Re: [TLS] draft-ietf-tls-dnssec-chain-extensions security considerations

Allison Mankin <allison.mankin@gmail.com> Tue, 03 July 2018 14:41 UTC

Return-Path: <allison.mankin@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3239130E77 for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 07:41:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TALQTsPiidd4 for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 07:41:20 -0700 (PDT)
Received: from mail-pg0-x242.google.com (mail-pg0-x242.google.com [IPv6:2607:f8b0:400e:c05::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C7E2130E59 for <tls@ietf.org>; Tue, 3 Jul 2018 07:41:19 -0700 (PDT)
Received: by mail-pg0-x242.google.com with SMTP id m19-v6so1085281pgv.3 for <tls@ietf.org>; Tue, 03 Jul 2018 07:41:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=i4QqzVfYjB0Y2lo240LBJ6NiCT+qTI3C8yRXy5IOQPY=; b=doBgce+OeGYNvYvxQx7brHKvXdhzPb9WfwHxoxvHMVyBPkFzQB69FlXQJ2Lh24IqRT zp23XHLm2YT4q27zoPBRpkUnNyoNyI2ohfOMvqs0e/2aRSZ5PSFE9WxdcBgHwBVTPeH4 Us/WOpWVrqMYqlE4BdW6NwMI1/9Gz4yap4E6x500sbC8AA8NA4oH3tqo/WUCKD4622zP 0AS86X5csZfgia+mpYgfg8pKrAJ1/Ihi/GnSTaM6DgFXM1/8u4D/R9B2BZBbiZLXKCZF fMVTwpvVNNgiyyHebHURScfuua4lDDyViEEJz7ZCx4YWHqYTYCzgfUzKJVXRfMyXRrBL du2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=i4QqzVfYjB0Y2lo240LBJ6NiCT+qTI3C8yRXy5IOQPY=; b=b9WrYSWSA/zcvdM6LzgQKrx1z/lOHNEmXivpXr2Po8Y95rzANHfnU+fGllLFxGWncF 6YCgI4z06JaoYDD1/ToHd0YnoN54laZuvmFCEyo/042Ob4vOrF5fHpeK8f7LYhu6DLgg OYxaoI1utvmRyWsynWwgkxClLhEV9ZZv5m4FY1KeHuO2Fs06t8rBc3HavtX5NdavH2Oe 343lcq8lOUrA6LItuLQy0Gii1x2EDHO4vZfZdUwFbdGNHlxKbFcaCFJdrRO0QS+wwcvg kgBVLO8M8Gyq4C2Sej5kbGNxQ5Nj8hN1SkO2kGxwmdJWLZu475ITrxgwoP4brEWbbSxl J2Wg==
X-Gm-Message-State: APt69E3GNBc0P+FoF6f0NM8qbBABJTHmkgPzD8f/JXF5uEe1njTb6RbI I8t9HcrTRKRks507ObPy5e64edjL40fZgwucmN0=
X-Google-Smtp-Source: AAOMgpe74y+UqtP9697IBKkZLVjh/kFaN1GLbZIQeAk4qfztRT2g7fx0NkKJw6lLJC/5pJbOOAZG7PYDs5FJSya+aFM=
X-Received: by 2002:a62:4b48:: with SMTP id y69-v6mr18800793pfa.93.1530628879353; Tue, 03 Jul 2018 07:41:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:ac18:0:0:0:0 with HTTP; Tue, 3 Jul 2018 07:41:18 -0700 (PDT)
From: Allison Mankin <allison.mankin@gmail.com>
Date: Tue, 3 Jul 2018 10:41:18 -0400
Message-ID: <CAP8yD=vdpdw3=_O5u_zPxVWiVTYj=CA+k-ZHNTyqkU+_KkH4CA@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: Paul Wouters <paul@nohats.ca>, "<tls@ietf.org>" <tls@ietf.org>, Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a30b1b0570194e10"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7GEWugMt6ImtuE9qfVzMsrRiTAA>
Subject: Re: [TLS] draft-ietf-tls-dnssec-chain-extensions security considerations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2018 14:41:24 -0000

I haven't chimed in on the mailing list on this draft, but I'm one of the
people who had discussions with browserfolk in hallways, in the corners of
interim meetings for HTTP2, and other such places, in order to see what it
would take to get a start on TLSA use by browsers.  Due to the floods of
traffic that occurred in this and other chains, I almost missed Joe's call
for answers to consensus questions, but I've responded inline.

Looking forward to discussion in Montreal.

On 26 June 2018 at 00:20, Joseph Salowey <joe@salowey.net>; wrote:

> Hi Folks,
>
> There has been some discussion with a small group of folks on github -
> https://github.com/tlswg/dnssec-chain-extension/pull/19.   I want to make
> sure there is consensus in the working group to take on the pinning work
> and see if there is consensus for modifications in the revision.  Please
> respond to the following questions on the list by July 10, 2018.
>
> 1.  Do you support the working group taking on future work on a pinning
> mechanism (based on the modifications or another approach)?
>
​I support future work if there is extensive engagement and involvement by
members of the browser community who have expressed concerns about pinning.


>
> 2.  Do you support the reserved bytes in the revision for a future pinning
> mechanism?
>
​Reserving the bytes without a mechanism is not a good idea, so no.  I
think the method for modifications or another approach is something to be
worked on in future too.


> 3.  Do you support the proof of denial of existence text in the revision?
>
​Yes, this text is good.​


>
> 4.  Do you support the new and improved security considerations?
>
​This text is a good addition - but there are a few things that might be
discussed.
Generally support them.


> Thanks,
>
> Joe
>
>
>
> On Tue, Jun 5, 2018 at 6:51 AM, Paul Wouters <paul@nohats.ca>; wrote:
>
>> On Mon, 4 Jun 2018, Benjamin Kaduk wrote:
>>
>> Hi Ben,
>>
>> I've taken a stab at putting together some security considerations text
>>> for
>>> draft-ietf-tls-dnssec-chain-extension that reflects my understanding of
>>> the
>>> current state of affairs.  It's in a pull request at
>>> https://github.com/tlswg/dnssec-chain-extension/pull/19 , along with
>>> Viktor's
>>> commit to update the text about the actual DNS records involved (which as
>>> far as I can tell seems to improve the technical accuracy of the text),
>>> and
>>> also inserting a variable-length array that's reserved for future
>>> attempts
>>> to mitigate the (now-)documented security considerations.
>>>
>>
>> Thanks for writing the proposed text. The new opaque Reserved field
>> along with the denial of existence changes you propose addresses all
>> my concerns.
>>
>> One corner case that might be worth mentioning with the proposed DoE text
>> is the odd corner case of hitting a server with a Host header for which
>> it is not configured. You will hit the "default vhost" but you have no
>> appropriate extension data to populate for that hostname. So either the
>> server will return the (cached) TLSA/DoA data of the 'wrong' hostname,
>> or it could just omit the extension. I'd mostly like to say something to
>> prevent an implementation of forgetting this corner case and causing
>> some vulnerability in their code later on by pointing to bogus memory or
>> crashing on dereferencing a NULL.
>>
>> Some nits:
>>
>>         If the server supports this extension it performs the appropriate
>> DNS queries,
>>
>> In my PR I had changed this into "obtains the appropriate DNS RRsets",
>> because I envision that TLS servers might not do DNS lookups themselves,
>> but just read this via a file or other method. Eg a cron job that
>> regenerates these hourly for all the hosted domains. It also reduces
>> some fear that all TLS servers suddenly could need to link against
>> a DNSSEC library. They don't if they can just reload a blob from disk
>> regularly to serve up.
>>
>> Similarly:
>>
>>         it will need to rebuild
>>
>> is better written as "it will need rebuilt data"
>>
>>
>>         "authenticates the chain"
>>
>> That should probably be "validate the chain", but the document has more
>> mixups of validate vs authenticate. In my PR request I had not corrected
>> them in an effort to keep the diff as small as possible.
>>
>> I had modified the examples slightly, so the NSEC example would show a
>> simpler NSEC chain (from www to zzz) instead of the one wrapping around
>> from www to the zone apex. The example quoted is the wrong NSEC record
>> (the one from apex to www.example.com does not show that the
>> _443._tcp.www.example.com does not exist, you need the one from
>> www..example.com <http://www.example.com> to the apex at the end of the
>> zone)
>>
>>
>> I'm not sure what you mean with:
>>
>>         validated negative TTL
>>
>> I guess you mean to say the shortest TTL of any data in the chain? But
>> sometimes the negative cache time is larger then the TTL (eg if TTL = 0)
>> Since this is just generic DNS handling, I would probably just write
>> something like "up to the appropriate lifetime" and leave it out of
>> this document.
>>
>>         denial of existence RRset
>>
>> Technically that should be "RRsets" since you usually will need more then
>> one RRset to prove this (to disprove existence of the wildcard record)
>>
>>         -      DNSSEC authentication chain extension from a server,
>> SHOULD use this
>>         +      DNSSEC authentication chain extension from a server, uses
>> this
>>
>> I'm not sure why the SHOULD was removed here? Since it is describing TLS
>> client behaviour the "uses this" confuses me as I dont know if that
>> means MAY, SHOULD or MUST.
>>
>>         + Specifically, the relevant DANE records are included
>>         + in the TLS handshake transcript hash, so both sides
>>         + possess identical records;
>>
>> I'm not sure why you suggest to add this text. A TLS client might still
>> have cached a valid TLSA records from a previous connection 1 second
>> ago and might decide to not use this information at all. Also, it seems
>> to suggest that the transscript hash protects this data, but it is
>> "protection" using the webpki or proof of lack of MITM, but the data
>> does not need this protecting as it is protected by DNSSEC signatures.
>>
>>         + the client remains responsible
>>         + for actually performing the domain name validation of
>>         + the DANE records.
>>
>> Well, if it just fired up a previous TLS connection, perhaps it will be
>> content with the same pubkey used and skip re-validating this data? I
>> guess we sort of say the same thing due to the lack of a MUST ?
>>
>>         + The Reserved field is reserved for future updates to this
>>         + document; in particular it is hoped that the issues discussed
>>         + in <xref target="increasing-trust" /> can be addressed.
>>         + Implementations of this specification MUST send a zero-length
>> vector
>>
>> Perhaps that last line can be clarified a bit:
>>
>>         Implementation not implementing any updates to this document
>>         MUST send a zero-length vector
>>
>> This sentence does not parse:
>>
>>         "whether or not to the exclusion"
>>
>> This text is a little confusing to me:
>>
>>         + certified by the DNS key hierarchy, that the
>>         + server does not support DANE authentication
>>
>> The TLS server itself might support "DANE authentication", but there is
>> simply no data.  Perhaps say that the server's configured hostname does
>> not support DANE authentication?
>>
>> Thanks again for the write up!
>>
>> Paul
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>