Re: [TLS] [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)

Eric Rescorla <ekr@rtfm.com> Thu, 29 April 2021 18:24 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 29 Apr 2021 11:24:06 -0700
Message-ID: <CABcZeBMyf3pTXa2DfB3fPeEET+5AkLUzTzDNy+itmnxesdFGWw@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Martin Thomson <mt@lowentropy.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/k4WGWCXr5kuefeY2Bwi8k-1SbU4>

Probably not, but I agree with MT.

The general idea here is that any given protocol trace should only be
interpretable in one way. So, either you need the interior protocol to be
self-describing or you need to separate the domains with ALPN. I don't
believe that either the IP ACL or mTLS addresses this issue, and in fact
arguably mTLS makes the problem worse because it provides authenticated
protocol traces which might be usable for cross-protocol attacks.

-Ekr


On Thu, Apr 29, 2021 at 7:26 AM Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:

> >    No new protocol should use TLS without ALPN.  It only opens space for
> cross-protocol attacks.  Did the working group consider this possibility in
> their discussions?
>
> I don't believe that message has been made as public as it should be.
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>
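As an added illustration of the "one trace, one interpretation" rule discussed above (example code written for this archive page, not from the email, the dprive draft, or any TLS library): the snippet below encodes and parses the ALPN extension in its RFC 7301 wire format and applies a strict server-side policy to a ClientHello. The policy is an assumption of the example, not something the thread states: a ClientHello with no ALPN extension, a malformed one, or one that offers nothing the server speaks is rejected rather than falling back to guessing the application protocol from the connection. "dot" is the IANA-registered ALPN identifier for DNS over TLS (RFC 7858); the sample ClientHello extension blobs are constructed inline.

```python
"""Encode, decode and enforce the TLS ALPN extension (RFC 7301 wire format).

ProtocolNameList layout:
    uint16 list_length, then repeated (uint8 name_length, name bytes).
A server that insists on a negotiated ALPN value separates its protocol domain
(e.g. DNS over TLS / XoT) from any other TLS-based protocol that might be
steered at the same listener, so one trace cannot be read two ways.
"""
import struct


def encode_alpn(protocols):
    """Return the extension_data bytes of an ALPN extension (RFC 7301 3.1)."""
    names = []
    for name in protocols:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 255:  # ProtocolName is opaque <1..2^8-1>
            raise ValueError("ProtocolName must be 1..255 bytes")
        names.append(struct.pack("!B", len(raw)) + raw)
    body = b"".join(names)
    if not 2 <= len(body) <= 0xFFFF:  # ProtocolNameList is <2..2^16-1>
        raise ValueError("ProtocolNameList must be 2..65535 bytes")
    return struct.pack("!H", len(body)) + body


def decode_alpn(data):
    """Parse extension_data into protocol names; ValueError on any malformation."""
    if len(data) < 2:
        raise ValueError("truncated ProtocolNameList length")
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len < 2 or 2 + list_len != len(data):
        raise ValueError("ProtocolNameList length does not match extension_data")
    names = []
    pos, end = 2, 2 + list_len
    while pos < end:
        name_len = data[pos]
        pos += 1
        if name_len == 0 or pos + name_len > end:
            raise ValueError("bad ProtocolName length")
        names.append(data[pos:pos + name_len].decode("ascii"))
        pos += name_len
    return names


def select_alpn(client_offered, server_supported):
    """Pick the first entry of the server's preference list the client offered.

    Returns None when the client offered nothing or nothing overlaps; the
    caller treats None as "abort", never as "continue with a guessed protocol".
    """
    if not client_offered:
        return None
    offered = set(client_offered)
    for name in server_supported:
        if name in offered:
            return name
    return None


def handle_client_hello_alpn(extension_data, server_supported):
    """Strict policy (assumed by this example) for one ClientHello's ALPN.

    extension_data is the raw extension_data, or None when the ClientHello
    carried no ALPN extension. Returns ("accept", name) or ("abort", reason),
    where reason names the TLS alert the server would send.
    """
    if extension_data is None:
        return ("abort", "no_application_protocol")
    try:
        offered = decode_alpn(extension_data)
    except ValueError:
        return ("abort", "decode_error")
    chosen = select_alpn(offered, server_supported)
    if chosen is None:
        return ("abort", "no_application_protocol")
    return ("accept", chosen)


if __name__ == "__main__":
    XOT_SERVER_ALPN = ["dot"]  # the only protocol this listener is willing to speak
    samples = {  # constructed ClientHello ALPN extension_data values
        "XoT client": encode_alpn(["dot"]),
        "web client": encode_alpn(["h2", "http/1.1"]),
        "client without ALPN": None,
        "malformed (zero-length name)": b"\x00\x05\x00dot",
    }
    for label, ext in samples.items():
        print(f"{label:30s} -> {handle_client_hello_alpn(ext, XOT_SERVER_ALPN)}")
```

Note that neither an IP ACL nor client certificates enter into `handle_client_hello_alpn`: those controls decide who may connect, while the ALPN check decides which protocol the bytes on the connection mean, which is the separate property the message above is asking for.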