IETF Logo Mail Archive

Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)

Tom Pusateri <pusateri@bangj.com> Mon, 16 March 2015 18:10 UTC

Return-Path: <pusateri@bangj.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B65AF1A89A8; Mon, 16 Mar 2015 11:10:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.038
X-Spam-Level:
X-Spam-Status: No, score=-1.038 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vGDOOuAUqdNk; Mon, 16 Mar 2015 11:10:30 -0700 (PDT)
Received: from oj.bangj.com (amt0.gin.ntt.net [129.250.11.170]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E1741A89AA; Mon, 16 Mar 2015 11:10:29 -0700 (PDT)
Received: from [192.168.15.226] (64.203.236.12.static-pool-1.pool.hargray.net [64.203.236.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id D2D40205B; Mon, 16 Mar 2015 14:06:22 -0400 (EDT)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_DD4F769E-558B-461E-9DD5-8BFD86260D10"; protocol="application/pgp-signature"; micalg="pgp-sha1"
X-Pgp-Agent: GPGMail 2.5b5
From: Tom Pusateri <pusateri@bangj.com>
In-Reply-To: <20150310230433.13239.32024.idtracker@ietfa.amsl.com>
Date: Mon, 16 Mar 2015 14:10:24 -0400
Message-Id: <1E100FC1-888D-4FFE-80DB-9AAC8EB99BA5@bangj.com>
References: <20150310230433.13239.32024.idtracker@ietfa.amsl.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Kerry Lynn <kerlyn@ieee.org>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/8oI-vs4uzArxtlUtLUkpZurfM5k>
Cc: draft-ietf-dnssd-requirements.all@ietf.org, dnssd@ietf.org, dnssd-chairs@ietf.org, The IESG <iesg@ietf.org>, Tim Chown <tjc@ecs.soton.ac.uk>
Subject: Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 18:10:31 -0000

> On Mar 10, 2015, at 7:04 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> Stephen Farrell has entered the following ballot position for
> draft-ietf-dnssd-requirements-05: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> - section 6 intro: I'm not sure I buy that the set of relevant
> threats is only a union as stated. There are often new threats
> in new environments.
> 

Maybe this text would be more clear for the introduction:

Insofar as SSD may automatically gather DNS-SD resource records and
publish them over a wide area, the security issues that could
be discussed here include the security issues already discussed
in the Multicast DNS and DNS-Based Service Discovery specifications.
We will not re-discuss those issues here. Please see those
specifications for a detailed discussion of those common issues.
In this section we will discuss new potential threats that are
posed by deploying DNS-SD over multiple links or by automating
DNS-SD administration.


> - 6.6: I think one can also leak private information by
> searching in too broad a scope, e.g. if the client can be
> fingerprinted allowing re-identification. I think that's
> different from the example given, and maybe worth noting too.


The scope of the search is based on the domain name in the request and is perfectly controllable by the client. Unicast queries for PTR service records in no way leaks any more private information about the client than unicast queries for A records.

Thanks,
Tom

v2.23.0 | Report a Bug | By Email