a manufacturer-configured key, but the
> manufacturer should use that key in no more than N devices, for some
> TBD value of N.  This reduces the value of the firmware key, more
> substantially the smaller N is, to a limit of N=1.

There are tradeoffs there, and they're not just cost tradeoffs.  A
system for managing a whole bunch of keys is necessarily more complex
than a system for managing just one. It handles higher volumes of
data. It updates things more frequently (which means updates can't be
scrutinized as hard). It has more parts that have to be kept online or
near-line. Those all hurt the security.

>> Anything else MUST either add additional keys to the trusted root,
>> and/or becomes the trusted root instead.  In the former you're
>> weakening the system (you now trust both the . KSK AND some 'random'
>> PKI certificate, as a compromise of EITHER is sufficient to break
>> your security), in the latter you're just replacing one key roll
>> problem with a second (how do you roll the PKI certificate?).

> I think it's important to realize that any device that auto-updates
> already has one of these keys in it, and that key can be used to
> update the root zone key on the device, if the device even has a root
> zone key on it.  So it's not the case that this mechanism makes things
> less secure.

Not all devices auto-update. In Cisco's case, I don't think we have
ANY pro gear that auto-updates, and most of our consumer gear
doesn't auto-update, either. What you're talking about is one
of the reasons for that, and we probably won't have widespread
auto-update until we have better answers.

Of course, it's also true that it's probably pretty easy to trick most
people into manually installing bogus software (or DNSSEC roots) on
their devices, but we'd rather not make that an automated thing...

> We can certainly have a debate about which sort of compromise is more
> or less likely, but I find the idea of a "limited leap of faith" sort
> of like the idea of a "limited leap off a cliff."  Unless the cliff is
> only a few feet high, the absolute height of the cliff is immaterial.

That's a deeply misleading analogy, because the effects aren't
similar at all. Temporal extent of exposure matters.

You can:

1. Not validate at all. This makes you pretty easy to spoof,
   at any time anybody decides to spoof you.

2. Learn the root key by "pure faith" at initial installation. This
   is a very significant improvement; it means that anybody
   who wants to spoof you has to be prepared to do it at
   a specific time (which may be hard to predict). They have
   to plan in advance to target you specifically. And they have to get
   you on the first try.

3. Learn the root key by "limited faith". This is another siginificant
   improvement; it means that somebody has to keep a DoS or something
   running continuously from the moment you're installed up through
   the moment they want to feed you bad data. Which could be
   months. If they slip up at any time, you learn a good key and they
   lose the ability to hurt you. And they're very likely to be
   detected.

4. Learn the root key using a bootstrap key and never rely on "faith".
   Nobody can ever spoof you, although you still have exposures
   from key compromise or people leading the legitimate key holder
   to sign something it shouldn't.

Those aren't remotely equivalent exposures.

						-- jbash



_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email