Reference threat model #4
Comments
tfpauly said: A. Security design
Requiring the certificate to cover the TargetName is unusual. Why does it help for the certificate to contain this domain name, if it is also required to authenticate or match the DNS server IP? Is a nontrivial TargetName always required?
It seems like you are contemplating an attacker who controls the DNS path but not the RA/DHCP path. I'd appreciate seeing a few more words on that beyond the current reference to RA protection. In general, some text on threat modeling might help to justify the design decisions.
tfpauly said: Partly, I’m imagining we can rely on or take some of the threat modeling text from the requirements document here. However, I agree that that should be referenced or included.
martinthomson said: I think that for equivalence, it is sufficient to include just the ipAddress SAN. Clients have to have a single target identity to match, or it gets a little tricky. This assumes that the provenance of the IP is somehow not subject to attack. This includes DHCP/RA, manual configuration, and other forms of configuration like enterprise policy systems. But it's not really that. This isn't about establishing whether the IP address is the right one, it's about saying affirmatively that this is the same as this other thing. For that, you don't need to worry about where the IP address came from. Of course, this is a stronger assertion regarding the DoT/DoH server than you can make about the Do53 server. The former is authenticated; the latter relies on the integrity of the route.
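As an added example (not from this thread, the draft, or any of the commenters), the following code shows the matching rule martinthomson describes: the client settles on a single reference identity and checks it against the certificate's subjectAltName list, comparing an IP literal only against iPAddress entries by binary value (so differing textual forms of the same IPv6 address still agree) and a host name only against dNSName entries. A second function shows the stricter two-identity rule tfpauly asks about, where the certificate has to cover both the TargetName and the resolver IP. The SAN entries, names and addresses are constructed for the example; the `SanEntry` type and both function names are assumptions, not part of any library.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class SanEntry:
    """One subjectAltName entry, already parsed out of the certificate (hypothetical type)."""
    kind: str    # "dNSName" or "iPAddress"
    value: str   # host name as written in the cert, or an IP address literal


# Constructed SAN list for a hypothetical designated resolver; not from any real certificate.
EXAMPLE_SAN: List[SanEntry] = [
    SanEntry("dNSName", "resolver.example.net"),
    SanEntry("iPAddress", "192.0.2.53"),
    SanEntry("iPAddress", "2001:db8::53"),
]


def _parse_ip(text: str) -> Optional[IPAddr]:
    """Return the address object for an IP literal, or None if the text is not one."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def dns_name_matches(pattern: str, name: str) -> bool:
    """RFC 6125 style DNS-ID comparison: case-insensitive, trailing dot ignored,
    and a wildcard is accepted only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == n
    # Wildcard: same label count, every label after the first must be equal, the
    # wildcard must leave at least two literal labels (so "*.net" never matches),
    # and the matched leftmost label must not be empty.
    return len(p) >= 3 and len(p) == len(n) and p[1:] == n[1:] and n[0] != ""


def verify_reference_identity(sans: List[SanEntry], reference: str) -> bool:
    """Match ONE configured identity against the SAN list.

    An IP literal is compared only against iPAddress entries, by packed binary
    value; a host name only against dNSName entries. A dNSName that merely spells
    out an IP address never satisfies an IP reference identity.
    """
    ref_ip = _parse_ip(reference)
    for entry in sans:
        if ref_ip is not None and entry.kind == "iPAddress":
            san_ip = _parse_ip(entry.value)
            # packed lengths differ between v4 and v6, so a v4 SAN cannot match a v6 reference
            if san_ip is not None and san_ip.packed == ref_ip.packed:
                return True
        elif ref_ip is None and entry.kind == "dNSName":
            if dns_name_matches(entry.value, reference):
                return True
    return False


def cert_covers_designation(sans: List[SanEntry], target_name: str, resolver_ip: str) -> Dict[str, bool]:
    """The stricter rule under discussion: the certificate must cover both the
    TargetName and the resolver's IP. Each result is reported separately so a
    failing element is visible rather than collapsed into one boolean."""
    return {
        "target_name": verify_reference_identity(sans, target_name),
        "ip": verify_reference_identity(sans, resolver_ip),
    }


if __name__ == "__main__":
    # Different textual spellings of the same IPv6 address still match the SAN.
    print(verify_reference_identity(EXAMPLE_SAN, "2001:DB8:0:0::53"))
    # A dNSName that spells an IP is not an iPAddress SAN.
    print(verify_reference_identity([SanEntry("dNSName", "192.0.2.53")], "192.0.2.53"))
    print(cert_covers_designation(EXAMPLE_SAN, "other.example.net", "192.0.2.53"))
```

Comparing the packed form rather than the string is the detail that most often goes wrong in hand-rolled checkers: a resolver configured as `2001:DB8:0:0::53` and a SAN encoded as `2001:db8::53` are the same address and must be treated as such, while `::ffff:192.0.2.53` and `192.0.2.53` deliberately do not match here because they are different SAN types.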
vparla said: One question I have is the embedding of IP addresses in certificates at all. In a world of migrating workloads on generic compute, it is not unreasonable to expect that DoH servers might not occupy a fixed IP address necessarily. While it can be accomplished with Anycast addressing, NATing or load balancing schemes, I still have some reservations about the construct in general. Maybe I am missing something obvious here.
bemasc issued a PR
This topic has received significant attention since this was filed, and resulted in tight scoping revisions. More specific threat model gaps should be opened in new issues. |
Copied conversation below from tfpauly/draft-pauly-adaptive-dns-privacy#143