From mellon@fugue.com Fri Mar 29 20:31:37 2024 Return-Path: X-Original-To: tls@ietfa.amsl.com Delivered-To: tls@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C939AC14F71B for ; Fri, 29 Mar 2024 20:31:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.895 X-Spam-Level: X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20230601.gappssmtp.com Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MZTSPPEQc3ND for ; Fri, 29 Mar 2024 20:31:34 -0700 (PDT) Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 165EAC14F5FB for ; Fri, 29 Mar 2024 20:31:33 -0700 (PDT) Received: by mail-qv1-xf2e.google.com with SMTP id 6a1803df08f44-696a7f533aeso13748876d6.1 for ; Fri, 29 Mar 2024 20:31:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20230601.gappssmtp.com; s=20230601; t=1711769492; x=1712374292; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hu8D1/xIAsPl+D78jVOOM8LtQ9uTEAGIdoB6yoqzFEE=; b=KJuo8XHCUrPxwJEJMAzXRvKLWRYzzV8Sm98obfr/hYiV7F1R/52Xl+m0tlwXVOJ0la MKeMFqpdZxIazeQemIOBe708WU4hMER7QHptA04oYoPkakFF733NWp7BcSbrcqi9CeC2 lZvDXIjLj9GqxdEI3zjhbLbX+PKjbx4Ep9DWFcX60u0t644xcCEXC2Lpp1tAz5mS1G+F xqf6jxvdNrhnXZWDCVNsrAOLlM4OHso2G/4eAyZF8NZ+mrPkV+973Ha6MkHNoXN9ta2O arrwKpL+PqUfD7IkAHF87QgBiH0CsvQ2wQBps0kbGj5CME16Ow6F7kqkSsJndTr3uZkG UT0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711769492; x=1712374292; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hu8D1/xIAsPl+D78jVOOM8LtQ9uTEAGIdoB6yoqzFEE=; b=mQ7GupB92fNbKJ3fmWpwwmIHUD3KAQwRheox6ipe1eoBECRtOkP63GJK4+nnGYc+X1 pd85HfUTAqJVmDWaALhXfguKR4QlA1Qoq4akQCRyiHof6XOFC2BBPrhRGgYiQjKYXtb8 mH02WJ6v/DHjHyjxqUHFugYawUodTVN+CmQs62AWO5PxNRaa1BkDpOxAyigrr2wN/7v9 qxiicW/YX6fYS7Y+WV+e5HFIhVq3XBinXra1fBQhSzQVI7D8rzvnq8drz/PycO2MkLv9 7RQoE6dLQWw4AoScvtnSAjF+z5ZYvYX/0jVOkcdwKSEqOlNckPmkUv6yVfXr6r+RKXWf yYmw== X-Forwarded-Encrypted: i=1; AJvYcCWT7UTmc8eGvSEhsN5JvtrVAVHG+P6LvjDpMRcUXfdUI6AClLlT5EIVG4uw3HnAsTQqmAdfgaprTYCMTuI= X-Gm-Message-State: AOJu0YzP6JfpEQTCUcULFmpiknTBPDftq4GTtfpA+y20stSvchx3plNN +UQHwShuwczE2FABHYJuQXSkzzqzOSSznjwTu6reuNh8R1qtNvG7wYPQH8aFStmndsO7o9wWW+a lOsptKnlhZHPT83X5VLO7y0WfvTC9fLqBAYsGdA== X-Google-Smtp-Source: AGHT+IE8hWJ0cMjmTEM2eIqc8TY3cG9XSV1n25cu+tMQefaiM41cPCMLtluCzdKt+WX7AUmjPjF2hh2tFUJlWLkD7+c= X-Received: by 2002:a0c:c484:0:b0:696:b196:c182 with SMTP id u4-20020a0cc484000000b00696b196c182mr3453553qvi.65.1711769492530; Fri, 29 Mar 2024 20:31:32 -0700 (PDT) MIME-Version: 1.0 References: <171174253501.29384.9373864670898234756@ietfa.amsl.com> In-Reply-To: From: Ted Lemon Date: Fri, 29 Mar 2024 23:31:21 -0400 Message-ID: To: Eric Rescorla Cc: Rob Sayre , dnsdir@ietf.org, draft-ietf-tls-svcb-ech.all@ietf.org, tls@ietf.org Content-Type: multipart/alternative; boundary="0000000000008a474e0614d86462" Archived-At: Subject: Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01 X-BeenThere: tls@ietf.org X-Mailman-Version: 2.1.39 Precedence: list List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Mar 2024 03:31:37 -0000 --0000000000008a474e0614d86462 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Yes, that fully addresses my concern. Thanks! Op vr 29 mrt 2024 om 22:54 schreef Eric Rescorla > > Hi Ted, > > Doesn't this section of RFC 9460 address this case and say what you are > recommending: > > https://www.rfc-editor.org/rfc/rfc9460.html#section-3.1 > > -Ekr > > > > On Fri, Mar 29, 2024 at 6:49=E2=80=AFPM Ted Lemon wrot= e: > >> Okay, I think I see the disconnect, maybe. The issue I'm pointing to is >> that you may or may not be doing DNSSEC validation. And you may or may n= ot >> be /able/ to do DNSSEC validation if the infrastructure breaks it >> accidentally or deliberately. >> >> The document says: "The SVCB-optional client behavior specified in >> (Section 3 of [SVCB]) permits clients to fall back to a direct connectio= n >> if all SVCB options fail. This behavior is not suitable for ECH, because >> fallback would negate the privacy benefits of ECH." >> >> So it's saying that the default handling of SVCB is incorrect and would >> fail open, and overriding that behavior. Given that this is the case, th= at >> implies that it matters whether the data has been validated, but nowhere= in >> the document, certainly not in Security Considerations, is any mention m= ade >> of this issue. So that's what I'm pointing out. >> >> It is absolutely not the case in practice that all stub resolvers do >> validation. You are making a security decision about trust based on data >> the trustworthiness of which you've not discussed, in a situation where = the >> implementor has meaningful choices to make with respect to validating th= at >> trustworthiness. So it's worth mentioning that if the policy is not to >> validate, this vulnerability exists. >> >> I'm a DNS guy, not a TLS guy, so I don't know the history of this >> work=E2=80=94I'm just making this observation about the document I was a= sked to >> review. The fact that (apparently) no DNSDIR review ever raised this iss= ue >> about the other documents you mentioned is of no interest to me=E2=80=94= I'm not >> reviewing those documents.Whether you take this advice is between you an= d >> the IESG. I'm not even claiming to be right=E2=80=94just pointing out th= e issue I >> see. >> >> On Fri, Mar 29, 2024 at 7:21=E2=80=AFPM Rob Sayre wro= te: >> >>> I don't think it relates to DNSSEC. You can fail at DNS (DNSSEC failure= ) >>> or you can fail during ECH (unless you want to use non-ECH, which is no= t >>> ECH, and not part of this draft). >>> >>> It makes sense to me: one can reject a request unless the requirements >>> embedded in the SVCB are met (the server chooses those, which can inclu= de >>> many aspects of the request). I don't understand why one would insert >>> DNSSEC here. That seems to be the whole point--it works without it. >>> >>> thanks, >>> Rob >>> >>> >>> On Fri, Mar 29, 2024 at 3:57=E2=80=AFPM Ted Lemon wr= ote: >>> >>>> I'm not telling you that you have to require DNSSEC. I'm saying the >>>> document is incomplete if you don't talk about how it relates to DNSSE= C. I >>>> think EKR got the point, so maybe go with his approach? >>>> >>>> On Fri, Mar 29, 2024 at 6:27=E2=80=AFPM Rob Sayre w= rote: >>>> >>>>> It's a policy choice, though, right? I think ekr hinted at this issue >>>>> as well. >>>>> >>>>> It's that one might also view requests that reveal the SNI as >>>>> insecure. If that's the case, DNSSEC doesn't help. There will certain= ly be >>>>> a transition period where that will be impractical for many servers. = I >>>>> think these are separate problems, though. >>>>> >>>>> thanks, >>>>> Rob >>>>> >>>>> >>>>> On Fri, Mar 29, 2024 at 3:10=E2=80=AFPM Ted Lemon = wrote: >>>>> >>>>>> It looks like if you can't get the SCVB you're going to fail >>>>>> insecure, so being able to use DNSSEC to prevent that for signed dom= ains >>>>>> seems worthwhile. >>>>>> >>>>>> On Fri, Mar 29, 2024 at 4:41=E2=80=AFPM Rob Sayre = wrote: >>>>>> >>>>>>> On Fri, Mar 29, 2024 at 1:02=E2=80=AFPM Ted Lemon via Datatracker < >>>>>>> noreply@ietf.org> wrote: >>>>>>> >>>>>>>> >>>>>>>> I don't think it's reasonable to specify the privacy properties of >>>>>>>> SVCB and >>>>>>>> /not/ talk about DNSSEC validation. >>>>>>>> >>>>>>> >>>>>>> Could you explain more about this part? I think DNSSEC doesn't add >>>>>>> much here, unless you want to accept non-ECH traffic. For example, = many of >>>>>>> the test servers will bounce you to some other site if you don't se= nd ECH >>>>>>> or screw it up in some way (speaking as someone who has screwed it = up many >>>>>>> times...). >>>>>>> >>>>>>> I think there might be a DoS attack here, where someone messes with >>>>>>> the response, but they can also turn off the DNSSEC bit unless it's >>>>>>> DoT/DoH/DoQ etc. So, if using those, it's just the trustworthiness = of the >>>>>>> DNS server itself, right? Sorry if I'm missing something. >>>>>>> >>>>>>> thanks, >>>>>>> Rob >>>>>>> >>>>>>> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > --0000000000008a474e0614d86462 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Yes, that fully addresses my concern. Thanks!
<= br>
Op vr 2= 9 mrt 2024 om 22:54 schreef Eric Rescorla <ekr@rtfm.com>

Hi Ted,

Does= n't this section of RFC 9460 address this case and say what you are rec= ommending:


-Ekr


On Fri, Mar 29, 2024 at 6:49=E2=80=AFPM Ted Lemon <mellon@fugue.com> wrote:
Okay, I think I see the disconnect, maybe. The issu= e I'm pointing to is that you may or may not be doing DNSSEC validation= . And you may or may not be /able/ to do DNSSEC validation if the infrastru= cture breaks it accidentally or deliberately.

The docume= nt says: "The SVCB-optional client behavior specified in (Section 3 of= [SVCB]) permits clients to fall back to a direct connection if all SVCB op= tions fail. This behavior is not suitable for ECH, because fallback would n= egate the privacy benefits of ECH."

So it'= ;s saying that the default handling of SVCB is incorrect and would fail ope= n, and overriding that behavior. Given that this is the case, that implies = that it matters whether the data has been validated, but nowhere in the doc= ument, certainly not in Security Considerations, is any mention made of thi= s issue. So that's what I'm pointing out.

= It is absolutely not the case in practice that all stub resolvers do valida= tion. You are making a security decision about trust based on data the trus= tworthiness of which you've not discussed, in a situation where the imp= lementor has meaningful choices to make with respect to validating that tru= stworthiness. So it's worth mentioning that if the policy is not to val= idate, this vulnerability exists.=C2=A0

I'm a = DNS guy, not a TLS guy, so I don't know the history of this work=E2=80= =94I'm just making this observation about the document I was asked to r= eview. The fact that (apparently) no DNSDIR review ever raised this issue a= bout the other documents you mentioned is of no interest to me=E2=80=94I= 9;m not reviewing those documents.Whether you take this advice is between y= ou and the IESG. I'm not even claiming to be right=E2=80=94just pointin= g out the issue I see.=C2=A0

On Fri, Mar 29, 2024 at 7:21=E2=80=AFPM R= ob Sayre <sayrer@g= mail.com> wrote:
I don't think it relates to D= NSSEC. You can fail at DNS (DNSSEC failure) or you can fail during ECH (unl= ess you want to use non-ECH, which is not ECH, and not part of this draft).=

It makes sense to me: one= can reject a request unless the requirements embedded in the SVCB are met = (the server chooses those, which can include many aspects of the request). = I don't understand why one would insert DNSSEC here. That seems to be t= he whole point--it works without it.

t= hanks,
Rob


On Fri, Mar 29, 2024 at 3:57= =E2=80=AFPM Ted Lemon <mellon@fugue.com> wrote:
I'm not telling you that you have= to require DNSSEC. I'm saying the document is incomplete if you don= 9;t talk about how it relates to DNSSEC. I think EKR got the point, so mayb= e go with his approach?

On Fri, Mar 29, 2024 at 6:27=E2=80=AFPM Rob Sayre &l= t;sayrer@gmail.com> wrote:
It's a policy choice, though, right? I think ekr hinted a= t this issue as well.

It's that one might also view = requests that reveal the SNI as insecure. If that's the case, DNSSEC do= esn't help. There will certainly be a transition period where that will= be impractical for many servers. I think these are separate problems, thou= gh.

thanks,
Rob


On F= ri, Mar 29, 2024 at 3:10=E2=80=AFPM Ted Lemon <mellon@fugue.com> wrote:
It looks like= if you can't get the SCVB you're going to fail insecure, so being = able to use DNSSEC to prevent that for signed domains seems worthwhile.
On F= ri, Mar 29, 2024 at 4:41=E2=80=AFPM Rob Sayre <sayrer@gmail.com> wrote:
On Fri, Mar 29, 2024 at 1:02=E2=80=AFPM Ted Lemon via Datatracker <<= a href=3D"mailto:noreply@ietf.org" target=3D"_blank">noreply@ietf.org&g= t; wrote:

I don't think it's reasonable to specify the privacy properties of = SVCB and
/not/ talk about DNSSEC validation.

Cou= ld you explain more about this part? I think DNSSEC doesn't add much he= re, unless you want to accept non-ECH traffic. For example, many of the tes= t servers will bounce you to some other site if you don't send ECH or s= crew it up in some way (speaking as someone who has screwed it up many time= s...).

I think there might be a DoS attack here, w= here someone messes with the response, but they can also turn off the DNSSE= C bit unless it's DoT/DoH/DoQ etc. So, if using those, it's just th= e trustworthiness of the DNS server itself, right? Sorry if I'm missing= =C2=A0something.

thanks,
Rob
<= br>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
--0000000000008a474e0614d86462--