Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

Toerless Eckert <tte@cs.fau.de> Mon, 26 October 2020 20:14 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71D7B3A0EBD for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2020 13:14:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvIIBHzp1zqh for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2020 13:14:53 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EA193A0EB9 for <dnsop@ietf.org>; Mon, 26 Oct 2020 13:14:53 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 72D23548054; Mon, 26 Oct 2020 21:14:48 +0100 (CET)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 6AFE5440059; Mon, 26 Oct 2020 21:14:48 +0100 (CET)
Date: Mon, 26 Oct 2020 21:14:48 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Ted Lemon <mellon@fugue.com>
Cc: Jared Mauch <jared@puck.nether.net>, dnsop <dnsop@ietf.org>, kaduk@mit.edu
Message-ID: <20201026201448.GD40654@faui48f.informatik.uni-erlangen.de>
References: <20201025192456.GG48111@faui48f.informatik.uni-erlangen.de> <539093D8-97C4-448F-A9C4-288C2586BC51@fugue.com> <20201026165915.GA40654@faui48f.informatik.uni-erlangen.de> <41920477-8979-49EC-9F14-11A100D622FF@fugue.com> <6D931ED7-7A34-4E9D-B2CC-D2F555D79E0B@puck.nether.net> <20201026174221.GC40654@faui48f.informatik.uni-erlangen.de> <20201026200538.GA1328776@puck.nether.net> <4EBB9789-EDA8-418F-898F-3A2D0B3C5CC2@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4EBB9789-EDA8-418F-898F-3A2D0B3C5CC2@fugue.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NLFAZ8cJPGFBwV2pIpN8PCSQu-E>
Subject: Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 20:14:55 -0000

On Mon, Oct 26, 2020 at 04:09:41PM -0400, Ted Lemon wrote:
> On Oct 26, 2020, at 4:05 PM, Jared Mauch <jared@puck.nether.net> wrote:
> >> If the answer of the experts is "do not harden implementations of existing protocols",
> >> but only improve protocols or eliminate security risks from underlays, I think
> >> that is not a good strategy to show to implementors trying to understand how
> >> to best harden existing protocols, but I will happily take that guidance
> >> and remove the text about the suggested heuristics.
> 
> The point of my answer was not "don't do anything to harden it," but rather "don't do _that_."  :)

And the question from the AD was what could be done. So, do you have any
implementation suggestion? Are there any suggestions for mDNS?

(And I do not mean "harden the underlying L2 network" or "create a better protocol".)

Btw: I do agree that for most uses of mDNS, as it relies on dynamic ports,
my suggestion would create an undesired trend of allocating static port numbers.
This is also true for GRASP in general, but for the specific use cases
I had in mind in my text, which are really inside-network infra protocols, the argument could be
made that static port allocation was indeed quite feasible (as we're talking about a
very small number here). But we had not done it because we hadn't vetted the benefits
of doing such a port allocation.

Cheers
    Toerless