Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

Ted Lemon <mellon@fugue.com> Mon, 26 October 2020 17:54 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <1BAA8A3C-68BC-4BCF-9497-FF90CD5AA6EF@fugue.com>
Date: Mon, 26 Oct 2020 13:54:09 -0400
In-Reply-To: <20201026173018.GB40654@faui48f.informatik.uni-erlangen.de>
Cc: dnsop <dnsop@ietf.org>, kaduk@mit.edu
To: Toerless Eckert <tte@cs.fau.de>
References: <20201025192456.GG48111@faui48f.informatik.uni-erlangen.de> <539093D8-97C4-448F-A9C4-288C2586BC51@fugue.com> <20201026165915.GA40654@faui48f.informatik.uni-erlangen.de> <41920477-8979-49EC-9F14-11A100D622FF@fugue.com> <20201026173018.GB40654@faui48f.informatik.uni-erlangen.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yt9ziXf6uIi13mQPdnFVaeY2yjE>

On Oct 26, 2020, at 1:30 PM, Toerless Eckert <tte@cs.fau.de> wrote:
>> If you’re going to do that, you might as well just turn off mDNS entirely.
> 
> How is this worse than NOT doing this heuristic ? 

It’s likely exactly the same. My expectation would be that the port in the SRV record is literally never the port number in the services table, with a few exceptions like ssh, which has a trust establishment framework and can’t be easily attacked using your proposed attack.

The sense in which it might be worse, though, is that it might fail sometimes, but not always. This makes it harder to figure out why it’s not working. You might not even realize that the problem is mDNS.
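To make the heuristic under discussion concrete, the following is an added example (not code from the thread or from either participant): it maps the DNS-SD service type in an SRV owner name (e.g. `_http._tcp.local`) to a services-table entry and keeps the record only if the SRV port equals the table's port. The services table and the SRV records are constructed sample data, not captured mDNS traffic, and the name parser is a simplified one that assumes instance labels do not contain escaped dots.

```python
"""
Added example, not from the mailing-list thread: the "SRV port must match the
services table" filter, applied to constructed DNS-SD SRV records.

The service type embedded in a DNS-SD name ("Office Printer._ipp._tcp.local.")
is looked up as (ipp, tcp) in a services table; the record is accepted only if
its SRV port equals that entry.  Everything advertised on a non-well-known port
is dropped, which is why the filter passes some services and rejects others.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of a services table: (name, proto) -> well-known port.
# A real implementation would consult /etc/services (socket.getservbyname).
SERVICES = {
    ("http", "tcp"): 80,
    ("ssh", "tcp"): 22,
    ("ipp", "tcp"): 631,
    ("printer", "tcp"): 515,
}


@dataclass(frozen=True)
class SRVRecord:
    name: str    # DNS-SD instance name, e.g. "Office Printer._ipp._tcp.local."
    target: str  # host the service runs on
    port: int    # port from the SRV RDATA


def service_type(name: str) -> Optional[Tuple[str, str]]:
    """Extract (service, proto) from a DNS-SD instance or service name.

    "Office Printer._ipp._tcp.local." -> ("ipp", "tcp").  Returns None when
    the name carries no _service._proto pair (a plain host name, for example).
    Simplified: splits on '.', so it assumes no escaped dots in the instance
    label.  Label-aware parsing of the wire format is needed for real input.
    """
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    for i in range(len(labels) - 1):
        svc, proto = labels[i], labels[i + 1]
        if svc.startswith("_") and proto in ("_tcp", "_udp"):
            return svc[1:], proto[1:]
    return None


def accept_by_heuristic(rec: SRVRecord) -> bool:
    """The proposed filter: keep the record only if the SRV port equals the
    services-table port for the advertised service type."""
    svc = service_type(rec.name)
    if svc is None:
        return False
    expected = SERVICES.get(svc)
    return expected is not None and expected == rec.port


def apply_heuristic(records: List[SRVRecord]) -> Tuple[List[SRVRecord], List[SRVRecord]]:
    """Split records into (accepted, rejected) under the heuristic."""
    accepted = [r for r in records if accept_by_heuristic(r)]
    rejected = [r for r in records if not accept_by_heuristic(r)]
    return accepted, rejected


# Constructed sample advertisements of the kind a LAN browser might see.
SAMPLE_RECORDS = [
    SRVRecord("My NAS._http._tcp.local.", "nas.local.", 5000),
    SRVRecord("Office Printer._ipp._tcp.local.", "printer.local.", 631),
    SRVRecord("laptop._ssh._tcp.local.", "laptop.local.", 22),
    SRVRecord("Living Room._airplay._tcp.local.", "tv.local.", 7000),
    SRVRecord("dev box._http._tcp.local.", "devbox.local.", 8080),
]

if __name__ == "__main__":
    ok, dropped = apply_heuristic(SAMPLE_RECORDS)
    for r in ok:
        print("ACCEPT", r.name, r.port)
    for r in dropped:
        print("REJECT", r.name, r.port)
```

Run against the constructed records, the filter keeps only the printer on 631 and the ssh service on 22 and drops the three HTTP/AirPlay advertisements on high ports: a browsing client would see a partial service list with no indication that the mDNS filter, rather than the network, removed the rest.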