IETF Logo Mail Archive

Re: [nfsv4] Roman Danyliw's No Objection on draft-ietf-nfsv4-rfc5661sesqui-msns-03: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Sat, 04 January 2020 07:02 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E42E120288; Fri, 3 Jan 2020 23:02:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id avTToqMInC0i; Fri, 3 Jan 2020 23:02:38 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC9EE12011F; Fri, 3 Jan 2020 23:02:37 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 00472Nj7025523 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 4 Jan 2020 02:02:31 -0500
Date: Fri, 03 Jan 2020 23:02:23 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: David Noveck <davenoveck@gmail.com>
Cc: Roman Danyliw <rdd@cert.org>, draft-ietf-nfsv4-rfc5661sesqui-msns@ietf.org, The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org
Message-ID: <20200104070223.GM57294@kduck.mit.edu>
References: <157663474296.5117.5297432225833522411.idtracker@ietfa.amsl.com> <CADaq8jc5QdZ2sQ=buSH4dJFYdE0sMcFU-2sQMU6VtvM0ae5vRA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADaq8jc5QdZ2sQ=buSH4dJFYdE0sMcFU-2sQMU6VtvM0ae5vRA@mail.gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/yjTK4KQQV9s7A61GPM0l_EOfDG8>
Subject: Re: [nfsv4] Roman Danyliw's No Objection on draft-ietf-nfsv4-rfc5661sesqui-msns-03: (with COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jan 2020 07:02:40 -0000

On Thu, Jan 02, 2020 at 10:29:06AM -0500, David Noveck wrote:
> On Tue, Dec 17, 2019 at 9:05 PM Roman Danyliw via Datatracker <
> noreply@ietf.org> wrote:
> 
> > Roman Danyliw has entered the following ballot position for
> > draft-ietf-nfsv4-rfc5661sesqui-msns-03: No Objection
> >
[...]
> >
> > ** Section 21, Per “When DNS is used to convert server names to addresses
> > and
> > DNSSEC [29] is not available, the validity of the network addresses
> > returned
> > cannot be relied upon.”, this concern about the fidelity of the DNS
> > information
> > is a helpful consideration.  It would be worth mentioning/recommending the
> > use
> > of other DNS technologies such as DNS over TLS [RFC7858] and DNS over HTTPS
> > [RFC8484] that could provide additional/alternatives confidence mechanisms
> > in
> > the DNS data.
> >
> > Will add.
> 
> Could revise that bullet to read as follows:
> 
>    o  When DNS is used to convert server names to addresses and none of
>       DNSSEC [30], DNS over TLS [31], and DNS over HTTPS [35] are
>       available, the validity of the network addresses returned cannot
>       be relied upon.  However, when the client uses RPCSEC_GSS to
>       access the designated server, it is possible for mutual
>       authentication to discover invalid server addresses provided, as
>       long as the RPCSEC_GSS implementation used does not use insecure
>       DNS queries to canonicalize the hostname components of the service
>       principal names, as explained in [29].

This is a fairly subtle area, and it's pretty hard to write something
that's 100% accurate.  Specifically, it's still possible for the returned
network addresses to still be unreliable even when DoT or DoH are used
(though they do provide significant protection over traditional
DNS-on-port-53).  This all comes back to DNS resolution (generally) being a
multi-stage process, with stub resolver talking to recursive talking to
authority.  Only the authority is, well, authoritative for the returned
results (addresses), and the only end-to-end way to provide authentication
for the results is DNSSEC.  But, DoT and DoH provide integrity protection
for the stub-to-recursive leg (in current usage; in theory they can also be
used from recursive to authority), and when the recursive is trusted, that
combines to provide trust in the returned addresses even if there is not
necessarily cryptographic protection between recursive and authority. [more
discussion of various attacks and the subtle differences in provided
protection elilded].

So, my suggestion would be a different approach, along the lines of:

%  o  When DNS is used to convert server names to addresses and DNSSEC
%     [29] is not available, the validity of the network addresses
%     returned generally cannot be relied upon, though when combined with a
%     trusted resolver, DNS over TLS [31] and DNS over HTTPS [35] can also
%     provide resolved addresses in a reliable manner.  However, when the
%     [...]

-Ben

v2.23.0 | Report a Bug | By Email