Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy removal.
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 09 August 2017 18:33 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02B5F13232D for <uta@ietfa.amsl.com>; Wed, 9 Aug 2017 11:33:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id psaQe3fB8BJf for <uta@ietfa.amsl.com>; Wed, 9 Aug 2017 11:33:12 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A678131CD7 for <uta@ietf.org>; Wed, 9 Aug 2017 11:33:12 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 243307A3309; Wed, 9 Aug 2017 18:33:11 +0000 (UTC)
Date: Wed, 09 Aug 2017 18:33:11 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20170809183310.GU8146@mournblade.imrryr.org>
Reply-To: uta@ietf.org
References: <CANtKdUfJs=p-jiZ-QQ6Mk=iKh_2h6=596SYWLJ=mJsf61R0=9g@mail.gmail.com> <20170808143018.m6zqnapcnkiushfq@LK-Perkele-VII> <20170808172002.GN8146@mournblade.imrryr.org> <CANtKdUcmqsRG7aV8poqOCe=qMAk5qAkw2WY3JZqvnf1WVAknUw@mail.gmail.com> <20170808210631.GO8146@mournblade.imrryr.org> <CANtKdUfcn=Z73pxXTov70e2+-0kc9Q6PGTchS=aUhRR0V+RNMw@mail.gmail.com> <9408F973-F6F0-41CD-9A81-82185686E24C@dukhovni.org> <CANtKdUc6PaDyBOcG_LhvezbnZ8JEv=xFf=MosQWSY8dg4MxjLg@mail.gmail.com> <20170809174827.GQ8146@mournblade.imrryr.org> <CANtKdUdqHM-bu_Z_GVcCN_Jca9SNNNdBkQKPOOtX_a=zW_EJZA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CANtKdUdqHM-bu_Z_GVcCN_Jca9SNNNdBkQKPOOtX_a=zW_EJZA@mail.gmail.com>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/QpGIYhbHcLW76vSOWY8cXjV0nDU>
Subject: Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy removal.
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 18:33:14 -0000
On Wed, Aug 09, 2017 at 11:14:16AM -0700, Daniel Margolis wrote: > > No, with "none" the policy refresh can stop (and cache flushed) as > > soon as NXDOMAIN/NODATA is seen for the TXT lookup. The same is > > not true for "report", to avoid downgrade attacks. > > > > That's not true; once a policy expires, it can be flushed from the cache > (as it can no longer safely be used). You're missing the point, a robust STS implementation will rarely encounter an expired policy because it will periodically refresh policies (for domains to which email is still being sent) *before* they are due to expire. When an unexpired policy is being refreshed, there should not be mysterious refresh failures. So if the policy is not yet deleted, its lifetime will be again extended by the published "max_age". What signal *securely* indicates actual deletion of an unexpired policy? (Not the DNS TXT record, which just expedites refresh). > > Because the TXT record presence/absense is *insecure* (no DNSSEC > > or else we'd be doing DANE!). Therefore the TXT record must ONLY > > be used: > > > > 1. To signal initial policy presence when none is cached. > > 2. To signal expedited policy refresh when the id changes. > > 3. [New] To signal policy removal when the policy is "none" > > and the TXT record "disappears". > > 4. [New] Conversely to signal policy removal when the policy > > transitions to "none" and was cached in the absence of a > > TXT record (still absent). > > Can you point to what language in the current draft suggests that the > behavior with respect to policy refreshing differs if you have a cached > policy versus if you do not? I am still not understanding what difference > you see here. The draft under-specifies the requirements for getting refresh right. Let's forget the draft and think logically, then fix the draft. When a policy is cached, it should be easily downgraded to no policy. Therefore a signal forged DNS response MUST NOT flush the cache. STS is subject to downgrade at first contact, but is supposed to be resilient there-after, so long as mail flow to the domain happens often enough. Therefore, already cached policies are refreshed periodically (for domains that receive some mail) regardless of the TXT record, and the TXT record is only there to *expedite* refresh and signal cold-start policy presence. > > Mere removal of the TXT record is *not* sufficient to stop policy > > refresh. Recall that policy refresh will typically happen > > before the policy is expired (more robust continuity) and must > > not at that time be subject to DNS downgrade. > > I believe this is your mistake. While I agree that one should try to > refresh a policy prior to expiration, "refresh a policy" means checking the > TXT record. Sorry that means STS is trivial to downgrade to cold-start. If that's the spec, I'm not implementing it. > Your first sentence ("mere removal of the TXT record...") does not follow > from your second sentence. > > There's zero security advantage in ignoring the TXT record and going > straight to HTTPS, since HTTPS also relies upon the (insecure) DNS > resolution. No it does not. That's the whole point of HTTPS. > As a result, it makes no real sense to refresh the policy if > the TXT does not say to do it. I'm afraid you're missing the consequent attack, and that's why we've failed to reach closure on this issue. > A sender who implements this will appear to > be compliant with the draft--there's no real harm from doing this, aside > from maybe excessive HTTPS requests--but there's no great reason to do this > unless you think attackers can only attack the TXT record and not the > CNAME/A for the policy host. Forged CNAME/A do not downgrade the policy. They just cause a (noisy in the mail logs) failure to do the policy refresh, which will be retried, and hence the attack must stay on path for a good fraction of the policy lifetime (some time back I proposed refreshing the policy at 0.5 max_age, 0.75 max_age, ... but no less than the larger of 0.5 max_age and say 1 hour; search the list archive). STS policy refresh must not be suppressed by forged DNS replies. Only first contact is inevitably subject to DNS downgrade. -- Viktor.
- [Uta] I-D Action: draft-ietf-uta-mta-sts-07.txt internet-drafts
- [Uta] draft-ietf-uta-mta-sts-07 STS policy remova… Viktor Dukhovni
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Ilari Liusvaara
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Ilari Liusvaara
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Viktor Dukhovni
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Viktor Dukhovni
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Peter Gutmann
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Viktor Dukhovni
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Viktor Dukhovni
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Viktor Dukhovni
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Viktor Dukhovni
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Viktor Dukhovni
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Daniel Margolis
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Jim Fenton
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Viktor Dukhovni
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Jim Fenton
- Re: [Uta] draft-ietf-uta-mta-sts-07 STS policy re… Daniel Margolis