IETF Logo Mail Archive

Re: [TLS] Fwd: New Version Notification for draft-belyavskiy-fakesni-00.txt

David Fifield <david@bamsoftware.com> Tue, 26 March 2019 18:26 UTC

Return-Path: <david@bamsoftware.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5608120888; Tue, 26 Mar 2019 11:26:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.541
X-Spam-Level:
X-Spam-Status: No, score=-0.541 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RDNS_NONE=0.793, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bamsoftware.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1WZBDv9gQBZC; Tue, 26 Mar 2019 11:26:10 -0700 (PDT)
Received: from melchior.bamsoftware.com (unknown [IPv6:2600:3c00::f03c:91ff:fe96:a467]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4931120886; Tue, 26 Mar 2019 11:26:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bamsoftware.com; s=mail; h=In-Reply-To:Content-Transfer-Encoding: Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date: Sender:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=YTqadFvc8TfNNbVVLoRYAfLRSPG7FZG9bQPwZgNC23w=; b=uYXcsEqLtGaXkkXc1sdvj9e2co uxUOVBBvrU1BrI2Nb65wl8kiHXvnc9acIu3rDw1VaWPx6nQ9/LA+Eax7dlPyuXMjhK9iZ53sc+G5H nimWiby8wQHO4Z8m4T5rbXVWZwbmRUI7eXdjCxGhf2RI6SKF0M/sTphNg0P6V3jQbgLI=;
Date: Tue, 26 Mar 2019 12:25:56 -0600
From: David Fifield <david@bamsoftware.com>
To: Dmitry Belyavsky <beldmit@gmail.com>
Cc: TLS Mailing List <tls@ietf.org>, secdispatch@ietf.org
Message-ID: <20190326182556.ljxb5yaunzdmur5g@bamsoftware.com>
Mail-Followup-To: Dmitry Belyavsky <beldmit@gmail.com>, TLS Mailing List <tls@ietf.org>, secdispatch@ietf.org
References: <155060540091.20709.12797700493315209480.idtracker@ietfa.amsl.com> <CADqLbzLt3sJhisojiEDA93zOymBE0QjVxT2T+NAZjYSGm2Nzmg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADqLbzLt3sJhisojiEDA93zOymBE0QjVxT2T+NAZjYSGm2Nzmg@mail.gmail.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hXAvkwy81zEtUEY61VAlYFBTBHQ>
Subject: Re: [TLS] Fwd: New Version Notification for draft-belyavskiy-fakesni-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 18:26:12 -0000

On Tue, Feb 19, 2019 at 11:04:06PM +0300, Dmitry Belyavsky wrote:
> Please take a look at an initial submission of the draft.
> The draft describes a Fake SNI mechanism intended to cheat DPI systems in
> a case 
> when a DPI system blocks the connection if ESNI is present.
> 
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Tue, Feb 19, 2019 at 10:43 PM
> Subject: New Version Notification for draft-belyavskiy-fakesni-00.txt
> To: Dmitry Belyavskiy <beldmit@gmail.com>
> 
> Abstract:
>    The document provides a specification of the Fake Server Name
>    Indication.  Being implemented, the Fake SNI specification provides a
>    way to work around the monitoring solutions without providing any
>    additional information to external observers.

I initially viewed this proposal negatively, but after thinking about it
more during Dmitry's talk today (https://datatracker.ietf.org/meeting/104/materials/slides-104-tls-slides-ietf104-tls-fake-sni-00),
I think there are ways in which it can make sense.

The reason I initially viewed it negatively was that it seemed to be a
naive attempt at addressing the "proxy distribution" problem--where you
have to somehow share secret information with your genuine users but not
let it fall into the hands of an adversary, with the challenge that you
don't have a secure way to distinguish genuine users from an adversary.
The draft acknowledges the challenge but, I think, treats it too
lightly, as for me it is the core consideration: "DPI solutions are able
to obtain the DNS _fakesni records as legitimate clients do." It's the
same problem you would face if you were to establish mirror sites to
mitigate blocking: how do you inform your users of the mirror sites'
URLs without also informing the adversary you're protecting against?
Another way way to think about it is: you have a large set of secret
tokens, and you want it so that *anyone* can discover one token, but
*no one* can discover all the tokens.

There's a fair amount of research on secure proxy distribution, but they
all work by imposing limits on the adversary, by leveraging trust
relationships among genuine users, tying discovery to real-world
resources, or some other method. Here is a selection of research:
	https://censorbib.nymity.ch/#Nasr2019a
	https://censorbib.nymity.ch/#Douglas2016a
	https://censorbib.nymity.ch/#Wang2013a
	https://censorbib.nymity.ch/#McCoy2011a
The Fake SNI draft's DNS discovery doesn't impose any significant
limits, so if there is only one or a few fake SNIs, I think the idea
won't work against an adversary that can afford to do continuous
polling, even if the set of fake SNIs is rotated frequently.

But if you ensure that each fake SNI value is distributed once and only
once, then I think the idea has some merit. Then, it doesn't help an
adversary to do its own polling, because any SNIs it discovers will
never be used by a legitimate client. It doesn't help if it blocks SNI
values that clients have been seen to use, because those values will not
be used again.

This all assumes trustworthy DNS, so an adversary can't see the SNI
you're about to use before you use it. And it also assumes some level of
colocation, or else there is nothing to prevent an intermediary from
blocking the IP address regardless of SNI. (The same observations apply
to ESNI as well as Fake SNI.)

However, even with one-time-use fake SNI values, the design still has a
problem with replay. The generic attack is described at
https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-04#section-3.1.
The adversary observes a client using an SNI value, then makes its own
connection to the same server using the same SNI value. Now the
adversary knows what particular colocated service on the server the
client is accessing, and even if it cannot block the server entirely
(because of colocation), it can terminate that client's specific
connection. Perhaps the server can check for and reject reused fake SNI
values--but then it also needs to be the case that all (or at least
many) of the users of the server's colocated services use Fake SNI, not
just the ones who are trying to access the services the adversary would
like to block, or else you violate the "Do not stick out" criterion.

v2.23.0 | Report a Bug | By Email