Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
On Fri, Jul 07, 2017 at 09:58:19AM +, Shane Kerr wrote: > Hugo, > > I'm curious what you mean by this. Do you really mean to propose an > option to pad every query and response message to 65K bytes? I guess I > don't object it for the sake of completion, but it seems a bit crazy. > > OTOH, people use Tor for browsing, so maybe someone will actually > want to do this? ;) > > Seriously though, on the query side padding beyond a few hundred bytes > is not helpful, because no queries are longer than that. Maybe on the > response side it is indeed more privacy-protecting. On query side, one could always pad to 286 (288 for TCP) bytes, AFAICT the maximal query in practice is: xx xx: Query length (TCP only). xx xx: Query ID. 01: Query, requesting recursion. 00: DNSSEC errors are fatal. 00 01: 1 query 00 00: No answers 00 00: No authority 00 01: 1 additional record <255 bytes>: QNAME xx xx: QTYPE 00 01: QCLASS (1=IN). 00: Dummy domain (root) 00 29: OPT 04 B0: Maximum UDP response size (1200 bytes). 00 00 80 00: EDNS0, DNSSEC supported. 00 04: 4 bytes of EDNS data 00 12: Padding 00 00: 0 bytes of padding However, responses are thornier issue. This is recursive, so it might need to relay all kinds of responses. I could provke one ccTLD to return a 3651 byte response with normal QTYPE (ZSK rollover plus healthy amount of authoritative nameservers, most available over IPv6). That kind of response when sent over UDP gets fragmented at IP layer (not good) or triggers a fallback to TCP (not good). -Ilari ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
Shane Kerrwrote: > > I'm curious what you mean by this. Do you really mean to propose an > option to pad every query and response message to 65K bytes? Reasonable values might be the MTU or the EDNS buffer size. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Southeast Fitzroy: Northerly or northeasterly, 4 or 5 increasing 6 at times. Slight or moderate. Occasional rain. Good, occasionally poor. ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
Paul, At 2017-07-06 18:09:51 -0700 "Paul Hoffman"wrote: > On 3 Jul 2017, at 14:29, Alexander Mayrhofer wrote: > > > i've updated the Padding Policy draft - the main change is the > > inclusion of an actual recommendation, essentially a blunt copy of > > Daniel's recommendations from his empirical research work. > > > > I'm looking forward to hearing a discussion around these > > recommendations - I will subsequently update the draft based on the > > outcome of those discussions. > > The new wording seems fine to me. I know we'll get people complaining > about how long the suggested defaults are, but they are just suggested > defaults, not demands. I agree, and let me be the first to complain. ;) As I said in my previous e-mail on this, I think we should minimize the number of packets, so we should pad to a value that fits into something based on the 1500 byte value. The easiest approach is to use 500 bytes (not 468) as the block size. Alternately we could use 486 bytes to account for tunneled traffic. It's not a big concern, but I also don't see any reason not to do this. Cheers, -- Shane pgpMhYyPZodm9.pgp Description: OpenPGP digitale handtekening ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
On 3 Jul 2017, at 14:29, Alexander Mayrhofer wrote: i've updated the Padding Policy draft - the main change is the inclusion of an actual recommendation, essentially a blunt copy of Daniel's recommendations from his empirical research work. I'm looking forward to hearing a discussion around these recommendations - I will subsequently update the draft based on the outcome of those discussions. The new wording seems fine to me. I know we'll get people complaining about how long the suggested defaults are, but they are just suggested defaults, not demands. --Paul Hoffman ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
Hi Alexander (and list), Thanks, Alexander, for your efforts on the document (and DKG for the empirical work). May I suggest that another strategy is included, that of "always pad to the maximum message size". This is obviously wasteful, and may be recommended against. However, I believe its inclusion is equivalent to the "no padding" and "fixed block size pad" options which are listed for completeness whilst providing no or very little privacy protection. The "always pad to maximum message size" option is actually the maximal privacy setting (when encrypted) but is horribly wasteful. Perhaps mention it directly after the "no padding option" and describe that it provides maximal privacy protection, but is wasteful and more balanced strategies are described below, including the recommended strategy. Something like this: --- 4.2 Maximal Length Padding In maximal length padding the sender pads every message to the maximum allowed size for a message. Advantages: Maximal length padding, when combined with encrypted transport, provides the highest level of privacy protection. Disadvantages: Maximal length padding places a heavy burden on all parties, including the client, all intervening network equipment, and the server. Maximal length padding is not a recommended strategy. --- Regards, Hugo Connery On Mon, 2017-07-03 at 23:29 +0200, Alexander Mayrhofer wrote: > Hi, > > i've updated the Padding Policy draft - the main change is the > inclusion of an actual recommendation, essentially a blunt copy of > Daniel's recommendations from his empirical research work. > > I'm looking forward to hearing a discussion around these > recommendations - I will subsequently update the draft based on the > outcome of those discussions. > > best, > Alex > > > On Mon, Jul 3, 2017 at 11:25 PM,wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > > directories. > > This draft is a work item of the DNS PRIVate Exchange of the IETF. > > > > Title : Padding Policy for EDNS(0) > > Author : Alexander Mayrhofer > > Filename: draft-ietf-dprive-padding-policy-01.txt > > Pages : 7 > > Date: 2017-07-03 > > > > Abstract: > > RFC 7830 specifies the EDNS0 'Padding' option, but does not > > specify > > the length of padding to be used in specific applications. This > > memo > > lists the possible options ("Padding Policies"), discusses the > > implications of each of these options, and provides a > > recommended > > option. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-dprive-padding-policy/ > > > > There are also htmlized versions available at: > > https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-01 > > https://datatracker.ietf.org/doc/html/draft-ietf-dprive-padding-pol > > icy-01 > > > > A diff from the previous version is available at: > > https://www.ietf.org/rfcdiff?url2=draft-ietf-dprive-padding-policy- > > 01 > > > > > > Please note that it may take a couple of minutes from the time of > > submission > > until the htmlized version and diff are available at > > tools.ietf.org. > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > ___ > > dns-privacy mailing list > > dns-privacy@ietf.org > > https://www.ietf.org/mailman/listinfo/dns-privacy > > ___ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
Hi, i've updated the Padding Policy draft - the main change is the inclusion of an actual recommendation, essentially a blunt copy of Daniel's recommendations from his empirical research work. I'm looking forward to hearing a discussion around these recommendations - I will subsequently update the draft based on the outcome of those discussions. best, Alex On Mon, Jul 3, 2017 at 11:25 PM,wrote: > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the DNS PRIVate Exchange of the IETF. > > Title : Padding Policy for EDNS(0) > Author : Alexander Mayrhofer > Filename: draft-ietf-dprive-padding-policy-01.txt > Pages : 7 > Date: 2017-07-03 > > Abstract: >RFC 7830 specifies the EDNS0 'Padding' option, but does not specify >the length of padding to be used in specific applications. This memo >lists the possible options ("Padding Policies"), discusses the >implications of each of these options, and provides a recommended >option. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-dprive-padding-policy/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-01 > https://datatracker.ietf.org/doc/html/draft-ietf-dprive-padding-policy-01 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-dprive-padding-policy-01 > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > ___ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
[dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the DNS PRIVate Exchange of the IETF. Title : Padding Policy for EDNS(0) Author : Alexander Mayrhofer Filename: draft-ietf-dprive-padding-policy-01.txt Pages : 7 Date: 2017-07-03 Abstract: RFC 7830 specifies the EDNS0 'Padding' option, but does not specify the length of padding to be used in specific applications. This memo lists the possible options ("Padding Policies"), discusses the implications of each of these options, and provides a recommended option. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dprive-padding-policy/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-01 https://datatracker.ietf.org/doc/html/draft-ietf-dprive-padding-policy-01 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-dprive-padding-policy-01 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy