Re: [secdir] Secdir last call review of draft-ietf-add-svcb-dns-06
Joseph Salowey <joe@salowey.net> Tue, 12 July 2022 04:52 UTC
Return-Path: <joe@salowey.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D6B6C1A5D08 for <secdir@ietfa.amsl.com>; Mon, 11 Jul 2022 21:52:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S6GzKyy6U3og for <secdir@ietfa.amsl.com>; Mon, 11 Jul 2022 21:52:39 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11A70C159529 for <secdir@ietf.org>; Mon, 11 Jul 2022 21:52:39 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id r9so8554300ljp.9 for <secdir@ietf.org>; Mon, 11 Jul 2022 21:52:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8vp+bJzmrlw+URj3/A3+yUrTxwtnph8PxWxOdh2eyYw=; b=VfVfvwbQWyQVgQXdjxRyeaqB6be+pdkTwmNlF+37kqaSuQLS0O5C0ToP+t97XIry7O TV4GdZvYkoXuP8hhYr+no5xqkpG5xPaLqGw1Bk+pD18MUMre/vKS0aveJQmd6FXHWFDh xmT/QUxpxe2g4jXz43ANA6Gw3NqCon5Lrz5P8xG6F5mybrs9H+Nn9nfKld4ypagCnFuD znwxJhMsg6UkQ4pdoUQDFqfqq+PVPdpBKfndiGSD89HcoYAEWZ2wPZfK9vrrklhMCXuH Ih5y/I1AFPAgt5xVeQjoibogKAc0cNEKhQPR5awBBRsQjUb5egHEOldwbQXoEWXWEe6r RKQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8vp+bJzmrlw+URj3/A3+yUrTxwtnph8PxWxOdh2eyYw=; b=pEEcIlYLNPsoOgIj1VRmaACF0jdzhTBGBqH+3no7Emy/m14RioxK9pS0rjsMMYSa1A 4yIu0rSgz2r6igV2IfG5nPedtGAGjac/EUbVXXE155d84GkKENcXAjlB8kKrvEIN1Mvo l9Y+rfPzv5eptuSHr8XxfwKfu+/wXbQxKEO3KM3iWD8OkJ7dwOzB1vKwK4lWR9YsEfO7 M/SBeo4U8oRuCNb6lWDK4KBrkUpIXPD2M9oUxfJqFBJSwFO8K/WM4gztVGr47xDTCtX8 dmdZY+n4L/8e2fAhnGTmI6FC1w4YmmFZCM0Rzihz36d4+giRCdkBW7NeNkWaZIvsVjZ1 GvLA==
X-Gm-Message-State: AJIora+hXz1YjkcuBQHZ3oKxOVGEZC8jAvgnNlbM+ZIeJGKtAlHoJkCO dcG7UYelE+OZ4AowgVJRMZxvMHFXKyQS8tIMa1XjYw==
X-Google-Smtp-Source: AGRyM1uMiI+pfFmJT6csmFvqAdpia+FoMVcEj+GcPIpZFQlIlU36GLmIl5WesCMoUhHGOcKman6CQ8asJGcLkQAhGHs=
X-Received: by 2002:a2e:9787:0:b0:25d:6d00:eef4 with SMTP id y7-20020a2e9787000000b0025d6d00eef4mr4127525lji.14.1657601556373; Mon, 11 Jul 2022 21:52:36 -0700 (PDT)
MIME-Version: 1.0
References: <165732512858.37539.14391175135822397412@ietfa.amsl.com> <CAHbrMsAYMca0pBkWoYspm4pwUrEEOb07ywjoRVFGbkBGUwiepA@mail.gmail.com>
In-Reply-To: <CAHbrMsAYMca0pBkWoYspm4pwUrEEOb07ywjoRVFGbkBGUwiepA@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Mon, 11 Jul 2022 21:52:25 -0700
Message-ID: <CAOgPGoBt+3JJrxiq4AM-o9ReTvdw+bYx=yCnSA1FTj6SKWdAFA@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: secdir <secdir@ietf.org>, ADD Mailing list <add@ietf.org>, draft-ietf-add-svcb-dns.all@ietf.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f27abb05e3946f33"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Gs5w6laIC2e9HxIDtovEHDgWjJU>
Subject: Re: [secdir] Secdir last call review of draft-ietf-add-svcb-dns-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2022 04:52:39 -0000
Thanks for the quick reply, comments below: On Sat, Jul 9, 2022 at 5:33 AM Ben Schwartz <bemasc@google.com> wrote: > Hi Joe, > > On Fri, Jul 8, 2022 at 8:05 PM Joseph Salowey via Datatracker < > noreply@ietf.org> wrote: > >> - Section 8.1.2 - good description of this problem, it seems like some of >> this >> should have been discussed in the doh document, but I couldn't find any. >> If >> there is relevant considerations in the doh document then you should >> reference >> them here. > > > This topic is not addressed in RFC 8484 because that standard assumes that > the URI template is configured from a single source, so all its components > are equally authentic. The strange thing here is that the hostname comes > via a (unspecified) trusted channel, but the port and path do not. > > [Joe] I see, so this adds some attack vector that was not anticipated in 8484 > It seems that the recommendation "To mitigate redirection attacks, >> a client of this SVCB mapping MUST NOT identify or authenticate itself >> when >> performing DNS queries, except to servers that it specifically knows are >> not >> vulnerable to such attacks." would be difficult to implement since its not >> clear how the client gets this information and really should be a >> consideration >> for the server implementations/deployments that require authentication. > > > How about "... except under private arrangement with a server operator who > has made sure that there are no such vulnerable services on $HOSTNAME"? > > [Joe] Could we say something like "the server operator should make sure that there are no such vulnerable services on $HOSTNAME before publishing an SVCB mapping" It seems the server should really take steps to prevent this if possible. Having the client also verify this to the best of their ability is also a good idea. > I'm >> not really sure what to do about this except as a consideration for a >> revision >> of DoH. >> > > I don't think RFC 8484 has a problem of this kind, because an adversary > cannot alter any portion of the URI template (unless it controls the whole > template). (There is still the ALPACA attack, but that is not specific to > DoH.) > [Joe] yea, thanks for clarifying
- [secdir] Secdir last call review of draft-ietf-ad… Joseph Salowey via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Ben Schwartz
- Re: [secdir] Secdir last call review of draft-iet… Joseph Salowey
- Re: [secdir] Secdir last call review of draft-iet… Ben Schwartz