search

huitema / dnsoquic

DNS over QUIC
10 stars 7 forks source link

Robustness to traffic analysis? #11

Closed huitema closed 3 years ago

huitema commented 7 years ago

Need more discussion, obviously, but here is a first text:

Even though QUIC packets are encrypted, adversaries can gain information from observing packet lengths, in both queries and responses, as well as packet timing. Many DNS requests are emitted by web browsers. Loading a specific web page may require resolving dozen of DNS names. If an application adopts a simple mapping of one query or response per packet, or "one QUIC STREAM frame per packet", then the succession of packet lengths may provide enough information to identify the requested site.

Implementations of DNS over QUIC SHOULD mitigate the packet length observation attacks. It is RECOMMENDED to transmit a variable number of STREAM frames in a single packet, and to use the padding options to align the packet length to a small set of fixed sizes.

janaiyengar commented 7 years ago

+1. Since DNS traffic shouldn't be bandwidth-limited anyways, I'd be fine with recommending that all packets be padded to MaxPacketLength.

On Fri, Apr 28, 2017 at 12:11 PM, huitema notifications@github.com wrote:

Need more discussion, obviously, but here is a first text:

Even though QUIC packets are encrypted, adversaries can gain information from observing packet lengths, in both queries and responses, as well as packet timing. Many DNS requests are emitted by web browsers. Loading a specific web page may require resolving dozen of DNS names. If an application adopts a simple mapping of one query or response per packet, or "one QUIC STREAM frame per packet", then the succession of packet lengths may provide enough information to identify the requested site.

Implementations of DNS over QUIC SHOULD mitigate the packet length observation attacks. It is RECOMMENDED to transmit a variable number of STREAM frames in a single packet, and to use the padding options to align the packet length to a small set of fixed sizes.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/huitema/dnsoquic/issues/11, or mute the thread https://github.com/notifications/unsubscribe-auth/AKjg1OtVcybP7T7Xa0LY_BYmKElxYqz0ks5r0jnGgaJpZM4NL3Pm .

huitema commented 3 years ago

Closing this issue, as it is addressed in new drafts.