Re: [DNSOP] Proposed text for reverse-mapping-considerations draft
Olafur Gudmundsson <ogud@ogud.com> Thu, 31 May 2007 22:17 UTC
Return-path: <dnsop-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Htsxi-00058s-Nf; Thu, 31 May 2007 18:17:42 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Htsxe-00058Q-CQ for dnsop@ietf.org; Thu, 31 May 2007 18:17:39 -0400
Received: from hlid.ogud.com ([66.92.146.160] helo=ogud.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Htsxd-0002NK-Ti for dnsop@ietf.org; Thu, 31 May 2007 18:17:38 -0400
Received: from Puki.ogud.com (hlid.ogud.com [66.92.146.160]) by ogud.com (8.13.1/8.13.1) with ESMTP id l4VMHTuP020301; Thu, 31 May 2007 18:17:29 -0400 (EDT) (envelope-from ogud@ogud.com)
Message-Id: <200705312217.l4VMHTuP020301@ogud.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 31 May 2007 18:16:48 -0400
To: John Schnizlein <jschnizl@cisco.com>, Andrew Sullivan <andrew@ca.afilias.info>
From: Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: [DNSOP] Proposed text for reverse-mapping-considerations draft
In-Reply-To: <8C05A71B-AE2C-4E37-873D-6C8B85731172@cisco.com>
References: <20070531212447.GA20747@afilias.info> <8C05A71B-AE2C-4E37-873D-6C8B85731172@cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 2.61 on 66.92.146.160
X-Spam-Score: 0.5 (/)
X-Scan-Signature: 386e0819b1192672467565a524848168
Cc: dnsop@ietf.org
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Errors-To: dnsop-bounces@ietf.org
I think this text is helpful, to understand where the 'requirement´ for reverse DNS entries came from. This mechanism was used by ftp servers to keep logs and enforce export control on cryptographic software :-) You may want to add a paragraph that the r* command use of reverse mapping for security was copied/cloned by number of other protocols. Olafur At 17:46 31/05/2007, John Schnizlein wrote: >I think this background about the origin of "security" through >reverse lookup is helpful. Certainly not hurtful, which is what my >old rant about its use on UUnet's FTP server might be. > >John > >On May 31, 2007, at 5:24 PM, Andrew Sullivan wrote: > >>Dear colleagues, >> >>We received a suggestion that a short section outlining the history of >>the use of reverse mapping in security contexts would be a good thing >>to add to the reverse-mapping-considerations draft. I have some >>proposed text to add. Before I add it, I'd like to ask for comments. >>I am hoping that this text will be relatively uncontroversial, but if >>it proves to be more contentious than the document has been already, >>I'll cheerfully leave it out. >> >> >> >>2.1 Historical origins of reverse mapping use in security >> >>.in 3 >>The growth of the Internet in the late 1980s and early 1990s brought >>with it attackers who acquired access to machines without >>authorization. Many systems attached to the Internet up to that time >>were poorly prepared for such attacks, and administrators were forced >>to react using available resources rather than to redesign the network >>to meet the new security challenges. >> >>The popular TCP Wrapper package was originally conceived to discover >>the network location of an attacker [Venema1992]. It used the reverse >>mapping of a connecting host to provide the hostname of that host in >>its output. >> >>During the same period, the so-called "UNIX r* commands", like rlogin >>[RFC1282] and [RFC1258], were widely used, in spite of warnings that >>they were prone to abuse [Reid1987]. The r* commands allowed users to >>employ a list of trusted hosts, from which connections would be >>accepted and authenticated without password (sometimes called the >>"rhosts authentication" mechanism). The mechanism remained in >>widespread use (in spite of known flaws) because of its convenience. >>Since the list of trusted hosts was a simple list of hostnames or >>addresses, an attacker could acquire access by intercepting the DNS >>query for a hostname, and replying with the IP address from which the >>attacker was making the rhosts authentication attempt. (This was not >>the only weakness in the mechanism, but it is the most relevant to >>reverse mapping.) >> >>In an effort to strengthen the rhosts authentication mechanism, the >>TCP Wrapper package soon offered the ability to perform reverse >>mapping matching checks. If the reverse and forward mappings did not >>match, the wrapper program would terminate the connection before >>checking any of its other permissions. This mechanism could be used >>for all connections, on the grounds that forward and reverse >>mismatches were an indication either that an attack was in progress; >>or else that the network was badly managed, and therefore a likely >>origin for attack. >> >> >>Best regards, >>Andrew >> >> >>-- >>Andrew Sullivan 204-4141 Yonge Street >>Afilias Canada Toronto, Ontario Canada >><andrew@ca.afilias.info> M2P 2A8 >>jabber: ajsaf@jabber.org +1 416 646 3304 x4110 >> >>_______________________________________________ >>DNSOP mailing list >>DNSOP@ietf.org >>https://www1.ietf.org/mailman/listinfo/dnsop > >_______________________________________________ >DNSOP mailing list >DNSOP@ietf.org >https://www1.ietf.org/mailman/listinfo/dnsop _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www1.ietf.org/mailman/listinfo/dnsop
- [DNSOP] Proposed text for reverse-mapping-conside… Andrew Sullivan
- Re: [DNSOP] Proposed text for reverse-mapping-con… John Schnizlein
- Re: [DNSOP] Proposed text for reverse-mapping-con… Olafur Gudmundsson
- Re: [DNSOP] Proposed text for reverse-mapping-con… Dean Anderson
- Re: [DNSOP] Proposed text for reverse-mapping-con… Dean Anderson
- Re: [DNSOP] Proposed text for reverse-mapping-con… Andrew Sullivan
- Re: [DNSOP] Proposed text for reverse-mapping-con… Edward Lewis
- Re: [DNSOP] Proposed text for reverse-mapping-con… Russ Mundy
- Re: [DNSOP] Proposed text for reverse-mapping-con… Edward Lewis
- Re: [DNSOP] Proposed text for reverse-mapping-con… Dean Anderson
- Re: [DNSOP] Proposed text for reverse-mapping-con… Robert Story
- Re: [DNSOP] Proposed text for reverse-mapping-con… Andrew Sullivan
- Re: [DNSOP] Proposed text for reverse-mapping-con… Andrew Sullivan
- Re: [DNSOP] Proposed text for reverse-mapping-con… Dean Anderson
- Re: [DNSOP] Proposed text for reverse-mapping-con… Andrew Sullivan
- Re: [DNSOP] Proposed text for reverse-mapping-con… Dean Anderson
- Re: [DNSOP] Proposed text for reverse-mapping-con… Dean Anderson