Re: [Int-area] [DNSOP] various approaches to dns channel secrecy

[Paul Vixie]

Matthäus Wander wrote:
 * Paul Vixie [7/5/2014 7:47 PM]:
 Matthäus Wander wrote:
 DTLS works on top of UDP (among others) and thus can pass CPE devices.
 no, it cannot. DTLS does not look something that the CPE was programmed
 to accept; thus in many cases it is silently dropped.


 DTLS can be used on top of UDP. CPE devices allow outgoing UDP sessions
 to arbitrary ports. If they didn't, many online games and VoIP
 applications would not work.

it's possible to find single counter examples to almost any assertion.
however, consider RFC 2671 (EDNS), published fifteen years ago. because
it changes the format of a UDP/53 datagram, there is silent loss across
most CPE boundaries. implementers of EDNS have had to investigate and
deploy about a dozen different fallback strategies since then, not to
make EDNS work, but to make it fail reliably enough so that normal
non-EDNS can be tried. since DNSSEC relies on EDNS0, this is a real
problem. to the extent that it's gotten any better it's because someone
changed this CPE logic:

if (normal dns packet)
intercept it and answer inappropriately, 30% of the time;
let it get where it's going, 70% of the time;
else
drop;

to this:

if (normal dns packet)
intercept it and answer inappropriately, 30% of the time;
let it get where it's going, 70% of the time;
else if (normal edns packet)
intercept it and answer inappropriately, 30% of the time;
let it get where it's going, 70% of the time;
else
drop;

in other words what fixes have been made have been EDNS specific, where
the real fix is:

if (packet addressed to you)
handle it or send ICMP;
else
let it get where it's going;

that fix is not going into the O(10^9) CPE devices now in place, ever.

if we can't get this right for EDNS in 15 years, my bet is that another
15 (or 150) years of trying won't produce better results. in fact, by
jim gettys and dave taht i've been made to understand that the world's
CPE problem is much worse than i knew. we might be able to fix it for
the next billion devices some day, but the devices shipping today are
still crippled.

incentives are such that a CPE provider hopes to sell web access, not
internet access.

your counter-example of DNS gaming does not change the treatment now
accorded UDP/53 at the internet edge. if you seriously think that a DTLS
solution can be universally deployed, including in hotel rooms, home CPE
environments, coffee shops, and mobile, then you and i are having a
same planet, different worlds experience, and i wish you well on your
walk.

vixie

___
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] various approaches to dns channel secrecy

[Eliot Lear]

Paul,

This seems like a fine and modular approach that doesn't boil the ocean.

Eliot

On 7/5/14, 5:04 AM, Paul Vixie wrote:
 i've now seen a number of proposals reaction to the snowden
 disclosures, seeking channel encryption for dns transactions. i have
 some thoughts on the matter which are not in response to any specific
 proposal, but rather, to the problem statement and the context of any
 solution.

 first, dns data itself is public -- the data is there for anybody to
 query for it, if you know what to query for. only the question,
 questioner, and time can be kept secret. answers are only worth keeping
 secret because they identify the question, questioner, and time.

 second, dns transactions are not secret to protocol agents. whether stub
 resolver, full resolver, forwarder, proxy, or authority server -- the
 full identity of the question must be knowable to the agent in order to
 properly process that question. if the agent does logging, then the
 question, questioner, and time will be stored and potentially shared or
 analyzed.

 by implication, then, the remainder of possible problem statement
 material is hide question from on-wire surveillance, there being no
 way to hide the questioner or the time. to further narrow this, the
 prospective on-wire surveillance has to be from third parties who are
 not also operators of on-path dns protocol agents, because any second
 party could be using on-wire surveillance as part of their logging
 solution, and by (2) above there is no way to hide from them. so we're
 left with hide question from on-wire surveillance by third parties.

 this is extremely narrow but i can envision activists and dissidents who
 rightly fear for their safety based on this narrowly defined threat, so
 i'm ready to agree that there should be some method in DNS of providing
 this secrecy. and as we know from the history of secrecy, if you only
 encrypt the things you care about, then they stand out. therefore,
 secrecy of this kind must become ubiquitous.

 datagram level channel secrecy (for example, DTLS or IPSEC) offers a
 solution which matches the existing datagram level UDP transport used
 primarily by DNS. however, the all-pervasive middleboxes (small plastic
 CPE devices installed by the hundreds of millions by DSL and Cable and
 other providers) have been shown to be more powerful than IPv6, DNSSEC,
 and EDNS -- we could expect them to prevent any new datagram level
 channel secrecy protocol we might otherwise wish to employ.

 TCP/53 is less prone to middlebox data inspection, and may seem to be an
 attractive solution here. i think not for two reasons. first, TCP/53
 is often blocked outright, and second, because TCP/53 as defined in RFC
 1035 has a connection management scheme that prohibits persistent TCP/53
 connections at Internet scale, and we cannot afford the setup/teardown
 costs of a non-persistent TCP-based channel secrecy protocol for DNS. to
 those who suggest redefining TCP/53 and upgrading the entire physical
 plant and all software and operating systems, i challenge you to first
 show how this is less global effort than other proposals now on the
 table, and then show how you would handle the long-tail problem, since
 many agents will never be upgraded, or will only be upgraded on a scale
 of half-decades. DNS works today because TCP/53 is a fallback for
 UDP/53. its definition and deployment makes it unsuitable either
 currently or as-would-be upgraded to become the primary transport.

 i suggest that any channel secrecy protocol we wish to add to the DNS
 system must be suitable as the primary transport, to which the existing
 UDP/53 and TCP/53 protocols are fallbacks. i further suggest that any
 new transport be operable at internet scale, which demands connection
 persistence. finally i suggest that this be done using a protocol that
 the internet's middle boxes (cheap CPE devices who think they know
 what all valid traffic must look like) will allow to pass without comment.

 one candidate for this would be RESTful JSON carried over HTTPS. because
 of its extensive use in e-commerce and web API applications, HTTPS
 works everywhere. because HTTPS currently depends on X.509 keys, other
 groups in the IETF world are already working to make HTTPS proof against
 on-path surveillance. (google for perfect forward secrecy to learn
 more), and others are working to defend the internet user population
 against wildcard or targeted SSL certificates issued by governments and
 other anti-secrecy agents with on-path capabilities.

 stephane bortzmeyer has already shown us that JSON representation of DNS
 transactions is possible. i have heard from another protocol engineer
 who is also working in this area (and who credits bortzmeyer for
 informing his work).

 the special advantage of TCP/443 as a primary transport for persistent
 DNS with channel secrecy is that HTTPS's connection management permits
 massive scale, as in, a single protocol agent with tens