Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)

Douglas Otis <doug.mtview@gmail.com> Wed, 18 March 2015 18:38 UTC

Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <55088E6E.6010904@cs.tcd.ie>
Date: Wed, 18 Mar 2015 11:38:39 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <89D3FE5D-D6B2-4F5F-8CEE-6B7FD0BC0749@gmail.com>
References: <20150310230433.13239.32024.idtracker@ietfa.amsl.com> <2C1D6897-BE72-4902-97A6-C5C6943B1EF7@gmail.com> <5508876F.9030904@cs.tcd.ie> <FD08CA4F-D429-4BCF-A9FE-E0BFFD62A9DD@bangj.com> <55088E6E.6010904@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/ALio92NZwOD-nND7u_BGFHNKFYc>
Cc: dnssd-chairs@ietf.org, draft-ietf-dnssd-requirements.all@ietf.org, dnssd@ietf.org, Chown Tim <tjc@ecs.soton.ac.uk>, Ralph Droms <rdroms.ietf@gmail.com>, Tom Pusateri <pusateri@bangj.com>, The IESG <iesg@ietf.org>
Subject: Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)

> On Mar 17, 2015, at 1:28 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> Signed PGP part
> 
> Hiya,
> 
> On 17/03/15 20:25, Tom Pusateri wrote:
> > I'm not sure I understand your scenario.
> >
> > Clients issue searches in the form of unicast DNS queries to DNS
> > servers (or proxies). This is the same as with wide-area bonjour.
> > Only now, this may cause the proxies to issue their own multicast
> > queries on a local network in order to ensure their cache is
> > current. The original client's searches are never broadcast further
> > than they were before. A bad actor would have to intercept the
> > unicast queries from the client (which may be TLS encoded). To do
> > this, the bad actor must have compromised some network device to do
> > this.
> 
> So I don't think the above is clear from the requirements draft,
> which is all I've so far read. It may be clear later that there's
> no significant new threat in this respect due to a specific design
> having been adopted, and if so that's good.
> 
> S.

Dear Stephen,

I have seen no consumer-level routers which offer IPv6 filtering, except 
in an “all-or-nothing” fashion, which makes sense given the practical 
limitations of memory and configuration.  Even high-end routers have no 
ability to track privacy extension IPv6 addresses, so no practical 
filtering methods currently exist.  That’s why it is so important to 
indicate in the draft that no routable address should be published in 
DNS without the active participation of the administrator.  Without this 
step, mDNS will publish routable addresses to devices which are not safe 
on the Internet, and can never be made safe.

It seems Tom described new infrastructure attempting to leverage mDNS as a 
method to update host resources in DNS.  There are many avenues permitting 
remote clients a means to query DNS information, where DNS-SD will not
secure this sensitive information.  When DNS contains IPv6 globally 
accessible addresses not practically blocked, distributing these addresses 
will expose devices that could be in a class of being permanently vulnerable 
to Internet access, i.e., printers, baby monitors, infrastructure controls, etc.

Regards,
Douglas Otis
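As an added illustration of the gating Douglas argues for above (this is not code from the thread or from any dnssd implementation): a proxy-side filter that copies mDNS-learned address records into unicast DNS only when the address is local-scope, or when an administrator has explicitly approved a routable one. The record shape, the approval list and the sample records are constructed assumptions.

```python
import ipaddress

# Address ranges that are not reachable from the Internet, so a record
# carrying one of them does not expose the host beyond its own link/site.
LOCAL_ONLY = [ipaddress.ip_network(n) for n in (
    "fe80::/10",                 # IPv6 link-local
    "fc00::/7",                  # IPv6 unique local addresses (ULA)
    "::1/128",                   # IPv6 loopback
    "169.254.0.0/16",            # IPv4 link-local
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",               # IPv4 loopback
)]


def classify(addr: str) -> str:
    """Return 'local', 'routable' or 'invalid' for a textual IP address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_multicast or ip.is_unspecified:
        return "invalid"          # never a host address
    if any(ip in net for net in LOCAL_ONLY):
        return "local"
    return "routable"             # treat everything else as Internet-reachable


def filter_for_publication(records, approved):
    """records: (name, rrtype, address) tuples learned via mDNS (assumed shape).
    approved: addresses an administrator has explicitly permitted.
    Returns (publish, held): local-scope or approved records may be copied
    into unicast DNS; unapproved routable or invalid ones are held back."""
    approved_ips = {ipaddress.ip_address(a) for a in approved}
    publish, held = [], []
    for name, rrtype, addr in records:
        kind = classify(addr)
        ok = kind == "local" or (
            kind == "routable" and ipaddress.ip_address(addr) in approved_ips)
        (publish if ok else held).append((name, rrtype, addr, kind))
    return publish, held


# Constructed sample: what a hybrid proxy might learn from a home network.
SAMPLE = [
    ("printer.local", "AAAA", "fe80::1"),        # link-local: safe
    ("printer.local", "AAAA", "2001:db8::1"),    # global: needs admin approval
    ("cam.local",     "A",    "192.168.1.20"),   # RFC 1918: safe
    ("cam.local",     "A",    "203.0.113.7"),    # public, on the approved list
    ("nas.local",     "AAAA", "fd12:3456::1"),   # ULA: safe
    ("ghost.local",   "AAAA", "ff02::fb"),       # multicast: never publish
]
APPROVED = {"203.0.113.7"}

if __name__ == "__main__":
    pub, hold = filter_for_publication(SAMPLE, APPROVED)
    print("publish:", pub)
    print("held:", hold)
```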