Re: [dnssd] Any review of Threat model?
Hosnieh Rafiee <ietf@rozanak.com> Mon, 04 April 2016 20:44 UTC
Return-Path: <ietf@rozanak.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 588EE12D815 for <dnssd@ietfa.amsl.com>; Mon, 4 Apr 2016 13:44:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QXZf-AAzi6Wx for <dnssd@ietfa.amsl.com>; Mon, 4 Apr 2016 13:44:56 -0700 (PDT)
Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35A7312D899 for <dnssd@ietf.org>; Mon, 4 Apr 2016 13:44:52 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id 430A325CA246; Mon, 4 Apr 2016 20:44:50 +0000 (UTC)
X-Virus-Scanned: amavisd-new at rozanak.com
Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4poQSclpiScl; Mon, 4 Apr 2016 22:44:17 +0200 (CEST)
Received: from localhost.localdomain (p200300864F392B7AF2DEF1FFFE58C5D4.dip0.t-ipconnect.de [IPv6:2003:86:4f39:2b7a:f2de:f1ff:fe58:c5d4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id EE46F25CA240; Mon, 4 Apr 2016 22:44:16 +0200 (CEST)
To: Andrew Sullivan <ajs@anvilwalrusden.com>, dnssd@ietf.org
References: <56FFE286.9010304@rozanak.com> <20160404191306.GA36990@anvilwalrusden.com> <5702C4D3.5070500@rozanak.com> <20160404200942.GE36990@mx2.yitter.info>
From: Hosnieh Rafiee <ietf@rozanak.com>
Message-ID: <5702D220.2000501@rozanak.com>
Date: Mon, 04 Apr 2016 22:44:16 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.1
MIME-Version: 1.0
In-Reply-To: <20160404200942.GE36990@mx2.yitter.info>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/PDu4By9UHYd8p9L8PSvRIPrrWyA>
Subject: Re: [dnssd] Any review of Threat model?
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2016 20:44:57 -0000
Hi again, On 04/04/2016 10:09 PM, Andrew Sullivan wrote: > > I'm trying to understand what the threat is from a practical point of > view. For instance, there is a claim in the draft about exfiltration. > The truth is that, if you're running split-horizon DNS, you _already_ > have this problem. Therefore, the risk is at worst that there are > more queries that contain such leaks. I don't know whether that's > worse, but I confess I'm pretty sceptical; but those kinds of > considerations need to be laid out. > > It simply isn't true that we just list the threats. We try to lay out > the threats, their severity, the liklihood that they'll happen, and so > on. Listing all the threats in the world would not be useful. The threat is the scope of discovery where causes the services to be available to unwanted domains and most part of this draft emphasis on these kinds of threats. of course it has different consequences and what we actually added to draft as I also explained in private chat in meetecho, is that we have to restrict the scope of discovery for some services specially in .home and homenet. You explained that people would like their home fileservers to be available over the internet and it doesn't matter whether or not we add it to global DNS. But I quite disagree with you because when it is exposed on global DNS server, it can go beyond even the wanted scope that might be defined on edge routers because normally the DNS queries are not filtered on the network edge devices because of enabling clients to use DNS services or enabling outsiders to query the names on global DNS servers inside their networks and map names. That means, any external attacker can also query this global DNS server and can retreive the name of services. Our most emphasis was on homenet services. that means the global DNS server for homenet is somewhere on ISPs and not inside the enterprise. That means all the users of that ISPs can access the services of other users in that ISPs as well as external people.... This is a huge security and privacy risks that it appears that it is easily neglected here. Since, for example, IPv6, unfortunately the ULA is not used for services and services already receive the global IP address, that means, services are accessibile easily to external scope with publishing their names on global DNS server. In other word, it is not only your fileserver that is available to you over global DNS server but also to anyone else in the world. This is why in draft we clearly said that .home domains (that are on going discussion in homenet groups) should be restricted to use global DNS server. Also There need to be restriction on the use of Global IP addresses and instead we use Unique local addresses that are by default not routable over the network and the admin needs to define rules on routers to route them.... This provide a bit of restriction and a bit of security and privacy for exposing services to unwanted domains. This is also what we have confirmed in the draft that unfortunately there was not time to discuss about them. and of course a few sections of the draft discussed about the existing attacks that the global DNS can causes on DNSSD services. >> 2.1.2.1 threat relates to defining a critical service when look-alike name >> detection becomes problematic. >> Unlike DNS, mDNS assumes visual selection IDNA and/or raw UTF-8 allows for >> many possible representations of the same visual representation. By >> allowing all the different representations allowed, this allows look alike >> names. this is why IDNA should be limited for mDNS because there might be >> different services with look alike names that cannot be easily determined. > I'm sorry, but this is just false. First, the problem already exists > with plain LDH, because of l and 1. Second, you can trivially > recreate these problems in IDNA2008 -- Latin-A and Cyrillic-A are the > usual example, but there are many such cases all of which are legal in > IDNA. "Look alike names" are a problem now, with the existing DNS-SD > specification and with other cases (like following links). All of the > rules to solve that -- using mDNS or DNS or YourNewResolutionProtocol > -- need to have these things handled by policy. If the only point is, > "Some policy controls are needed here," say that. But either this is > no more of an issue than any other i18n issue on the Internet, or else > there is something peculiar about this case that makes it more of an > issue. There's been no effort AFAICT to show that the "more of an > issue" case is what is going on here. You can, of course, define it as policy. In my understanding, this policy is a part of the protocol and the restrictions that assigned now as a definition of using such capacity for DNSSD protocol. In other word, the possible problems arises on DNSSD services by using variety of look alike names that need to be take into consideration that at the moment it is not. > Best regards, > > A > Best, Hosnieh
- [dnssd] Any review of Threat model? Hosnieh Rafiee
- Re: [dnssd] Any review of Threat model? Andrew Sullivan
- Re: [dnssd] Any review of Threat model? Hosnieh Rafiee
- Re: [dnssd] Any review of Threat model? Andrew Sullivan
- Re: [dnssd] Any review of Threat model? Hosnieh Rafiee
- Re: [dnssd] Any review of Threat model? Andrew Sullivan
- Re: [dnssd] Any review of Threat model? Tim Chown
- Re: [dnssd] Any review of Threat model? Hosnieh Rafiee