IETF Logo Mail Archive

[TLS] Secdir last call review of draft-ietf-tls-svcb-ech

tirumal reddy <kondtir@gmail.com> Tue, 10 December 2024 06:40 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3FBEC1CAE68; Mon, 9 Dec 2024 22:40:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kBSLsXZyvcNP; Mon, 9 Dec 2024 22:40:04 -0800 (PST)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F923C151079; Mon, 9 Dec 2024 22:40:01 -0800 (PST)
Received: by mail-ed1-x535.google.com with SMTP id 4fb4d7f45d1cf-5d3d143376dso4753484a12.3; Mon, 09 Dec 2024 22:40:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1733812799; x=1734417599; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=+/DagHQJec8v5RxeHeTzzVVCZWiGb6n2myJ1o28L14w=; b=ddGkhkrgoBiam0iQKOJv70CQuXhzoiUDYglQK7LeOUUTgin3bNu0xsEeaEnWyTRKbo VQzuSuySU4NGD1VVflk6zknWoOIjt5JDMFZntVa4Qtgqn3jt2x6Wl1dFhUSMhb6epUQb mu2Or92Wd5mRG/BCVz2DSc9So05vz5nW1DHJ4tIYG7wzfCqP8c9Yl2kPvS0YziYi0zwv gZhpbhhYZAYVNGWLBEHnV6pKZeVYHZEV9Ozt+xFdxMhu718Gv2oNl8ha4ZJpZqMWqaBn gJQGCig0KRjFxlJIob7V4gpP8b2vr/MLxh2M2xLtp9IAT1BlzsErC+pd4N3EtP7c+ETY Qx0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733812799; x=1734417599; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=+/DagHQJec8v5RxeHeTzzVVCZWiGb6n2myJ1o28L14w=; b=vN/M7tLHmNV2nv1bGglTruHLGQcKHM1Fm5cLLOqCfQhKIWM/nH74ZNnjVq1Qc+zO9b GIc9aEBNpSv+vdhn97O5Kon4eCHjGsq2mkmTphFuO6tu1kwuPiJFsCZIAElLDJuYiba6 yEmFn92O1vcchRa5kol+jdoHAwAMzwylyPw37c0gy7cR1p0BVq0/AgtDhJTFrOsTQOsd 2MDTgkb3Rt4Fj13QtOliWI9PXWphk1yqCi8wyMweQNphIeGYR6Vz0e88KiOf08Dgku27 HuTNR9H1CvpXlkPJer5U2VQFz9Y8Ix9hJjgCZB0VE4sLJ3WB6oUm/8Xi0ViJwzBVf04M RT9g==
X-Forwarded-Encrypted: i=1; AJvYcCUe0vqnfjQa0SnN2CVr0qK9iRONOnYIGtGiJXxCaG5E/nB0PCRzLwFXaxQ/R2yBo7PUB8svoxE6V3c=@ietf.org, AJvYcCVdoA1R9dLSm/5/fqOhJYkI+bF4jFZifW9NZSockA2sXKhGbrcy5n7rRLHM5/CKq7pOR2bn@ietf.org
X-Gm-Message-State: AOJu0YynwLjrt6dwkgvZufaWYbeXQYUrLElWFG6MfRZsXKFU1T27QTEi Azl6HUyVH4rV4+UliSKLjl3o5mefM9vHx+u05M2eh5WFdn4DU76GHpuqR9NbYQmrSrUrtZp2JlL qC07/ZAh75wzU5hVRf7gFGzFxzwS8hRxM23w=
X-Gm-Gg: ASbGncvLZqttv3x/vXX50OD2dtr45xAQef85BC6FEsyiNVMlyhrJlJMHhOQV5lvXL9j JbruUYouD0G9wojI2tHAG1DDg1FRxm1iLU7WN
X-Google-Smtp-Source: AGHT+IGtSD/4Oey5urqZjifPlUnGpuW6IffL/E+COIbq7LDix+vpymogMvpF15ljb7LCbZUshWl9rlGM7zC1y1nDQck=
X-Received: by 2002:a05:6402:278f:b0:5d0:cea1:931e with SMTP id 4fb4d7f45d1cf-5d418612f63mr3714628a12.23.1733812798998; Mon, 09 Dec 2024 22:39:58 -0800 (PST)
MIME-Version: 1.0
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 10 Dec 2024 12:09:22 +0530
Message-ID: <CAFpG3gcnihrZ_kuJ5+LYg7iy2YyyDAtCOaBRSPkKZRjPJ0Rq-g@mail.gmail.com>
To: draft-ietf-tls-svcb-ech.all@ietf.org, "<tls@ietf.org>" <tls@ietf.org>, Last Call <last-call@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fdd0f10628e4bff3"
Message-ID-Hash: COFS4GW7NIR2ZGFPMYAIN2GJXC47LG4Q
X-Message-ID-Hash: COFS4GW7NIR2ZGFPMYAIN2GJXC47LG4Q
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Secdir last call review of draft-ietf-tls-svcb-ech
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Zc-P-CVlVYHZPlaSWx27YgmpLs8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Reviewer: Tirumaleswar Reddy K
Review result: Ready with issues

I have reviewed this document as part of the SEC area directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security area
directors.
Document editors and WG chairs should treat these comments just like any
other
last-call comments.

1. A SVCB RRSet containing some RRs with "ech" and some without is
   vulnerable to a downgrade attack: a network intermediary can block
   connections to the endpoints that support ECH, causing the client to
   fall back to a non-ECH endpoint.  This configuration is NOT
   RECOMMENDED.

Comment> Please mention scenarios where such mixed behavior may be
acceptable. Highlighting the exceptions would be helpful.

2. ECH ensures that TLS does not disclose the SNI, but the same
   information is also present in the DNS queries used to resolve the
   server's hostname.  This specification does not conceal the server
   name from the DNS resolver.  If DNS messages are sent between the
   client and resolver without authenticated encryption, an attacker on
   this path can also learn the destination server name.  A similar
   attack applies if the client can be linked to a request from the
   resolver to a DNS authority.

Comment> While authenticated encryption provides protection against active
attackers, the privacy benefits are negated if the DNS resolver itself is
malicious. It may be useful to recommend using trusted DNS resolvers.

3. It will be helpful to provide recommendations to endpoint
implementations not to mislead end-users that "ECH" would provide the same
level of security fully anonymizing solutions like Tor,      "ECH" may not
provide any privacy because of the reasons discussed in 2nd paragraph of
Security Considerations Section.

4. The discussion on the anonymity set could benefit from examples or
references that illustrate how traffic analysis might narrow it.

5. The behaviour recommendation for middleboxes acting as a TLS proxy
should be discussed.

Cheers,
-Tiru

v2.31.3 | Report a Bug | By Email | System Status