IETF Logo Mail Archive

Re: [dnssd] Threat model - answer to questions

Douglas Otis <doug.mtview@gmail.com> Mon, 08 December 2014 23:26 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4AE1A0072 for <dnssd@ietfa.amsl.com>; Mon, 8 Dec 2014 15:26:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id siXZ5v1Pk6rP for <dnssd@ietfa.amsl.com>; Mon, 8 Dec 2014 15:26:51 -0800 (PST)
Received: from mail-qa0-x232.google.com (mail-qa0-x232.google.com [IPv6:2607:f8b0:400d:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 373741A0016 for <dnssd@ietf.org>; Mon, 8 Dec 2014 15:26:51 -0800 (PST)
Received: by mail-qa0-f50.google.com with SMTP id w8so4037201qac.37 for <dnssd@ietf.org>; Mon, 08 Dec 2014 15:26:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IyVz01gmNEwtodK/mykbwecpEwSiDlORa//gXf4zHj4=; b=ZUVsJwTH2z6k6qNxL34sOOP6BjAnRXjU2ZAnEw8iFXIrwQl0pA5xTJfF84PqEjBSyy qJwUnScn4+szGZ/DpW6+XQcQxs/eZOXtGyL7j7K7s8YMkzYcFtcYuxl5QdUM46iVOup/ 5KFvzauqFtLBuw1ve3QNsskKxT2H0bTt9Ne+hq2rlIPNr8pfVHJ61YwSVgVIjG8pxv7A VOv501hIDt8SnShmOm4eAmXnRq6EBW+Em+JrehBgRu9+Yk7Aik7b2QskH0o/VQIguSQB GZb9o+v7qT6ZfHvtWckzKuHGPkBD4I0WPa3LjRrGZQwMHAYy1i+aCO/ZmDEVZ0MM9lM8 5UPQ==
X-Received: by 10.224.51.193 with SMTP id e1mr44977qag.30.1418081210486; Mon, 08 Dec 2014 15:26:50 -0800 (PST)
Received: from [192.168.0.54] (107-0-5-6-ip-static.hfc.comcastbusiness.net. [107.0.5.6]) by mx.google.com with ESMTPSA id k66sm24476367qgd.21.2014.12.08.15.26.49 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 08 Dec 2014 15:26:49 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: text/plain; charset="us-ascii"
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <814D0BFB77D95844A01CA29B44CBF8A7A7DD8A@lhreml513-mbb.china.huawei.com>
Date: Mon, 08 Dec 2014 15:26:48 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <3F7E9ABD-D110-42AD-B8FA-383FAA50A18B@gmail.com>
References: <814D0BFB77D95844A01CA29B44CBF8A7A5E576@lhreml513-mbb.china.huawei.com> <AD1ACD05-A7BF-44E8-AC52-9BDA756C1722@gmail.com> <814D0BFB77D95844A01CA29B44CBF8A7A7DD8A@lhreml513-mbb.china.huawei.com>
To: Hosnieh Rafiee <hosnieh.rafiee@huawei.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/RGFglMyUO2_LZG18MsAmaXWHP-0
Cc: "dnssd@ietf.org" <dnssd@ietf.org>
Subject: Re: [dnssd] Threat model - answer to questions
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Dec 2014 23:26:56 -0000

On Dec 5, 2014, at 2:51 AM, Hosnieh Rafiee <hosnieh.rafiee@huawei.com> wrote:

> Hi Douglas,
> 
> Thanks for your comments. 
> 
>> For resource constrained devices, security is best enforced by use of
> <snip>
>> Omitting proper address selection rules is unlikely to obtain the
>> desired security.  This consideration was omitted in both the Hybrid
>> Proxy and Security Threat documents.
>> 
>> Note: Last hop security depends on header compliance with RA Guard
>> RFC7113.
> Thanks for the clarification. I actually removed it from the document because In IETF 90 when I was presenting, some folks told me that I should only focus on the scope of requirement documents and charter which is more related to DNSSD and a little about mDNS.
> 
> So, maybe this is a good time to raise this question:
> 
> What is the expectation of thread model? Shall I also evaluation the current available documents which discusses also about mDNS or only focus on SD part?

Dear Hosnieh,

The general goal for using mDNS to populate DNS is to approach zero-config when networks are isolated on different bridges unable to automatically propagate multicast traffic without use of protocols like PIM-SM (RFC3569).  The effects of these methods and their best implementation should be part of related threat analysis although draft-ietf-dnssd-requirements excluded important concerns.  In essence, these concerns should include the proper handling of RFC4193 (ULAs).  

A statement like:
,--
DNS-SD did not consider the impact of RFC4193 that should be carefully considered when using mDNS to populate DNS.  As such, a ULA prefix is not to be advertised outside the network domain. Administrators need to clearly set the scope of the ULAs and configure ACLs on relevant border routers to enforce this scope.  If internal DNS is used, administrators should use internal-only DNS names for ULAs and perhaps use split horizon DNS to ensure internal names do not resolve on the Internet as described in RFC6950.

To maintain security, address preference rules employed by a proxy device should properly consider use of ULAs as described by RFC7368.  Per section 2.4, a device should only use its ULA address within its domain. Even where multiple /48 ULA prefixes are in use within a single domain, as may occur when there are multiple Internet uplinks, utilizing a ULA source address and a ULA destination address from two disjoint internal ULA prefixes should still be preferred over GUAs.  When a device has not been specifically enabled to be externally accessible, mDNS proxy into DNS should not publish associated GUAs.  
'--

The section: 3.2.1.  Home, Enterprise, Mesh networks:
,--
When ISP, home router/gateway and service provider (like a printer) 
support IPv6 address, then service providers usually automatically 
sets an IPv6 address. Since this address is global, this node is 
accessible over the internet. If the address of this service provider 
is known to the attacker, then it might be able to compromise this 
service provider and access to this network (because service 
providers usually supports weak security features).
'--

Should be:
,--
When the ISP, home router/gateway, and a service (like a printer) 
support IPv6 addressing, these services may automatically announce over 
mDNS both ULA and GUA addresses.  Since a GUA address is global, 
the associated node may become accessible over the Internet. 

When the GUA address for a service becomes known to an attacker, it 
might grant unintended access to a service otherwise limited by 
boundaries imposed by mDNS discovery.
'--

This paragraph offers no protective strategy for devices within a networking domain supported by DNS-SD populated by the mDNS proxy scheme.  To be better understood, this paragraph should replace the term "service provider" with "service".  Unlike IPv4, there can be multiple IP address assignments per interface.   For example, a printer might return both GUA and ULA addresses.  From a security standpoint, it becomes essential only ULAs be published in DNS-SD populated by mDNS. 

CGA-TSIG or DNS over TLS are incongruent with the use of DNS-SD populated by mDNS since zero-config is being sought.  Omitting proper address selection rules will not ensure basic deployments offer the desired security.  This consideration was omitted in both the Hybrid Proxy and the requirements documents.  Threat related documents should also include header compliance requirements as specified by RA Guard RFC7113 also omitted by this draft.

Regards,
Douglas Otis

v2.23.0 | Report a Bug | By Email