IETF Logo Mail Archive

Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01

Ted Lemon <mellon@fugue.com> Sat, 30 March 2024 17:28 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C0E3C14F696 for <tls@ietfa.amsl.com>; Sat, 30 Mar 2024 10:28:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AV7h0NsSiBOv for <tls@ietfa.amsl.com>; Sat, 30 Mar 2024 10:27:58 -0700 (PDT)
Received: from mail-qv1-xf29.google.com (mail-qv1-xf29.google.com [IPv6:2607:f8b0:4864:20::f29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61AB1C14F61E for <tls@ietf.org>; Sat, 30 Mar 2024 10:27:58 -0700 (PDT)
Received: by mail-qv1-xf29.google.com with SMTP id 6a1803df08f44-69699fecccdso16838466d6.1 for <tls@ietf.org>; Sat, 30 Mar 2024 10:27:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20230601.gappssmtp.com; s=20230601; t=1711819677; x=1712424477; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=O6SSZZaWZbAS34RDmabGYyRm0+E6I9ZKmCJClJUUi2s=; b=f5XZcQmDyoCl2BUvRzEPrIjcuSZR7+OlF+4YgXbF8799ViWmApYhtY55BlktoID/gH numnKFr2UsxPwlXxUM40eOGUkfAftaD4v7xtiZT0clcQki6d68LcxE5AAFy66aMT8KWo HB57ItFDf0sZIIJK2W5xI30Y/bAGXM4JAqz4xLNEhICSoL9Rsh70cijJi9/WZMtosN+q Wz/Jxd8rWntN/tZr2VD0YLjgp6xcYK3dbL7QOfkwSEKBPRC5YxbW/t36UvhtKNolQmUn Kh7AIjw8NYdAx2W4+rIu4htIDUUGAD1nmAm5ZpbpG6h0cVTKgm04IV+6YkEAuOJlyOO6 oPOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711819677; x=1712424477; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=O6SSZZaWZbAS34RDmabGYyRm0+E6I9ZKmCJClJUUi2s=; b=k9RPey5okhISqJhVbZ/bLChIwo9trm4/NL8RukBsbfJY0OKXG7qW8gfhCrrGQ1f+Pw NWwfhERba4MaMERlOrf4XahnMGo5ZdQ4WzLzYyZ/vlJwpxcrUzA5yoU/6wlAKS7maO6X /HTmotrNXlkj8mQPyAWGcliFqtKX2QYNr7Zpxl/XkrLuP7CYUUI5nFA2w4T2e2DxKE5U nxVjSbnMyCfmm12V1vxibOnBB1mZ9hH6le9ivyo4TAcGMyYFyZFEo0pM24Tu/wPqqglU QtTtl5oTHroHEakAnYXpgFBqWVIpBjdhK4lU3c2sG9RT5/ozH1thvHaA4KK2BBET9chP ZveA==
X-Forwarded-Encrypted: i=1; AJvYcCVmMwha4UIfH+RNX4J1z4sxsnVGRnAKh976ntbkRJUojmIqEzAeFDQ/hX5Zcj8ocNR5+qm+Ku9SCy3A2p8=
X-Gm-Message-State: AOJu0YywUe300QoxEmNLvEDJ5zScrd6jpx6Xw2mMwBQKM5KZKthnHFs5 G7dCbh0Z0+GnDPWweEynRapsLbdhkBcYTiv8go4BVj9hQ/b5mTHLxq4Rzar0Er+GB4+bPsvcL6n vej5o1Le9H3g+0kxiwqk4GleTiB9pITozL0sJ3Q==
X-Google-Smtp-Source: AGHT+IHOw2vK3CKlTFLD5a4NA8TLMfVQK5ojs3tRFifJf/q2CcHgiraDU1osh/fR56Km1JyZ+zzj4j3I/njnS1zqgTk=
X-Received: by 2002:ad4:444a:0:b0:696:8f3a:ecaa with SMTP id l10-20020ad4444a000000b006968f3aecaamr5012147qvt.53.1711819676847; Sat, 30 Mar 2024 10:27:56 -0700 (PDT)
MIME-Version: 1.0
References: <171174253501.29384.9373864670898234756@ietfa.amsl.com> <CAChr6SwCKV4P_xab_3dKSwKDfPdxjz3WinQaWebMcXh8-_xy0g@mail.gmail.com> <CAPt1N1knx=+K627L6rsf4nGuiwpSXjWoMB4QcMfwhJdaGKypUw@mail.gmail.com> <CAChr6SxKA7YidnYWW=6DOWeQo+_CKNaWNOQL9JQnJUB3thgBhw@mail.gmail.com> <CAPt1N1=snvSeQ74xs=HNVyszxjTD1SPMxw3+BVh-5-HBnOcZag@mail.gmail.com> <CAChr6Sx0WX-X3dWjkwMJAa4Rz3BhnUdYMFwWgLkorm6d-16g1w@mail.gmail.com> <CAPt1N1=LzjPMfADvdTdt_kCZ3XTznKs4p4_FYAH_RDb6WVcv7w@mail.gmail.com> <CABcZeBMVbi2_0yaTTe+-U2cBWqscXAdhcrwPufKNg0a-8U292A@mail.gmail.com> <CAPt1N1kEVk6MEHqnXAPenRp057eTDhptxsstcxyEkXqWBdyHQA@mail.gmail.com> <CAKC-DJiEWYDmz3EdPq2hjpR6kGPAnRPTA9H1HAwo4BR-1XG=mQ@mail.gmail.com>
In-Reply-To: <CAKC-DJiEWYDmz3EdPq2hjpR6kGPAnRPTA9H1HAwo4BR-1XG=mQ@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Sat, 30 Mar 2024 13:27:20 -0400
Message-ID: <CAPt1N1kNCr+khExy8ajksPakgsQtnPWC4ckmwB9kZDhQk4Cywg@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Cc: Eric Rescorla <ekr@rtfm.com>, Rob Sayre <sayrer@gmail.com>, dnsdir@ietf.org, draft-ietf-tls-svcb-ech.all@ietf.org, tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c2bf160614e41363"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qB2xwEv02Zu6Sf-g3cJO04FuuqA>
Subject: Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 17:28:02 -0000

I think that would make sense, yes.

On Sat, Mar 30, 2024 at 10:58 AM Erik Nygren <erik+ietf@nygren.org> wrote:

> Do we want a few sentences in Security Considerations that references
> https://www.rfc-editor.org/rfc/rfc9460.html#section-3.1 to call this out?
>
> This seems like something that became less clear when we split these two
> docs apart.
> Most of draft-ietf-tls-svcb-ech used to be a section of what is now
> rfc9460 but got split out
> due to publication timelines.  It may be that some non-normative
> references back to rfc9460
> might help readers not miss things like this which might have been more
> clear when they
> were a single document.
>
>    Erik
>
>
>
>
> On Fri, Mar 29, 2024 at 11:31 PM Ted Lemon <mellon@fugue.com> wrote:
>
>> Yes, that fully addresses my concern. Thanks!
>>
>> Op vr 29 mrt 2024 om 22:54 schreef Eric Rescorla <ekr@rtfm.com>
>>
>>>
>>> Hi Ted,
>>>
>>> Doesn't this section of RFC 9460 address this case and say what you are
>>> recommending:
>>>
>>> https://www.rfc-editor.org/rfc/rfc9460.html#section-3.1
>>>
>>> -Ekr
>>>
>>>
>>>
>>> On Fri, Mar 29, 2024 at 6:49 PM Ted Lemon <mellon@fugue.com> wrote:
>>>
>>>> Okay, I think I see the disconnect, maybe. The issue I'm pointing to is
>>>> that you may or may not be doing DNSSEC validation. And you may or may not
>>>> be /able/ to do DNSSEC validation if the infrastructure breaks it
>>>> accidentally or deliberately.
>>>>
>>>> The document says: "The SVCB-optional client behavior specified in
>>>> (Section 3 of [SVCB]) permits clients to fall back to a direct connection
>>>> if all SVCB options fail. This behavior is not suitable for ECH, because
>>>> fallback would negate the privacy benefits of ECH."
>>>>
>>>> So it's saying that the default handling of SVCB is incorrect and would
>>>> fail open, and overriding that behavior. Given that this is the case, that
>>>> implies that it matters whether the data has been validated, but nowhere in
>>>> the document, certainly not in Security Considerations, is any mention made
>>>> of this issue. So that's what I'm pointing out.
>>>>
>>>> It is absolutely not the case in practice that all stub resolvers do
>>>> validation. You are making a security decision about trust based on data
>>>> the trustworthiness of which you've not discussed, in a situation where the
>>>> implementor has meaningful choices to make with respect to validating that
>>>> trustworthiness. So it's worth mentioning that if the policy is not to
>>>> validate, this vulnerability exists.
>>>>
>>>> I'm a DNS guy, not a TLS guy, so I don't know the history of this
>>>> work—I'm just making this observation about the document I was asked to
>>>> review. The fact that (apparently) no DNSDIR review ever raised this issue
>>>> about the other documents you mentioned is of no interest to me—I'm not
>>>> reviewing those documents.Whether you take this advice is between you and
>>>> the IESG. I'm not even claiming to be right—just pointing out the issue I
>>>> see.
>>>>
>>>> On Fri, Mar 29, 2024 at 7:21 PM Rob Sayre <sayrer@gmail.com> wrote:
>>>>
>>>>> I don't think it relates to DNSSEC. You can fail at DNS (DNSSEC
>>>>> failure) or you can fail during ECH (unless you want to use non-ECH, which
>>>>> is not ECH, and not part of this draft).
>>>>>
>>>>> It makes sense to me: one can reject a request unless the requirements
>>>>> embedded in the SVCB are met (the server chooses those, which can include
>>>>> many aspects of the request). I don't understand why one would insert
>>>>> DNSSEC here. That seems to be the whole point--it works without it.
>>>>>
>>>>> thanks,
>>>>> Rob
>>>>>
>>>>>
>>>>> On Fri, Mar 29, 2024 at 3:57 PM Ted Lemon <mellon@fugue.com> wrote:
>>>>>
>>>>>> I'm not telling you that you have to require DNSSEC. I'm saying the
>>>>>> document is incomplete if you don't talk about how it relates to DNSSEC. I
>>>>>> think EKR got the point, so maybe go with his approach?
>>>>>>
>>>>>> On Fri, Mar 29, 2024 at 6:27 PM Rob Sayre <sayrer@gmail.com> wrote:
>>>>>>
>>>>>>> It's a policy choice, though, right? I think ekr hinted at this
>>>>>>> issue as well.
>>>>>>>
>>>>>>> It's that one might also view requests that reveal the SNI as
>>>>>>> insecure. If that's the case, DNSSEC doesn't help. There will certainly be
>>>>>>> a transition period where that will be impractical for many servers. I
>>>>>>> think these are separate problems, though.
>>>>>>>
>>>>>>> thanks,
>>>>>>> Rob
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Mar 29, 2024 at 3:10 PM Ted Lemon <mellon@fugue.com> wrote:
>>>>>>>
>>>>>>>> It looks like if you can't get the SCVB you're going to fail
>>>>>>>> insecure, so being able to use DNSSEC to prevent that for signed domains
>>>>>>>> seems worthwhile.
>>>>>>>>
>>>>>>>> On Fri, Mar 29, 2024 at 4:41 PM Rob Sayre <sayrer@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> On Fri, Mar 29, 2024 at 1:02 PM Ted Lemon via Datatracker <
>>>>>>>>> noreply@ietf.org> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I don't think it's reasonable to specify the privacy properties
>>>>>>>>>> of SVCB and
>>>>>>>>>> /not/ talk about DNSSEC validation.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Could you explain more about this part? I think DNSSEC doesn't add
>>>>>>>>> much here, unless you want to accept non-ECH traffic. For example, many of
>>>>>>>>> the test servers will bounce you to some other site if you don't send ECH
>>>>>>>>> or screw it up in some way (speaking as someone who has screwed it up many
>>>>>>>>> times...).
>>>>>>>>>
>>>>>>>>> I think there might be a DoS attack here, where someone messes
>>>>>>>>> with the response, but they can also turn off the DNSSEC bit unless it's
>>>>>>>>> DoT/DoH/DoQ etc. So, if using those, it's just the trustworthiness of the
>>>>>>>>> DNS server itself, right? Sorry if I'm missing something.
>>>>>>>>>
>>>>>>>>> thanks,
>>>>>>>>> Rob
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>

v2.23.0 | Report a Bug | By Email