Re: [secdir] Security review of draft-ietf-dnsop-onion-tld-00.txt

"Christian Huitema" <huitema@huitema.net> Tue, 01 September 2015 17:25 UTC

From: "Christian Huitema" <huitema@huitema.net>
To: "'Kathleen Moriarty'" <kathleen.moriarty.ietf@gmail.com>, "'Stephen Farrell'" <stephen.farrell@cs.tcd.ie>
Date: Tue, 1 Sep 2015 10:25:07 -0700
Cc: 'secdir' <secdir@ietf.org>, 'Alec Muffett' <alecm@fb.com>, 'joel jaeggli' <joelja@bogus.com>, 'Mark Nottingham' <mnot@mnot.net>, draft-ietf-dnsop-onion-tld.all@tools.ietf.org, 'Brad Hill' <hillbrad@fb.com>, 'The IESG' <iesg@ietf.org>, 'Barry Leiba' <barryleiba@computer.org>
Subject: Re: [secdir] Security review of draft-ietf-dnsop-onion-tld-00.txt

On Tuesday, September 1, 2015 6:59 AM, Christian Huitema wrote:
> 
> On Tuesday, September 1, 2015 4:37 AM, Kathleen Moriarty wrote:
> >
> > I still have the outstanding question on security properties that may be
> > buried in this thread.
> 
> The question was, how could malicious DNS agents trick TOR clients into
> disclosing their presence. The recent exchange with Mark was about such
> agents passively listening for clients' mistakes. Is there a way to
> actively trigger such mistakes?
> 
> Such attacks would require actively sending information to clients, such
> as "if you have a request for example.onion, send it to me." The way to do
> that in the DNS is through NS records. Malicious agents could send an NS
> record for ".onion" as additional record in a response, asking resolvers
> to send them such traffic. This might trick legacy clients. Maybe.

Thinking about this a bit more -- this is the general problem of cache
poisoning. The additional section could also include A or AAAA records for
.onion domains. This could fool a caching resolver -- receive a request for
a name, check first if there is an exact match in the cache, and only
attempt to forward the request if there is no hit in the cache. The checks
in the draft are only considering request forwarding, not cache operation.

What about adding this text to cover the malicious server attack -- coming
after the paragraph on leaks by the legacy clients:
>>>
Malicious DNS agents could insert records for ".onion" names in the
additional section of DNS responses, with the intent of poisoning the cache
of DNS resolvers. These resolvers could then be tricked into serving the
record from their cache, bypassing the checks described in section 2. To
mitigate such attacks, it is important that caching resolvers prevent the
insertion in their caches of records for ".onion" names.
<<<
You may actually want to add part of that text in section 2.

-- Christian Huitema
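The mitigation proposed above, as an added example that is not code from this thread or from the draft: a toy caching resolver that refuses to insert any record whose owner name is under ".onion" into its cache, whichever response section carried it, and that checks for ".onion" before consulting the cache rather than after. The record layout, class and function names are assumptions made for the illustration.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class RR(NamedTuple):
    """One resource record; a constructed stand-in for wire-format RRs."""
    name: str    # owner name, e.g. "example.onion."
    rtype: str   # "A", "AAAA", "NS", ...
    ttl: int
    rdata: str


def _key(name: str, rtype: str) -> Tuple[str, str]:
    """Cache key: owner names are case-insensitive, trailing dot optional."""
    return (name.rstrip(".").lower(), rtype)


def is_onion_name(name: str) -> bool:
    """True for ".onion" itself and for any name under it."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == "onion"


def filter_for_cache(records: List[RR]) -> List[RR]:
    """Drop records owned by .onion names before they reach the cache.

    Catches A/AAAA records for "x.onion" as well as an NS record for
    ".onion" itself, wherever in the response they appear.
    """
    return [rr for rr in records if not is_onion_name(rr.name)]


class CachingResolver:
    """Minimal cache with the ordering the message argues for."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], RR] = {}
        self.forwarded: List[Tuple[str, str]] = []  # queries sent upstream

    def ingest_response(self, answer: List[RR], authority: List[RR],
                        additional: List[RR]) -> None:
        # The .onion check applies to every section, not only the answer.
        for rr in filter_for_cache(answer + authority + additional):
            self.cache[_key(rr.name, rr.rtype)] = rr

    def resolve(self, qname: str, qtype: str) -> Optional[RR]:
        # Refuse .onion *before* the cache lookup, so the cache can never
        # answer for .onion even if a record had slipped in.
        if is_onion_name(qname):
            return None
        hit = self.cache.get(_key(qname, qtype))
        if hit is not None:
            return hit
        self.forwarded.append((qname, qtype))  # stand-in for forwarding
        return None
```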