Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 09 October 2018 19:18 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BF3512F1A2 for <tls@ietfa.amsl.com>; Tue, 9 Oct 2018 12:18:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Gvidtz5Rrvo for <tls@ietfa.amsl.com>; Tue, 9 Oct 2018 12:18:40 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB5EC12D7F8 for <tls@ietf.org>; Tue, 9 Oct 2018 12:18:39 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 4D066307228; Tue, 9 Oct 2018 15:18:38 -0400 (EDT)
Date: Tue, 09 Oct 2018 15:18:38 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20181009191837.GC3594@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <CAO8oSXnv5Gpdw-0c9jXtx1rQqpgwmfrZyiFgHF=Kd5qWZSMPCA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAO8oSXnv5Gpdw-0c9jXtx1rQqpgwmfrZyiFgHF=Kd5qWZSMPCA@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OWxALokRtxNcaFdPyNiHTOt_wjQ>
Subject: Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Oct 2018 19:18:42 -0000
> On Oct 8, 2018, at 8:09 PM, Christopher Wood <christopherwood07@gmail.com> wrote: > > 1. What is the fundamental security issue? What is the purpose of this > extension? > 2. Under what circumstances should DNS records received in the > extension be cached and reused for future use? > 3. Is pinning required? If so, what is pinned, and at what layer(s) > should it be implemented? 1. Some applications that would take advantage of DANE cannot do so because they can't use DNSSEC directly. Either because of last-mile problems or perhaps out of latency considerations (though often the lookups can be made in parallel). 2. The stated purpose of the draft, per its introduction, is to enable such applications to obtain the requisite DNSSEC records in-band from the TLS server, thereby avoid both problems in (1). As noted by Richard Barnes, this even also resolves potential UKS attacks in some protocols, that inherent in DANE without certificate name checks, as with raw public keys, or the advice of RFC7671 Section 5.1 https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension-07#section-2 <quote> This draft describes a new TLS [RFC5246] [TLS13] extension for transport of a DNS record set serialized with the DNSSEC signatures [RFC4034] needed to authenticate that record set. The intent of this proposal is to allow TLS clients to perform DANE Authentication [RFC6698] [RFC7671] of a TLS server without performing additional DNS record lookups and incurring the associated latency penalty. It also provides the ability to avoid potential problems with TLS clients being unable to look up DANE records because of an interfering or broken middlebox on the path between the client and a DNS server [HAMPERING]. And lastly, it allows a TLS client to validate the server's DANE (TLSA) records itself without needing access to a validating DNS resolver to which it has a secure connection. This mechanism is useful for TLS applications that need to address the problems described above, typically web browsers or SIP/VoIP [RFC3261] and XMPP [RFC7590]. [...] </quote> 3. The draft's intended scope is not and should not limited to *just* "green field" applications such as DPRIVE, where use of the extension might be always mandatory, or otherwise based on static local policy for designated peers. 4. Without static client policy, existing applications (e.g. web browsers), can't know a-prior which servers are expected to support the extension and which are not. 5. Absent such knowledge, they're vulnerable to stripping of the extension on first contact, by an attacker able to provide valid WebPKI credentials (unchanged status quo ante for majority of servers). 6. Let's Encrypt certificates are both cost and hassle free. For a an existing application service (not "green field") there's no substantive disincentive to having a WebPKI certificate that ensures interoperability with a majority clients that will at least initially, and perhaps indefinitely, support only WebPKI. 7. If the WebPKI were sufficiently secure to preclude any concerns about (5), then there'd be no need to bother with DANE. Nobody would ever use a BGP MiTM attack to demonstrate domain control (run a server on port 80, respond to an intercepted email to "admin@", forge unsigned DNS replies, ...). 8. If on the other hand, back in the real world, one has legitimate concerns about the security of DV certificate issuance (knowing that compromise of the DNS registrar account used to manage DNSSEC records also necessarily compromises ACME), then one might actually want one's DANE TLSA records to securely restrict the acceptable certificate chains to match the these records in a manner that is not trivially downgraded to the ability to obtain a WebPKI certificate. 9. Not only is the extension subject to stripping by an adversary that subverts DV certificate issuance, thereby eliminating all of its benefits when not enforced by client policy (a-priori static pinning), it still carries costs in the form of needing to keep any TLSA records correct or else risk failure when clients that support the extension see non-matching certificates. The above is discussed in Ben Kaduk's proposed additions to the security considerations back on Jun 1. a. There are other gaps in the document. i. Failure to explain that when the server caches DNS data for multiple responses, it must decrement TTLs when transmitting "aged" data to clients. ii. Failure to adequately explain interactions with virtual hosting iii. Failure to mandate SNI, or to convey the server port in the client extension to deal with DNAT. iv. Pointless ordering constraints on the DNS RRsets, that don't work well when CNAME and DNAME records are involved. So before we discuss remedies, I'd like to hear whether there's substantive disagreement with the above statement of the problem. A discussion of remedies if we don't yet agree on the problem at hand would likely lead to much miscommunication. -- Viktor.
- [TLS] Interim notes and draft-ietf-tls-dnssec-cha… Christopher Wood
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Tom Ritter
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Daniel Kahn Gillmor
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… John Levine
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Benjamin Kaduk
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Benjamin Kaduk
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Sean Turner
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Benjamin Kaduk