Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

Toerless Eckert <tte@cs.fau.de> Mon, 26 October 2020 17:30 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72CC63A0DE5 for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2020 10:30:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.869
X-Spam-Level:
X-Spam-Status: No, score=-0.869 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u2YuKu8Rh1BC for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2020 10:30:23 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0D183A0DE4 for <dnsop@ietf.org>; Mon, 26 Oct 2020 10:30:23 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 966CF548068; Mon, 26 Oct 2020 18:30:18 +0100 (CET)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 8F120440059; Mon, 26 Oct 2020 18:30:18 +0100 (CET)
Date: Mon, 26 Oct 2020 18:30:18 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Ted Lemon <mellon@fugue.com>
Cc: dnsop@ietf.org, kaduk@mit.edu
Message-ID: <20201026173018.GB40654@faui48f.informatik.uni-erlangen.de>
References: <20201025192456.GG48111@faui48f.informatik.uni-erlangen.de> <539093D8-97C4-448F-A9C4-288C2586BC51@fugue.com> <20201026165915.GA40654@faui48f.informatik.uni-erlangen.de> <41920477-8979-49EC-9F14-11A100D622FF@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <41920477-8979-49EC-9F14-11A100D622FF@fugue.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0L60Kq0FiTK_hLzDnn_Zyh0USyY>
Subject: Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 17:30:25 -0000

On Mon, Oct 26, 2020 at 01:05:42PM -0400, Ted Lemon wrote:
> On Oct 26, 2020, at 12:59 PM, Toerless Eckert <tte@cs.fau.de> wrote:
> > The networks where i am worried are not home networks,
> > but something like an office park network, where supposedly each
> > tenant (company) should have gotten their disjoint L2 domains, ... and then
> > they didn't. And one of the tenants has a "funny" network engineer/hacker.
> 
> That???s pretty clearly the thing to fix.

The whole point is to build solutions on top of underlays where there can be attacks, right ?

> > So, eliminate for your assessment the option of better
> > protocols. Now, why would this heuristic then still be
> > "very bad" ? To me it just eliminates the benefits of
> > dynamic port signaling when there is an attack. And has no
> > impact under no attack.
> 
> If you???re going to do that, you might as well just turn off mDNS entirely.

How is this worse than NOT doing this heuristic ? 

No difference under no attack.

What heuristic would you use under attack, and why ?

> I don???t know whether or not this would also be true of GRASP, however.

So far i do not see a difference except for deployment cases (home vs. more difficult / potentially more easily attacked underlays, but then again, mDNS is widely used within universities/schools too, sone might argue that there is not even a different in deployment).

Cheers
    Toerless