Re: [DNSOP] Multiplexing DNS & HTTP over TLS (was: extension of DoH to authoritative servers)

2019-02-14 Thread Joe Abley 
On 14 Feb 2019, at 05:03, Shane Kerr  wrote:

> On 14/02/2019 09.05, Stephane Bortzmeyer wrote:
>> On Wed, Feb 13, 2019 at 10:51:00PM +0100,
>>  Vladimír Čunát  wrote
>>  a message of 118 lines which said:
>>> Technically you can run DoT on whatever port you like.
>>> Example: with knot-resolver it's easy - you just add @443, either on
>>> side of server and/or on the side of forwarding over TLS.
>> The problem is that you cannot then share this port with HTTPS
>> services (the dkg draft on demultiplexing was abandoned, apparently
>> because it doesn't work). In a world of scarce IPv4 public addresses,
>> this is a serious problem.
> 
> Interesting. I know that the multi-purpose usage smelled bad but I didn't 
> know that it didn't work.
> 
> Is there a write-up on this?
> 
> Thinking about it naively, a demultiplexer really only needs to say "is there 
> a non-ASCII character in the first 2 or 3 bytes of a TLS session?".

I think we can consider explicit payload identification an important feature of 
successful protocols. Encapsulating layers need to signal key information about 
the nature of their contents explicitly, or you wind up with the kind of 
nonsense that we saw in flow-hashing in MPLS where expected network behaviours 
depended on which transport protocol or address family you happen to be using 
way up the stack, and ugly hacks abound.

Your thought-algorithm above might be ok for discriminating between DoT and 
HTTPS (although I think anything that depends on a condition like "non-ASCII" 
is highly suspect :-) but what about other protocols, current and imagined 
future, that might use TLS as an encapsulating protocol, e.g. to address 
similar privacy concerns? This doesn't seem like a problem that is particularly 
theoretical.

Running whatever protocol I like on whatever port I like is fine so long as I 
am informed about the nature of the communication (e.g. I am involved in the 
decisions at both ends; I configure my ssh client and my ssh server both to use 
53/tcp for my own special reasons so the use of that port is understood and 
doesn't need to be negotiated). In the DNS, one endpoint often has no prior 
knowledge of even the existence of the other endpoint. Asking one or both sides 
to make inferences about the nature of a session without explicit signalling 
does not seem robust.


Joe
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] Multiplexing DNS & HTTP over TLS (was: extension of DoH to authoritative servers)

2019-02-14 Thread Shane Kerr 

Stephane,

On 14/02/2019 09.05, Stephane Bortzmeyer wrote:

On Wed, Feb 13, 2019 at 10:51:00PM +0100,
  Vladimír Čunát  wrote
  a message of 118 lines which said:


Technically you can run DoT on whatever port you like.



Example: with knot-resolver it's easy - you just add @443, either on
side of server and/or on the side of forwarding over TLS.


The problem is that you cannot then share this port with HTTPS
services (the dkg draft on demultiplexing was abandoned, apparently
because it doesn't work). In a world of scarce IPv4 public addresses,
this is a serious problem.


Interesting. I know that the multi-purpose usage smelled bad but I 
didn't know that it didn't work.



Is there a write-up on this?

Thinking about it naively, a demultiplexer really only needs to say "is 
there a non-ASCII character in the first 2 or 3 bytes of a TLS session?".


An HTTP message always starts with some ASCII letters, like "GET" or 
"HEAD". In contrast, a DNS over TLS client will start with a message 
length encoded in 2 bytes. Since in practice queries will be less than 
256 bytes and therefore not start out with an ASCII letter (like 'G' or 
'H'). Actually this would require a client message of 16705 bytes to 
required that *both* the first two bytes are ASCII letters:


>>> (ord('A') << 8) | ord('A')
16705

Since this is only required for the *first* DNS query on a TLS session, 
a client could always send a short query as the first one to avoid this 
issue. (I'm not sure how this would impact known-text analysis, but 
presumably TLS is resistant to this sort of cryptanalysis since HTTP 
almost always starts with the same few bytes.)


Even if the two-byte length results in ASCII letters, the client can 
sacrifice 1 bit of the message ID and ensure that it always has 
non-ASCII values, so the 3rd byte will always be non-ASCII and therefore 
not a valid HTTP command. So if it was really necessary to handle the 
case of queries of length 16705 or greater for the first query on a 
session, a client could always limit its message ID space to 32768 
possible values, which should be fine on a stateful connection where 
message ID is only used to match out-of-order answers.




I admit the issue of hand-off from a demultiplexer to a DNS server or 
HTTP server might be non-trivial, but in principle it should be possible.




Or is the issue to do with TLS itself? I don't know enough about SNI to 
know if there may be some reason why HTTP-based TLS could be different 
from DNS-based TLS, but I suppose it is possible. 樂


Cheers,

--
Shane

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop