Forgery resilience: straw man proposal

Alex Bligh <alex@alex.org.uk> Wed, 30 July 2008 09:22 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 992513A6B9A; Wed, 30 Jul 2008 02:22:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.383
X-Spam-Level:
X-Spam-Status: No, score=-0.383 tagged_above=-999 required=5 tests=[AWL=0.112, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fMRPVR+q3hK3; Wed, 30 Jul 2008 02:22:33 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 9FE6E3A6BC7; Wed, 30 Jul 2008 02:22:33 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KO7lP-000F8N-QD for namedroppers-data@psg.com; Wed, 30 Jul 2008 09:14:31 +0000
Received: from [217.147.82.63] (helo=mail.avalus.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <alex@alex.org.uk>) id 1KO7lL-000F7f-FO for namedroppers@ops.ietf.org; Wed, 30 Jul 2008 09:14:29 +0000
Received: from [192.168.100.3] (localhost [127.0.0.1]) by mail.avalus.com (Postfix) with ESMTP id 93F45C2DA7; Wed, 30 Jul 2008 10:14:20 +0100 (BST)
Date: Wed, 30 Jul 2008 10:14:17 +0100
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: namedroppers@ops.ietf.org
cc: Alex Bligh <alex@alex.org.uk>
Subject: Forgery resilience: straw man proposal
Message-ID: <429776829478B32E1ED8DF85@Ximines.local>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

Here's a straw man proposal for forgery resilience between stub resolvers
and recursive nameservers with minimal invention of new protocols:

1. Use IPsec AH in transport mode between the stub resolver and the
   recursive nameserver. This provides authentication of the recursive
   nameserver to the stub resolver (see below), integrity protection,
   replay protection and (as an unneeded bonus I think) non-repudiation.

2. Determine availability of, and the public key for the recursive
   nameserver the same way as its IP is obtained, i.e. through a BOOTP/DHCP/
   IPCP option in most cases. If it's not there, use normal IP. If it
   is there, do not fall back. Whilst DHCP options etc. can be
   spoofed, they'd have to be spoofed early, and in any case if Mallory
   can spoof these options he can simply insert his own nameserver
   IP addresses anyway. The really paranoid can protect BOOTP/DHCP/IPCP
   in other ways.

3. IPsec AH in transport mode is not compatible with NAT. This is partly
   a blessing in disguise. This means that a typical middlebox in the
   form of an end user NAT box needs to act as an ALG, i.e. either
   a caching resolver or what in old DNS terminology would have been
   called a "forwarder". This has two advantages. Firstly, in this
   scenario it's the NAT box which is the recipient of the DHCP/BOOTP/IPCP
   option, so is best placed to make the IPsec queries and need not
   then distribute this information (and indeed should not if it's
   NATing). Secondly, as the NAT box originates the IPsec queries, it
   can then be optional for devices on the end-user side of the NAT to
   speak IPsec at all, as their query will simply be sent to the
   NAT box, which would forward a query for the same records on but
   wrapped up in IPsec. Of course as a forwarder the NAT box could
   advertise its own IPsec key to prevent forgery between the NAT
   box and the end user for IPsec AH aware end users. Note that NAT
   (or more accurately NAPT) seems to break other forgery resilience
   schemes (e.g. entropy increasing ones) so some degree of rewrite
   is necessary here, and this has the advantage of a rewrite only
   on middleboxes that need not extend to end user boxes (as well
   as at the caching resolver / ISP side).

4. As it is unnecessary for the query originator to be authenticated
   to the resolver (as opposed to vice versa), all query originators
   could use the same null key.

Please make allowance for lack of caffeine so far today. I don't claim
this is the best solution, merely that it should be considered amongst
others.

Alex
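The following is an added illustration of items 1 and 3 above; it is not part of Alex's post and is not code from any IPsec implementation. It computes an AH transport-mode integrity check value the way RFC 4302 describes (over the IP header with its mutable fields zeroed, the AH header with a zeroed ICV, and the payload), then shows that a NAPT box rewriting the source address invalidates the ICV while a NAT box acting as a forwarder/ALG, re-originating the query on its own security association, does not. A simple anti-replay window is included. The addresses, keys, SPIs and DNS payload are constructed sample values, and HMAC-SHA-256-128 is an assumed algorithm choice.

```python
"""AH transport mode vs. NAT, as a worked model (added example, not from the post).
All addresses, keys, SPIs and the DNS query bytes below are constructed samples."""
import hmac
import struct
import ipaddress

AH_PROTO = 51
ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868) truncates the MAC to 128 bits

# Constructed sample DNS query: id 0xBEEF, RD set, 1 question, "example.com" A IN
DNS_QUERY = (b"\xbe\xef\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr[:20]))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    # Version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    # RFC 4302 3.3.3.1.1: TOS, flags, fragment offset, TTL and header checksum
    # may change in transit and are treated as zero when computing the ICV.
    # Source and destination addresses are immutable and stay covered.
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(spi: int, seq: int, icv: bytes = bytes(ICV_LEN), next_hdr: int = 17) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2: (12 + 16) / 4 - 2 = 5
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    data = zero_mutable(ip_hdr) + ah_header(spi, seq) + payload
    return hmac.new(key, data, "sha256").digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    ip_hdr = build_ipv4(src, dst, AH_PROTO, 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_header(spi, seq, compute_icv(key, ip_hdr, spi, seq, payload)) + payload


def parse(packet: bytes):
    ip_hdr = packet[:20]
    _next, plen, _res, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (plen + 2) * 4
    return ip_hdr, spi, seq, packet[32:20 + ah_len], packet[20 + ah_len:]


class Receiver:
    """The recursive nameserver side: verify the ICV, then enforce anti-replay."""

    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window, self.highest, self.seen = key, window, 0, set()

    def accept(self, packet: bytes) -> bool:
        ip_hdr, spi, seq, icv, payload = parse(packet)
        if not hmac.compare_digest(icv, compute_icv(self.key, ip_hdr, spi, seq, payload)):
            return False  # forged, tampered with, or address-rewritten in transit
        if seq in self.seen or seq + self.window <= self.highest:
            return False  # replayed or outside the window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        return True


def nat_rewrite(packet: bytes, new_src: str) -> bytes:
    """What a NAPT box does: rewrite the source address, decrement TTL and fix
    the IP checksum. It cannot fix the ICV, so the receiver will reject it."""
    h = bytearray(packet[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def alg_forward(packet: bytes, upstream_key: bytes, nat_addr: str, spi: int, seq: int) -> bytes:
    """What item 3 proposes instead: the NAT box terminates the inner query and
    originates a fresh AH-protected query to the same destination on its own SA."""
    ip_hdr, _, _, _, payload = parse(packet)
    dst = str(ipaddress.IPv4Address(ip_hdr[16:20]))
    return build_ah_packet(upstream_key, nat_addr, dst, spi, seq, payload)


if __name__ == "__main__":
    stub_key, nat_key = b"stub<->resolver SA key", b"natbox<->resolver SA key"
    q = build_ah_packet(stub_key, "192.168.100.3", "203.0.113.53", 0x100, 1, DNS_QUERY)
    print("direct, no NAT:        ", Receiver(stub_key).accept(q))
    print("through NAPT:          ", Receiver(stub_key).accept(nat_rewrite(q, "198.51.100.7")))
    fwd = alg_forward(q, nat_key, "198.51.100.7", 0x200, 1)
    r = Receiver(nat_key)
    print("NAT box as forwarder:  ", r.accept(fwd), "replay:", r.accept(fwd))
```

Note that a TTL decrement alone (the router case rather than the NAT case) leaves the ICV valid, because TTL is one of the zeroed mutable fields; only the address rewrite breaks it, which is exactly why the NAT box has to re-originate the query rather than pass it through.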

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>