Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks
Toerless Eckert <tte@cs.fau.de> Mon, 26 October 2020 20:52 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 470EE3A0F02 for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2020 13:52:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zefjFFttPMjM for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2020 13:52:16 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C4603A0F01 for <dnsop@ietf.org>; Mon, 26 Oct 2020 13:52:15 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id E8889548068; Mon, 26 Oct 2020 21:52:10 +0100 (CET)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id E25C7440059; Mon, 26 Oct 2020 21:52:10 +0100 (CET)
Date: Mon, 26 Oct 2020 21:52:10 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Ted Lemon <mellon@fugue.com>
Cc: Jared Mauch <jared@puck.nether.net>, dnsop <dnsop@ietf.org>, kaduk@mit.edu
Message-ID: <20201026205210.GE40654@faui48f.informatik.uni-erlangen.de>
References: <20201025192456.GG48111@faui48f.informatik.uni-erlangen.de> <539093D8-97C4-448F-A9C4-288C2586BC51@fugue.com> <20201026165915.GA40654@faui48f.informatik.uni-erlangen.de> <41920477-8979-49EC-9F14-11A100D622FF@fugue.com> <6D931ED7-7A34-4E9D-B2CC-D2F555D79E0B@puck.nether.net> <20201026174221.GC40654@faui48f.informatik.uni-erlangen.de> <20201026200538.GA1328776@puck.nether.net> <4EBB9789-EDA8-418F-898F-3A2D0B3C5CC2@fugue.com> <20201026201448.GD40654@faui48f.informatik.uni-erlangen.de> <84D39283-D696-476E-A9CB-2ACCD7A7365F@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <84D39283-D696-476E-A9CB-2ACCD7A7365F@fugue.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ej9Q4PpChiGzriYu9_bCVlXQcv8>
Subject: Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 20:52:18 -0000
On Mon, Oct 26, 2020 at 04:39:10PM -0400, Ted Lemon wrote: > On Oct 26, 2020, at 4:14 PM, Toerless Eckert <tte@cs.fau.de> wrote: > > And the question from the AD was what could be done. So, do you have any > > implemention suggestion ? Are there any sugestions for mDNS ? > > There are no simple mitigations. If there were, they would already be in the protocol. And with protocol you also include local state machineries such as the heuristic i described ? (sorry, just wanting to make sure). > > Btw: I do agree that for most use of mDNS as it is relying on dynamic ports, > > my suggestion would create an undesired trend of allocating static port numbers. > > This is also true for GRASP in general, but for the specific use-cases > > in mind in my text, which are really inside-network infra protocols, the argument could be > > made that static port allocation was indeed well feasible (as we're talking about a > > very small number here) . But we had not done it because we hadn't vetted the benefits > > of doing such a port allocation. > > If it???s a multicast discovery protocol with no authentication, then constraining the set of allowed ports just means that the node that???s attacking you has to be able to listen on that port, which it likely can. So I think this reduces function without increasing hardening. Elimination of the port number as an announced service element (and instead assuming there is a well-known port) eliminates the amplified attack of sending such announcements with a sweep of port numbers and therefore condemning the consuming client to try out all those port numbers. > What actually hardens mDNS is that it???s a link-local protocol. > It doesn???t work across links. I am not aware that the solutions to extend mDNS across multiple hops would be any more hardened necessarily. But water under the bridge. > This limits the attack surface. > But there???s no way to eliminate the attack surface. > If I were in Ben???s shoes, I???d be asking you to change the protocol > to support authentication and ToFU as a hardening strategy, > with some better trust establishment mechanism as future work based > on the existing presence of crypto signatures. > But the current consensus of the IETF is apparently that ADs aren???t allowed to insist on things like that. :( Well, it would singling out new work with a humunguously higher bar to jump over than widely used protocols even including similar DoS attack in DAAD if i am not mistaken (given how mDNS isn't all that prevalent). Or just look at how convoluted the work was to attempt making process with neighbor discovery in routing protocols. Actually for our specific use-case i would like to propose an authenticated method, alas there is no pre-established knowledge of the cert of the neighbor, so it might have to include the whole bloody cert in a packet to authenticte the packet, and that might be problematic size-wise. Maybe payload-layer segmented multicasting *sigh*. Discussion for another time. -- --- tte@cs.fau.de
- [DNSOP] DNSOP: question about hardening "somethin… Toerless Eckert
- Re: [DNSOP] DNSOP: question about hardening "some… Ted Lemon
- Re: [DNSOP] DNSOP: question about hardening "some… Toerless Eckert
- Re: [DNSOP] DNSOP: question about hardening "some… Ted Lemon
- Re: [DNSOP] DNSOP: question about hardening "some… Jared Mauch
- Re: [DNSOP] DNSOP: question about hardening "some… Toerless Eckert
- Re: [DNSOP] DNSOP: question about hardening "some… Toerless Eckert
- Re: [DNSOP] DNSOP: question about hardening "some… Ted Lemon
- Re: [DNSOP] DNSOP: question about hardening "some… Jared Mauch
- Re: [DNSOP] DNSOP: question about hardening "some… Ted Lemon
- Re: [DNSOP] DNSOP: question about hardening "some… Toerless Eckert
- Re: [DNSOP] DNSOP: question about hardening "some… Ted Lemon
- Re: [DNSOP] DNSOP: question about hardening "some… Toerless Eckert
- Re: [DNSOP] DNSOP: question about hardening "some… Jared Mauch