Re: [Tsv-art] [dns-privacy] Tsvart last call review of draft-ietf-dprive-dnsoquic-08
Brian Haberman <brian@innovationslab.net> Thu, 27 January 2022 14:05 UTC
Return-Path: <brian@innovationslab.net>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 944D13A0CB0 for <tsv-art@ietfa.amsl.com>; Thu, 27 Jan 2022 06:05:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=innovationslab-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id krY7ZGEwKk5j for <tsv-art@ietfa.amsl.com>; Thu, 27 Jan 2022 06:05:09 -0800 (PST)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2917F3A0CB7 for <tsv-art@ietf.org>; Thu, 27 Jan 2022 06:05:09 -0800 (PST)
Received: by mail-qk1-x72b.google.com with SMTP id j24so342448qkk.10 for <tsv-art@ietf.org>; Thu, 27 Jan 2022 06:05:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=innovationslab-net.20210112.gappssmtp.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to; bh=6xIQi+65pKCr72JwcvhXV2ocxY44Vo+WogM3uSUs/hQ=; b=ZXdp72k7Wkfq/6hj7hC3brtWylwxisXKRpzckfDt1lDwW4C3HXUDM64a7sfBvvq2yk 6NbNx+N3BrGqQcg1TSSDo4popkNiIkrda5627EX4k+iItTLTuRYJcRisxeVa/pF2SyiZ BF+UaJ6nXNW9h/iB+IAoqpkezawXxcOcQZVBqYFut0Ne8tP0gIXIboPJUQ4iIiEoXKYm ICr2Q6QuXrIhGve7YB0QK2/SQqzJ7brN7Hkk+uJYB8RU2VeTSckz4VaRLva4H9budwRJ qIh+XRu4GnZcMV8v8MrayWOhPzr9bdDwQTvsMEDdw75NGNtPEBgPwwRC3J/5Me0CdtnN FccQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to; bh=6xIQi+65pKCr72JwcvhXV2ocxY44Vo+WogM3uSUs/hQ=; b=uS0cw6EpancpQBFk5byT3Jqhu0Ai86F4xtKRW0iBliapFkY/l0mp+YsKhyjBDB5EPR g8G4cSEX0br6wTqlTpD+U8bwBXLNfpBzPY+ki3LseievIW8rq1aFTcGjJp5BHN6jma5S 8VuZTvATCbRHuKxGPbLzS0BHyFvKN/P3nR1qBC/4fjfVdLjoPsD5biD0EZe3l2wJIjGW PycmBRTBe34hBDqxzrtRTwWxIxIgo7TG+l2QXGEXl7qND6T7c8UQ4VkJQ6pT606g+mFV h5arq/3d45gEsfXHJewUopA4KQnCYeCBabADnUFbhTAZDtcGUSnKU59fr7dI+CmZM/aP 1i8w==
X-Gm-Message-State: AOAM530oiVI6MF6j8eQu9KHJOmkwh37+wdpdmNOLS+S4+6eAR8bBSv9w xgq9RZvpA2rtoOxNpnaEqvX7Eg==
X-Google-Smtp-Source: ABdhPJzY245T6+MdgbP9ma+bCpA7MnEK9OEPeNuq2hN6T9OTqHi2c3+TyfmOfrqwlhNhQhVtfyiNFg==
X-Received: by 2002:a05:620a:1918:: with SMTP id bj24mr2623615qkb.267.1643292307112; Thu, 27 Jan 2022 06:05:07 -0800 (PST)
Received: from ?IPV6:2601:5ce:300:84e:1dd4:9a4e:fb91:9b3? ([2601:5ce:300:84e:1dd4:9a4e:fb91:9b3]) by smtp.gmail.com with ESMTPSA id v14sm1436390qkl.128.2022.01.27.06.05.06 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 27 Jan 2022 06:05:06 -0800 (PST)
Message-ID: <2aa27b6f-577d-0890-d351-938e3c481f4a@innovationslab.net>
Date: Thu, 27 Jan 2022 09:05:04 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.5.1
Content-Language: en-US
To: Allison Mankin <allison.mankin@gmail.com>, Sara Dickinson <sara@sinodun.com>
Cc: Brian Trammell <ietf@trammell.ch>, Christian Huitema <huitema@huitema.net>, DNS Privacy Working Group <dns-privacy@ietf.org>, draft-ietf-dprive-dnsoquic.all@ietf.org, last-call@ietf.org, tsv-art@ietf.org
References: <164303671825.29006.13435316265266313857@ietfa.amsl.com> <e81b7117-126a-4557-b020-eb5dbffa775b@huitema.net> <E131CF24-A64B-481A-A856-11B83886B154@sinodun.com> <CAP8yD=sTW0JYF9bApshJ6RFoYYVRbOQGsQs9DWwVCiyFPU7+fQ@mail.gmail.com>
From: Brian Haberman <brian@innovationslab.net>
In-Reply-To: <CAP8yD=sTW0JYF9bApshJ6RFoYYVRbOQGsQs9DWwVCiyFPU7+fQ@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------y0T7LcUQC8aigQUTyJIPi0RD"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/-qA7YWifh1k8155qnn01csRD6iA>
Subject: Re: [Tsv-art] [dns-privacy] Tsvart last call review of draft-ietf-dprive-dnsoquic-08
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2022 14:05:14 -0000
I support the additional text on padding. As a process note, I believe we will need to re-issue the IETF Last Call to allow for the discussion of the down-ref to 8467. Regards, Brian On 1/27/22 8:36 AM, Allison Mankin wrote: > I share Sara's position. > > On Thu, Jan 27, 2022 at 08:18 Sara Dickinson <sara@sinodun.com> wrote: > >> Hi Brian, >> >> Thanks for the review, and as Christian said the padding question has been >> a point of discussion. >> >> I’m personally comfortable with a downref to RFC 8467 with text to support >> why this is done as you suggest. Multiple studies have shown just how easy >> traffic analysis is without any padding - we could actually cite one of the >> more recent ones. RFC 8467 is implemented for stub-recursive DoT in most >> open source software and is in use by major recursive operators. For me >> this approach mitigates the immediate risk of exposing DNS names - >> preventing traffic analysis from identifying DoQ is a much longer term goal >> (and requires ECH). >> >> I’ve had a first pass at a PR making RFC8467 normative here: >> https://github.com/huitema/dnsoquic/pull/143 >> >> Regards >> >> Sara >> >> >>> On 26 Jan 2022, at 20:32, Christian Huitema <huitema@huitema.net> wrote: >>> >>> Thanks for the review, Brian. >>> >>> We have been going back and forth on the padding requirements, and the >> current text is specifically written to avoid a downward reference to RFC >> 8467. You are making a good arguments that it is hard for implementers to >> comply with a requirement that they MUST pad if there is no specific >> guidance about how to pad. On the other hand, I think that we should not >> delay publication until getting definitive agreement on the appropriate >> padding policy. For example, we would have to resolve the tension between >> application specific padding, with a goal to hide which DNS names are being >> queried, and generic transport level padding, with a goal to prevent >> traffic analysis from distinguishing between DoQ and other applications. >> So, I am inclined to just replace MUST by SHOULD, and leave it at that. >> That's one of your proposed remedies, but I wonder whether others might >> object. >>> >>> -- Christian Huitema >>> >>> >>> On 1/24/2022 5:05 AM, Brian Trammell via Datatracker wrote: >>>> Reviewer: Brian Trammell >>>> Review result: Ready with Nits >>>> >>>> This document has been reviewed as part of the transport area review >> team's >>>> ongoing effort to review key IETF documents. These comments were written >>>> primarily for the transport area directors, but are copied to the >> document's >>>> authors and WG to allow them to address any issues raised and also to >> the IETF >>>> discussion list for information. >>>> >>>> When done at the time of IETF Last Call, the authors should consider >> this >>>> review as part of the last-call comments they receive. Please always CC >>>> tsv-art@ietf.org if you reply to or forward this review. >>>> >>>> This document is a mature and straightforward mapping of DNS over QUIC, >>>> modeling a QUIC connection as equivalent to DNS over TCP with one query >>>> per stream. 0-RTT and fallback design choices are reasonable and >>>> well-explained. Security and privacy considerations are well-presented
- [Tsv-art] Tsvart last call review of draft-ietf-d… Brian Trammell via Datatracker
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Christian Huitema
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Sara Dickinson
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Allison Mankin
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Brian Haberman
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Daniel Kahn Gillmor
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Brian Trammell (IETF)
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Allison Mankin
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Sara Dickinson