Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)
Douglas Otis <doug.mtview@gmail.com> Wed, 18 March 2015 18:38 UTC
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <55088E6E.6010904@cs.tcd.ie>
Date: Wed, 18 Mar 2015 11:38:39 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <89D3FE5D-D6B2-4F5F-8CEE-6B7FD0BC0749@gmail.com>
References: <20150310230433.13239.32024.idtracker@ietfa.amsl.com> <2C1D6897-BE72-4902-97A6-C5C6943B1EF7@gmail.com> <5508876F.9030904@cs.tcd.ie> <FD08CA4F-D429-4BCF-A9FE-E0BFFD62A9DD@bangj.com> <55088E6E.6010904@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/ALio92NZwOD-nND7u_BGFHNKFYc>
Cc: dnssd-chairs@ietf.org, draft-ietf-dnssd-requirements.all@ietf.org, dnssd@ietf.org, Chown Tim <tjc@ecs.soton.ac.uk>, Ralph Droms <rdroms.ietf@gmail.com>, Tom Pusateri <pusateri@bangj.com>, The IESG <iesg@ietf.org>
Subject: Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
> On Mar 17, 2015, at 1:28 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
> Signed PGP part
>
> Hiya,
>
> On 17/03/15 20:25, Tom Pusateri wrote:
> > I'm not sure I understand your scenario.
> >
> > Clients issue searches in the form of unicast DNS queries to DNS servers (or proxies). This is the same as with wide-area bonjour. Only now, this may cause the proxies to issue their own multicast queries on a local network in order to ensure their cache is current. The original client's searches are never broadcast further than they were before. A bad actor would have to intercept the unicast queries from the client (which may be TLS encoded). To do this, the bad actor must have compromised some network device to do this.
>
> So I don't think the above is clear from the requirements draft, which is all I've so far read. It may be clear later that there's no significant new threat in this respect due to a specific design having been adopted, and if so that's good.
>
> S.

Dear Stephen,

I have seen no consumer-level routers which offer IPv6 filtering, except in an “all-or-nothing” fashion, which makes sense given the practical limitations of memory and configuration. Even high-end routers have no ability to track privacy extension IPv6 addresses, so no practical filtering methods currently exist. That’s why it is so important to indicate in the draft that no routable address should be published in DNS without the active participation of the administrator. Without this step, mDNS will publish routable addresses to devices which are not safe on the Internet, and can never be made safe.

It seems Tom described new infrastructure attempting to leverage mDNS as a method to update host resources in DNS. There are many avenues permitting remote clients a means to query DNS information, where DNS-SD will not secure this sensitive information.

When DNS contains IPv6 globally accessible addresses not practically blocked, distributing these addresses will expose devices that could be in a class of being permanently vulnerable to Internet access i.e. printers, baby monitors, infrastructure controls, etc.

Regards,
Douglas Otis
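The publication policy argued for in the message above, as an added example that is not code from the thread, from the dnssd working group or from any of its drafts: a gate a DNS-SD proxy could run over the addresses it learns from mDNS before writing any of them into unicast DNS. Link-local addresses are dropped (unusable off-link), ULA addresses are published (not routed on the Internet), and a globally routable address is published only when an administrator has explicitly approved that host and that address. The record shape, the allow-list format, the `decide`/`publishable_records` names and the sample hosts are assumptions made for this example.

```python
"""
Publication gate for addresses learned from mDNS before they are written
into unicast DNS. Added example; not code from the dnssd WG, from any
draft, or from the people quoted in the thread. It enforces the policy
argued for in the message: nothing globally routable is published without
an administrator explicitly approving that host and that address. The
record shape, the allow-list format and the sample hosts are assumptions.
"""
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.ip_network("fe80::/10")     # RFC 4291, never routed
ULA = ipaddress.ip_network("fc00::/7")             # RFC 4193, not routed on the Internet
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # RFC 4291, Internet-reachable unless filtered


@dataclass
class PublishDecision:
    host: str
    address: str
    scope: str
    publish: bool
    reason: str


def classify(addr: ipaddress.IPv6Address) -> str:
    """Scope that matters for the policy; everything else (loopback, multicast,
    unspecified, ...) is 'other' and is never published."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def is_eui64(addr: ipaddress.IPv6Address) -> bool:
    """Heuristic for a stable SLAAC address: an EUI-64 interface identifier has
    0xFFFE in the middle of its low 64 bits (RFC 4291 Appendix A). A global
    address without it is usually a temporary (RFC 4941) address that will
    rotate, so a DNS record for it would go stale; statically configured
    addresses also lack it, so this is only an advisory hint."""
    iid = int(addr) & ((1 << 64) - 1)
    return ((iid >> 24) & 0xFFFF) == 0xFFFE


def decide(host: str, address: str, admin_allowed: dict) -> PublishDecision:
    """admin_allowed maps hostname -> set of address strings the administrator
    has explicitly approved for publication (the 'active participation' the
    message asks for). Approval is per address, so a rotating temporary
    address never matches even for an approved host."""
    addr = ipaddress.ip_address(address)
    approved = addr in {ipaddress.ip_address(a) for a in admin_allowed.get(host, ())}

    if addr.version == 4:
        if addr.is_private:
            return PublishDecision(host, address, "ipv4-private", True,
                                   "private/special-use IPv4; not reachable from the Internet")
        return PublishDecision(host, address, "ipv4-public", approved,
                               "public IPv4; " + ("administrator approved" if approved
                                                  else "no administrator approval"))

    scope = classify(addr)
    if scope == "link-local":
        return PublishDecision(host, address, scope, False,
                               "link-local; unusable off-link, nothing to publish")
    if scope == "unique-local":
        return PublishDecision(host, address, scope, True, "ULA; not routed on the Internet")
    if scope == "global":
        if approved:
            return PublishDecision(host, address, scope, True,
                                   "global; this address explicitly approved by the administrator")
        hint = "stable EUI-64 address" if is_eui64(addr) else "likely a temporary (RFC 4941) address"
        return PublishDecision(host, address, scope, False,
                               f"global; no administrator approval ({hint})")
    return PublishDecision(host, address, scope, False, f"{scope} scope; never published")


def publishable_records(discovered, admin_allowed):
    """Split what a proxy learned from mDNS into records that may go into
    unicast DNS and the full decision list for audit logging."""
    decisions = [decide(h, a, admin_allowed) for h, a in discovered]
    return [(d.host, d.address) for d in decisions if d.publish], decisions


# Constructed sample input: (hostname, address) pairs as a proxy might learn
# them from mDNS. 2001:db8::/32 is the documentation prefix standing in for a
# real global prefix.
DISCOVERED = [
    ("printer.local", "fe80::1a2b:3cff:fe4d:5e6f"),        # link-local
    ("printer.local", "2001:db8:1::1a2b:3cff:fe4d:5e6f"),  # global, EUI-64, not approved
    ("laptop.local", "2001:db8:1::8c3e:91f0:2b7a:44d1"),   # global, temporary-looking
    ("nas.local", "fd12:3456:789a::10"),                   # ULA
    ("nas.local", "2001:db8:1::10"),                       # global, approved below
    ("camera.local", "192.168.0.54"),                      # RFC 1918
]
ADMIN_ALLOWED = {"nas.local": {"2001:db8:1::10"}}  # assumed administrator allow-list

if __name__ == "__main__":
    records, decisions = publishable_records(DISCOVERED, ADMIN_ALLOWED)
    for d in decisions:
        print(f"{'PUBLISH' if d.publish else 'DROP   '} {d.host:14} {d.address:36} {d.reason}")
    print("records for unicast DNS:", records)
```

With the sample input only the NAS's ULA and its approved global address and the camera's RFC 1918 address come out as publishable; the printer's global EUI-64 address and the laptop's temporary-looking address are dropped with a reason that says which case applied. Approval being keyed on the exact address is what makes the gate robust against privacy-extension churn: the administrator approves a stable address once, and anything that rotates simply never matches.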