Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)
Douglas Otis <doug.mtview@gmail.com> Tue, 17 March 2015 19:32 UTC
Return-Path: <doug.mtview@gmail.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2ECB1A888F; Tue, 17 Mar 2015 12:32:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mtuOBw-Pm_6n; Tue, 17 Mar 2015 12:32:20 -0700 (PDT)
Received: from mail-qg0-x230.google.com (mail-qg0-x230.google.com [IPv6:2607:f8b0:400d:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FF791A1B76; Tue, 17 Mar 2015 12:32:20 -0700 (PDT)
Received: by qgez64 with SMTP id z64so18072005qge.2; Tue, 17 Mar 2015 12:32:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=v0RtKZ0VTFykhNV0msF9KvLF5fxvdnLFIFeIxKuHJ+o=; b=rRfBtNe+A1dKe1gcToN89Dv1+xDUStediQav4D2CRLwOjLcZrVL+3g1sjdhPEgI4VM mFdVWTbsWHuAECI59mnY5dml7A0mySZ2vq7R3ngEl08jtaHOmilQPjkgv7ukBDDzW2vS Kmapr632RoHItwJ5mgjN7a8wuhNeNYMiGuGiiKOb+XXNfSwPBdZ+Pil8xSjLc15of6D0 JD1JckEWtLSjKOEy2fEGt2q8j9RtCbpHq69RqMfGiOmJUttad1R0HSKCpGUbfQsRkne5 zcMDfh+mIyDHsbPbn72bFjH1je7Vly7ta+2ZK9fP+Pt+O69lwRpWNhx5unXZrIb6ViSA IDGg==
X-Received: by 10.140.81.242 with SMTP id f105mr83059591qgd.33.1426620739394; Tue, 17 Mar 2015 12:32:19 -0700 (PDT)
Received: from [192.168.0.54] (107-0-5-6-ip-static.hfc.comcastbusiness.net. [107.0.5.6]) by mx.google.com with ESMTPSA id 132sm10235071qhf.17.2015.03.17.12.32.17 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 17 Mar 2015 12:32:18 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: text/plain; charset="us-ascii"
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <AA84FD4B-1516-4CE5-BD00-5B0EC1CAC5EE@gmail.com>
Date: Tue, 17 Mar 2015 12:32:17 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <695E3CFA-B385-481E-9333-68BE1862B29F@gmail.com>
References: <20150310230433.13239.32024.idtracker@ietfa.amsl.com> <83452A4F-D738-43D5-85FD-316B0DC8509F@gmail.com> <CABOxzu1Fq=O_4xtWUXFB82=fudhTE2Qd0FyD1wSRntsLaEiJiQ@mail.gmail.com> <9FC464C2-79E9-477D-9AFA-4C247F071677@gmail.com> <AAC2A111-A75E-48A5-8270-187DBBB109FB@bangj.com> <80E11ACB-1AE9-479E-A36A-1610C0EF307A@gmail.com> <AA84FD4B-1516-4CE5-BD00-5B0EC1CAC5EE@gmail.com>
To: Ralph Droms <rdroms.ietf@gmail.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/U46Ol0I5gwVXKf_N94h7R3eUsZs>
Cc: Kerry Lynn <kerlyn@ieee.org>, dnssd-chairs@ietf.org, draft-ietf-dnssd-requirements.all@ietf.org, dnssd@ietf.org, Chown Tim <tjc@ecs.soton.ac.uk>, The IESG <iesg@ietf.org>, Tom Pusateri <pusateri@bangj.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 19:32:22 -0000
Dear Ralph, > On Mar 17, 2015, at 10:58 AM, Ralph Droms <rdroms.ietf@gmail.com> wrote: > > Doug - Here is my summary of what I understand to be your concerns with > draft-ietf-dnssd-requirements-05: > > 1) A change from link-scope mDNS SD to a larger scope may result in the > existence and address of a device being made more widely available than > currently expected. Of course. > 2) Some devices and networks are incapable of defending themselves > against unwanted access or other attacks once the address of the device > to be attacked is known. When the _wrong_ address is published within DNS that then permits direct Internet access, this may evade desired protections. Although many mDNS devices report all such options, such reporting is only seen on the local network. > 3) Use of RFC 4193 is a way to protect against attacks enabled by the > increased scope of discovery envisioned by extended DNS-SD. Use of RFC4193 is used to protect Homenet as well as various enterprise environments. It is also used by Apple in their Back-To-My-Mac scheme. > You expressed these concerns during WG development and review of > draft-ietf-dnssd-requirements. Tim and I judged the consensus of the > WG to be in support of advancing the document to the IESG, based in part > on the following analysis: > > Points 1 and 2 are answered by the third paragraph of section 6.1. For > completeness, the last sentence of that paragraph might be extended to > include "and protection against other forms of attack". Address selection preferences represent critical security aspects that MUST BE supported by the protocol. If RFC1918 or RFC4193 addresses are reported via mDNS to the DNS-SD proxy, there MUST be a requirement for these addresses to be used over any Internet routable address. It is important these requirements make it clear mDNS is not suitable for publishing hosts on the Internet. Where safer alternatives exist, such publication MUST REQUIRE administrative intervention. Otherwise organizations making use of such schemes will be placed at great risk. > > Point 3 tries to mandate a solution through a specific deployment > mechanism and is, therefore, out of scope for a requirements document. > It may also be more broadly out of scope of the dnssd charter, which > addresses just DNS-based service discovery and does not include mandating > network deployment requirements as part of a solution. This point offers an example strategy (address preferences) that MUST be supported. Ensuring support is not the same as making this a mandate! It seems clear this group failed to develop schemes to protect devices that normally limit access to that of the local network, as provided by constraints imposed by mDNS. As such, there should have been greater review of those offered by Homenet or even Back-To-My-Mac. > If you do not agree that your concerns have been answered by this > analysis, please state the basis for your continued concern, so that we > can judge rough consensus on support for publication of the document. The requirements document remains critically flawed without justification. Ensuring an ability to offer safe deployment unfortunately does not prevent less safe schemes. Nevertheless, supporting a safe scheme should be a basic requirement. Regards, Douglas Otis
- Re: [dnssd] Stephen Farrell's No Objection on dra… Douglas Otis
- Re: [dnssd] Stephen Farrell's No Objection on dra… Ralph Droms
- Re: [dnssd] Stephen Farrell's No Objection on dra… Ralph Droms
- Re: [dnssd] Stephen Farrell's No Objection on dra… Tom Pusateri
- Re: [dnssd] Stephen Farrell's No Objection on dra… Tom Pusateri
- Re: [dnssd] Stephen Farrell's No Objection on dra… Douglas Otis
- Re: [dnssd] Stephen Farrell's No Objection on dra… Tom Pusateri
- Re: [dnssd] Stephen Farrell's No Objection on dra… Stephen Farrell
- Re: [dnssd] Stephen Farrell's No Objection on dra… Tom Pusateri
- Re: [dnssd] Stephen Farrell's No Objection on dra… Ralph Droms
- Re: [dnssd] Stephen Farrell's No Objection on dra… Stephen Farrell
- Re: [dnssd] Stephen Farrell's No Objection on dra… Douglas Otis
- Re: [dnssd] Stephen Farrell's No Objection on dra… Douglas Otis
- Re: [dnssd] Stephen Farrell's No Objection on dra… Douglas Otis
- [dnssd] Stephen Farrell's No Objection on draft-i… Stephen Farrell
- Re: [dnssd] Stephen Farrell's No Objection on dra… Douglas Otis
- Re: [dnssd] Stephen Farrell's No Objection on dra… Kerry Lynn