Re: New drafts: draft-kuehlewind-quic-manageability-00 and draft-kuehlewind-quic-applicability-00

Christian Huitema <huitema@huitema.net> Tue, 21 March 2017 23:30 UTC

To: quic@ietf.org
References: <8F3C60B8-BB54-422A-8E48-747CE3F43CC0@tik.ee.ethz.ch> <CABkgnnVN9fddRpVCu0EPtA1aFED0wMDP0oFC78VPcCgQSv5K5w@mail.gmail.com> <58b235ad-a9bb-d453-0157-f874687ae241@tik.ee.ethz.ch> <CABkgnnWm5scJHEc4wv_Yj3WosJibXnc+PvyaiY_hrVLkMzFb6Q@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <771e4500-02bc-53cc-fb3c-543c9ebc39e2@huitema.net>
Date: Tue, 21 Mar 2017 16:30:01 -0700
In-Reply-To: <CABkgnnWm5scJHEc4wv_Yj3WosJibXnc+PvyaiY_hrVLkMzFb6Q@mail.gmail.com>
Subject: Re: New drafts: draft-kuehlewind-quic-manageability-00 and draft-kuehlewind-quic-applicability-00
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/z6Q2oXsrb1CqXlYa_I-3-AwUfUI>


On 3/19/2017 4:09 PM, Martin Thomson wrote:
> In HTTP, when you can't get TLS, you can't resolve an https:// URI.
> We have a very clear rule that says that you prefer to fail than to
> accept the risk of compromise.  This is critical to the functioning of
> the protocol.
>
> That might not be true for DNS over QUIC where the expectations for
> security are - shall we say - lower.  But all this needs to say is
> that if you have some security expectations and you find that fallback
> would lead to them being in some way compromised, you fail.

I am not sure that security expectations for DNS over QUIC should be
lower. I would expect DNS over QUIC to match the security of DNS over
TLS (RFC 7858).

We need to consider the "game theory" aspects of any downgrade. If we allow
fallback to a non-encrypted alternative, then we reward the attackers.
They block QUIC, observe the protocol silently switching to clear text,
get access to the data that they are seeking, and all that without
causing too many customer complaints. On the other hand, if blocking
QUIC just blocks the service, customers will complain, to the service
providers of course, but also very quickly to the intermediaries that
set the block. For these blockers, the support cost will be much higher.
And that means they will be less likely to block random services.

-- Christian Huitema
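
The fail-closed versus fall-back choice discussed in this message, as an added example that is not part of the thread and not code from any real resolver. It is a constructed simulation: the three transport names, the Network class (an on-path blocker that drops chosen transports and records whatever is sent in the clear) and the Resolver policy are all assumptions made for the illustration. The "strict" flag plays the role of the strict privacy profile that RFC 8310 defines for DNS over TLS, where the client fails rather than downgrades; with the flag off the client behaves opportunistically and the blocker collects the query names without breaking anything the user would notice.

```python
"""Transport-fallback policy for a DNS client, as a constructed simulation.

Added illustration, not code from this thread or from any real resolver.
The transports, the Network class and the attacker model are assumptions
made for the example: an on-path blocker can drop a transport and reads
whatever is sent in the clear.
"""
from dataclasses import dataclass, field
from enum import Enum


class Transport(Enum):
    DOQ = "dns-over-quic"   # encrypted (hypothetical, assumed to match DoT)
    DOT = "dns-over-tls"    # encrypted (RFC 7858)
    DO53 = "udp/53"         # cleartext classic DNS


ENCRYPTED = frozenset({Transport.DOQ, Transport.DOT})


class Blocked(Exception):
    """The simulated network dropped this transport."""


class DowngradeRefused(Exception):
    """Strict policy: no encrypted transport reachable, so fail instead of downgrading."""


@dataclass
class Network:
    """Constructed on-path adversary: blocks some transports, logs cleartext."""
    blocked: frozenset = frozenset()
    observed: list = field(default_factory=list)

    def send(self, transport, query):
        if transport in self.blocked:
            raise Blocked(transport.value)
        if transport not in ENCRYPTED:
            self.observed.append(query)     # attacker reads the plaintext name
        return f"answer({query})"


@dataclass
class Resolver:
    network: Network
    strict: bool
    # most-preferred transport first
    preference: tuple = (Transport.DOQ, Transport.DOT, Transport.DO53)

    def resolve(self, name):
        last = None
        for transport in self.preference:
            if self.strict and transport not in ENCRYPTED:
                # Fail closed: blocking the encrypted transports breaks
                # resolution instead of silently handing over cleartext.
                raise DowngradeRefused(f"{name}: last blocked transport {last}")
            try:
                return self.network.send(transport, name)
            except Blocked as err:
                last = str(err)
        raise Blocked("no transport reachable")


def simulate(strict, blocked, name="example.com"):
    """Run one lookup against a network that blocks `blocked`.

    Returns (answer or None, query names the attacker observed, error name or None).
    """
    net = Network(blocked=frozenset(blocked))
    try:
        answer = Resolver(net, strict).resolve(name)
        return answer, list(net.observed), None
    except (DowngradeRefused, Blocked) as err:
        return None, list(net.observed), type(err).__name__


if __name__ == "__main__":
    both = {Transport.DOQ, Transport.DOT}
    print("fallback allowed, encrypted blocked:", simulate(False, both))
    print("strict profile, encrypted blocked:  ", simulate(True, both))
    print("strict profile, only QUIC blocked:  ", simulate(True, {Transport.DOQ}))
```

With fallback allowed and both encrypted transports blocked the lookup still succeeds, and the attacker's `observed` list holds the query name: exactly the quiet win the message describes. Under the strict profile the same block produces a `DowngradeRefused` failure and an empty `observed` list, so the only way for the blocker to learn the name is to accept a visible outage. Blocking just the QUIC transport under the strict profile still succeeds over DNS over TLS with nothing leaked, which is the behaviour one would want if DNS over QUIC is to match RFC 7858 rather than fall below it.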