Re: [DNSOP] Proposed text for reverse-mapping-considerations draft

John Schnizlein <jschnizl@cisco.com> Thu, 31 May 2007 21:46 UTC

In-Reply-To: <20070531212447.GA20747@afilias.info>
References: <20070531212447.GA20747@afilias.info>
From: John Schnizlein <jschnizl@cisco.com>
Subject: Re: [DNSOP] Proposed text for reverse-mapping-considerations draft
Date: Thu, 31 May 2007 17:46:30 -0400
To: Andrew Sullivan <andrew@ca.afilias.info>
Cc: dnsop@ietf.org

I think this background about the origin of "security" through  
reverse lookup is helpful.  Certainly not hurtful, which is what my  
old rant about its use on UUnet's FTP server might be.

John

On May 31, 2007, at 5:24 PM, Andrew Sullivan wrote:

> Dear colleagues,
>
> We received a suggestion that a short section outlining the history of
> the use of reverse mapping in security contexts would be a good thing
> to add to the reverse-mapping-considerations draft.  I have some
> proposed text to add.  Before I add it, I'd like to ask for comments.
> I am hoping that this text will be relatively uncontroversial, but if
> it proves to be more contentious than the document has been already,
> I'll cheerfully leave it out.
>
>
>
> 2.1 Historical origins of reverse mapping use in security
>
> The growth of the Internet in the late 1980s and early 1990s brought
> with it attackers who acquired access to machines without
> authorization.  Many systems attached to the Internet up to that time
> were poorly prepared for such attacks, and administrators were forced
> to react using available resources rather than to redesign the network
> to meet the new security challenges.
>
> The popular TCP Wrapper package was originally conceived to discover
> the network location of an attacker [Venema1992].  It used the reverse
> mapping of a connecting host to provide the hostname of that host in
> its output.
>
> During the same period, the so-called "UNIX r* commands", like rlogin
> [RFC1282] and [RFC1258], were widely used, in spite of warnings that
> they were prone to abuse [Reid1987].  The r* commands allowed users to
> employ a list of trusted hosts, from which connections would be
> accepted and authenticated without password (sometimes called the
> "rhosts authentication" mechanism).  The mechanism remained in
> widespread use (in spite of known flaws) because of its convenience.
> Since the list of trusted hosts was a simple list of hostnames or
> addresses, an attacker could acquire access by intercepting the DNS
> query for a hostname, and replying with the IP address from which the
> attacker was making the rhosts authentication attempt.  (This was not
> the only weakness in the mechanism, but it is the most relevant to
> reverse mapping.)
>
> In an effort to strengthen the rhosts authentication mechanism, the
> TCP Wrapper package soon offered the ability to perform reverse
> mapping matching checks.  If the reverse and forward mappings did not
> match, the wrapper program would terminate the connection before
> checking any of its other permissions.  This mechanism could be used
> for all connections, on the grounds that forward and reverse
> mismatches were an indication either that an attack was in progress,
> or else that the network was badly managed, and therefore a likely
> origin for attack.
>
>
> Best regards,
> Andrew
>
>
> -- 
> Andrew Sullivan                         204-4141 Yonge Street
> Afilias Canada                        Toronto, Ontario Canada
> <andrew@ca.afilias.info>                              M2P 2A8
> jabber: ajsaf@jabber.org                 +1 416 646 3304 x4110
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www1.ietf.org/mailman/listinfo/dnsop
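The forward/reverse matching check that the proposed text describes, as an added example that is not part of the draft, the thread, or the TCP Wrapper code itself. Names such as PTR_TABLE, check_client and admit are assumptions; the DNS data is constructed (RFC 5737 documentation addresses, placeholder names under example.org) so the block runs offline.

```python
# Added example: the TCP Wrapper style forward/reverse consistency check.
# A constructed pair of dicts stands in for PTR and A lookups; production
# code would query the system resolver instead.
from typing import Callable, Iterable, Optional, Tuple

# Constructed reverse (PTR) and forward (A) data.
PTR_TABLE = {
    "192.0.2.10": "trusted.example.org",   # consistent: A record agrees
    "192.0.2.20": "trusted.example.org",   # PTR claims a name whose A record differs
    "192.0.2.30": "nomatch.example.org",   # PTR points at a name with no A record
    # 192.0.2.40 has no PTR record at all
}
A_TABLE = {
    "trusted.example.org": ["192.0.2.10"],
    "nomatch.example.org": [],
}

def reverse_lookup(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)

def forward_lookup(name: str) -> Iterable[str]:
    return A_TABLE.get(name, [])

def check_client(ip: str,
                 rev: Callable[[str], Optional[str]] = reverse_lookup,
                 fwd: Callable[[str], Iterable[str]] = forward_lookup
                 ) -> Tuple[str, Optional[str]]:
    """Return (verdict, hostname) for a connecting address.
    "ok"       the PTR name forward-resolves back to ip; the name is usable
    "unknown"  no PTR record; only the bare address is available
    "paranoid" the PTR name does not map back to ip: the mismatch the text
               describes, on which the wrapper drops the connection before
               consulting any other permission
    """
    name = rev(ip)
    if name is None:
        return ("unknown", None)
    if ip in set(fwd(name)):
        return ("ok", name)
    return ("paranoid", name)

def admit(ip: str, trusted_hosts: set) -> bool:
    """rhosts-style trusted host list, gated by the mismatch check first."""
    verdict, name = check_client(ip)
    if verdict == "paranoid":
        return False                      # terminate before the host list
    return (name in trusted_hosts) or (ip in trusted_hosts)
```

Note that the check only confirms that the PTR and A answers agree with each other; it is a consistency test, not authentication of the client, which is why the draft frames it as a signal of attack or poor management rather than as a replacement for rhosts' weak trust model.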
