IETF Logo Mail Archive

Re: [OPSAWG] 🔔 WG Last Call for draft-ietf-opsawg-mud-iot-dns-considerations-05

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 22 January 2023 17:17 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DADA1C14CE29 for <opsawg@ietfa.amsl.com>; Sun, 22 Jan 2023 09:17:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.396
X-Spam-Level:
X-Spam-Status: No, score=-4.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RLImJlRovDaD for <opsawg@ietfa.amsl.com>; Sun, 22 Jan 2023 09:17:08 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 953B4C14F737 for <opsawg@ietf.org>; Sun, 22 Jan 2023 09:17:08 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 379C13898E; Sun, 22 Jan 2023 12:46:31 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id QUr1qNJ4wP7L; Sun, 22 Jan 2023 12:46:27 -0500 (EST)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id BB9743898D; Sun, 22 Jan 2023 12:46:27 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1674409587; bh=uXjTbrWxXFNEjvqUMAVvyyw0Yk3bQJpmRhx4XhtXFds=; h=From:To:Subject:In-Reply-To:References:Date:From; b=uqVpMjhz2zDTWh3A8ZVf2KG6OlWjc9AW6q5fDyZhj7p85IVzfZqIUfoa4w0rXZjAL piHYrCnmFqwJwKMXDsx3EluSYYMHtweEcGICS539UrdUnmJTs7sBCUwmRFpm2HxN1y lYPrbmzDzZJ29JqqjxDCZyn7LUr4WskN41v8qtlAtBZuzmKp3wge7cqdQabUlhTj64 vuFPl6bzb5E7OqURWmdYes0yRMSiLMbHLfTgp2Vr9TsI4r1d/lAFwYBqhYK+kZoBCP Fc2CHKZ3WM5vgFUTQT9yR6uJT5SuBs7ujocuKP8SZoB6pF9XiLF1elK+mCRG4FcOjk DzJ3OtOcHgBRg==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 4A47490; Sun, 22 Jan 2023 12:17:03 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: tirumal reddy <kondtir@gmail.com>, opsawg <opsawg@ietf.org>
In-Reply-To: <CAFpG3ge2-Q1=zCbJud=Xrh8UG-vvomWfid8cJRoJYANgDGAuqQ@mail.gmail.com>
References: <fb4c37ad-870f-c462-c876-e85e38892c57@sit.fraunhofer.de> <CAFpG3ge2-Q1=zCbJud=Xrh8UG-vvomWfid8cJRoJYANgDGAuqQ@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 22 Jan 2023 12:17:03 -0500
Message-ID: <26470.1674407823@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/s_dVbEqjZC_tmMxj4MYqA4fV0lA>
Subject: Re: [OPSAWG] 🔔 WG Last Call for draft-ietf-opsawg-mud-iot-dns-considerations-05
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jan 2023 17:17:13 -0000

tirumal reddy <kondtir@gmail.com> wrote:
    > I support progressing the draft and I have the following comments/nits
    > which should be straightforward to address:

    > 1.

    > It has been suggested that one answer to this problem is to provide a
    > forced
    > intermediate for the TLS connections. This could in theory be done for TLS
    > 1.2 connections.

I totally agree.  But, did you want more said here?
I think that Ben's suggestion was to do everything via SOCKSv5, which would
not have quite the same problems, but I think that is completely undeployable.

    > I would say SNI inspection is not useful in TLS 1.3 (with or without ECH).

    > 2.
    > XXX --- explain in detail how this can fail.
    > XXX --- explain N:1 vs 1:1 for virtual hosting.

Nit> You may want to remove "XXX".

I have expanded the contents.  I had feared this work would be impossible,
but with sufficient coffee on a snowy Sunday morning, I think that I
succeeded.
Please see, and comment on:
   https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-mud-iot-dns-considerations/commit/6162d432cbc8395fa79b759f6ee9636a278ef800

I've also appended the text to the end of this message, after my other actions.

    > 3.
    > The third section of this document details how current trends in DNS
    > presolution
    > such as public DNS servers, DNS over TLS (DoT), and DNS over HTTPS (DoH)
    > cause
    > problems for the strategies employed. Poor interactions with
    > content-distribution
    > networks is a frequent pathology that can result.

    Comment> You may also want to refer to DoQ.

Done.

    > 4.
    > A third problem involves the use of HTTPS. IP address literals do not
    > provide enough
    > context for TLS ServerNameIndicator to be useful [RFC6066]. This limits the
    > firmware repository to be a single tenant on that IP address, and for IPv4
    > (at least),
    > this is no longer a sustainable use of IP addresses.

    tiru> You may want to look into
    tiru> https://www.rfc-editor.org/rfc/rfc8738.html, it will address the limitation
    tiru> with IP address as an identifier in certificates.

I don't think that automating IP address inclusion in certificates is useful or the point here.
During a big distribution even, a supplier might massively increase the
number of servers that serve particular content.  (Netflix among others does this)
If HTTPS is to be used, the servers need certificates, and if the servers are
referenced by IP address, then they can't do virtual hosting of any time.

This is contrasted to systems like Amazon S3, where a single *name* could be
distributed among hundreds of servers, and at the same time, those servers
(IP address end-points) could also be hosting content for hundreds of names.

    > 5. Section 6.5> I suggest replacing the references by the drafts adopted by
    > ADD WG (DNR and DDR)..

okay.

   Secure discovery of network provided DoH/DoT resolver is possible using
   the mechanisms discussed in {{?I-D.ietf-add-split-horizon-authority}}
   section-4.

Is this still the right reference?  It seems that section 4 is still correct.

===
the "it won't work" text:

The most naive method is to try to map IP addresses to names using the in-addr.arpa (IPv4), and ipv6.arpa (IPv6) mappings.

## Failing strategy

Attempts to map IP address to names in real time fails for a number of reasons:

1. it can not be done fast enough,

2. it reveals usage patterns of the devices,

3. the mapping are often incomplete,

4. even if the mapping is present, due to virtual hosting, it may not map back to the name used in the ACL.

This is not a successful strategy, its use is NOT RECOMMENDED for the reasons explained below.

### Too slow

Mapping of IP address to names requires a DNS lookup in the in-addr.arpa or ip6.arpa space.
For a cold DNS cache, this will typically require 2 to 3 NS record lookups to locate the DNS server that holds the information required.  At 20 to 100ms per round trip, this easily ads up to significant time before the packet that caused the lookup can be released.

While subsequent connections to the same site (and subsequent packets in the same flow) will not be affected if the results are cached, the effects will be felt.  The ACL results can be cached  for a period of time given by the TTL of the DNS results, but the lookup must be performed again in a number of hours to days.

### Reveals patterns of usage

By doing the DNS lookups when the traffic occurs, then a passive attacker can see when the device is active, and may be able to derive usage patterns.  They could determine when a home was occupied or not.  This does not require access to all on-path data, just to the DNS requests to the bottom level of the DNS tree.

### Mappings are often incomplete

A service provider that fails to include an A or AAAA record as part of their forward name publication will find that the new server is simply not used.
The operational feedback for that mistake is immediate.
The same is not true for reverse names: they can often be incomplete or incorrect for months or even years without visible affect on operations.

Service providers often find it difficult to update reverse maps in a timely fashion, assuming that they can do it at all.
Many cloud based solutions dynamically assign IP addresses to services, often as the service grows and shrinks, reassigning those IP addresses to other services quickly.
The use of HTTP 1.1 Virtual Hosting may allow addresses and entire front-end systems to be re-used dynamically without even reassigning the IP addresses.

In some cases there are multiple layers of CNAME between the original name and the target service name.
This is often due to a layer of load balancing in DNS, followed by a layer of load balancer at the HTTP level.

The reverse name for the IP address of the load balancer usually does not change.
If hundreds of web services are funnelled through the load balancer, it would require hundreds of PTR records to be deployed.
This would easily exceed the UDP/DNS and EDNS0 limits, and require all queries to use TCP, which would further slow down loading of the records.

The enumeration of all services/sites that have been at that load balancer might also consistitute a security concern.
To liimt churn of DNS PTR records, and reduce failures of the MUD ACLs, operators would want to  add all possible names for each reverse name, whether or not the DNS load balancing in the forward DNS space lists that end-point at that moment.

### Names can have wildcards

In some large hosting providers content is hosted under some URL that includes a wildcard.
For instance, github.io, which is used for hosted content, including the Editors' copy of internet drafts stored on github, does not actually publish any names.
Instead a wildcard exists to answer.

github would be unable to provision all infinity of possible names into the PTR records.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email