[TLS] Re: [EXTERNAL] Re: Consensus Call: early code point request for draft-ietf-tls-key-share-prediction

2024-10-09 Thread David Benjamin 
I mean, we'd probably need to burn another codepoint if it does change, but
codepoints are cheap. :-)

Did you have any particular changes in mind?

On Tue, Oct 8, 2024, 21:17 Eric Rescorla  wrote:

> I'm OK with a code point assignment so that people can test this out. I
> don't think we're at the point where we know the draft won't change.
>
> -Ekr
>
>
> On Wed, Sep 25, 2024 at 2:36 PM Bas Westerbaan  40cloudflare@dmarc.ietf.org> wrote:
>
>> If we want a new name, then I propose kex_hint — keyshare is a DH
>> concept. I'm happy with all proposals so far though — we have been bad at
>> naming, but fortunately consistently so.
>>
>> On Wed, Sep 25, 2024 at 7:06 PM Andrei Popov > 40microsoft@dmarc.ietf.org> wrote:
>>
>>> I think it's more important to keep consistent naming between TLS and
>>> DNS than to come up with some perfect terminology for this concept.
>>> Publishing the full list of groups supported by the server also appears
>>> to be more useful: any partial list is but a partial solution to the
>>> problem.
>>>
>>> Cheers,
>>>
>>> Andrei
>>>
>>> -Original Message-
>>> From: Stephen Farrell 
>>> Sent: Wednesday, September 25, 2024 9:30 AM
>>> To: David Benjamin 
>>> Cc: TLS List 
>>> Subject: [EXTERNAL] [TLS] Re: Consensus Call: early code point request
>>> for draft-ietf-tls-key-share-prediction
>>>
>>>
>>> Two quick bits...
>>>
>>> On 9/25/24 16:59, David Benjamin wrote:
>>>
>>> > If you publish L1+oddballs for all routes to T1 and the client then
>>> > predicts oddballs to S1, *this is not a failure*.
>>>
>>> Yeah, I was imprecise again:-) Yes HRR will kick in, but I think that
>>> scenario highlights a failure for this spec to help.
>>>
>>> That said...
>>>
>>> >> In that case ISTM the right thing is to publish L1 for T1 and
>>> >> L1+oddballs
>>> > for T2.
>>> >
>>> > That would *also* suboptimal for T1. Suppose the client supports
>>> > oddballs, saw L1, and predicted something in L1. Then they connect to
>>> > S2 but actually
>>> > S2 really wants oddballs when the client supports it. Then S2 will HRR.
>>>
>>> With s/would/could/ that's a fair point, though I don't think we're
>>> trying to represent that "really wants...when"
>>> via this spec, so one could argue that's out of scope.
>>>
>>> Anyway, I reckon I've made my point, if others agree they'll chime in,
>>> if not, I assume we'll stick with the current presentation syntax, maybe
>>> with a bit more clarification, and the DEs will like that or not.
>>>
>>> Cheers,
>>> S.
>>>
>>> ___
>>> TLS mailing list -- tls@ietf.org
>>> To unsubscribe send an email to tls-le...@ietf.org
>>>
>> ___
>> TLS mailing list -- tls@ietf.org
>> To unsubscribe send an email to tls-le...@ietf.org
>>
> ___
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
>
___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

[TLS] Re: [DNSOP] Re: Re: Re: Re: AD review draft-ietf-tls-svcb-ech

2024-10-09 Thread Sean Turner 
Authors (Ben, Mike, and Eric),

It looks like we haves some agreement here. There’s some agreement that the PR 
[1] addresses the concern and there’s some agreement to agree to disagree on 
other points.  Please go ahead and merge the PR [1].

spt

[1] https://github.com/tlswg/draft-ietf-tls-svcb-ech/pull/16

> On Oct 8, 2024, at 21:38, Eric Rescorla  wrote:
> 
> I agree that you can't trust a resolver that you only know about from ADD.
> 
> -Ekr
> 
> 
> On Tue, Oct 8, 2024 at 8:31 AM Paul Wouters  wrote:
> I agree with your points. Our only difference of opinion seems to be about 
> how much one should trust a TRR.
> I still prefer to need to trust them the least possible, meaning I would want 
> DNSSEC validation to at least
> detect tampering at the TRR. With more ECH deployed, and less visibility of 
> SNI, there will be increase
> pressure on TRRs to do so.
> 
> But this discussion is not really in scope for the ECH SVCB draft, other than 
> that I am concerned about the
> illusion of ECH privacy being lost because of a "trusted by the network via 
> ADD" resolver being used.
> 
> Paul
> 
> On Mon, Oct 7, 2024 at 9:36 PM Eric Rescorla  wrote:
> Paul,
> 
> I don't understand your threat model here.
> 
> 1. As already noted upthread, ECH inherently leaks the name you are
> resolving to the resolver. This leak doesn't depend on the resolver
> tampering with the response, so DNSSEC verification on the client
> doesn't help here [0].
> 
> 2. If the client accepts the network resolver, as opposed to requiring
> a TRR, then a malicious network will always be able to force the user
> into leaking their browsing history on that network. Thus, as you
> say, if you want ECH to guarantee privacy you need to use encrypted
> transport to a TRR.
> 
> 3. As Ben observed, if the client caches the response from the
> recursive, then an ECH record from malicious resolver A (e.g., in the
> airport) might allow A to continue to learn the SNI even when you are
> using non-malicious resolver B (e.g., at your house). But the only
> way to get into this hole is to use the network provided (potentially
> malicious) resolver.
> 
> 4. The specific attack in (3) can be prevented if the client only
> cached ECH records when they were DNSSEC signed, but this still
> leaves you leaking to the malicious network's resolver whenever
> you try to retrieve an uncached value, so it's much better to
> just insist on using a TRR, which protects against this attack
> entirely, at which point DNSSEC provides limited value.
> 
> If you think this analysis is wrong, please explain the attack
> which is prevented by client-side DNSSEC validation, remembering
> that it can only be done reliably when the client already is
> using a TRR.
> 
> -Ekr
> 
> 
> [0] DNSSEC validation at the recursive might help, but that's not what
> we're talking about.
> 
> On Mon, Oct 7, 2024 at 9:16 AM Paul Wouters  wrote:
> 
> On Mon, Oct 7, 2024 at 9:26 AM Eric Rescorla  wrote:
> 
> 
> On Mon, Oct 7, 2024 at 6:01 AM Paul Wouters  wrote:
> 
> On Sun, Oct 6, 2024 at 12:17 PM Eric Rescorla  wrote:
> This is explicitly prohibited rfc9460 as it would provide linkability. 
> See rfc9460 section 12: "Clients MUST ensure that their DNS cache is 
> partitioned for each local network, or flushed on network changes, to prevent 
> a local adversary in one network from implanting a forged DNS record that 
> allows them to track users or hinder their connections after they leave that 
> network."
> 
> Not if the ECH record is DNSSEC signed.
> 
> Except that no browser client does DNSSEC validation and there is no 
> realistic prospect of that changing.
> 
> If you have a TRR configured that does DNSSEC, you can send the DO bit and 
> still have the advantage of the
> upstream DNSSEC without doing the work in the browser.
> 
> If you do encrypted DNS to a TRR, then you're not subject to attack by 
> resolvers on the local network, regardless of whether they do DNSSEC.
> 
> But still you should verify your trusted resolver where you can. Zerotrust 
> mentality.
> 
> Of course even better is using RFC 7901 Chain Query and run the few signature 
> validations yourself. It only costs
> 1RTT, just like a regular DNS lookup.
> 
> The issue with local DNSSEC validation isn't primarily performance; it's 
> breakage by nonconforming intermediaries.
> 
> There are no intermediaries if you connect to proper functioning TRRs (like 
> 1.1.1.1., 8.8.8.8, 9.9.9.9)
>  
> Actually, as I read RFC 7901, the situation is even worse because there are 
> going to be valid non-RFC 7901
> implementing resolvers, and so the attacker -- who, recall, controls the 
> local network -- can just refuse
> the discovery process described in S 5.1.
> 
> The local network can only block the DoH  HTTPS connection to your TRR, they 
> can't selectively block DNS queries within it.
> 
> I agree with not using locally assigned DNS resolvers (via DHCP or ADD) for 
> anything if you value privacy. Obviously, DNSSEC
> can