Re: [Tsv-art] [dns-privacy] Tsvart last call review of draft-ietf-dprive-dnsoquic-08
Sara Dickinson <sara@sinodun.com> Fri, 28 January 2022 10:50 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 409193A0A6E; Fri, 28 Jan 2022 02:50:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.4
X-Spam-Level:
X-Spam-Status: No, score=-4.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bAG-fTFhZy2f; Fri, 28 Jan 2022 02:50:25 -0800 (PST)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 020923A0A51; Fri, 28 Jan 2022 02:50:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:From:Subject; bh=9ej8isTYtgm2TaOB4AdGVneMJEb2klNL9YHG/TR5iEA=; b=b0wScWuRiQkd7tJuiyYAsoujcD 5huynIhhozsf6xCEUohSpwcQI9sN/kLdvKW9QvxNNZp2U5Bogp8Svt56+96kmrH2Nv32I2JcSTVLJ nY7Es+2S8ealQSjUIHhHPK6AFqjcHhTxJojkrZWkux+8z0Ml07lGD5lQ7nTkHiiGQJn1MHGvs00ob 1TyHAgA/url4ncOeBCbNBt8C0JmcufP8qYaV8ONRy0p/sOeQke6KQr9r1EZLgMxhWSmKgZYCSFHWL f8cTd5BAwzdZxS7KP+GRizVPAi2LcNchkvA4aZEyjnTjHelJIx06EO22Qor/j3KZJuL3qhwAwwozY sOBOhkBg==;
Received: from [2a02:8010:6a36:102:fffa::53] (port=50688) by haggis.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1nDOpc-00011J-70; Fri, 28 Jan 2022 10:50:16 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <477FB4CA-3089-41B9-B062-C4B9307456C3@trammell.ch>
Date: Fri, 28 Jan 2022 10:50:04 +0000
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, draft-ietf-dprive-dnsoquic.all@ietf.org, tsv-art@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>, Christian Huitema <huitema@huitema.net>, last-call@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <9D593A0B-88D9-4EE6-988F-AE78373A1557@sinodun.com>
References: <164303671825.29006.13435316265266313857@ietfa.amsl.com> <e81b7117-126a-4557-b020-eb5dbffa775b@huitema.net> <E131CF24-A64B-481A-A856-11B83886B154@sinodun.com> <87r18tovbm.fsf@fifthhorseman.net> <477FB4CA-3089-41B9-B062-C4B9307456C3@trammell.ch>
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/Nb241IHe0p00U9B9urT7GZ9UbuE>
Subject: Re: [Tsv-art] [dns-privacy] Tsvart last call review of draft-ietf-dprive-dnsoquic-08
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2022 10:50:31 -0000
> On 27 Jan 2022, at 20:06, Brian Trammell (IETF) <ietf@trammell.ch> wrote: > > Greetings, all, > > This proposal addresses my concerns about padding implementation; thanks! One point below. Hi All, Many thanks for all the feedback on this. The PR is merged with the nits fixed. Regards Sara. > >> On 27 Jan 2022, at 20:03, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > > <snip> > >> On 1/24/2022 5:05 AM, Brian Trammell via Datatracker wrote: >> >>> Further, traffic analysis threats are not limited to packet lengths, >>> as section 9.5 acknowledges. Is there any equivalent MUST guidance >>> regarding stream frame timing for traffic analysis resistance that >>> could be given here? >> >> This is a great question, and i am unaware of any work that this draft >> could point to that would address temporal traffic analysis in a DNS >> resolution context. >> >> I think the first order traffic analysis concerns that would be worth >> tackling are largely from the responder (server) side -- it gets even >> more complex if want to address *when* a DNS client should make a given >> request. > >> In particular, if DoQ is used in authoritative deployments, i'd expect >> most server responses (served locally from an ingested zonefile) to have >> roughly the same temporal delay. I could imagine some noticeable >> temporal differences between "popular" and unpopular records for >> authoritative servers that do live DNSSEC signing or NSEC5-style >> proof-of-nonexistence that requires cryptographic work on behalf of the >> authoritative. >> >> From the client side of authoritative DoQ, it's conceivable that some >> temporal traffic analysis resistance could be gained by thinking about >> how recursive resolvers can best prefetch to keep their cache hot. > > Indeed, from a timing correlation standpoint the state of the art is “use a giant recursive with multiple egress to hide in a large anonymity set”, which this is a generalization of…. > >> But I suspect this is in the realm of "more research needed", and isn't >> appropriate for this draft. > > Yep. The question just popped into my head while reviewing. > >> If anyone has any informative pointers that they think are worth >> including as a nod toward temporal traffic analysis, i'd be interested >> in reviewing them, but I don't think they should block this draft's >> progress. > > To be clear, I also don’t think this question should block publication, but I’d encourage the working group to consider timing guidance for DNS privacy. Indeed, some of the more general questions could be referred to PEARG? Most of these techniques should be equally applicable, with varying degrees of implementation difficulty depending on the transport. > > Thanks, cheers, > > Brian > > >> >> --dkg >> _______________________________________________ >> Tsv-art mailing list >> Tsv-art@ietf.org >> https://www.ietf.org/mailman/listinfo/tsv-art >
- [Tsv-art] Tsvart last call review of draft-ietf-d… Brian Trammell via Datatracker
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Christian Huitema
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Sara Dickinson
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Allison Mankin
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Brian Haberman
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Daniel Kahn Gillmor
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Brian Trammell (IETF)
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Allison Mankin
- Re: [Tsv-art] [dns-privacy] Tsvart last call revi… Sara Dickinson