Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

Jared Mauch <jared@puck.nether.net> Mon, 26 October 2020 17:11 UTC

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <41920477-8979-49EC-9F14-11A100D622FF@fugue.com>
Date: Mon, 26 Oct 2020 13:11:33 -0400
Cc: Toerless Eckert <tte@cs.fau.de>, dnsop@ietf.org, kaduk@mit.edu
Message-Id: <6D931ED7-7A34-4E9D-B2CC-D2F555D79E0B@puck.nether.net>
References: <20201025192456.GG48111@faui48f.informatik.uni-erlangen.de> <539093D8-97C4-448F-A9C4-288C2586BC51@fugue.com> <20201026165915.GA40654@faui48f.informatik.uni-erlangen.de> <41920477-8979-49EC-9F14-11A100D622FF@fugue.com>
To: Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/f9gcrrzVsCODQ2ywb--NVhfVOGA>
Subject: Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks


> On Oct 26, 2020, at 1:05 PM, Ted Lemon <mellon@fugue.com> wrote:
> 
> On Oct 26, 2020, at 12:59 PM, Toerless Eckert <tte@cs.fau.de> wrote:
>> The networks where i am worried are not home networks,
>> but something like an office park network, where supposedly each
>> tenant (company) should have gotten their disjoint L2 domains, ... and then
>> they didn't. And one of the tenants has a "funny" network engineer/hacker.
> 
> That’s pretty clearly the thing to fix.
> 

There’s plenty of bad engineering out there, but when on a shared LAN without client isolation enabled (e.g. wireless) many bad things can be done.

I think explaining that the threat domain is layer 2, and that administrators should consider what services are available (e.g. do you accept a DHCP server on the network, what devices are permitted to send RAs, etc.), all becomes part of the question.

Much of this is just operational guidance on how to run a good network, which prevents these types of bad behaviors and consequences from exceeding their blast radius.

- Jared
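As an added illustration of the operational check Jared describes (deciding which devices on a layer-2 segment are allowed to act as DHCP servers or send router advertisements, and noticing when something else does), the following is example code that is not part of the thread. It audits a stream of constructed packet-summary records against a hypothetical per-segment allowlist; the record format, the VLAN names, the MAC addresses and the allowlists are all assumptions made for the example. A segment with no allowlist entry is treated fail-closed: every server or router seen there is reported.

```python
"""Audit layer-2 packet summaries for DHCP servers and IPv6 routers that
an administrator has not explicitly allowed on a segment.

Added example, not code from the mailing-list thread. All input records
and allowlists below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set

# Hypothetical per-segment allowlists: which source MACs may answer DHCP
# and which may send Router Advertisements on each L2 domain.
ALLOWED_DHCP_SERVERS: Dict[str, Set[str]] = {
    "vlan10": {"00:11:22:33:44:01"},
    "vlan20": {"00:11:22:33:44:02"},
}
ALLOWED_RA_ROUTERS: Dict[str, Set[str]] = {
    "vlan10": {"00:11:22:33:44:01"},
    "vlan20": {"00:11:22:33:44:02"},
}

# Constructed packet summaries in an assumed format:
#   <segment> <src_mac> <kind> <free-form detail>
SAMPLE_LOG = """\
vlan10 00:11:22:33:44:01 DHCPOFFER yiaddr=10.0.10.55
vlan10 00:11:22:33:44:01 RA prefix=2001:db8:10::/64
vlan10 de:ad:be:ef:00:01 DHCPOFFER yiaddr=10.0.10.200
vlan10 de:ad:be:ef:00:01 RA prefix=2001:db8:bad::/64
vlan20 00:11:22:33:44:02 DHCPACK yiaddr=10.0.20.7
vlan20 AA:BB:CC:DD:EE:FF RA prefix=2001:db8:20::/64
vlan20 02:00:00:00:00:09 DHCPDISCOVER xid=0x1234
this line is not a valid record
"""

# Message kinds that only a DHCP server should ever emit.
DHCP_SERVER_KINDS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class Event:
    segment: str   # L2 domain the frame was seen on
    src_mac: str   # normalised to lowercase
    kind: str      # e.g. DHCPOFFER, RA, DHCPDISCOVER
    detail: str


@dataclass(frozen=True)
class Finding:
    verdict: str   # "rogue-dhcp" or "rogue-ra"
    event: Event


def parse_event(line: str) -> Optional[Event]:
    """Parse one constructed summary line; return None if it is malformed."""
    parts = line.strip().split(" ", 3)
    if len(parts) < 3 or parts[1].count(":") != 5:
        return None
    detail = parts[3] if len(parts) == 4 else ""
    return Event(parts[0], parts[1].lower(), parts[2].upper(), detail)


def iter_events(text: str) -> Iterator[Event]:
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is not None:
            yield ev


def classify(ev: Event,
             dhcp_allow: Dict[str, Set[str]],
             ra_allow: Dict[str, Set[str]]) -> Optional[str]:
    """Return a verdict string for an unexpected server/router, else None.

    Unknown segments get an empty allowlist, so anything serving there is
    flagged rather than silently accepted.
    """
    if ev.kind in DHCP_SERVER_KINDS and ev.src_mac not in dhcp_allow.get(ev.segment, set()):
        return "rogue-dhcp"
    if ev.kind == "RA" and ev.src_mac not in ra_allow.get(ev.segment, set()):
        return "rogue-ra"
    return None


def audit(text: str,
          dhcp_allow: Dict[str, Set[str]],
          ra_allow: Dict[str, Set[str]]) -> List[Finding]:
    """Run every parsable record through classify() and collect findings."""
    findings: List[Finding] = []
    for ev in iter_events(text):
        verdict = classify(ev, dhcp_allow, ra_allow)
        if verdict is not None:
            findings.append(Finding(verdict, ev))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ALLOWED_DHCP_SERVERS, ALLOWED_RA_ROUTERS):
        print(f"{f.verdict:10s} segment={f.event.segment} "
              f"src={f.event.src_mac} {f.event.kind} {f.event.detail}")
```

On the constructed sample this reports the unlisted DHCPOFFER and RA on vlan10 and the unlisted RA on vlan20, while client-side DHCPDISCOVER traffic and the malformed line are ignored. In practice the records would come from a DHCP-snooping or RA-guard log, or from a capture on a mirror port, and the allowlist is the same inventory an administrator would consult when enabling those switch features.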