Re: [dnssd] Security through Obscurity

Tim Chown <tjc@ecs.soton.ac.uk> Wed, 23 July 2014 22:43 UTC

From: Tim Chown <tjc@ecs.soton.ac.uk>
In-Reply-To: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com>
Date: Wed, 23 Jul 2014 23:43:34 +0100
Message-ID: <EMEW3|2600382c8d6f30afc8697f921ff4de46q6MNhc03tjc|ecs.soton.ac.uk|4FDF75D1-28F0-47DA-ABA9-8B4B36F7CD0B@ecs.soton.ac.uk>
References: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com> <4FDF75D1-28F0-47DA-ABA9-8B4B36F7CD0B@ecs.soton.ac.uk>
To: RJ Atkinson <rja.lists@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/0tvN_PYKDsnMROHOpkKRwsFXipU
Cc: dnssd@ietf.org
Subject: Re: [dnssd] Security through Obscurity
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>

On 23 Jul 2014, at 21:51, RJ Atkinson <rja.lists@gmail.com> wrote:

> 
> (NOTE WELL: I am not a WG Chair, IESG member, IAB member,
> or authorised spokesperson for anyone other than myself.)
> 
> 
> Earlier Doug Otis wrote:
>> It is not safe to advertise such addresses in DNS, 
>> especially when security depends on address obscurity.
> 
> 
> I believe that the vast majority of security folks
> would object to the notion that obscurity is a mechanism 
> capable of providing any meaningful security.
> 
> If a client were to ask me for advice on protecting their
> interior services or interior devices from the global Internet, 
> I would suggest at least a firewall (ranging from router ACLs 
> to an air-gap: depending upon their local needs and threat model) 
> and possibly also other measures (again, depending upon local
> needs and threat model).  Operational security is not 
> one-size-fits-all, in my experience, but relying upon 
> security-through-obscurity seems unwise to me.

Indeed. Though I’d argue that work such as RFC 7217 still has value.

>> It sounds like Ran wants to configure devices within a data-center.
> 
> 
> Incorrect.  To be very clear, my post to DNS-SD WG from earlier 
> this week definitely was NOT focused on data centre environments. 

I certainly didn’t take it that way.

Tim

> 
> Yours,
> 
> Ran
> 
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssd
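Worked example, added by the editor and not part of the thread or written by Tim Chown or RJ Atkinson: the RFC 7217 stable-but-opaque interface identifier that Tim points to, next to the traditional MAC-derived EUI-64 identifier, so the "value" of an unpredictable address is visible. The point it makes is the one the thread agrees on: an opaque IID stops remote scanning and cross-network tracking of a host, but it is not an access control and does not replace the firewall Ran describes. Assumptions are mine: F() is instantiated as HMAC-SHA256 keyed with secret_key (RFC 7217 only requires a pseudorandom function and lists SHA-1/SHA-256 as options); the prefixes, interface name, Network_ID values, MAC address and secret key are constructed for the demonstration.

```python
"""Stable, opaque IPv6 interface identifiers in the style of RFC 7217.

Added example, not code from the dnssd thread or from any RFC author.
F() is instantiated here as HMAC-SHA256 keyed with secret_key; that choice,
and every prefix, SSID, MAC and key below, is an assumption for the demo.
"""
import hashlib
import hmac
import ipaddress

# Reserved IIDs (RFC 5453 / IANA "Reserved IPv6 Interface Identifiers").
# RFC 7217 says to bump DAD_Counter and recompute if the IID lands here.
_RESERVED_IIDS = (
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005EFFFE000000, 0x02005EFFFEFFFFFF),  # IANA Ethernet block (incl. PMIPv6)
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # reserved subnet anycast
)


def is_reserved_iid(iid: int) -> bool:
    """True if the 64-bit IID falls in a reserved range and must not be used."""
    return any(lo <= iid <= hi for lo, hi in _RESERVED_IIDS)


def rfc7217_iid(prefix: str, net_iface: str, network_id: bytes,
                secret_key: bytes, dad_counter: int = 0) -> int:
    """RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key);
    the IID is taken from the least significant 64 bits (RFC 7217, Section 5).
    Same inputs always give the same IID; a different prefix or key gives an
    unrelated one, so an outsider cannot enumerate or correlate addresses."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("RFC 7217 IIDs are generated for /64 prefixes")
    counter = dad_counter
    while True:
        # Length-prefix every field so distinct input tuples cannot collide
        # when concatenated (a detail left to the implementer by the RFC).
        fields = (net.network_address.packed[:8], net_iface.encode(),
                  network_id, counter.to_bytes(4, "big"))
        msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
        rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
        iid = int.from_bytes(rid[-8:], "big")
        if not is_reserved_iid(iid):
            return iid
        counter += 1  # RFC 7217: retry with an incremented DAD_Counter


def rfc7217_address(prefix: str, net_iface: str, network_id: bytes,
                    secret_key: bytes, dad_counter: int = 0) -> ipaddress.IPv6Address:
    """Full address: the /64 prefix with the RFC 7217 IID in the low 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = rfc7217_iid(prefix, net_iface, network_id, secret_key, dad_counter)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 IID from a MAC (RFC 4291, Appendix A), for contrast:
    the vendor OUI is exposed, the ff:fe marker is fixed, and the same IID
    follows the host onto every network, which is what RFC 7217 avoids."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")


if __name__ == "__main__":
    key = b"per-host secret, generated once and kept locally"  # constructed
    home = rfc7217_address("2001:db8:1::/64", "eth0", b"home-ssid", key)
    again = rfc7217_address("2001:db8:1::/64", "eth0", b"home-ssid", key)
    work = rfc7217_address("2001:db8:2::/64", "eth0", b"work-ssid", key)
    legacy = ipaddress.IPv6Address(
        int(ipaddress.IPv6Network("2001:db8:1::/64").network_address)
        | eui64_iid("00:1b:63:aa:bb:cc"))
    print("home  :", home)
    print("again :", again, "(stable across reboots)")
    print("work  :", work, "(different prefix, unrelated IID)")
    print("eui-64:", legacy, "(OUI and ff:fe visible, trackable)")
```

The example is deliberately a privacy and anti-scanning measure only: it changes nothing about what a host accepts once its address is known, which is why the address can be published in DNS without the obscurity being load-bearing, provided the filtering Ran describes is in place.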