Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

Toerless Eckert <tte@cs.fau.de> Mon, 26 October 2020 17:42 UTC

Date: Mon, 26 Oct 2020 18:42:21 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Jared Mauch <jared@puck.nether.net>
Cc: Ted Lemon <mellon@fugue.com>, dnsop@ietf.org, kaduk@mit.edu
Message-ID: <20201026174221.GC40654@faui48f.informatik.uni-erlangen.de>
References: <20201025192456.GG48111@faui48f.informatik.uni-erlangen.de> <539093D8-97C4-448F-A9C4-288C2586BC51@fugue.com> <20201026165915.GA40654@faui48f.informatik.uni-erlangen.de> <41920477-8979-49EC-9F14-11A100D622FF@fugue.com> <6D931ED7-7A34-4E9D-B2CC-D2F555D79E0B@puck.nether.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <6D931ED7-7A34-4E9D-B2CC-D2F555D79E0B@puck.nether.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4pav8JU3QmR_h4nk4xIfkgHLXek>
Subject: Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

Thanks, Jared

Somehow everybody tries to escape answering the question asked by giving
their correct but orthogonal pet problem space answer. Ted correctly claims
the protocols suck security-wise, and you correctly claim that there are a lot more
deployment considerations in the face of risky underlays.

At this point in time I am just trying to get an RFC out the door, and Ben's
security review was asking for options for how to operationalize the chosen protocol
to be hardened. My answer was the heuristic.

If the answer of the experts is "do not harden implementations of existing protocols",
but only improve protocols or eliminate security risks from underlays, I think
that is not a good strategy to show to implementors trying to understand how
to best harden existing protocols, but I will happily take that guidance
and remove the text about the suggested heuristics.

Cheers
   Toerless

On Mon, Oct 26, 2020 at 01:11:33PM -0400, Jared Mauch wrote:
> 
> 
> > On Oct 26, 2020, at 1:05 PM, Ted Lemon <mellon@fugue.com> wrote:
> > 
> > On Oct 26, 2020, at 12:59 PM, Toerless Eckert <tte@cs.fau.de> wrote:
> >> The networks where I am worried are not home networks,
> >> but something like an office park network, where supposedly each
> >> tenant (company) should have gotten their disjoint L2 domains, ... and then
> >> they didn't. And one of the tenants has a "funny" network engineer/hacker.
> > 
> > That's pretty clearly the thing to fix.
> > 
> 
> There's plenty of bad engineering out there, but when on a shared LAN without client isolation enabled (e.g. wireless) many bad things can be done.
> 
> I think explaining that the threat domain is the layer-2 and that administrators should consider what services are available, e.g. do you accept a DHCP server on the network, what devices are permitted to send RAs, etc. all become part of the question.
> 
> Much of this is just operational guidance in how to run a good network which prevents these types of bad behaviors and consequences from exceeding their blast radius.
> 
> - Jared

-- 
---
tte@cs.fau.de