Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt

[Ilari Liusvaara]

On Fri, Jul 07, 2017 at 09:58:19AM +, Shane Kerr wrote:
> Hugo,
> 
> I'm curious what you mean by this. Do you really mean to propose an
> option to pad every query and response message to 65K bytes? I guess I
> don't object it for the sake of completion, but it seems a bit crazy.
> 
> OTOH, people use Tor for browsing, so maybe someone will actually
> want to do this? ;)
> 
> Seriously though, on the query side padding beyond a few hundred bytes
> is not helpful, because no queries are longer than that. Maybe on the
> response side it is indeed more privacy-protecting. 

On query side, one could always pad to 286 (288 for TCP) bytes, AFAICT
the maximal query in practice is:

xx xx: Query length (TCP only).
xx xx: Query ID.
01: Query, requesting recursion.
00: DNSSEC errors are fatal.
00 01: 1 query
00 00: No answers
00 00: No authority
00 01: 1 additional record
<255 bytes>: QNAME
xx xx: QTYPE
00 01: QCLASS (1=IN).
00: Dummy domain (root)
00 29: OPT
04 B0: Maximum UDP response size (1200 bytes).
00 00 80 00: EDNS0, DNSSEC supported.
00 04: 4 bytes of EDNS data
00 12: Padding
00 00: 0 bytes of padding

However, responses are thornier issue. This is recursive, so it might
need to relay all kinds of responses. I could provke one ccTLD to
return a 3651 byte response with normal QTYPE (ZSK rollover plus
healthy amount of authoritative nameservers, most available over
IPv6). That kind of response when sent over UDP gets fragmented at
IP layer (not good) or triggers a fallback to TCP (not good).


-Ilari

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt

[Tony Finch]

Shane Kerr  wrote:
>
> I'm curious what you mean by this. Do you really mean to propose an
> option to pad every query and response message to 65K bytes?

Reasonable values might be the MTU or the EDNS buffer size.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Southeast Fitzroy: Northerly or northeasterly, 4 or 5 increasing 6 at times.
Slight or moderate. Occasional rain. Good, occasionally poor.

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt

[Shane Kerr]

Paul,

At 2017-07-06 18:09:51 -0700
"Paul Hoffman"  wrote:

> On 3 Jul 2017, at 14:29, Alexander Mayrhofer wrote:
> 
> > i've updated the Padding Policy draft - the main change is the
> > inclusion of an actual recommendation, essentially a blunt copy of
> > Daniel's recommendations from his empirical research work.
> >
> > I'm looking forward to hearing a discussion around these
> > recommendations - I will subsequently update the draft based on the
> > outcome of those discussions.  
> 
> The new wording seems fine to me. I know we'll get people complaining 
> about how long the suggested defaults are, but they are just suggested 
> defaults, not demands.

I agree, and let me be the first to complain. ;)

As I said in my previous e-mail on this, I think we should minimize the
number of packets, so we should pad to a value that fits into something
based on the 1500 byte value.

The easiest approach is to use 500 bytes (not 468) as the block size.
Alternately we could use 486 bytes to account for tunneled traffic.
It's not a big concern, but I also don't see any reason not to do this.

Cheers,

--
Shane


pgpMhYyPZodm9.pgp
Description: OpenPGP digitale handtekening
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt

[Paul Hoffman]

On 3 Jul 2017, at 14:29, Alexander Mayrhofer wrote:


i've updated the Padding Policy draft - the main change is the
inclusion of an actual recommendation, essentially a blunt copy of
Daniel's recommendations from his empirical research work.

I'm looking forward to hearing a discussion around these
recommendations - I will subsequently update the draft based on the
outcome of those discussions.


The new wording seems fine to me. I know we'll get people complaining 
about how long the suggested defaults are, but they are just suggested 
defaults, not demands.


--Paul Hoffman

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt

[Hugo Connery]

Hi Alexander (and list),

Thanks, Alexander, for your efforts on the document
(and DKG for the empirical work).

May I suggest that another strategy is included, that of 
"always pad to the maximum message size".  This is obviously
wasteful, and may be recommended against.  However, I believe
its inclusion is equivalent to the "no padding" and "fixed
block size pad" options which are listed for completeness whilst
providing no or very little privacy protection.

The "always pad to maximum message size" option is actually 
the maximal privacy setting (when encrypted) but is horribly
wasteful.

Perhaps mention it directly after the "no padding option" and
describe that it provides maximal privacy protection, but is 
wasteful and more balanced strategies are described below,
including the recommended strategy.

Something like this:

---

4.2 Maximal Length Padding

In maximal length padding the sender pads every message to the
maximum allowed size for a message.

Advantages: Maximal length padding, when combined with encrypted
transport, provides the highest level of privacy protection.

Disadvantages: Maximal length padding places a heavy burden on all
parties, including the client, all intervening network equipment, and
the server.

Maximal length padding is not a recommended strategy.

---

Regards,  Hugo Connery


On Mon, 2017-07-03 at 23:29 +0200, Alexander Mayrhofer wrote:
> Hi,
> 
> i've updated the Padding Policy draft - the main change is the
> inclusion of an actual recommendation, essentially a blunt copy of
> Daniel's recommendations from his empirical research work.
> 
> I'm looking forward to hearing a discussion around these
> recommendations - I will subsequently update the draft based on the
> outcome of those discussions.
> 
> best,
> Alex
> 
> 
> On Mon, Jul 3, 2017 at 11:25 PM,  wrote:
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> > This draft is a work item of the DNS PRIVate Exchange of the IETF.
> > 
> > Title   : Padding Policy for EDNS(0)
> > Author  : Alexander Mayrhofer
> > Filename: draft-ietf-dprive-padding-policy-01.txt
> > Pages   : 7
> > Date: 2017-07-03
> > 
> > Abstract:
> >    RFC 7830 specifies the EDNS0 'Padding' option, but does not
> > specify
> >    the length of padding to be used in specific applications.  This
> > memo
> >    lists the possible options ("Padding Policies"), discusses the
> >    implications of each of these options, and provides a
> > recommended
> >    option.
> > 
> > 
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-dprive-padding-policy/
> > 
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-01
> > https://datatracker.ietf.org/doc/html/draft-ietf-dprive-padding-pol
> > icy-01
> > 
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-dprive-padding-policy-
> > 01
> > 
> > 
> > Please note that it may take a couple of minutes from the time of
> > submission
> > until the htmlized version and diff are available at
> > tools.ietf.org.
> > 
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> > 
> > ___
> > dns-privacy mailing list
> > dns-privacy@ietf.org
> > https://www.ietf.org/mailman/listinfo/dns-privacy
> 
> ___
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt

[Alexander Mayrhofer]

Hi,

i've updated the Padding Policy draft - the main change is the
inclusion of an actual recommendation, essentially a blunt copy of
Daniel's recommendations from his empirical research work.

I'm looking forward to hearing a discussion around these
recommendations - I will subsequently update the draft based on the
outcome of those discussions.

best,
Alex


On Mon, Jul 3, 2017 at 11:25 PM,  wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the DNS PRIVate Exchange of the IETF.
>
> Title   : Padding Policy for EDNS(0)
> Author  : Alexander Mayrhofer
> Filename: draft-ietf-dprive-padding-policy-01.txt
> Pages   : 7
> Date: 2017-07-03
>
> Abstract:
>RFC 7830 specifies the EDNS0 'Padding' option, but does not specify
>the length of padding to be used in specific applications.  This memo
>lists the possible options ("Padding Policies"), discusses the
>implications of each of these options, and provides a recommended
>option.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dprive-padding-policy/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-01
> https://datatracker.ietf.org/doc/html/draft-ietf-dprive-padding-policy-01
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dprive-padding-policy-01
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> ___
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

[dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt

[internet-drafts]

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DNS PRIVate Exchange of the IETF.

Title   : Padding Policy for EDNS(0)
Author  : Alexander Mayrhofer
Filename: draft-ietf-dprive-padding-policy-01.txt
Pages   : 7
Date: 2017-07-03

Abstract:
   RFC 7830 specifies the EDNS0 'Padding' option, but does not specify
   the length of padding to be used in specific applications.  This memo
   lists the possible options ("Padding Policies"), discusses the
   implications of each of these options, and provides a recommended
   option.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dprive-padding-policy/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-01
https://datatracker.ietf.org/doc/html/draft-ietf-dprive-padding-policy-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dprive-padding-policy-01


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy