Re: [perpass] DNS confidentiality
Karl Malbrain <malbrain@yahoo.com> Thu, 26 September 2013 18:09 UTC
To: Hosnieh Rafiee <ietf@rozanak.com>
Cc: 'perpass' <perpass@ietf.org>, 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>
CGA-TSIG seems to be a trust on first use protocol for subsequently updating records within DNS. It doesn't seem to address the problem of an arbitrary client securely obtaining the IP/Public Key for an arbitrary host from DNS without the possibility of MITM. Perhaps you could explain further.

Karl Malbrain

________________________________
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Karl Malbrain' <malbrain@yahoo.com>
Cc: 'perpass' <perpass@ietf.org>; 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>
Sent: Wednesday, September 25, 2013 1:08 PM
Subject: Re: [perpass] DNS confidentiality

Not if you use another approach as well as a signature. This means that if the two nodes know the IP address of each other, then nobody can play the role of MITM if they are using CGA-TSIG (http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig) as a means of DNS authentication.

Hosnieh

From: perpass-bounces@ietf.org [mailto:perpass-bounces@ietf.org] On Behalf Of Karl Malbrain
Sent: Wednesday, September 25, 2013 9:38 PM
To: Hosnieh Rafiee
Cc: 'perpass'; 'Stephen Farrell'
Subject: Re: [perpass] DNS confidentiality

Yes, MITM can be prevented if you have a copy of the public certificate obtained through exterior means to check the signature over the data. If your certificate is provided by MITM you naturally lose that signature protection.

From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Karl Malbrain' <malbrain@yahoo.com>
Cc: 'perpass' <perpass@ietf.org>; 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>
Sent: Tuesday, September 24, 2013 2:08 PM
Subject: Re: [perpass] DNS confidentiality

MITM attack can be prevented by signing the data. Please check cga-tsig draft.

Hosnieh

From: perpass-bounces@ietf.org [mailto:perpass-bounces@ietf.org] On Behalf Of Karl Malbrain
Sent: Tuesday, September 24, 2013 10:31 PM
To: Stephen Farrell; perpass
Subject: Re: [perpass] DNS confidentiality

To obviate the harvesting of meta-data, we do need a secure interface to DNS. MITM resistance (authentication) is also going to be required in DNS server connections. Maybe well known certificates for DNS servers incorporated into browser software. Given the reluctance of browser writers to implement DANE, we're going to need something like encrypted QUIC available as a transport first.

Karl Malbrain

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: perpass <perpass@ietf.org>
Sent: Tuesday, September 24, 2013 1:43 AM
Subject: [perpass] DNS confidentiality

Hiya,

I've not seen mention of this so far here that I recall. Even as we improve the security of loads of protocols, there will still be issues with meta-data monitoring based on DNS queries for example. This point was sort of raised on the IETF list e.g. in [1]. DNSSEC doesn't provide any confidentiality. There are proposals that do try to do that. Do we think this is worth looking at? If so, anyone up for doing some work on that? If so, how, or starting from what?

S.

[1] http://www.ietf.org/mail-archive/web/ietf/current/msg82696.html

_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass
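The two points argued in the thread above, that a trust-on-first-use scheme leaves a window at first contact while a key obtained through exterior means does not, as an added illustration that is not part of the thread or of the CGA-TSIG draft. It uses a toy textbook RSA with tiny primes purely to stand in for a real signature; the zone, answers and the Resolver class are constructed for the example.

```python
import hashlib

# Toy textbook RSA with tiny primes: stands in for a real signature scheme so the
# trust logic below runs offline. Constructed for illustration only; insecure.
def toy_keypair(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # e must be coprime to (p-1)(q-1)
    return (e, n), (d, n)              # (public, private)

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    return pow(_digest(msg, priv[1]), priv[0], priv[1])

def verify(pub, msg, sig):
    return pow(sig, pub[0], pub[1]) == _digest(msg, pub[1])

class Resolver:
    """Checks signed DNS answers against a per-zone key pin. With no
    pre-provisioned pins this is trust on first use: the key arriving with the
    first answer for a zone gets pinned. A pin supplied out of band closes that
    first-contact window."""
    def __init__(self, preprovisioned=None):
        self.pins = dict(preprovisioned or {})

    def resolve(self, zone, response):
        answer, pub, sig = response  # all three arrive over the same channel
        if zone not in self.pins:
            self.pins[zone] = pub    # first contact: nothing to compare against
        if self.pins[zone] != pub or not verify(pub, answer, sig):
            return None              # key changed or signature bad: reject
        return answer

def scenario():
    """Constructed run: an attacker sits on the path during first contact."""
    server_pub, server_priv = toy_keypair(61, 53)
    mitm_pub, mitm_priv = toy_keypair(67, 71)
    zone = b"example.com."
    genuine = b"example.com. A 192.0.2.10"
    forged = b"example.com. A 198.51.100.9"
    from_server = (genuine, server_pub, sign(server_priv, genuine))
    from_mitm = (forged, mitm_pub, sign(mitm_priv, forged))
    tofu = Resolver()
    first = tofu.resolve(zone, from_mitm)    # accepted, and the MITM key is pinned
    later = tofu.resolve(zone, from_server)  # the real server now looks like an attacker
    anchored = Resolver({zone: server_pub})  # key obtained through exterior means
    return {"tofu_first": first, "tofu_later": later,
            "anchored_mitm": anchored.resolve(zone, from_mitm),
            "anchored_server": anchored.resolve(zone, from_server)}
```

The TOFU resolver accepts the forged answer on first contact and afterwards rejects the genuine server, whereas the resolver with a pre-provisioned pin rejects the forgery outright.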