Re: [secdir] Security review of draft-ietf-dnsop-onion-tld-00.txt

[Mark Nottingham <mnot@mnot.net>]

Attempting to address all of the outstanding feedback I've seen:

* <https://github.com/mnot/I-D/commit/b3cdbbd0964532c88fefde3786d82b8bee1c62ee> uses .onion "names" instead of "addresses" consistently.

* <https://github.com/mnot/I-D/commit/941719e8de43a642c2fab9049927b60d23b7012d> clarifies the requirements placed upon registrars, as per the IANA review.

* <https://github.com/mnot/I-D/commit/bc57060e84ea338ff107f623b9e43498ee8d8309> updates the Tor URLs, but does NOT flip the two references suggested in Gen-ART to Normative; as per subsequent discussion, they aren't necessary to register the TLD, merely informative. Please advise if I read that wrong.

* <https://github.com/mnot/I-D/commit/358186a82887ed3907537bc45bd37937b4a6a09e> moves much of the generic explanatory text from Security Considerations into the Introduction, as per the SecDir review. 

* <https://github.com/mnot/I-D/commit/ca1eaaec5129f7ce82df8a749c11eb692de1059c> notes what happens when legacy systems get DNS queries leaked to them, as per the SecDir review.

* I didn't yet do anything to address this feedback in the SecDir review:

> Then, the security section also does not discuss how malicious name resolvers could be deployed in order to attack the TOR network. For example, if TOR security relies on DNS servers “black holing” misrouted request to resolve “.onion” names, what happens if malicious servers replace the suggested black-holing with some malicious tampering?

Christian, how would that work? I don't see how this kind of attack (by having a malicious server leverage clients who erroneously forward DNS requests for .onion) is going to be qualitatively different from any other attack on the Tor network; indeed, it doesn't seem like a very effective way to attack the network itself. Now, it may be that you can trick some users into thinking they're on Tor when they're not, in the right circumstances, but that's not an attack on the network. 

Can you give some more detail here (or ideally some suggested text)?

Cheers,



> On 30 Aug 2015, at 7:16 am, joel jaeggli <joelja@bogus.com> wrote:
> 
> On 8/29/15 3:10 AM, Mark Nottingham wrote:
> 
>> If the IESG would like to set a clear, unambiguous policy about this,
>> I'm sure it would be welcomed; personally, I've heard advice both
>> ways, and have not yet figured out how to make everyone happy.
> 
> Well... you can ask me. imho the situation looks like the following to me.
> 
> I think it's fine to have the discussion, propose the updates and hold
> the draft update till the end; or to roll a new version as the product
> of the discussion. The former runs the risk of accumulating a discuss
> either from me or from another AD due to something that "really needs to
> be addressed" prior to exit from iesg review. the later that we need
> more time, if it comes shortly before thursday. ( the call is now at
> 0700 pacific) so it's extremely unlikely that I will manange to
> re-review something submitted late wednesday evening.
> 
> I'm kind of waiting on the update to the iana language I asked for on
> 8/15 and that is a barrier to publication, but I expect we know what
> it's going to say in that respect already so I'm not going to hold up
> the dicussion on that...
> 
> thanks
> joel
> 
>> Cheers,
>> 
>> -- Mark Nottingham   https://www.mnot.net/
>> 
>> 
>> 
>> 
>> 
> 
> 

--
Mark Nottingham   https://www.mnot.net/