IETF Logo Mail Archive

Re: [dnssd] Any review of Threat model?

Tim Chown <Tim.Chown@jisc.ac.uk> Tue, 12 July 2016 11:07 UTC

Return-Path: <tim.chown@jisc.ac.uk>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8531412D09B for <dnssd@ietfa.amsl.com>; Tue, 12 Jul 2016 04:07:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.111
X-Spam-Level:
X-Spam-Status: No, score=-4.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=jisc365.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JCHbKYQB32em for <dnssd@ietfa.amsl.com>; Tue, 12 Jul 2016 04:07:55 -0700 (PDT)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [146.101.78.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BAB412D0FB for <dnssd@ietf.org>; Tue, 12 Jul 2016 04:07:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jisc365.onmicrosoft.com; s=selector1-jisc-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=YSPx94QHvFE446DU4jSs5G19byj3CqnN6IbrW1K9ReA=; b=a4wOXOtbnMlluBprrzB5BtaWS9fQXUD1+Rfn6Vfdq+fhzF8cH8EZUwieRqxJRuuSLUTRmPv9YJY8waOar9CAypFGoN9hbRjBardWU+Tpr8NAWpw6FipJsz4iTMAejkQCG4rFbbTvfMJjR+ZQmLS7pS3sbsHpcszZAVVjlG6n8tw=
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01lp0244.outbound.protection.outlook.com [213.199.154.244]) (Using TLS) by eu-smtp-1.mimecast.com with ESMTP id uk-mta-63-4-PpZtClOkCxw0_MiGjSOg-1; Tue, 12 Jul 2016 12:07:50 +0100
Received: from AMSPR07MB455.eurprd07.prod.outlook.com (10.242.106.148) by AMSPR07MB454.eurprd07.prod.outlook.com (10.242.106.145) with Microsoft SMTP Server (TLS) id 15.1.534.14; Tue, 12 Jul 2016 11:07:46 +0000
Received: from AMSPR07MB455.eurprd07.prod.outlook.com ([10.242.106.148]) by AMSPR07MB455.eurprd07.prod.outlook.com ([10.242.106.148]) with mapi id 15.01.0539.018; Tue, 12 Jul 2016 11:07:46 +0000
From: Tim Chown <Tim.Chown@jisc.ac.uk>
To: "dnssd@ietf.org" <dnssd@ietf.org>
Thread-Topic: [dnssd] Any review of Threat model?
Thread-Index: AQHR3C2eFdrMiUbnXUWiRNpXpmDCPA==
Date: Tue, 12 Jul 2016 11:07:46 +0000
Message-ID: <FDB081BB-DF8C-4C25-8766-89CD565AF2DB@jisc.ac.uk>
References: <56FFE286.9010304@rozanak.com> <20160404191306.GA36990@anvilwalrusden.com> <5702C4D3.5070500@rozanak.com> <20160404200942.GE36990@mx2.yitter.info> <5702D220.2000501@rozanak.com> <20160404215837.GE37449@mx2.yitter.info>
In-Reply-To: <20160404215837.GE37449@mx2.yitter.info>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3124)
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2001:630:50:d019:c414:da75:a5ad:b8fd]
x-ms-office365-filtering-correlation-id: 308d5bf4-be30-4ffb-2f45-08d3aa44c131
x-microsoft-exchange-diagnostics: 1; AMSPR07MB454; 20:srzRQ9SeJszZbQtc5SXp831tuu8WZxGSRRgJ5XOz4i0LKameiFSz9S24D3KbgOgADhxDVs4w3rWeRhZQWDHGWTMEHNdWxDnQY4azkPcgmozpXef/ifLWVYqvVet/yGvLnsJA7+xzEeYuxYFUuqCjkhSoR6IOxXTmCkVkzVh60+w=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:AMSPR07MB454;
x-microsoft-antispam-prvs: <AMSPR07MB454542C3E68DAE3A9B6FBFCD6300@AMSPR07MB454.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001); SRVR:AMSPR07MB454; BCL:0; PCL:0; RULEID:; SRVR:AMSPR07MB454;
x-forefront-prvs: 0001227049
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(52314003)(24454002)(199003)(189002)(19580405001)(586003)(19580395003)(5002640100001)(77096005)(2501003)(68736007)(7846002)(57306001)(87936001)(11100500001)(76176999)(50986999)(93886004)(97736004)(106116001)(3660700001)(86362001)(450100001)(305945005)(106356001)(83716003)(92566002)(2950100001)(81156014)(74482002)(5640700001)(2906002)(8676002)(1730700003)(7736002)(6116002)(102836003)(122556002)(101416001)(15975445007)(81166006)(189998001)(105586002)(107886002)(110136002)(33656002)(50226002)(8936002)(10400500002)(82746002)(3280700002)(2351001)(36756003)(2900100001)(3826002)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:AMSPR07MB454; H:AMSPR07MB455.eurprd07.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-ID: <B7F437AD1B438544861CF95FA17BB3A8@eurprd07.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jul 2016 11:07:46.3744 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AMSPR07MB454
X-MC-Unique: 4-PpZtClOkCxw0_MiGjSOg-1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/BLjGvjHo9Ocz9QYlsej-fxE9opA>
Subject: Re: [dnssd] Any review of Threat model?
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 11:07:58 -0000

Hi,

We have some time at the end of the session in Berlin to discuss the future of the DNSSD Threats draft, as per https://tools.ietf.org/html/draft-otis-dnssd-scalable-dns-sd-threats-03

At present, there are outstanding unresolved comments at least from Andrew Sullivan, from the thread below, and as archived in the mail list archive at https://mailarchive.ietf.org/arch/search/?email_list=dnssd&gbt=1&index=H-BRUJFcg_aBLMtA3l3Pfh8CYns.

Doug is currently not available to work on the document, so if it is to be progressed Hosnieh will be looking for additional volunteers.

Comments in advance of the meeting are welcome.

Tim 



> On 4 Apr 2016, at 22:58, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
> 
> Hi,
> 
> On Mon, Apr 04, 2016 at 10:44:16PM +0200, Hosnieh Rafiee wrote:
> 
>> The threat is the scope of discovery where causes the services to be
>> available to unwanted domains and most part of this draft emphasis on these
>> kinds of threats.
> 
> So, then, two things:
> 
>    1.  DNS-SD does not in fact do anything at all to make the
>    services available on the Internet.  They're already available.
> 
>    2.  It sounds like your document is better described as,
>    "Consequences of exposing previously-unannounced services via
>    DNS-SD".  If that's what you're trying to do, then making that
>    scope crystal clear at the beginning (like for instance, in the
>    abstract) would be good.
> 
> I still believe the document would benefit from really signficant
> reorganization, but at least making its goal way clearer would help.
> 
>> DNS. But I quite disagree with you because when it is exposed on global DNS
>> server, it can go beyond even the wanted scope that might be defined on edge
>> routers because normally the DNS queries are not filtered on the network
>> edge devices because of enabling clients to use DNS services or enabling
>> outsiders to query the names on global DNS servers inside their networks and
>> map names. That means, any external attacker can also query this global DNS
>> server and can retreive the name of services.
> 
> So, DNS-SD is about service discovery.  So it's not too surprising
> that services that are already available are easier to discover when
> DNS-SD is in use.  That actually does strike me as a potentially
> useful point to make.
> 
>> Our most emphasis was on homenet services. that means the global DNS server
>> for homenet is somewhere on ISPs and not inside the enterprise.
> 
> Or in the house, or whatever. AFAIK, HOMENET hasn't even established
> the architecture for this yet.
> 
>> all the users of that ISPs can access the services of other users in that
>> ISPs as well as external people.
> 
> That doesn't follow at all.  There are _lots_ of named services in my
> home net that you can't access, because if you try I'll drop your
> packets at the edge of my network.  Merely knowing the name of
> something does not guarantee access.
> 
> Now, knowing the name of something _is_ knowing something that
> previously one might not have known about.  And if the thing is
> unsecured, it is of course accessible too.  Given that the whole point
> is remote access, however, I can't see how the right answer to that
> is, "Don't permit service discovery."  The _whole point_ is service
> discovery.
> 
>> In other word, it is not only your fileserver that is available
>> to you over global DNS server but also to anyone else in the world.
> 
> Well, yes.  Of course.  Presumably this is what authentication and
> authorization is for.
> 
>> This is
>> why in draft we clearly said that .home domains (that are on going
>> discussion in homenet groups) should be restricted to use global DNS server.
> 
> This is a completely different issue, unrelated to any of the above.
> (A globally-ambiguous name akin to RFC 1918 addresses is not obviously
> a good idea anyway, but regardless its functioning in the global DNS
> is bound to be obscure.)
> 
>> You can, of course, define it as policy.  In my understanding, this policy
>> is a  part of the protocol
> 
> I think your understanding is quite mistaken.  There is nothing in
> IDNA to prevent a single label having in it "a" (U+0061) and "а"
> (U+0430).  They're both PVALD.  I know of no consumer-grade software
> in the world that doesn't use the very same bits on the screen to
> render those two characters.  They're as confusable as can possibly
> be, and there is nothing whatsoever in any protocol to prevent them
> being used in a way that is possibly confusing to users.
> 
>> definition of using such capacity for DNSSD protocol. In other word, the
>> possible problems arises on DNSSD services by using variety of look alike
>> names that need to be take into consideration that at the moment it is not.
> 
> So, andrews-laptop.local. and аndrews-laptop.local exhibit this
> problem, I agree.  (The second of those has the Cyrillic "a" in it.)
> 
> Certainly, anvilwalrusden.com and аnvilwalrusden.com have the same
> problem.  (Again, second one is Cyrillic --
> xn--nvilwalrusden-v1k.com).  Fortunately for us, Verisign doesn't
> permit domain names of the second form (because the U-label
> "аnvilwalrusden" is not all in one script).  This is a policy that Verisign has.
> 
> There is, however, nothing at all in Verisign's policy to prevent me
> from creating аndrews-laptop.anvilwalrusden.com
> (xn--ndrews-laptop-v1k.anvilwalrusden.com).  And there's nothing in
> the protocol to prevent it.  If you want to say, "Mixed script labels
> are not allowed anywhere in the DNS," I think you're going to have
> some push-back.
> 
> Best regards,
> 
> A
> 
> -- 
> Andrew Sullivan
> ajs@anvilwalrusden.com
> 
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssd

v2.23.0 | Report a Bug | By Email