Re: [perpass] DNS confidentiality
"Hosnieh Rafiee" <ietf@rozanak.com> Wed, 25 September 2013 20:08 UTC
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Karl Malbrain' <malbrain@yahoo.com>
References: <524150C7.2020602@cs.tcd.ie> <1380054665.62304.YahooMailNeo@web125505.mail.ne1.yahoo.com> <006a01ceb96a$335c1df0$9a1459d0$@rozanak.com> <1380137874.48631.YahooMailNeo@web125502.mail.ne1.yahoo.com>
In-Reply-To: <1380137874.48631.YahooMailNeo@web125502.mail.ne1.yahoo.com>
Date: Wed, 25 Sep 2013 22:08:06 +0200
Message-ID: <005901ceba2a$f854c1a0$e8fe44e0$@rozanak.com>
Cc: 'perpass' <perpass@ietf.org>, 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>
Subject: Re: [perpass] DNS confidentiality
Not if you use another approach as well as a signature. This means that if the two nodes know the IP address of each other, then nobody can play the role of MITM if they are using CGA-TSIG (http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig) as a means of DNS authentication.

Hosnieh

From: perpass-bounces@ietf.org [mailto:perpass-bounces@ietf.org] On Behalf Of Karl Malbrain
Sent: Wednesday, September 25, 2013 9:38 PM
To: Hosnieh Rafiee
Cc: 'perpass'; 'Stephen Farrell'
Subject: Re: [perpass] DNS confidentiality

Yes, MITM can be prevented if you have a copy of the public certificate obtained through exterior means to check the signature over the data. If your certificate is provided by the MITM you naturally lose that signature protection.

From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Karl Malbrain' <malbrain@yahoo.com>
Cc: 'perpass' <perpass@ietf.org>; 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>
Sent: Tuesday, September 24, 2013 2:08 PM
Subject: Re: [perpass] DNS confidentiality

A MITM attack can be prevented by signing the data. Please check the cga-tsig draft.

Hosnieh

From: perpass-bounces@ietf.org [mailto:perpass-bounces@ietf.org] On Behalf Of Karl Malbrain
Sent: Tuesday, September 24, 2013 10:31 PM
To: Stephen Farrell; perpass
Subject: Re: [perpass] DNS confidentiality

To obviate the harvesting of meta-data, we do need a secure interface to DNS. MITM resistance (authentication) is also going to be required in DNS server connections. Maybe well-known certificates for DNS servers incorporated into browser software. Given the reluctance of browser writers to implement DANE, we're going to need something like encrypted QUIC available as a transport first.

Karl Malbrain

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: perpass <perpass@ietf.org>
Sent: Tuesday, September 24, 2013 1:43 AM
Subject: [perpass] DNS confidentiality

Hiya,

I've not seen mention of this so far here that I recall.

Even as we improve the security of loads of protocols, there will still be issues with meta-data monitoring based on DNS queries, for example. This point was sort of raised on the IETF list, e.g. in [1]. DNSSEC doesn't provide any confidentiality. There are proposals that do try to do that. Do we think this is worth looking at? If so, anyone up for doing some work on that? If so, how, or starting from what?

S.

[1] http://www.ietf.org/mail-archive/web/ietf/current/msg82696.html

_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass
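The claim that knowing the peer's IP address is enough to reject a substituted key rests on the CGA construction (RFC 3972) that CGA-TSIG builds on: the IPv6 interface identifier is derived from a hash of the public key, so a verifier that already knows the address can check any key presented to it against that address. The following is an added example, not code from this thread or from the draft, of that address/key binding in simplified form; it assumes public keys are opaque constructed byte strings, uses sec=1, and does no real signing.

```python
import hashlib
import os


def _hash1(modifier, prefix, collision, pubkey):
    # Hash1 input per RFC 3972: modifier || subnet prefix || collision count || public key
    return hashlib.sha1(modifier + prefix + bytes([collision]) + pubkey).digest()[:8]


def _hash2(modifier, pubkey):
    # Hash2 input: modifier || 9 zero bytes || public key; leftmost 112 bits are kept
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _leading_zero_bits(data):
    return len(data) * 8 - int.from_bytes(data, "big").bit_length()


def cga_generate(prefix, pubkey, sec=1, modifier=None, collision=0):
    """Return (16-byte address, CGA parameters) binding pubkey to an address under prefix."""
    if modifier is None:
        modifier = os.urandom(16)
    # Hash-extension step: find a modifier whose Hash2 has 16*sec leading zero bits.
    while _leading_zero_bits(_hash2(modifier, pubkey)) < 16 * sec:
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix, collision, pubkey))
    # Leftmost three bits carry sec; the u/g bits (bits 6 and 7) are cleared.
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return prefix + bytes(iid), {"modifier": modifier, "collision": collision, "pubkey": pubkey}


def cga_verify(address, params):
    """True only if params['pubkey'] is the key this address was generated from."""
    prefix, iid = address[:8], address[8:]
    if params["collision"] > 2:
        return False
    sec = iid[0] >> 5
    expected = _hash1(params["modifier"], prefix, params["collision"], params["pubkey"])
    # Compare Hash1 with the interface identifier, ignoring the sec bits and the u/g bits.
    if (iid[0] & 0x1C) != (expected[0] & 0x1C) or iid[1:] != expected[1:]:
        return False
    return _leading_zero_bits(_hash2(params["modifier"], params["pubkey"])) >= 16 * sec


if __name__ == "__main__":
    prefix = bytes.fromhex("20010db800000001")           # constructed 2001:db8::/64 prefix
    alice_key = b"constructed-opaque-public-key-of-A"  # stands in for an encoded public key
    addr, params = cga_generate(prefix, alice_key)
    print("verifies with A's key:", cga_verify(addr, params))
    # A MITM that swaps in its own key cannot make it match the address B already knows.
    forged = dict(params, pubkey=b"constructed-opaque-public-key-of-M")
    print("verifies with MITM key:", cga_verify(addr, forged))
```

The binding only helps when the verifier already holds the address from a trusted source; an attacker can always generate a valid CGA for a different address with their own key.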