Re: [secdir] Security review of draft-ietf-dprive-dtls-and-tls-profiles-09
Sara Dickinson <sara@sinodun.com> Mon, 08 May 2017 07:44 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86234120724; Mon, 8 May 2017 00:44:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2COJOi9Brh3e; Mon, 8 May 2017 00:44:53 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [46.235.227.24]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C6861243FE; Mon, 8 May 2017 00:44:53 -0700 (PDT)
Received: from [2a02:8010:6126:0:a50b:3fa2:10d3:edf3] (port=50834) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <sara@sinodun.com>) id 1d7dLe-0004Tk-UN; Mon, 08 May 2017 08:44:51 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <CABrd9SQhAwDHXs86pOgFUdKagEEe7DC0YJ6UnZNgFv95bWAD6A@mail.gmail.com>
Date: Mon, 08 May 2017 08:44:46 +0100
Cc: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-dprive-dtls-and-tls-profiles.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <D1909E19-B338-4B0F-853A-4E101CEF7379@sinodun.com>
References: <CABrd9SQhAwDHXs86pOgFUdKagEEe7DC0YJ6UnZNgFv95bWAD6A@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.3273)
X-BlackCat-Spam-Score: -28
X-Mythic-Debug: State = no_sa; Score =
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/sEm5hMXT4c9vnI3ozQOHnKY8p6A>
Subject: Re: [secdir] Security review of draft-ietf-dprive-dtls-and-tls-profiles-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 May 2017 07:44:55 -0000
> On 4 May 2017, at 12:11, Ben Laurie <benl@google.com> wrote: > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > Hi Ben, Thanks for the review. > Status: not ready. > > I am a little puzzled by this I-D. The title is "Authentication and > (D)TLS Profile for DNS-over-(D)TLS" and the intro says it specifies > profiles which "which define the security properties a user should > expect when using that profile to connect to the available DNS > servers", however, as far as I can see, no properties other than > server authentication are defined. Section 5 is really the part of the draft intended to address this by outlining in detail the security properties a user should expect when using either a Strict or Opportunistic Profile to connect to the available DNS servers. So by security properties we really mean mitigation against passive attack (via encryption alone) or active attack (by using encryption in combination with authentication). In developing the draft we found widespread uncertainly among the DNS community as to precisely what Opportunistic Security was and how it differed from Strict. For example it became apparent that many DNS folks didn’t realise that Opportunistic could include falling back to clear text thus providing no security guarentees. That is why the table in Section 5 is provided to (hopefully) clarify these concepts and expectations. It might seem overkill to those with a strong security background but we had enough iterations on this during working group review that it really did seem necessary. Would re-wording the introduction text to say something like “This document specifies two Usage Profiles (Strict and Opportunistic) for DTLS [RFC6347] and TLS [RFC5246] which provide different levels of attack mitigation over using only clear text DNS.” be a start in addressing this? > > The document also appears to claim that a connection that is > authenticated and encrypted is "private" - that seems to stretch the > meaning of "private" quite considerably. It wasn’t the intent to claim complete privacy via these Profiles. I _thought_ we had been quite careful in always using a phrase such as “This profile provides strong privacy guarantees to the client.” rather than saying ’This provides a private connection” but perhaps I missed something? This seems to go back to the same issue of wording and so I wonder that if we had used a phrase like ‘attack mitigation’ throughout instead of 'privacy guarantees’ it would read more clearly? > > Other considerations surely exist, such as resistance against traffic > analysis, key sizes, algorithm choice. We do attempt to address these issues separately in later sections, specifically: - Section 11 ‘Counter measures to DNS Traffic Analysis’ recommending padding SHOULD be done by both client and server and - Section 9 '(D)TLS Protocol Profile' where rather than making specific recommendations for DNS we state that client and servers MUST adhere to RFC7275 and MUST use TLS 1.2 or later, etc. > > As a result, claims like "Strict Privacy provides the strongest > privacy guarantees" are just plain wrong. Better written as “Strict Privacy provides the strongest privacy guarantees of the two Profiles described here”? Again, the intention isn’t to portray Strict Privacy as some sort of ‘perfect privacy’ just as the ‘best privacy available’. I’m hoping this is a general problem generated by the use of a handful of phrases in the document that I now realise could be read with a different context. If you also think this is the fundamental issue then I would suggest the authors take a pass over the document to try to address this by either changing this wording or carefully defining what these terms mean in the context of this document. Regards Sara.
- [secdir] Security review of draft-ietf-dprive-dtl… Ben Laurie
- Re: [secdir] Security review of draft-ietf-dprive… Sara Dickinson
- Re: [secdir] Security review of draft-ietf-dprive… Ben Laurie