Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
Erik Nygren <erik+ietf@nygren.org> Sat, 30 March 2024 17:47 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC1E5C14F5ED; Sat, 30 Mar 2024 10:47:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.644
X-Spam-Level:
X-Spam-Status: No, score=-1.644 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLWVf--xI-KI; Sat, 30 Mar 2024 10:47:20 -0700 (PDT)
Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 120D8C14F5E6; Sat, 30 Mar 2024 10:47:20 -0700 (PDT)
Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-41544aef01aso18025525e9.1; Sat, 30 Mar 2024 10:47:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711820838; x=1712425638; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=mmY/i9hon0PgzpKqQ6np6eMJ+KLs1PQnquQt6UNNKFk=; b=UO9oakyIwgMksTGys3n3yJLZk8qI5rm4XQoJrOFToxq+J2RB6bCYFAI+XJRHPG/aF7 zs0U7ZYHHOmo4N6/X7dmx3wfjrIXr6Ks8SkZvL4D7No1SjQ1NVeC3FzIMjQGc9QNgtHt aGG1gxvbCBUn7VIOTRteSoFvZiWG/8QcFyhhzyJBD3JAf9T5c4IdV1vSqcoYO5Vj8MWM kYmOfO7WlOJj9EhO7D0+SKj//sbAvN2VU4pGIItWAUQBA5/J3DO7/Sg0XH3FSTpvSc9u 0QgQFnUeEZwOXCRxblipnHnTHwmJt9/kqjSApOeQrMJOFlUUuKydCjD1ltB3hddhVknZ +cAg==
X-Forwarded-Encrypted: i=1; AJvYcCXtJtXlNQaugRgLTyotAs4cy2X5CAYyJJBTEIpq8nsWcyazhfq0H99BxcxUWO6qKa7LmT2rUrxB+LnRl8nzVACiq/eW9ozHUxTAVcSFDTJ5bKPbP74IWgpCoW/uPcKPf76Vsi8FjUG6OZoypl48aQhveAiH
X-Gm-Message-State: AOJu0YzvxuZSSiCFJzPlkDuzVNPiZpHv0CkhZ4KICZqYEs5290Tbvg0x yRbYJ9ZRYrbm+AN2y2tbRs5GKtxvIj9jlrFUnKzROyC7+FM7t+p8+npr0HSccwHncOsruLKlTg4 itNtesYsXBku6kFZ7jbJzQhvGuZk=
X-Google-Smtp-Source: AGHT+IEeweQnxHsEY/477Ajz4krIBEYan0aDSy9uJHtf7i7+eXmegZjFBMY4Br6mo3HZdfmkVdIJ8mXBvFA7qcphMPI=
X-Received: by 2002:adf:f9d0:0:b0:341:90ec:c317 with SMTP id w16-20020adff9d0000000b0034190ecc317mr3197016wrr.63.1711820838099; Sat, 30 Mar 2024 10:47:18 -0700 (PDT)
MIME-Version: 1.0
References: <171174253501.29384.9373864670898234756@ietfa.amsl.com> <CAChr6SwCKV4P_xab_3dKSwKDfPdxjz3WinQaWebMcXh8-_xy0g@mail.gmail.com> <CAPt1N1knx=+K627L6rsf4nGuiwpSXjWoMB4QcMfwhJdaGKypUw@mail.gmail.com> <CAChr6SxKA7YidnYWW=6DOWeQo+_CKNaWNOQL9JQnJUB3thgBhw@mail.gmail.com> <CAPt1N1=snvSeQ74xs=HNVyszxjTD1SPMxw3+BVh-5-HBnOcZag@mail.gmail.com> <CAChr6Sx0WX-X3dWjkwMJAa4Rz3BhnUdYMFwWgLkorm6d-16g1w@mail.gmail.com> <CAPt1N1=LzjPMfADvdTdt_kCZ3XTznKs4p4_FYAH_RDb6WVcv7w@mail.gmail.com> <CABcZeBMVbi2_0yaTTe+-U2cBWqscXAdhcrwPufKNg0a-8U292A@mail.gmail.com> <CAPt1N1kEVk6MEHqnXAPenRp057eTDhptxsstcxyEkXqWBdyHQA@mail.gmail.com> <CAKC-DJiEWYDmz3EdPq2hjpR6kGPAnRPTA9H1HAwo4BR-1XG=mQ@mail.gmail.com> <CAPt1N1kNCr+khExy8ajksPakgsQtnPWC4ckmwB9kZDhQk4Cywg@mail.gmail.com> <CAChr6SwMVuCT7trjZVdG-zhGX21vMK9iu_th+Pc7_94s9hZ8bg@mail.gmail.com>
In-Reply-To: <CAChr6SwMVuCT7trjZVdG-zhGX21vMK9iu_th+Pc7_94s9hZ8bg@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Sat, 30 Mar 2024 13:47:06 -0400
Message-ID: <CAKC-DJi2NqpRfxb3cHbvdK+cSLBkSP7XkH4oqEQ3CxkSvRq8Kg@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: Ted Lemon <mellon@fugue.com>, Eric Rescorla <ekr@rtfm.com>, dnsdir@ietf.org, draft-ietf-tls-svcb-ech.all@ietf.org, tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f964c70614e45843"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7z_nWSNXgA_zLTXK6XmYCGXYEP4>
Subject: Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 17:47:24 -0000
I pulled some text directly over from the 9460 security considerations with
some minor tweaks:
https://github.com/tlswg/draft-ietf-tls-svcb-ech/pull/1/files
An attacker who can prevent SVCB resolution can deny clients any associated
security benefits. A hostile recursive resolver can always deny service to
SVCB queries, but network intermediaries can often prevent resolution as
well, even when the client and recursive resolver validate DNSSEC and use a
secure transport. These downgrade attacks can prevent a client from being
aware that "ech" is configured which would result in the client sending the
ClientHello in cleartext. To prevent downgrades, {{Section 3.1 of !SVCB}}
recommends that clients abandon the connection attempt when such an attack
is detected.
On Sat, Mar 30, 2024 at 1:43 PM Rob Sayre <sayrer@gmail.com> wrote:
> Yeah, that sounds fine. I think 9460 is pretty good in that it covers
> both DNSSEC and encrypted transports for DNS.
>
> thanks,
> Rob
>
>
> On Sat, Mar 30, 2024 at 10:27 AM Ted Lemon <mellon@fugue.com> wrote:
>
>> I think that would make sense, yes.
>>
>> On Sat, Mar 30, 2024 at 10:58 AM Erik Nygren <erik+ietf@nygren.org>
>> wrote:
>>
>>> Do we want a few sentences in Security Considerations that references
>>> https://www.rfc-editor.org/rfc/rfc9460.html#section-3.1 to call this
>>> out?
>>>
>>> This seems like something that became less clear when we split these two
>>> docs apart.
>>> Most of draft-ietf-tls-svcb-ech used to be a section of what is now
>>> rfc9460 but got split out
>>> due to publication timelines. It may be that some non-normative
>>> references back to rfc9460
>>> might help readers not miss things like this which might have been more
>>> clear when they
>>> were a single document.
>>>
>>> Erik
>>>
>>>
>>>
>>>
>>> On Fri, Mar 29, 2024 at 11:31 PM Ted Lemon <mellon@fugue.com> wrote:
>>>
>>>> Yes, that fully addresses my concern. Thanks!
>>>>
>>>> Op vr 29 mrt 2024 om 22:54 schreef Eric Rescorla <ekr@rtfm.com>
>>>>
>>>>>
>>>>> Hi Ted,
>>>>>
>>>>> Doesn't this section of RFC 9460 address this case and say what you
>>>>> are recommending:
>>>>>
>>>>> https://www.rfc-editor.org/rfc/rfc9460.html#section-3.1
>>>>>
>>>>> -Ekr
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Mar 29, 2024 at 6:49 PM Ted Lemon <mellon@fugue.com> wrote:
>>>>>
>>>>>> Okay, I think I see the disconnect, maybe. The issue I'm pointing to
>>>>>> is that you may or may not be doing DNSSEC validation. And you may or may
>>>>>> not be /able/ to do DNSSEC validation if the infrastructure breaks it
>>>>>> accidentally or deliberately.
>>>>>>
>>>>>> The document says: "The SVCB-optional client behavior specified in
>>>>>> (Section 3 of [SVCB]) permits clients to fall back to a direct connection
>>>>>> if all SVCB options fail. This behavior is not suitable for ECH, because
>>>>>> fallback would negate the privacy benefits of ECH."
>>>>>>
>>>>>> So it's saying that the default handling of SVCB is incorrect and
>>>>>> would fail open, and overriding that behavior. Given that this is the case,
>>>>>> that implies that it matters whether the data has been validated, but
>>>>>> nowhere in the document, certainly not in Security Considerations, is any
>>>>>> mention made of this issue. So that's what I'm pointing out.
>>>>>>
>>>>>> It is absolutely not the case in practice that all stub resolvers do
>>>>>> validation. You are making a security decision about trust based on data
>>>>>> the trustworthiness of which you've not discussed, in a situation where the
>>>>>> implementor has meaningful choices to make with respect to validating that
>>>>>> trustworthiness. So it's worth mentioning that if the policy is not to
>>>>>> validate, this vulnerability exists.
>>>>>>
>>>>>> I'm a DNS guy, not a TLS guy, so I don't know the history of this
>>>>>> work—I'm just making this observation about the document I was asked to
>>>>>> review. The fact that (apparently) no DNSDIR review ever raised this issue
>>>>>> about the other documents you mentioned is of no interest to me—I'm not
>>>>>> reviewing those documents.Whether you take this advice is between you and
>>>>>> the IESG. I'm not even claiming to be right—just pointing out the issue I
>>>>>> see.
>>>>>>
>>>>>> On Fri, Mar 29, 2024 at 7:21 PM Rob Sayre <sayrer@gmail.com> wrote:
>>>>>>
>>>>>>> I don't think it relates to DNSSEC. You can fail at DNS (DNSSEC
>>>>>>> failure) or you can fail during ECH (unless you want to use non-ECH, which
>>>>>>> is not ECH, and not part of this draft).
>>>>>>>
>>>>>>> It makes sense to me: one can reject a request unless the
>>>>>>> requirements embedded in the SVCB are met (the server chooses those, which
>>>>>>> can include many aspects of the request). I don't understand why one would
>>>>>>> insert DNSSEC here. That seems to be the whole point--it works without it.
>>>>>>>
>>>>>>> thanks,
>>>>>>> Rob
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Mar 29, 2024 at 3:57 PM Ted Lemon <mellon@fugue.com> wrote:
>>>>>>>
>>>>>>>> I'm not telling you that you have to require DNSSEC. I'm saying the
>>>>>>>> document is incomplete if you don't talk about how it relates to DNSSEC. I
>>>>>>>> think EKR got the point, so maybe go with his approach?
>>>>>>>>
>>>>>>>> On Fri, Mar 29, 2024 at 6:27 PM Rob Sayre <sayrer@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> It's a policy choice, though, right? I think ekr hinted at this
>>>>>>>>> issue as well.
>>>>>>>>>
>>>>>>>>> It's that one might also view requests that reveal the SNI as
>>>>>>>>> insecure. If that's the case, DNSSEC doesn't help. There will certainly be
>>>>>>>>> a transition period where that will be impractical for many servers. I
>>>>>>>>> think these are separate problems, though.
>>>>>>>>>
>>>>>>>>> thanks,
>>>>>>>>> Rob
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Mar 29, 2024 at 3:10 PM Ted Lemon <mellon@fugue.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> It looks like if you can't get the SCVB you're going to fail
>>>>>>>>>> insecure, so being able to use DNSSEC to prevent that for signed domains
>>>>>>>>>> seems worthwhile.
>>>>>>>>>>
>>>>>>>>>> On Fri, Mar 29, 2024 at 4:41 PM Rob Sayre <sayrer@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> On Fri, Mar 29, 2024 at 1:02 PM Ted Lemon via Datatracker <
>>>>>>>>>>> noreply@ietf.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I don't think it's reasonable to specify the privacy properties
>>>>>>>>>>>> of SVCB and
>>>>>>>>>>>> /not/ talk about DNSSEC validation.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Could you explain more about this part? I think DNSSEC doesn't
>>>>>>>>>>> add much here, unless you want to accept non-ECH traffic. For example, many
>>>>>>>>>>> of the test servers will bounce you to some other site if you don't send
>>>>>>>>>>> ECH or screw it up in some way (speaking as someone who has screwed it up
>>>>>>>>>>> many times...).
>>>>>>>>>>>
>>>>>>>>>>> I think there might be a DoS attack here, where someone messes
>>>>>>>>>>> with the response, but they can also turn off the DNSSEC bit unless it's
>>>>>>>>>>> DoT/DoH/DoQ etc. So, if using those, it's just the trustworthiness of the
>>>>>>>>>>> DNS server itself, right? Sorry if I'm missing something.
>>>>>>>>>>>
>>>>>>>>>>> thanks,
>>>>>>>>>>> Rob
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>> TLS mailing list
>>>>>> TLS@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>>>
>>>>>
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- [TLS] Dnsdir early review of draft-ietf-tls-svcb-… Ted Lemon via Datatracker
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Erik Nygren
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Erik Nygren
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] [dnsdir] Dnsdir early review of draft-i… Tim Wicinski
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Sean Turner