Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
John Bashinski <jbash@cisco.com> Fri, 28 January 2011 17:49 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 76C043A6921; Fri, 28 Jan 2011 09:49:39 -0800 (PST)
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 112143A6921 for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 09:49:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.509
X-Spam-Level:
X-Spam-Status: No, score=-2.509 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JFaf0K7SSW1Y for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 09:49:37 -0800 (PST)
Received: from vps1.velvet.com (vps1.velvet.com [66.249.7.50]) by core3.amsl.com (Postfix) with ESMTP id CE0E93A68CB for <dnsext@ietf.org>; Fri, 28 Jan 2011 09:49:36 -0800 (PST)
Received: from candyfloss.jbash.velvet.com (206-248-144-221.dsl.teksavvy.com [206.248.144.221]) by vps1.velvet.com (Postfix) with ESMTPSA id B0E9E1A530B; Fri, 28 Jan 2011 12:52:38 -0500 (EST)
Received: from candyfloss.jbash.velvet.com (candyfloss.jbash.velvet.com [127.0.0.1]) by candyfloss.jbash.velvet.com (Postfix) with ESMTP id BA1B56726; Fri, 28 Jan 2011 12:52:37 -0500 (EST)
Message-ID: <4D430265.8020100@cisco.com>
Date: Fri, 28 Jan 2011 12:52:37 -0500
From: John Bashinski <jbash@cisco.com>
Organization: Cisco Systems, Inc.
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Lightning/1.0b3pre Thunderbird/3.1.7
MIME-Version: 1.0
To: Ted Lemon <Ted.Lemon@nominum.com>
References: <4D41D3E2.6060107@cisco.com> <3125F45F-7594-498F-AFA3-D2D738A228F5@hopcount.ca> <4D42ED13.5030000@cisco.com> <562C7583-B719-482F-B201-EFB54138BAF1@icsi.berkeley.edu> <E4865E48-383B-4591-AF27-34571C4AA367@nominum.com>
In-Reply-To: <E4865E48-383B-4591-AF27-34571C4AA367@nominum.com>
X-Enigmail-Version: 1.1.2
Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, dnsext List <dnsext@ietf.org>, george.barwood@plueyonder.co.uk
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0848698499=="
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On 2011-01-28 12:32, Ted Lemon wrote: > On Jan 28, 2011, at 12:12 PM, Nicholas Weaver wrote: >> As long as all the historical data is available someplace that the >> device knows about >> (eg. http://tools.ietf.org/html/draft-wijngaards-dnsop-trust-history-02 >> . Or pick whatever...), there is no excuse for not using this style >> of mechanism. > There's no way to validate this, so you might was well be trusting > instructions written on a bathroom wall. You validate it by tracing the signature chain from whatever key you start with through the first one. That does mean trusting the whole chain, but it's definitely validation. > This suggests another knob to tweak. Firmware in self-updating > devices should have a manufacturer-configured key, but the > manufacturer should use that key in no more than N devices, for some > TBD value of N. This reduces the value of the firmware key, more > substantially the smaller N is, to a limit of N=1. There are tradeoffs there, and they're not just cost tradeoffs. A system for managing a whole bunch of keys is necessarily more complex than a system for managing just one. It handles higher volumes of data. It updates things more frequently (which means updates can't be scrutinized as hard). It has more parts that have to be kept online or near-line. Those all hurt the security. >> Anything else MUST either add additional keys to the trusted root, >> and/or becomes the trusted root instead. In the former you're >> weakening the system (you now trust both the . KSK AND some 'random' >> PKI certificate, as a compromise of EITHER is sufficient to break >> your security), in the latter you're just replacing one key roll >> problem with a second (how do you roll the PKI certificate?). > I think it's important to realize that any device that auto-updates > already has one of these keys in it, and that key can be used to > update the root zone key on the device, if the device even has a root > zone key on it. So it's not the case that this mechanism makes things > less secure. Not all devices auto-update. In Cisco's case, I don't think we have ANY pro gear that auto-updates, and most of our consumer gear doesn't auto-update, either. What you're talking about is one of the reasons for that, and we probably won't have widespread auto-update until we have better answers. Of course, it's also true that it's probably pretty easy to trick most people into manually installing bogus software (or DNSSEC roots) on their devices, but we'd rather not make that an automated thing... > We can certainly have a debate about which sort of compromise is more > or less likely, but I find the idea of a "limited leap of faith" sort > of like the idea of a "limited leap off a cliff." Unless the cliff is > only a few feet high, the absolute height of the cliff is immaterial. That's a deeply misleading analogy, because the effects aren't similar at all. Temporal extent of exposure matters. You can: 1. Not validate at all. This makes you pretty easy to spoof, at any time anybody decides to spoof you. 2. Learn the root key by "pure faith" at initial installation. This is a very significant improvement; it means that anybody who wants to spoof you has to be prepared to do it at a specific time (which may be hard to predict). They have to plan in advance to target you specifically. And they have to get you on the first try. 3. Learn the root key by "limited faith". This is another siginificant improvement; it means that somebody has to keep a DoS or something running continuously from the moment you're installed up through the moment they want to feed you bad data. Which could be months. If they slip up at any time, you learn a good key and they lose the ability to hurt you. And they're very likely to be detected. 4. Learn the root key using a bootstrap key and never rely on "faith". Nobody can ever spoof you, although you still have exposures from key compromise or people leading the legitimate key holder to sign something it shouldn't. Those aren't remotely equivalent exposures. -- jbash
_______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] Historical root keys: The Large Router V… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… David Conrad
- Re: [dnsext] Historical root keys: The Large Rout… Brian Dickson
- Re: [dnsext] Historical root keys: The Large Rout… Jakob Schlyter
- Re: [dnsext] Historical root keys: The Large Rout… Florian Weimer
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Andrew Sullivan
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Nicholas Weaver
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- [dnsext] A question about the need for "historica… Edward Lewis
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] A question about the need for "histo… John Bashinski
- Re: [dnsext] A question about the need for "histo… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] A question about the need for "histo… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Chris Thompson
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Olafur Gudmundsson