Re: [dnssd] WGLC for draft-ietf-dnssd-requirements-03
Tim Chown <tjc@ecs.soton.ac.uk> Wed, 23 July 2014 22:40 UTC
Return-Path: <tjc@ecs.soton.ac.uk>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FCAF1B2936 for <dnssd@ietfa.amsl.com>; Wed, 23 Jul 2014 15:40:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.221
X-Spam-Level:
X-Spam-Status: No, score=-1.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V5aW81vf9hZ4 for <dnssd@ietfa.amsl.com>; Wed, 23 Jul 2014 15:40:54 -0700 (PDT)
Received: from falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [IPv6:2001:630:d0:f102::25e]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C73A1B28CE for <dnssd@ietf.org>; Wed, 23 Jul 2014 15:40:52 -0700 (PDT)
Received: from falcon.ecs.soton.ac.uk (localhost [127.0.0.1]) by falcon.ecs.soton.ac.uk (8.13.8/8.13.8) with ESMTP id s6NMei0u005606; Wed, 23 Jul 2014 23:40:44 +0100
X-DKIM: Sendmail DKIM Filter v2.8.2 falcon.ecs.soton.ac.uk s6NMei0u005606
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=ecs.soton.ac.uk; s=201304; t=1406155245; bh=kpScY+Np4Griuu70gJ6ilIvQf8w=; h=Mime-Version:Subject:From:In-Reply-To:Date:Cc:References:To; b=fgTxe/poJAHmy1fCw1UTfqHLm/XnKTRb+v9PowDkliVCUhztU7Albqbg7s58ZhPi1 zdp0DaADBFkkwyXE+hzjsFkiUne22a7PI+lMujQks1JWR86jqoZxlt3UFDzQcgiUaL xEERTAmeb5WsN6tA+nILxnU/PDFp7dVGEuodS0s4=
Received: from gander.ecs.soton.ac.uk ([2001:630:d0:f102:250:56ff:fea0:401]) by falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [2001:630:d0:f102:250:56ff:fea0:68da]) envelope-from <tjc@ecs.soton.ac.uk> with ESMTP (valid=N/A) id q6MNei04221073484Y ret-id none; Wed, 23 Jul 2014 23:40:44 +0100
Received: from tjc-vpn.ecs.soton.ac.uk (tjc-vpn.ecs.soton.ac.uk [152.78.236.241]) (authenticated bits=0) by gander.ecs.soton.ac.uk (8.13.8/8.13.8) with ESMTP id s6NMeewm016671 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 23 Jul 2014 23:40:41 +0100
Content-Type: multipart/alternative; boundary="Apple-Mail=_93E39B07-AD2F-47EF-AA8D-2DC46545699E"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Tim Chown <tjc@ecs.soton.ac.uk>
In-Reply-To: <94FE061A-51FF-4F18-906F-703D16E9F303@gmail.com>
Date: Wed, 23 Jul 2014 23:40:39 +0100
Message-ID: <EMEW3|cb9e4444d9533ff943080c3cab6af584q6MNei03tjc|ecs.soton.ac.uk|A039AB31-751B-4646-A8FE-9C728A65DCAF@ecs.soton.ac.uk>
References: <10DC3A23-5ABF-4D01-97AE-17C5E488F664@ecs.soton.ac.uk> <EMEW3|b2e039c435c9cb5398775ee6c47ae47eq66AkU03tjc|ecs.soton.ac.uk|10DC3A23-5ABF-4D01-97AE-17C5E488F664@ecs.soton.ac.uk> <0022F0DD-AEC8-4222-8F74-E38399B6B02D@gmail.com> <609AC6B1-C544-4CF1-A1D9-0468D72C963B@ecs.soton.ac.uk> <EMEW3|4a5b37f34c5891ab73079da8169c32e3q6LMb503tjc|ecs.soton.ac.uk|609AC6B1-C544-4CF1-A1D9-0468D72C963B@ecs.soton.ac.uk> <94FE061A-51FF-4F18-906F-703D16E9F303@gmail.com> <A039AB31-751B-4646-A8FE-9C728A65DCAF@ecs.soton.ac.uk>
To: Douglas Otis <doug.mtview@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
X-ECS-MailScanner: Found to be clean, Found to be clean
X-smtpf-Report: sid=q6MNei042210734800; tid=q6MNei04221073484Y; client=relay,forged,no_ptr,ipv6; mail=; rcpt=; nrcpt=2:0; fails=0
X-ECS-MailScanner-Information: Please contact the ISP for more information
X-ECS-MailScanner-ID: s6NMei0u005606
X-ECS-MailScanner-From: tjc@ecs.soton.ac.uk
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/Qinns9cADTifpcwApmr58rk3PyA
Cc: dnssd@ietf.org
Subject: Re: [dnssd] WGLC for draft-ietf-dnssd-requirements-03
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jul 2014 22:40:57 -0000
Hi, On 23 Jul 2014, at 21:14, Douglas Otis <doug.mtview@gmail.com> wrote: > Dear Tim, > > See comments inline: > > On Jul 22, 2014, at 5:35 PM, Tim Chown <tjc@ecs.soton.ac.uk> wrote: > >> Hi, >> >> Thanks for your comments Doug. >> >> On 8 Jul 2014, at 01:47, Douglas Otis <doug.mtview@gmail.com> wrote: >> >>> On Jul 7, 2014, at 2:46 AM, Tim Chown <tjc@ecs.soton.ac.uk> wrote: >>> >>>> Hi, >>>> >>>> This email begins a two week WGLC on draft-ietf-dnssd-requirements-03, "Requirements for Scalable DNS-SD/mDNS Extensions”. >>>> >>>> Ralph and I as chairs believe the authors have addressed the issues raised at IETF89 and on the list since. >>>> >>>> You can see the draft here: >>>> http://tools.ietf.org/html/draft-ietf-dnssd-requirements-03 >>> >>> Dear dnssd-wg, >>> >>> 1) Layer 2 solutions intentionally ignored. >>> >>> One of the primary goals for extending mDNS per the Educause petition was to enable access to remote displays. Unfortunately, layer 3 routing is generally prohibited with unlicensed nodes in conveyance of copyright media. While layer 2 solutions are able to overcome multi-bridge limitations imposed by media compliance requirements, this has been ignored by the Scalable DNS-SD/mDNS requirements documentation to the point of being ruled out-of-scope for discussion because of an assumed need for layer 3 only solutions. Nevertheless, layer 3 solutions are normally precluded when not licensed as a means to ensure constraint of media redistribution. A quandary that could have been avoided by determining common strategies that could be used by either layer 2 or 3. For example, many routers are able to handle GUA+ULA. Layer 3 and 2 might be considered analogous when ULAs are mapped to MACs. >> >> You need to be more explicit at what you mean here. The purpose of dnssd is to allow DNS-based service discovery in multi-subnet environments, such as campuses and future home networks (as defined in the homenet WG). If your network is a flat layer 2 network, that particular problem doesn’t exist. >> >> In addition, REQ14 states: >> REQ14: SSD should operate over existing networks (as described by >> use cases A-F above) without requiring changes to the network >> technology or deployment. >> >> Regarding ULAs, the homenet-arch text describes the use of ULAs alongside GUAs in multi-link home networks. ULAs can then be used for internal communications, regardless of the GUAs, or changes in the GUAs. GUAs are then used for external communications. > > Agreed, but when a GUA is used and published, this should exclude devices unable to safely terminate a session from the Internet. It is not safe to advertise such addresses in DNS, especially when security depends on address obscurity. There was recently quite a long thread in homenet about publishing home devices in the global DNS, and how the homenet naming service can be operated. You might want to look at that if you havent already. The archive is at: http://www.ietf.org/mail-archive/web/homenet/current/maillist.html The related draft is: http://datatracker.ietf.org/doc/draft-mglt-homenet-naming-architecture-dhc-options/ And the topic started here: http://www.ietf.org/mail-archive/web/homenet/current/msg03702.html >> Not sure what you mean by ULAs being mapped to MACs. > > After reading the latest HDCP specification, concerns related to routing limitations were misplaced and peer-to-peer changes further reduce the concerns. Please ignore needing an alternative for Educause. Ah, OK. >>> 2) Many devices within a typical network may announce routable addresses via mDNS but are nevertheless unable to authenticate the access permitted when these mDNS resources are conveyed in DNS. >>> ,-- >>> The following is a summary of the technical requirements: >>> ... >>> o It must be cost-effective to manage at up to enterprise scale. >>> '-- >>> >>> Being unable to differentiate locality for those devices unable to handle Internet originating sessions, as in the printer example, means the Scalable DNS-SD/mDNS extension is NOT manageable at any scale. >> >> The charter states that a user away from a network should be able to discover devices in their ‘home’ network, which implies a remote proxy discovery capability, and GUAs for reachability. We should distinguish discoverability (including across the potential range of discovery ‘scopes’) from reachability (e.g. whether ACLs may exist on the path) from accessability (e.g. access control on the device). > > Normal practices depend on use of a gateway authenticating clients, such as use of VPNs. In such cases, service discovery can return ULAs which permits router bridging within a multi-router home network. It sounds like Ran wants to configure devices within a data-center. It might be helpful to reinforce a need to exclude FD::/8 addresses over Internet access links. Only devices able to terminate Internet sessions should be published globally. Unfortunately, it is impossible to make such a determination based on mDNS resources. This inability makes such a simplistic approach both unsafe and unmanageable. Well, within a multi-link network you have to expose an address with scope greater than link-local to the querier for them to be able to reach the service they are discovering. So yes, ULAs wiithin the home could make sense, so you discover services with addresses you know you can use regardless of the external connectivity status (or at least that’s the same argument as using ULAs in parallel with GUAs in homenet to give session survivability etc in the presence of addess ‘disruption’ by the ISP. I don’t think there’s any assumption in homenet that you’d VPN to the home, or via some home proxy, to access internal services. There has been a lot of discussion in v6ops and opsec (I think) about default home CER filtering settings. >>> Since different network realms are expected to permit device access behind different bridges based on their "routable" mDNS resources published in DNS, this circumvents a strategy of differentiating local origination. This becomes particularly problematic when different IPv6 prefixes are dynamically in use. >> >> The homenet arch postulates that ULAs can loosely be used as a hint of connection origin. > > Agreed. But none of the related wg drafts clarify essential roles ULAs have in securing a Hybrid mDNS to DNS approach. Within a dynamic multiple-prefix environment, ULA and RFC1981 space are essential in establishing stable and identifiable network perimeters. Such perimeters defend devices that don't expect direct access from the Internet or split-horizon DNS, as some have suggested. Let’s see what the WG says in the session. >>> In the Security Consideration Section, the union of DNS-SD and mDNS would be zero since DNS-SD claims it to be a data structure creating no security concerns. The union of zero with anything is zero. >> >> Not sure what you mean there - please expand. > > Sorry, a mistake was made confusing union with intersection. Nevertheless, the security consideration statement misrepresents security concerns being a combination of mDNS and DNS-SD security considerations. DNS-SD security considerations specification claims it adds no new security concerns. Such a view implies SSD security consideration are limited to those affecting mDNS. However, mDNS is confined to the bridge, whereas DNS removes this constraint. Such a change has a tremendous, albeit ignored, security impact. Right, potentially, and Hosnieh will talk to that in her slot, I think. You’re right it’s important. And privacy too. >>> Does REQ6 have priority over that of REQ14? >>> ,-- >>> REQ6: SSD must not adversely affect or break any other current >>> protocols or deployments. >>> '-- >>> ,-- >>> REQ14: SSD should operate over existing networks (as described by >>> use cases A-F above) without requiring changes to the network >>> technology or deployment. >> >> Ah. So I think REQ6 should say “any other current service discovery protocols or deployments.”. > > The follow-on sentence attempted to clarify a paradox created by the simplified view when REQ14 is not seen in conflict with REQ6. > >>> mDNS is restricted to a single link. The envisioned multi-link configuration affects the discovery and scope of the related services which may break current protocols and/or substantially increase their vulnerabilities. >> >> Well, I agree there’s certainly privacy and security issues if devices become discoverable over a wider ’scope', which I believe Hosnieh is going to talk about. > > Disagree. Significant issues are related to erosion of network permitters not being considered. For example, this draft could have included a reference to RFC6950 to expand on relevant DNS issues related to securing the proposed automatic publication by SSD that only excludes link-local and RFC1918. Although posted on the mailing-list, my review failed to include this reference. Two reasons for me to blush, but in essence security considerations ignored Internet originating threats permitted by obfuscation of network perimeters by promoting mDNS into DNS. RFC6950 certainly looks relevant. >>> 6.4. Authentication >>> ... >>> was: >>> ,-- >>> If there is a risk that clients may be fooled by the deployment of >>> rogue services, then application layer authentication should be >>> considered as part of any security solution. Authentication of any >>> particular service is outside the scope of this document. >>> '-- >>> >>> should be: >>> ,-- >>> When there is risk that either clients or devices may be spoofed >>> by malefactors, then a network overlay or application layer >>> authentication strategy should be considered. Authentication of >>> or by any particular service is outside the scope of this document. >>> ‘-- >> >> What you’re hinting at I think is to use ULAs as a hint of connection origin, to distinguish from external access. A question is whether a device that is only intended to be used internally should be published, and thus discoverable, externally. > > Default behaviors should be secure. At minimum, there should be a means to recognize whether a device can be directly discoverable and accessible from the Internet. This DMZ determination should be considered limited to manual configuration. > >>> For example, it is not practical to expect a printer will ever be able to authenticate a client. >> >> Many home network devices certainly do support authentication. Although often they’re left with default factory settings…. > > In the case of most consumer printers employing IPv6, they often make use of SLAAC or DHCP and report routable IPv6 addresses in mDNS resources. While these devices may support authentication in administrative configuration functions, only MAC filters constrain sending a fax, printing, scanning, etc. Such constraints can't be used and still permit router bridging. In other words, there is no protection and no logging to even permit effective monitoring. A home device may have a link-local, ULA and GUA - we should be clear on how/whether/when the ULA and/or GUA are used in any proxy scheme. There is also the question of what the proxy then effectively publishes externally. Stuart is recapping the Hybrid Proxy proposal tomorrow. >>> An overlay network can consist of GUA+ULA without change to network technology or deployment. ULAs can limit access to trusted users having immediate access to the local network realms. ULAs also avoid DNS deployment that attempt to merge local with global using complex and risky split-horizon configurations. ULAs already serve as the basis for BTMM configurations which avoids publishing resources for devices like printers unable to authenticate an external session. >> >> So ULAs could be used in a home, and they might be used in an enterprise - whether there that’s alongside GUAs or with NPTv6 is another question. > > It seems reasonable for ULAs to be used in both environments, with only selected devices moved manually into the DMZ. In both environments use of VPNs or secure tunneling is increasingly common. There is probably different behaviour/practice in home and enterprise/campus networks. But I have no data to support that. Tim > > Regards, > Douglas Otis > > _______________________________________________ > dnssd mailing list > dnssd@ietf.org > https://www.ietf.org/mailman/listinfo/dnssd
- [dnssd] WGLC for draft-ietf-dnssd-requirements-03 Tim Chown
- Re: [dnssd] WGLC for draft-ietf-dnssd-requirement… Douglas Otis
- Re: [dnssd] WGLC for draft-ietf-dnssd-requirement… RJ Atkinson
- Re: [dnssd] WGLC for draft-ietf-dnssd-requirement… Tim Chown
- Re: [dnssd] WGLC for draft-ietf-dnssd-requirement… Tim Chown
- Re: [dnssd] WGLC for draft-ietf-dnssd-requirement… Stuart Cheshire
- Re: [dnssd] WGLC for draft-ietf-dnssd-requirement… Douglas Otis
- Re: [dnssd] WGLC for draft-ietf-dnssd-requirement… Tim Chown
- Re: [dnssd] WGLC for draft-ietf-dnssd-requirement… Ted Lemon
- Re: [dnssd] WGLC for draft-ietf-dnssd-requirement… Tim Chown