Re: [dnssd] Security through Obscurity

Douglas Otis <doug.mtview@gmail.com> Thu, 24 July 2014 01:27 UTC

From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com>
Date: Wed, 23 Jul 2014 21:27:31 -0400
Message-Id: <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com>
References: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com>
To: RJ Atkinson <rja.lists@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/AuGpseayQDPLWr8RxKE1cd3ln7I
Cc: dnssd@ietf.org, Douglas Otis <doug.mtview@gmail.com>
Subject: Re: [dnssd] Security through Obscurity

On Jul 23, 2014, at 4:51 PM, RJ Atkinson <rja.lists@gmail.com> wrote:

> 
> (NOTE WELL: I am not a WG Chair, IESG member, IAB member,
> or authorised spokesperson for anyone other than myself.)
> 
> 
> Earlier Doug Otis wrote:
>> It is not safe to advertise such addresses in DNS, 
>> especially when security depends on address obscurity.
> 
> 
> I believe that the vast majority of security folks
> would object to the notion that obscurity is a mechanism 
> capable of providing any meaningful security.
> 
> If a client were to ask me for advice on protecting their
> interior services or interior devices from the global Internet, 
> I would suggest at least a firewall (ranging from router ACLs 
> to an air-gap: depending upon their local needs and threat model) 
> and possibly also other measures (again, depending upon local
> needs and threat model).  Operational security is not 
> one-size-fits-all, in my experience, but relying upon 
> security-through-obscurity seems unwise to me.

I agree with that statement, but at the same time some of these devices are assigned routable addresses by the vendors.  When assigned out of a 48-bit space, it might be possible to guess the device based on common manufacturers.  When randomly assigned by the owner, it is highly unlikely such an address will ever be guessed.  Add rate limiting, and this unknown should work well at mitigating attack.  But as I said, I agree with your statement, and that is why I think mDNS should be working with ULAs.

Regards,
Douglas Otis
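As an added example (not part of the thread, and not code from either poster), reading the "48 bit space" above as IEEE MAC addresses embedded in an EUI-64 IPv6 interface identifier: a check that tells such a vendor-derived address from a randomly chosen one, and the resulting guessing cost under a probe rate limit. The sample addresses are constructed for this example.

```python
"""Flag IPv6 addresses whose interface identifier (IID) embeds a 48-bit MAC
(EUI-64 form, RFC 4291 Appendix A) rather than a random value, and estimate
how long an outsider would need to sweep the remaining space at a given rate.
Treating the message's "48 bit space" as MAC addresses is this example's assumption."""
import ipaddress


def eui64_mac(addr: str):
    """Return the MAC embedded in an EUI-64 IID as 'xx:xx:xx:xx:xx:xx', or None.

    EUI-64 inserts 0xFFFE between the two halves of the MAC and flips the
    universal/local bit (bit 1 of the first octet).
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                      # undo the u/l bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def guess_space_bits(addr: str, oui_known: bool = True) -> int:
    """Bits of IID an outsider must search to hit this host.

    Random IID: the full 64 bits.  MAC-derived IID: 48 bits, or only the
    24 NIC-specific bits once the manufacturer prefix (OUI) is known.
    """
    if eui64_mac(addr) is None:
        return 64
    return 24 if oui_known else 48


def years_to_enumerate(bits: int, probes_per_second: float) -> float:
    """Expected time to cover half the space at the given probe rate, in years."""
    return (2 ** bits / 2) / probes_per_second / (365.25 * 24 * 3600)


# Constructed sample addresses (documentation prefix, RFC 3849).
SAMPLES = {
    "vendor (MAC 00:11:22:33:44:55)": "2001:db8::211:22ff:fe33:4455",
    "owner-chosen random IID": "2001:db8::7a3f:9c1e:5d20:b8e4",
}

if __name__ == "__main__":
    for label, addr in SAMPLES.items():
        bits = guess_space_bits(addr)
        print(f"{label}: mac={eui64_mac(addr)} search={bits} bits "
              f"~{years_to_enumerate(bits, 1000):.2e} years at 1000 probes/s")
```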