Re: [secdir] Secdir last call review of draft-ietf-add-svcb-dns-06

Ben Schwartz <bemasc@google.com> Sat, 09 July 2022 12:33 UTC

References: <165732512858.37539.14391175135822397412@ietfa.amsl.com>
In-Reply-To: <165732512858.37539.14391175135822397412@ietfa.amsl.com>
From: Ben Schwartz <bemasc@google.com>
Date: Sat, 09 Jul 2022 08:33:33 -0400
Message-ID: <CAHbrMsAYMca0pBkWoYspm4pwUrEEOb07ywjoRVFGbkBGUwiepA@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: secdir@ietf.org, ADD Mailing list <add@ietf.org>, draft-ietf-add-svcb-dns.all@ietf.org, last-call@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/kpqucIMv2LCibuUqoK42LhJKyKM>

Hi Joe,

On Fri, Jul 8, 2022 at 8:05 PM Joseph Salowey via Datatracker <noreply@ietf.org> wrote:

> - Section 8.1.2 - good description of this problem, it seems like some of
> this should have been discussed in the DoH document, but I couldn't find any.
> If there are relevant considerations in the DoH document then you should
> reference them here.

This topic is not addressed in RFC 8484 because that standard assumes that
the URI template is configured from a single source, so all its components
are equally authentic.  The strange thing here is that the hostname comes
via an (unspecified) trusted channel, but the port and path do not.

> It seems that the recommendation "To mitigate redirection attacks, a client
> of this SVCB mapping MUST NOT identify or authenticate itself when performing
> DNS queries, except to servers that it specifically knows are not vulnerable
> to such attacks." would be difficult to implement since it's not clear how
> the client gets this information and really should be a consideration for
> the server implementations/deployments that require authentication.

How about "... except under private arrangement with a server operator who
has made sure that there are no such vulnerable services on $HOSTNAME"?

> I'm not really sure what to do about this except as a consideration for a
> revision of DoH.

I don't think RFC 8484 has a problem of this kind, because an adversary
cannot alter any portion of the URI template (unless it controls the whole
template).  (There is still the ALPACA attack, but that is not specific to
DoH.)
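The trust split under discussion, as an added example that is not part of this thread, the draft, or any implementation the thread mentions: the hostname is taken from a trusted configuration channel, while the port and dohpath are taken from an SVCB answer that could have been altered in transit, so the client composes the DoH URI template from both but attaches its identity only to hosts on an operator-agreed allowlist (the "private arrangement" above). The `SvcbRecord` class, the `plan_query()` function, the bearer-token form of client identity, the refusal to assume a default path when dohpath is absent, and the allowlist are all assumptions of this example, not constructs from the draft.

```python
"""
Added example, not code from the draft or from anyone in this thread.
Models the trust split discussed above: the hostname is taken from a
trusted configuration channel, while port and dohpath come from an
SVCB record that an on-path attacker could alter.  SvcbRecord is a
constructed stand-in for a parsed record, and the allowlist passed to
plan_query() stands for the "private arrangement" with a server operator.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import quote

DEFAULT_HTTPS_PORT = 443


@dataclass
class SvcbRecord:
    """Constructed stand-in for the SvcParams of a parsed SVCB record."""
    alpn: List[str] = field(default_factory=list)
    port: Optional[int] = None      # "port" SvcParam, attacker-influenceable
    dohpath: Optional[str] = None   # "dohpath" SvcParam, attacker-influenceable


def doh_uri_template(trusted_host: str, rec: SvcbRecord) -> str:
    """Compose the DoH URI template: authority from the trusted host, port and
    path from the record.  Only syntactic checks are possible here; nothing in
    the record proves that the chosen port/path is the operator's DoH service."""
    if not any(a in ("h2", "h3") for a in rec.alpn):
        raise ValueError("record advertises no HTTP ALPN; not usable for DoH")
    if rec.dohpath is None:
        # Assumption of this example: refuse to guess a path when dohpath is absent.
        raise ValueError("dohpath is absent; refusing to assume a default path")
    path = rec.dohpath
    # dohpath must be a relative URI template that carries the "dns" variable.
    if not path.startswith("/") or "{?dns}" not in path:
        raise ValueError("invalid dohpath: %r" % path)
    port = DEFAULT_HTTPS_PORT if rec.port is None else rec.port
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    authority = trusted_host if port == DEFAULT_HTTPS_PORT else "%s:%d" % (trusted_host, port)
    return "https://%s%s" % (authority, path)


def expand(template: str, dns_b64url: str) -> str:
    """Expand the single form-style "dns" variable of the template (RFC 6570 {?dns})."""
    return template.replace("{?dns}", "?dns=" + quote(dns_b64url, safe="-_"))


def plan_query(trusted_host: str, rec: SvcbRecord, dns_b64url: str,
               bearer_token: Optional[str],
               private_arrangement: FrozenSet[str]) -> Tuple[str, Dict[str, str]]:
    """Return the GET URL and request headers for one DoH query.

    Credentials are attached only when trusted_host is on the allowlist the
    operator agreed to, i.e. the operator has confirmed that no other service
    on that host will receive redirected, authenticated requests.  Every other
    server is queried anonymously, whatever the record says."""
    url = expand(doh_uri_template(trusted_host, rec), dns_b64url)
    headers = {"Accept": "application/dns-message"}
    if bearer_token is not None and trusted_host in private_arrangement:
        headers["Authorization"] = "Bearer " + bearer_token
    return url, headers


if __name__ == "__main__":
    # Constructed records: the first is as published, the second is what an
    # altered (unsigned) SVCB answer might carry for the same trusted host.
    published = SvcbRecord(alpn=["h2"], dohpath="/dns-query{?dns}")
    altered = SvcbRecord(alpn=["h2"], port=8443, dohpath="/internal/api{?dns}")
    query = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"  # sample base64url DNS message
    for rec in (published, altered):
        url, hdrs = plan_query("doh.example", rec, query, "secret-token", frozenset())
        print(url, hdrs)  # no Authorization header in either case: host not on the allowlist
```

Note that `doh_uri_template()` accepts the altered record: a port of 8443 and a path of `/internal/api{?dns}` are syntactically valid, which is exactly the point of Section 8.1.2. The only defence the client has on its own is the policy in `plan_query()`, which keeps its identity out of requests to any host the operator has not explicitly vouched for.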