Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

Toerless Eckert <tte@cs.fau.de> Mon, 26 October 2020 20:52 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 470EE3A0F02 for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2020 13:52:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zefjFFttPMjM for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2020 13:52:16 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C4603A0F01 for <dnsop@ietf.org>; Mon, 26 Oct 2020 13:52:15 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id E8889548068; Mon, 26 Oct 2020 21:52:10 +0100 (CET)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id E25C7440059; Mon, 26 Oct 2020 21:52:10 +0100 (CET)
Date: Mon, 26 Oct 2020 21:52:10 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Ted Lemon <mellon@fugue.com>
Cc: Jared Mauch <jared@puck.nether.net>, dnsop <dnsop@ietf.org>, kaduk@mit.edu
Message-ID: <20201026205210.GE40654@faui48f.informatik.uni-erlangen.de>
References: <20201025192456.GG48111@faui48f.informatik.uni-erlangen.de> <539093D8-97C4-448F-A9C4-288C2586BC51@fugue.com> <20201026165915.GA40654@faui48f.informatik.uni-erlangen.de> <41920477-8979-49EC-9F14-11A100D622FF@fugue.com> <6D931ED7-7A34-4E9D-B2CC-D2F555D79E0B@puck.nether.net> <20201026174221.GC40654@faui48f.informatik.uni-erlangen.de> <20201026200538.GA1328776@puck.nether.net> <4EBB9789-EDA8-418F-898F-3A2D0B3C5CC2@fugue.com> <20201026201448.GD40654@faui48f.informatik.uni-erlangen.de> <84D39283-D696-476E-A9CB-2ACCD7A7365F@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <84D39283-D696-476E-A9CB-2ACCD7A7365F@fugue.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ej9Q4PpChiGzriYu9_bCVlXQcv8>
Subject: Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 20:52:18 -0000

On Mon, Oct 26, 2020 at 04:39:10PM -0400, Ted Lemon wrote:
> On Oct 26, 2020, at 4:14 PM, Toerless Eckert <tte@cs.fau.de> wrote:
> > And the question from the AD was what could be done. So, do you have any
> > implemention suggestion ? Are there any sugestions for mDNS ?
> 
> There are no simple mitigations. If there were, they would already be in the protocol.

And with protocol you also include local state machineries such as the
heuristic i described ? (sorry, just wanting to make sure).

> > Btw: I do agree that for most use of mDNS as it is relying on dynamic ports,
> > my suggestion would create an undesired trend of allocating static port numbers.
> > This is also true for GRASP in general, but for the specific use-cases
> > in mind in my text, which are really inside-network infra protocols, the argument could be
> > made that static port allocation was indeed well feasible (as we're talking about a
> > very small number here) . But we had not done it because we hadn't vetted the benefits
> > of doing such a port allocation.
> 
> If it???s a multicast discovery protocol with no authentication, then constraining the set of allowed ports just means that the node that???s attacking you has to be able to listen on that port, which it likely can. So I think this reduces function without increasing hardening.

Elimination of the port number as an announced service element (and instead assuming
 there is a well-known port) eliminates the amplified attack of sending such announcements
with a sweep of port numbers and therefore condemning the consuming client to
try out all those port numbers.

> What actually hardens mDNS is that it???s a link-local protocol.
> It doesn???t work across links.

I am not aware that the solutions to extend mDNS across multiple hops
would be any more hardened necessarily. But water under the bridge.

> This limits the attack surface.
> But there???s no way to eliminate the attack surface.
> If I were in Ben???s shoes, I???d be asking you to change the protocol
> to support authentication and ToFU as a hardening strategy,
> with some better trust establishment mechanism as future work based
> on the existing presence of crypto signatures.
> But the current consensus of the IETF is apparently that ADs aren???t allowed to insist on things like that. :(

Well, it would singling out new work with a humunguously higher bar to jump
over than widely used protocols even including similar DoS attack in
DAAD if i am not mistaken (given how mDNS isn't all that prevalent).
Or just look at how convoluted the work was to attempt making process
with neighbor discovery in routing protocols.

Actually for our specific use-case i would like to propose an authenticated
method, alas there is no pre-established knowledge of the cert of the
neighbor, so it might have to include the whole bloody cert in a packet to authenticte
the packet, and that might be problematic size-wise. Maybe payload-layer
segmented multicasting *sigh*. Discussion for another time.

-- 
---
tte@cs.fau.de