Re: [TLS] [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 29 April 2021 18:38 UTC

To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Eric Rescorla <ekr@rtfm.com>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "tls@ietf.org" <tls@ietf.org>
References: <161921129877.20343.10624609154750488813@ietfa.amsl.com> <034F6C49-0195-4FAF-9EF2-1E39E809F902@sinodun.com> <7d8fa1d2-ef1a-4ed3-b660-955248a4ec63@www.fastmail.com> <753E5DAA-37C6-4F82-829D-29DA5458C1DB@akamai.com> <CABcZeBMyf3pTXa2DfB3fPeEET+5AkLUzTzDNy+itmnxesdFGWw@mail.gmail.com> <630E784C-8F57-414E-AA9D-63DBC9F4507A@akamai.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <fc7d5d1f-1f32-80ad-78c9-5f4686f83c44@cs.tcd.ie>
Date: Thu, 29 Apr 2021 19:38:01 +0100
In-Reply-To: <630E784C-8F57-414E-AA9D-63DBC9F4507A@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wuSo6YZAEp6e89lYFTki5Ltwyf8>
Subject: Re: [TLS] [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)


On 29/04/2021 19:28, Salz, Rich wrote:
> To make it obvious (I thought it was): I agree, and think we need to
> make that fact more widely known.

I think I agree but it seems like ECH may add a subtlety - maybe
what we need to promote is the idea that new protocols should
define new ALPN strings, but also that intermediaries can't
depend on those to route connections as the inner and outer
ALPN values can be independent in the case of ECH (use of
which might not be that visible to the application if a library
were to default to use of ECH where possible).

Cheers,
S.

> 
> From: Eric Rescorla <ekr@rtfm.com> Date: Thursday, April 29, 2021 at
> 2:24 PM To: Rich Salz <rsalz@akamai.com> Cc: Martin Thomson
> <mt@lowentropy.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>,
> "tls@ietf.org" <tls@ietf.org> Subject: Re: [dns-privacy] [TLS] Martin
> Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with
> COMMENT)
> 
> Probably not, but I agree with MT.
> 
> The general idea here is that any given protocol trace should only be
> interpretable in one way. So, either you need the interior protocol
> to be self-describing or you need to separate the domains with ALPN.
> I don't believe that either the IP ACL or mTLS addresses this issue,
> and in fact arguably mTLS makes the problem worse because it provides
> authenticated protocol traces which might be usable for
> cross-protocol attacks.
> 
> -Ekr
> 
> 
> On Thu, Apr 29, 2021 at 7:26 AM Salz, Rich
> <rsalz=40akamai.com@dmarc.ietf.org>
> wrote:
>> No new protocol should use TLS without ALPN.  It only opens space
>> for cross-protocol attacks.  Did the working group consider this
>> possibility in their discussions?
> 
> I don't believe that message has been made as public as it should
> be.
> 
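The points raised in the thread (a server for a new TLS-based protocol should require its own ALPN identifier so a trace cannot be read as some other protocol, and with ECH the ALPN an intermediary sees in the outer ClientHello is independent of what the backend negotiates from the inner one) as an added Python example. This is not code from the draft or from any of the posters; the ALPN id `example-xfr/1` is a constructed placeholder, only `h2` and `http/1.1` are real registered identifiers, and the ECH function is a model of the two ClientHello layers rather than a TLS implementation.

```python
"""Server-side ALPN policy for a new TLS-based protocol (added example)."""
from typing import List, Optional, Sequence, Tuple

# Constructed ALPN identifier for a hypothetical new protocol; not registered.
NEW_PROTO = "example-xfr/1"


class NoApplicationProtocol(Exception):
    """Corresponds to the TLS alert no_application_protocol (RFC 7301, 3.2)."""


def select_alpn(server_prefs: Sequence[str], client_offered: Sequence[str]) -> str:
    """RFC 7301 server-side selection in the server's preference order.

    Returns the first server-preferred id the client also offered and raises
    when there is no overlap, so the caller aborts the handshake instead of
    falling through to a guess about which protocol the peer speaks.
    """
    offered = set(client_offered)
    for proto in server_prefs:
        if proto in offered:
            return proto
    raise NoApplicationProtocol(
        f"no overlap: server={list(server_prefs)} client={list(client_offered)}")


def accept_handshake(server_prefs: Sequence[str],
                     client_offered: Optional[Sequence[str]]) -> str:
    """Policy for a server that speaks a new protocol: the ALPN extension is mandatory.

    RFC 7301 allows a server to continue without ALPN when the client omitted
    the extension. A new protocol should not take that branch: a client of some
    other TLS-based protocol that sends no ALPN would otherwise be served, and
    the resulting trace would be interpretable as either protocol.
    """
    if client_offered is None:
        # No ALPN extension at all: refuse rather than infer the protocol.
        raise NoApplicationProtocol("ALPN extension required for " + NEW_PROTO)
    return select_alpn(server_prefs, client_offered)


def handshake_rejected(server_prefs: Sequence[str],
                       client_offered: Optional[Sequence[str]]) -> bool:
    """True if the policy above would abort the handshake for this client."""
    try:
        accept_handshake(server_prefs, client_offered)
    except NoApplicationProtocol:
        return True
    return False


def may_serve(negotiated: Optional[str], expected: str) -> bool:
    """Post-handshake check the application must still do.

    With Python's ssl module, ssl.SSLSocket.selected_alpn_protocol() returns
    None when nothing was negotiated and the library does not abort on its
    own; pass that value here and close the socket if this returns False.
    """
    return negotiated is not None and negotiated == expected


def ech_negotiation(outer_offered: Sequence[str], inner_offered: Sequence[str],
                    backend_prefs: Sequence[str]) -> Tuple[List[str], str]:
    """Model of the ECH subtlety from the thread (not a TLS implementation).

    With Encrypted Client Hello the outer ClientHello, which a client-facing
    intermediary can read, and the inner ClientHello, which only the backend
    decrypts, carry independent ALPN lists. The backend negotiates from the
    inner list; the pair returned lets a caller compare what an intermediary
    keying its routing on outer ALPN would have seen with what was actually
    negotiated.
    """
    intermediary_view = list(outer_offered)
    negotiated = select_alpn(backend_prefs, inner_offered)
    return intermediary_view, negotiated


if __name__ == "__main__":
    print(accept_handshake([NEW_PROTO], [NEW_PROTO, "h2"]))
    print(handshake_rejected([NEW_PROTO], None))
    print(ech_negotiation(["h2"], [NEW_PROTO], [NEW_PROTO, "h2"]))
```

In a real server the `client_offered` list comes from the ClientHello's ALPN extension (in Python's ssl module the library does the selection after `SSLContext.set_alpn_protocols`, so `may_serve` is the check that remains available to the application). The ECH model shows why routing on outer ALPN is unsafe: `ech_negotiation(["h2"], [NEW_PROTO], [NEW_PROTO, "h2"])` reports an intermediary view of `["h2"]` while the backend negotiates `example-xfr/1`.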