IETF Logo Mail Archive

Re: [saag] Gen-art LC review of draft-ietf-dane-ops-12

Elwyn Davies <elwynd@dial.pipex.com> Tue, 23 June 2015 12:41 UTC

Return-Path: <elwynd@dial.pipex.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C3AF1A00B1; Tue, 23 Jun 2015 05:41:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cYJWuk5t-7yu; Tue, 23 Jun 2015 05:41:24 -0700 (PDT)
Received: from b.painless.aa.net.uk (b.painless.aa.net.uk [IPv6:2001:8b0:0:30::51bb:1e34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F7DB1A0039; Tue, 23 Jun 2015 05:41:24 -0700 (PDT)
Received: from 4.6.9.9.c.3.f.6.1.7.6.6.5.a.4.d.1.0.0.0.f.b.0.0.0.b.8.0.1.0.0.2.ip6.arpa ([2001:8b0:bf:1:d4a5:6671:6f3c:9964]) by b.painless.aa.net.uk with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.77) (envelope-from <elwynd@dial.pipex.com>) id 1Z7NVt-0002vP-FP; Tue, 23 Jun 2015 13:41:17 +0100
Message-ID: <558953F3.5040503@dial.pipex.com>
Date: Tue, 23 Jun 2015 13:41:23 +0100
From: Elwyn Davies <elwynd@dial.pipex.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
References: <558851A5.20803@dial.pipex.com> <20150622185239.GU14121@mournblade.imrryr.org>
In-Reply-To: <20150622185239.GU14121@mournblade.imrryr.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/yjGHlmEEpRpOl7EYhS4wvC2FjgY>
X-Mailman-Approved-At: Sun, 28 Jun 2015 08:41:29 -0700
Cc: draft-ietf-dane-ops.all@tools.ietf.org, General area reviewing team <gen-art@ietf.org>, saag@ietf.org, dane@ietf.org
Subject: Re: [saag] Gen-art LC review of draft-ietf-dane-ops-12
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2015 12:41:27 -0000

Hi, Viktor.

Thanks for the quick response.  I'll wait for the revised draft to 
revisit the RFC 2118 stuff.

I think the TLS1.2 point and the reference to RFC6781 probably need to 
be discussed with Stephen as your AD.  I can't see that you can operate 
DANE without a good understanding of how to operate DNSSEC (particularly 
on the rekeying aspects) and you explicitly call out timeout issues 
discussed in RFC6781.  Whether this needs to administrative hassle of 
the downref is another matter.

There is a bit about the OS issue in line below.

Cheers,
Elwyn

On 22/06/2015 19:52, Viktor Dukhovni wrote:
> On Mon, Jun 22, 2015 at 07:19:17PM +0100, Elwyn Davies wrote:
>
>> Summary: Almost ready.  There are a couple of minor issues, and I think
>> the authors need to reassess whether all the cases where RFC 2119 keyworrds
>> are actually protocol requirements as opposed to operation best practice
>> recommendations.
> Thanks, will double-check the SHOULDS/MUSTS/...
>
>> s3: I am not a security expert, but I suspect you may get some pushback on
>> not making TLS 1.2 mandatory.
> We'll see what happens.  The most widely deployed use of DANE is
> with opportunistic TLS in SMTP, and requiring TLS 1.2 seems like
> an unnecessary restriction for an opportunistic protocol.  However,
> non-support of TLS 1.2 is getting increasingly less common, so if
> push comes to shove, we can "require" TLS 1.2.  Of course with no
> Internet Police to enforce this, the requirement will likely make
> little difference in practice.
>
>>> TLS clients and servers using DANE SHOULD support the
>>> "Server Name Indication" (SNI) extension of TLS.
>> Under what circumstances would it be reasonable for a DANE/TLSA server not
>> to support SNI?   Maybe I could see that a single domain server could do
>> without it.
> That's the primary use case, a server with a single certificate,
> and a "3 1 1" TLSA record has no need to support SNI.  It can just
> respond with the same default certificate, regardless of the SNI
> extension value sent by the client.
>
>> I think this needs to be spelt out - earlier text seems to
>> indicate that SNI support was pretty much mandatory.... Ah! Later I see that
>> s5.1 gives a case where SNI is not mandatory - a forward pointer would help.
> Thanks, will try to make the text more consistent throughout.
>
>> s4.1:  I am not clear that this section adds any value to the discussion in
>> s4.  Why should the protocol designer be less inclined to use PKIX-xx rather
>> than DANE-xx when the protocol supports an OS mode as opposed to just fully
>> authenticated or fully authenticated plus cleartext modes?
> The basic principle is based on RFC7435.  The issue is that PKIX
> is more brittle, the client and server must happen to agree on a
> mutually trusted CA, but with OS the client is just trying to
> protect the communication at the request of the server, and would
> otherwise be willing to use cleartext or unauthenticated TLS.  Use
> of fragile mechanisms (like public CA authentication for some
> unspecified set of trusted CAs) is not sufficiently reliable.
>
> Since the OS client is basing the decision to employ DANE on the
> presence of TLSA RRs in DNS, no additional security is gained via
> the PKIX usages unless they are the only ones supported by the
> application protocol (the attacker who compromises DNS can just
> inject "3 1 1" records instead).  So DANE-xx is more reliable
> at no security loss.  Thus PKIX-xx is just a needless opportunity
> to fail that should be avoided.
Maybe I have misunderstood how OS is intended to behave.  I thought I 
understood that if the client was able to handle OS and it was not able 
to authenticate the server then it would potentially try for encryption 
only.  Is the problem that there is a difference between there being no 
authentication available for a domain and an attempted authentication 
failing (aside from any explicit policy declared by server or client) 
when using OS?  Otherwise I can't see that there is a difference between 
OS and the general case - in either case, using PKIX-xx is reckoned to 
be fragile and the process takes more resources without gaining 
anything.  I can see the downside, but it appears to be general - is 
there an upside for OS in positively going for DANE-xx or is the 
downside further down in the case of OS? Otherwise there doesn't seem to 
be a lot of point in being more damning for the OS case (apart from it 
being a current topic of development :-) ).
>
>> Nits/editorial comments:
>> =====================
> Will review those... thanks.
>
>> s17.2: I can't decide whether I would like RFC6781 to be normative. It would
>> of course be a downref.  This is always going to be a problem since the
>> draft is combining operational considerations and protocol updates.   The
>> one explicit reference indicates you have to know something about how to run
>> DNSSEC to run DANE - in practice I think you have to know a great deal about
>> how to run DNSSEC if you are going to run DANE so I would be inclined to
>> make this normative (and maybe refer to it in the introduction as well).
> Not sure what if anything to do about that.
>

v2.23.0 | Report a Bug | By Email