IETF Logo Mail Archive

Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)

Ralph Droms <rdroms.ietf@gmail.com> Tue, 17 March 2015 20:11 UTC

Return-Path: <rdroms.ietf@gmail.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C622E1A8893; Tue, 17 Mar 2015 13:11:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PM4nmin-B6AQ; Tue, 17 Mar 2015 13:11:29 -0700 (PDT)
Received: from mail-qg0-x22c.google.com (mail-qg0-x22c.google.com [IPv6:2607:f8b0:400d:c04::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE6911A1B64; Tue, 17 Mar 2015 13:11:29 -0700 (PDT)
Received: by qgfa8 with SMTP id a8so19215081qgf.0; Tue, 17 Mar 2015 13:11:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=C9IlxCChNzu5Yj5oFvHQcjUJbpPq4F6OWsy44HfXKFY=; b=jFeDgsh6GP3Zl/alMO7nw+B7xJYXuiOaO7IpZYPoOGgTtmmvYfvBt4GvmoUIb90emG whqiu+iMS8chsSh0sxgDzrp4iRdkD24nYX+M5Y4SyRCmBuP0oUbYjpPb1JVfaPQjLF6I HiINtbaMxoSaFx7SZWKeusgYXRxCsD+rltCM442MmXkXzK8HW4uQyAAZ51LVM0G96oiE /Sk7Je3vJ920Vx5PwEmQ4uLKPlC4rwkxwecYyXbTB6LBrpEVxKQ5mnaZmdiOHCT+37Om 5gUvn/Nk1j4AaI/KSdys0ruf6V17lxlgI0SZLAshuMr/rMhqsoZUs8NrQlKCxGtH3/+s cItw==
X-Received: by 10.140.218.196 with SMTP id o187mr59639285qhb.30.1426623088931; Tue, 17 Mar 2015 13:11:28 -0700 (PDT)
Received: from [10.131.118.44] (rtp-isp-nat1.cisco.com. [64.102.254.33]) by mx.google.com with ESMTPSA id 8sm10299746qhr.32.2015.03.17.13.11.27 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 17 Mar 2015 13:11:28 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Ralph Droms <rdroms.ietf@gmail.com>
In-Reply-To: <695E3CFA-B385-481E-9333-68BE1862B29F@gmail.com>
Date: Tue, 17 Mar 2015 16:11:26 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <E3909687-AE90-4E6B-ACF5-077741B1033B@gmail.com>
References: <20150310230433.13239.32024.idtracker@ietfa.amsl.com> <83452A4F-D738-43D5-85FD-316B0DC8509F@gmail.com> <CABOxzu1Fq=O_4xtWUXFB82=fudhTE2Qd0FyD1wSRntsLaEiJiQ@mail.gmail.com> <9FC464C2-79E9-477D-9AFA-4C247F071677@gmail.com> <AAC2A111-A75E-48A5-8270-187DBBB109FB@bangj.com> <80E11ACB-1AE9-479E-A36A-1610C0EF307A@gmail.com> <AA84FD4B-1516-4CE5-BD00-5B0EC1CAC5EE@gmail.com> <695E3CFA-B385-481E-9333-68BE1862B29F@gmail.com>
To: Douglas Otis <doug.mtview@gmail.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/QLwhQF-sxIUxYr86BK7Uv6oFt-k>
Cc: Kerry Lynn <kerlyn@ieee.org>, dnssd-chairs@ietf.org, draft-ietf-dnssd-requirements.all@ietf.org, dnssd@ietf.org, Chown Tim <tjc@ecs.soton.ac.uk>, The IESG <iesg@ietf.org>, Tom Pusateri <pusateri@bangj.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 20:11:32 -0000

> On Mar 17, 2015, at 3:32 PM 3/17/15, Douglas Otis <doug.mtview@gmail.com> wrote:
> 
> Dear Ralph,
> 
>> On Mar 17, 2015, at 10:58 AM, Ralph Droms <rdroms.ietf@gmail.com> wrote:
>> 
>> Doug - Here is my summary of what I understand to be your concerns with
>> draft-ietf-dnssd-requirements-05:
>> 
>> 1) A change from link-scope mDNS SD to a larger scope may result in the
>> existence and address of a device being made more widely available than
>> currently expected.
> 
> Of course.
> 
>> 2) Some devices and networks are incapable of defending themselves
>> against unwanted access or other attacks once the address of the device
>> to be attacked is known.
> 
> When the _wrong_ address is published within DNS that then permits direct
> Internet access, this may evade desired protections. Although many mDNS
> devices report all such options, such reporting is only seen on the local 
> network.

I need to parse your response carefully so that we can understand each other.  In what sense is an address that permits direct address a "_wrong_" address?  Is this sentence equivalent: "When an address (such as a globally routable address) is published within DNS that then permits direct Internet access, [...]"

To make sure I understand the second sentence, is this sentence equivalent: "Although many mDNS implementations advertise all of the addresses available for a device, those advertisements are restricted to the local link and, therefore, don't advertise globally routable addresses to the Internet."

>> 3) Use of RFC 4193 is a way to protect against attacks enabled by the
>> increased scope of discovery envisioned by extended DNS-SD.
> 
> Use of RFC4193 is used to protect Homenet as well as various enterprise
> environments.  It is also used by Apple in their Back-To-My-Mac scheme.

To be clear, you agree with my point 3 and you cite two examples of the use of RFC 4193.  My understanding is that Homenet does not mandate the use of RFC 4193, perhaps because of the difficulties in mandating such usage; from section 2.4 of RFC 7368: "Devices in a homenet may be given only a ULA as a means to restrict reachability from outside the homenet."  My understanding is that RFC 4913 addresses are used in Back-To-My-Mac as an identifier if no other IPv6 address is available, rather than to restrict reachability.  Back-To-My-Mac uses an array of other security mechanisms to protect devices using the technology.
 
> 
>> You expressed these concerns during WG development and review of
>> draft-ietf-dnssd-requirements.  Tim and I judged the consensus of the
>> WG to be in support of advancing the document to the IESG, based in part
>> on the following analysis:
>> 
>> Points 1 and 2 are answered by the third paragraph of section 6.1.  For
>> completeness, the last sentence of that paragraph might be extended to
>> include "and protection against other forms of attack".
> 
> Address selection preferences represent critical security aspects that 
> MUST BE supported by the protocol.

Do you mean selection of which among several available addresses are advertised through DNS-SD?

> If RFC1918 or RFC4193 addresses are 
> reported via mDNS to the  DNS-SD proxy, there MUST be a requirement for 
> these addresses to be used over any Internet routable address.

Used where or by what devices?  Where are these restrictions enforced?

>  It is 
> important these requirements make it clear mDNS is not suitable for 
> publishing hosts on the Internet.  Where safer alternatives exist, such 
> publication MUST REQUIRE administrative intervention.  Otherwise 
> organizations making use of such schemes will be placed at great risk.

In my opinion, there is not consensus in the WG to support your concern.  The current text in the document represents WG consensus for the description of the potential problem.

>> Point 3 tries to mandate a solution through a specific deployment
>> mechanism and is, therefore, out of scope for a requirements document.
>> It may also be more broadly out of scope of the dnssd charter, which
>> addresses just DNS-based service discovery and does not include mandating
>> network deployment requirements as part of a solution.
> 
> This point offers an example strategy (address preferences) that MUST be 
> supported.  Ensuring support is not the same as making this a mandate!  
> It seems clear this group failed to develop schemes to protect devices 
> that normally limit access to that of the local network, as provided by 
> constraints imposed by mDNS.  As such, there should have been greater 
> review of those offered by Homenet or even Back-To-My-Mac.

"example strategy [...] that MUST be supported" sounds like a mandate to me.  This is a requirements document, not a final design, and therefore this document does not need to develop a solution to the problem you are concerned with.

> 
>> If you do not agree that your concerns have been answered by this
>> analysis, please state the basis for your continued concern, so that we
>> can judge rough consensus on support for publication of the document.
> 
> The requirements document remains critically flawed without justification. 
> Ensuring an ability to offer safe deployment unfortunately does not prevent 
> less safe schemes. Nevertheless, supporting a safe scheme should be a basic 
> requirement. 

Can you give a specific requirement or requirements that could be added to the document to satisfy your concerns?


> 
> Regards,
> Douglas Otis
>

v2.23.0 | Report a Bug | By Email