Re: [dnssd] Security through Obscurity

Tom Pusateri <pusateri@bangj.com> Thu, 24 July 2014 01:43 UTC

From: Tom Pusateri <pusateri@bangj.com>
In-Reply-To: <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com>
Date: Wed, 23 Jul 2014 21:43:04 -0400
Message-Id: <15473CC1-E1C2-4AF1-AD2B-542AA138B0F2@bangj.com>
References: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com> <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com>
To: Douglas Otis <doug.mtview@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/Kq5wwb0oGOYNrKlhoXVxT9Eg3qo
Cc: dnssd@ietf.org, RJ Atkinson <rja.lists@gmail.com>
Subject: Re: [dnssd] Security through Obscurity

> On Jul 23, 2014, at 9:27 PM, Douglas Otis <doug.mtview@gmail.com> wrote:
> 
> 
> On Jul 23, 2014, at 4:51 PM, RJ Atkinson <rja.lists@gmail.com> wrote:
>> 
>> If a client were to ask me for advice on protecting their
>> interior services or interior devices from the global Internet, 
>> I would suggest at least a firewall (ranging from router ACLs 
>> to an air-gap: depending upon their local needs and threat model) 
>> and possibly also other measures (again, depending upon local
>> needs and threat model).  Operational security is not 
>> one-size-fits-all, in my experience, but relying upon 
>> security-through-obscurity seems unwise to me.
> 
> I agree with that statement, but at the same time some of these devices are assigned routable addresses by the vendors. When assigned out of a 48-bit space, it might be possible to guess the device based on common manufacturers. When randomly assigned by the owner, it is highly unlikely such an address will ever be guessed. Add rate limiting, and this unknown should work well at mitigating attacks. But as I said, I agree with your statement, and that is why I think mDNS should be working with ULAs.
> 

mDNS advertisements are link-local. Whether mDNS uses GUAs, ULAs, or link-local addresses is irrelevant.

I'll assume you meant the broader term DNS-SD. If so, then the scope of the address is a matter best left up to the particular use case.
There are arguments for all of them and a mix of them depending on what you're trying to achieve. Bots operate inside private networks and can do as much damage with ULAs as with GUAs.

We need to stop thinking about an internal network and an external network. There is just THE network. Your security should reflect the fact that malfeasants will try to break into every one of your devices, and they all need the appropriate level of protection from this. If a device is susceptible, that's not a DNS-SD problem, that's a device problem.

Tom