Re: [secdir] Secdir last call review of draft-ietf-add-svcb-dns-06
Ben Schwartz <bemasc@google.com> Wed, 13 July 2022 16:12 UTC
Return-Path: <bemasc@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE6D2C157B58 for <secdir@ietfa.amsl.com>; Wed, 13 Jul 2022 09:12:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.609
X-Spam-Level:
X-Spam-Status: No, score=-17.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wrFEa9eHl3vb for <secdir@ietfa.amsl.com>; Wed, 13 Jul 2022 09:12:32 -0700 (PDT)
Received: from mail-vs1-xe33.google.com (mail-vs1-xe33.google.com [IPv6:2607:f8b0:4864:20::e33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D5C4C15A720 for <secdir@ietf.org>; Wed, 13 Jul 2022 09:12:32 -0700 (PDT)
Received: by mail-vs1-xe33.google.com with SMTP id 185so11174235vse.6 for <secdir@ietf.org>; Wed, 13 Jul 2022 09:12:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=x5aFojJ2RE4L2VLTFg3ua/TuuOT/XL6p3ZjIIALSvuU=; b=cEYTkvs2XyMGq2y9kUF82fhSVWqhS6u343//q6/1fpIbTH5x54RFoEcfn5pH9LpUB5 Xaxe+f7wkFMsYXn/hw4iUcuUxq/ApmJoEMxGRqKUIMJZMDszZWu4/IEgCYEzj43h+9sc l0J0LDMh4XMYR08Dd/P4NmuVOJYxd0r5+cUI720khuqTXcMk4Ir8oNzB4MCwphgQoKIl eSnj83K5XfmJ9J+IedhEPKXF3IXuhCw27z6Prwv3Df0saZqFfiYTSziZmxuQ+UKILWuB RrTqOr5ZW1M8z/y4ooPZo/s+K9jp51Scml+cVXFarLlsil16l/k4Md9K2xAJC1lUT/uj 8gZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=x5aFojJ2RE4L2VLTFg3ua/TuuOT/XL6p3ZjIIALSvuU=; b=G8NPfVC+JlJToYjxTtn7k32sw/OhSANC5+StB8Gd/y9K8c9VgC1yjw+4HHvwwgJi2x M8108kYdfLqXOQYvG9YyGB8GaLnO/DeZ5Yyh3F2WXJX+arvqjyGPZjeX886697YIDeLE nf+yT0ykrio8iuN0ym2qH13trS1YfUQ58fY6DxZp6+tk9NLgC46YCE/i3hpprXsSz3+s xvn+dwLNpVDhbWn51bX7zLD8Yx7oogNutd8GP181wNsLHrlK3sP350ihxXAB1xEc0gdQ CU7RtPtddZjbkKisiBfAaaTSzd6orc9oAHRHLVfVnbDS9Y5BMM3XoNgkJfg7HqPLmg+q 4sMw==
X-Gm-Message-State: AJIora8Ft26IjxF4UAf9VlgKpz31BgtnP0sAshKAIfyACewcQdQGNArV kRjzJd85EIBLxpBlpra8mZhdg85X+2kvbPMGfmuWPw==
X-Google-Smtp-Source: AGRyM1svHb57k/dRsMb1J+Sq3n+T3o9MMxyKd5lg9h2+Xya4pycb2ZiGXNza8WNT6PnZoTxUf005vd/l5bswvtACnlA=
X-Received: by 2002:a67:b749:0:b0:357:83ba:40dc with SMTP id l9-20020a67b749000000b0035783ba40dcmr1789609vsh.74.1657728751266; Wed, 13 Jul 2022 09:12:31 -0700 (PDT)
MIME-Version: 1.0
References: <165732512858.37539.14391175135822397412@ietfa.amsl.com> <CAHbrMsAYMca0pBkWoYspm4pwUrEEOb07ywjoRVFGbkBGUwiepA@mail.gmail.com> <CAOgPGoBt+3JJrxiq4AM-o9ReTvdw+bYx=yCnSA1FTj6SKWdAFA@mail.gmail.com>
In-Reply-To: <CAOgPGoBt+3JJrxiq4AM-o9ReTvdw+bYx=yCnSA1FTj6SKWdAFA@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 13 Jul 2022 12:12:20 -0400
Message-ID: <CAHbrMsB5xNC_YDC+-+UkVLpEpT7Yp4_-3VQOH+cNJnj8A3A5Lg@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: secdir <secdir@ietf.org>, ADD Mailing list <add@ietf.org>, draft-ietf-add-svcb-dns.all@ietf.org, last-call@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000005faa3d05e3b20d27"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/kAROHDOzw6OrlSB4wceH8U4oTTo>
Subject: Re: [secdir] Secdir last call review of draft-ietf-add-svcb-dns-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 16:12:34 -0000
On Tue, Jul 12, 2022, 12:52 AM Joseph Salowey <joe@salowey.net> wrote: > Thanks for the quick reply, comments below: > > On Sat, Jul 9, 2022 at 5:33 AM Ben Schwartz <bemasc@google.com> wrote: > >> Hi Joe, >> >> On Fri, Jul 8, 2022 at 8:05 PM Joseph Salowey via Datatracker < >> noreply@ietf.org> wrote: >> >>> - Section 8.1.2 - good description of this problem, it seems like some >>> of this >>> should have been discussed in the doh document, but I couldn't find >>> any. If >>> there is relevant considerations in the doh document then you should >>> reference >>> them here. >> >> >> This topic is not addressed in RFC 8484 because that standard assumes >> that the URI template is configured from a single source, so all its >> components are equally authentic. The strange thing here is that the >> hostname comes via a (unspecified) trusted channel, but the port and path >> do not. >> >> > > [Joe] I see, so this adds some attack vector that was not anticipated in > 8484 > > >> It seems that the recommendation "To mitigate redirection attacks, >>> a client of this SVCB mapping MUST NOT identify or authenticate itself >>> when >>> performing DNS queries, except to servers that it specifically knows are >>> not >>> vulnerable to such attacks." would be difficult to implement since its >>> not >>> clear how the client gets this information and really should be a >>> consideration >>> for the server implementations/deployments that require authentication. >> >> >> How about "... except under private arrangement with a server operator >> who has made sure that there are no such vulnerable services on $HOSTNAME"? >> >> [Joe] Could we say something like "the server operator should make sure > that there are no such vulnerable services on $HOSTNAME before publishing > an SVCB mapping" > It's not clear to me that this would help, because this attacker can forge a SVCB record even for origins that don't publish their own record. In the extreme case, the origin might not operate a DNS service at all! It seems the server should really take steps to prevent this if possible. > I can't think of a way to do this without adding a new requirement to all DNS servers that are identified by a hostname. As a practical matter I suppose that would be fine, but in principle it seems like poor form to add requirements to existing deployed systems. Having the client also verify this to the best of their ability is also a > good idea. > > > >> I'm >>> not really sure what to do about this except as a consideration for a >>> revision >>> of DoH. >>> >> >> I don't think RFC 8484 has a problem of this kind, because an adversary >> cannot alter any portion of the URI template (unless it controls the whole >> template). (There is still the ALPACA attack, but that is not specific to >> DoH.) >> > [Joe] yea, thanks for clarifying >
- [secdir] Secdir last call review of draft-ietf-ad… Joseph Salowey via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Ben Schwartz
- Re: [secdir] Secdir last call review of draft-iet… Joseph Salowey
- Re: [secdir] Secdir last call review of draft-iet… Ben Schwartz