Re: [dnssd] Security through Obscurity
"Albrecht, Harald" <harald.albrecht@siemens.com> Tue, 29 July 2014 08:50 UTC
Return-Path: <harald.albrecht@siemens.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ECAA1A00DB for <dnssd@ietfa.amsl.com>; Tue, 29 Jul 2014 01:50:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.549
X-Spam-Level:
X-Spam-Status: No, score=-6.549 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dr97_uKXzor7 for <dnssd@ietfa.amsl.com>; Tue, 29 Jul 2014 01:50:47 -0700 (PDT)
Received: from gecko.sbs.de (gecko.sbs.de [194.138.37.40]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BC3F1A00E7 for <dnssd@ietf.org>; Tue, 29 Jul 2014 01:50:47 -0700 (PDT)
Received: from mail2.sbs.de (localhost [127.0.0.1]) by gecko.sbs.de (8.14.3/8.14.3) with ESMTP id s6T8oYWG017034; Tue, 29 Jul 2014 10:50:34 +0200
Received: from DEFTHW99ERKMSX.ww902.siemens.net (defthw99erkmsx.ww902.siemens.net [139.22.70.147]) by mail2.sbs.de (8.14.3/8.14.3) with ESMTP id s6T8oYD3028214 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 29 Jul 2014 10:50:34 +0200
Received: from DENBGAT9ERBMSX.ww902.siemens.net (139.22.70.93) by DEFTHW99ERKMSX.ww902.siemens.net (139.22.70.147) with Microsoft SMTP Server (TLS) id 14.3.195.1; Tue, 29 Jul 2014 10:50:34 +0200
Received: from DEFTHW99EK5MSX.ww902.siemens.net ([169.254.6.83]) by DENBGAT9ERBMSX.ww902.siemens.net ([139.22.70.93]) with mapi id 14.03.0195.001; Tue, 29 Jul 2014 10:50:33 +0200
From: "Albrecht, Harald" <harald.albrecht@siemens.com>
To: Tim Chown <tjc@ecs.soton.ac.uk>
Thread-Topic: [dnssd] Security through Obscurity
Thread-Index: AQHPprfbeCMVdoWCv0+IRw2l+oT97JuuTemAgADDcoCAAAvegIAAIsuAgAAJowCAABzGgIAAEAEAgADpzzCAAGScAIAFTO+AgACYA1D///rNgIAAIhPg
Date: Tue, 29 Jul 2014 08:50:32 +0000
Message-ID: <E36F274013087B4EA05E08EB503750390BEE6605@DEFTHW99EK5MSX.ww902.siemens.net>
References: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com> <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com> <0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <EMEW3|faec94f4ff05bea449f9614b93dae254q6NE8Q03tjc|ecs.soton.ac.uk|0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <E6F68BE4-7094-45AA-ADD9-4B88BBC87921@gmail.com> <8465FD60-84CD-41B3-BBE3-1BDB52DF0DDB@hp.com> <364AAF85-5FB4-4828-A5A4-11160E747BC9@gmail.com> <24377.1406225491@sandelman.ca> <3949.1406228928@sandelman.ca> <E36F274013087B4EA05E08EB503750390BEDE8DF@DEFTHW99EK5MSX.ww902.siemens.net> <4CCB4658-8B54-460B-AC4B-8230EEEF54CA@hp.com> <D5D52161-1054-47C7-ABA0-724F50A6AB46@gmail.com> <E36F274013087B4EA05E08EB503750390BEE65A8@DEFTHW99EK5MSX.ww902.siemens.net> <BFE7EF21-A4B9-43CF-B5D8-399F5189BB97@ecs.soton.ac.uk> <EMEW3|78c7787d41f4cc844bef0148dec04974q6S9lr03tjc|ecs.soton.ac.uk|BFE7EF21-A4B9-43CF-B5D8-399F5189BB97@ecs.soton.ac.uk>
In-Reply-To: <EMEW3|78c7787d41f4cc844bef0148dec04974q6S9lr03tjc|ecs.soton.ac.uk|BFE7EF21-A4B9-43CF-B5D8-399F5189BB97@ecs.soton.ac.uk>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [139.22.70.31]
Content-Type: multipart/alternative; boundary="_000_E36F274013087B4EA05E08EB503750390BEE6605DEFTHW99EK5MSXw_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/SwpxCg3w_KCmaF6CSn3D3r-pBPA
Cc: "Kennedy, Smith (Wireless Architect)" <smith.kennedy@hp.com>, "dnssd@ietf.org" <dnssd@ietf.org>, Douglas Otis <doug.mtview@gmail.com>, Michael Richardson <mcr@sandelman.ca>
Subject: Re: [dnssd] Security through Obscurity
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 08:50:50 -0000
This is also exactly my understanding, thanks for clarifying this. Von: dnssd [mailto:dnssd-bounces@ietf.org] Im Auftrag von Tim Chown Gesendet: Dienstag, 29. Juli 2014 10:48 An: Albrecht, Harald Cc: Kennedy, Smith (Wireless Architect); dnssd@ietf.org; Douglas Otis; Michael Richardson Betreff: Re: [dnssd] Security through Obscurity Hi, There is some interesting discussion happening here, but we do need to focus the discussion on the elements that are important to defining scalable DNS-based service discovery, as per our group's charter. Of course if there are related topics that people think are important, those can be progressed elsewhere, such as 6man or v6ops, though we should remember that dnssd's charter is IP version agnostic. It would be useful therefore to capture what is of direct relevance to dnssd from this discussion. One point is that a comment was made at IETF90 that dnssd should not explictly care about stability of addresses, and it should work however frequently a device is renumbered or changes address. So if someone implements the 'press a button to renumber my home network' idea discussed elsewhere, dnnsd should be able to react, and, as per REQ13 should ensure information is up to date and not stale. It was also said that we should note the distinction between a service running on a device being discoverable (via dnssd), reachable (dependent on ACLs etc) and usable (via authentication). We don't want to rathole here on default home network CPE firewall settings, or the merits of RFC7217, take that to v6ops. There is some discussion of handling the scopes of discoverable devices in draft-cheshire-dnssd-hybrid-01, in Section 3.1. I suspect Stuart would be happy to receive thoughts on that text. ULAs have been discussed for homenet (in parallel to GUAs), and RFC1918 addresses are of course in wide use for IPv4 homes and enterprises. Tim
- [dnssd] Security through Obscurity RJ Atkinson
- Re: [dnssd] Security through Obscurity Tim Chown
- Re: [dnssd] Security through Obscurity Douglas Otis
- Re: [dnssd] Security through Obscurity Tom Pusateri
- [dnssd] Site deployment options RJ Atkinson
- Re: [dnssd] Security through Obscurity Tim Chown
- Re: [dnssd] Security through Obscurity RJ Atkinson
- Re: [dnssd] Security through Obscurity Kennedy, Smith (Wireless Architect)
- Re: [dnssd] Security through Obscurity Douglas Otis
- Re: [dnssd] Security through Obscurity RJ Atkinson
- Re: [dnssd] Security through Obscurity Michael Richardson
- Re: [dnssd] Security through Obscurity Michael Richardson
- Re: [dnssd] Security through Obscurity Albrecht, Harald
- Re: [dnssd] Security through Obscurity Michael Sweet
- Re: [dnssd] Security through Obscurity Kennedy, Smith (Wireless Architect)
- Re: [dnssd] Security through Obscurity Douglas Otis
- Re: [dnssd] Security through Obscurity Albrecht, Harald
- Re: [dnssd] Security through Obscurity Tim Chown
- Re: [dnssd] Security through Obscurity Albrecht, Harald
- Re: [dnssd] Security through Obscurity Michael Richardson
- Re: [dnssd] Security through Obscurity Michael Richardson