Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reference threat model #4

Closed
mstojens opened this issue Feb 22, 2021 · 6 comments
Closed

Reference threat model #4

mstojens opened this issue Feb 22, 2021 · 6 comments
Assignees
@mstojens

Comments

@mstojens
Copy link
Contributor

Copied conversation below from tfpauly/draft-pauly-adaptive-dns-privacy#143
@mstojens
Copy link
Contributor Author

tfpauly said...

A. Security design

"In order to be considered an authenticated Equivalent Encrypted Resolver, the TLS certificate presented by the Encrypted Resolver MUST contain both the domain name (from the SVCB answer) and the IP address of its equivalent Unencrypted Resolver"

Requiring the certificate to cover the TargetName is unusual. Why does it help for the certificate to contain this domain name, if it is also required to authenticate or match the DNS server IP? Is a nontrivial TargetName always required?

"An attacker might try to direct Encrypted DNS traffic to itself by causing the client to think that a discovered Equivalent Encrypted Resolver uses a different IP address from the Unencrypted Resolver."

It seems like you are contemplating an attacker who controls the DNS path but not the RA/DHCP path. I'd appreciate seeing a few more words on that beyond the current reference to RA protection.

In general, some text on threat modeling might help to justify the design decisions.

@mstojens
Copy link
Contributor Author

tfpauly said...

Partly, I’m imagining we can rely on or take some of the threat modeling text from the requirements document here. However, I agree that that should be referenced or included.

@mstojens
Copy link
Contributor Author

martinthomson said...

I think that for equivalence, it is sufficient to include just the ipAddress SAN. Clients have to have a single target identity to match, or it gets a little tricky.

This assumes that the provenance of the IP is somehow not subject to attack. This includes DHCP/RA, manual configuration, and other forms of configuration like enterprise policy systems.

But it's not really that. This isn't about establishing whether the IP address is the right one, it's about saying affirmatively that this is the same as this other thing. For that, you don't need to worry about where the IP address came from. Of course, this is a stronger assertion regarding the DoT/DoH server than you can make about the Do53 server. The former is authenticated; the latter relies on the integrity of the route.

@mstojens
Copy link
Contributor Author

mstojens commented Feb 22, 2021
edited

vparla said...

One question I have is the embedding of IP addresses in certificates at all. In a world of migrating workloads on generic compute, it is not unreasonable to expect that DoH servers might not occupy a fixed IP address necessarily. While it can be accomplished with Anycast addressing, NATing or Loadbalancing schemes, I still have some reservations about the construct in general. Maybe I am missing something obvious here.

@mstojens
Copy link
Contributor Author

bemasc issued a PR

tfpauly/draft-pauly-adaptive-dns-privacy#147

@mstojens mstojens mentioned this issue Feb 22, 2021
Closed
@mstojens mstojens self-assigned this Mar 22, 2021
@mstojens
Copy link
Contributor Author

This topic has received significant attention since this was filed, and resulted in tight scoping revisions. More specific threat model gaps should be opened in new issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mstojens mstojens

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mstojens