Re: [secdir] Security review of draft-ietf-dprive-dtls-and-tls-profiles-09
Ben Laurie <benl@google.com> Fri, 12 May 2017 19:47 UTC
Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 752FD12EB55 for <secdir@ietfa.amsl.com>; Fri, 12 May 2017 12:47:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Q64bFFOiXLJ for <secdir@ietfa.amsl.com>; Fri, 12 May 2017 12:47:16 -0700 (PDT)
Received: from mail-ua0-x22a.google.com (mail-ua0-x22a.google.com [IPv6:2607:f8b0:400c:c08::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E19F12EC0E for <secdir@ietf.org>; Fri, 12 May 2017 12:42:51 -0700 (PDT)
Received: by mail-ua0-x22a.google.com with SMTP id j17so52470920uag.3 for <secdir@ietf.org>; Fri, 12 May 2017 12:42:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Q0u54JhcezyvtG+8A/gDTM3J0AF9AEqYNSRSRAEjC08=; b=QaOHecRP+3DzYnOQYMPhtDabWVr5H8hgDauA4JZhOpDGAfhxI8rPiGtoDJ+XGgl/Op aimD8Im9ECWv7dYomE//QfSUYWqRA6zUFmH+PpoyCD/nz5PB/dgXz/p24aFUKZctqJTs cVC6o9zf81q/pkOksjMuHtGcC0ejA7y/9DLdaEbzg3V1ny5qfmfo3zMTj8COfTZsN3N9 0HySeaSDlYPhic6T69Kw4RcCmhVVFELqMK/PY1uIzyNr8mnGEgvoDypE6WCidJsg2jWo +j/Ur/4+3xS4kOPEA9sB8BOyKtUgtB8E/mDqXxSrkgZ/omSZJ604ZE41VUpcOrRJRZUz XFJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Q0u54JhcezyvtG+8A/gDTM3J0AF9AEqYNSRSRAEjC08=; b=s/A7Ty1G1lxME2D/uuJvsQ0fr4rq2VVpzwbkX2Sh/KaUgSmvmcf3sLrJAvGu0DLlGY uNpYcDsPZrjcQNoEHcS5+nVEJTH/9B2ik7fJjG/WUmRj1x3ySsbcmN03AmLXzmoVQH55 Z6W+kABFRuYxN7N3Y2UpQD7/TTefh9+qHQyrSid/VAvc4aYxP9s+udJjRm9utVBBAisV hvFUovFSFemIuuqfFyu+XFCNs4ADlQ8+dy+nDVrB0DP/at6vuVsPS/w3/TpTI/FaPaqE eOnYkXTN3D9PrXajcakhhHaa43MT3UMUH8K1mChyjJ8O6q5Vm4iNcxp7+TwkJqlfp4QP J1Lw==
X-Gm-Message-State: AODbwcDwztRM9CwwqJjODP2KUnk1Cb3I67fnpUwWAWnemnmeyh5k5glC IQf8mW2mpNVgl/fsK8giJ+PcbSg+AU5B
X-Received: by 10.176.85.145 with SMTP id v17mr3046197uaa.148.1494618168626; Fri, 12 May 2017 12:42:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.167.21 with HTTP; Fri, 12 May 2017 12:42:47 -0700 (PDT)
In-Reply-To: <D1909E19-B338-4B0F-853A-4E101CEF7379@sinodun.com>
References: <CABrd9SQhAwDHXs86pOgFUdKagEEe7DC0YJ6UnZNgFv95bWAD6A@mail.gmail.com> <D1909E19-B338-4B0F-853A-4E101CEF7379@sinodun.com>
From: Ben Laurie <benl@google.com>
Date: Fri, 12 May 2017 20:42:47 +0100
Message-ID: <CABrd9SQLs5NTdPWPNG8h3R+fQBofRAWN_j0TZG+xhv1OuYWnbw@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-dprive-dtls-and-tls-profiles.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/QGaxbaUDYMD-svthNYgvh49dujs>
Subject: Re: [secdir] Security review of draft-ietf-dprive-dtls-and-tls-profiles-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 May 2017 19:47:19 -0000
On 8 May 2017 at 08:44, Sara Dickinson <sara@sinodun.com> wrote: > >> On 4 May 2017, at 12:11, Ben Laurie <benl@google.com> wrote: >> >> I have reviewed this document as part of the security directorate's >> ongoing effort to review all IETF documents being processed by the >> IESG. These comments were written primarily for the benefit of the >> security area directors. Document editors and WG chairs should treat >> these comments just like any other last call comments. >> > > Hi Ben, > > Thanks for the review. > >> Status: not ready. >> >> I am a little puzzled by this I-D. The title is "Authentication and >> (D)TLS Profile for DNS-over-(D)TLS" and the intro says it specifies >> profiles which "which define the security properties a user should >> expect when using that profile to connect to the available DNS >> servers", however, as far as I can see, no properties other than >> server authentication are defined. > > Section 5 is really the part of the draft intended to address this by outlining in detail the security properties a user should expect when using either a Strict or Opportunistic Profile to connect to the available DNS servers. So by security properties we really mean mitigation against passive attack (via encryption alone) or active attack (by using encryption in combination with authentication). OK, so what you're really aiming at is mitigation of trivial MitM attacks on the underlying crypto. So how about making the title (and summary) be "Avoiding Trivial MitM Attacks on DNS-over-(D)TLS"? > > In developing the draft we found widespread uncertainly among the DNS community as to precisely what Opportunistic Security was and how it differed from Strict. For example it became apparent that many DNS folks didn’t realise that Opportunistic could include falling back to clear text thus providing no security guarentees. That is why the table in Section 5 is provided to (hopefully) clarify these concepts and expectations. It might seem overkill to those with a strong security background but we had enough iterations on this during working group review that it really did seem necessary. > > Would re-wording the introduction text to say something like > > “This document specifies two Usage Profiles (Strict and Opportunistic) for DTLS [RFC6347] and TLS [RFC5246] which provide different levels of attack mitigation over using only clear text DNS.” > > be a start in addressing this? A start, but it leaves entirely vague what attack you might be mitigating. I guess the core problem is I don't see a clear articulation of the threat model. I'd hazard a guess from the above that it's essentially: "there should be no man in the middle who can trivially get plaintext". If the claim is you mitigate that threat with "Strict" then I would then only have to argue about how authentication occurs, rather than how all "security properties" occur. >> The document also appears to claim that a connection that is >> authenticated and encrypted is "private" - that seems to stretch the >> meaning of "private" quite considerably. > > It wasn’t the intent to claim complete privacy via these Profiles. I _thought_ we had been quite careful in always using a phrase such as “This profile provides strong privacy guarantees to the client.” rather than saying ’This provides a private connection” but perhaps I missed something? I think that most users have no idea what the difference is between those two statements. > This seems to go back to the same issue of wording and so I wonder that if we had used a phrase like ‘attack mitigation’ throughout instead of 'privacy guarantees’ it would read more clearly? Yes. And you need to say what attack you mitigate. :-) >> Other considerations surely exist, such as resistance against traffic >> analysis, key sizes, algorithm choice. > > We do attempt to address these issues separately in later sections, specifically: > - Section 11 ‘Counter measures to DNS Traffic Analysis’ recommending padding SHOULD be done by both client and server and > - Section 9 '(D)TLS Protocol Profile' where rather than making specific recommendations for DNS we state that client and servers MUST adhere to RFC7275 and MUST use TLS 1.2 or later, etc. > >> >> As a result, claims like "Strict Privacy provides the strongest >> privacy guarantees" are just plain wrong. > > Better written as “Strict Privacy provides the strongest privacy guarantees of the two Profiles described here”? Technically, I think you can only claim it is at least as strong. Unless you have a magic authentication story. :-) > Again, the intention isn’t to portray Strict Privacy as some sort of ‘perfect privacy’ just as the ‘best privacy available’. > > I’m hoping this is a general problem generated by the use of a handful of phrases in the document that I now realise could be read with a different context. If you also think this is the fundamental issue then I would suggest the authors take a pass over the document to try to address this by either changing this wording or carefully defining what these terms mean in the context of this document. > > Regards > > Sara. >
- [secdir] Security review of draft-ietf-dprive-dtl… Ben Laurie
- Re: [secdir] Security review of draft-ietf-dprive… Sara Dickinson
- Re: [secdir] Security review of draft-ietf-dprive… Ben Laurie