IETF Logo Mail Archive

Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)

Douglas Otis <doug.mtview@gmail.com> Tue, 17 March 2015 19:32 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2ECB1A888F; Tue, 17 Mar 2015 12:32:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mtuOBw-Pm_6n; Tue, 17 Mar 2015 12:32:20 -0700 (PDT)
Received: from mail-qg0-x230.google.com (mail-qg0-x230.google.com [IPv6:2607:f8b0:400d:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FF791A1B76; Tue, 17 Mar 2015 12:32:20 -0700 (PDT)
Received: by qgez64 with SMTP id z64so18072005qge.2; Tue, 17 Mar 2015 12:32:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=v0RtKZ0VTFykhNV0msF9KvLF5fxvdnLFIFeIxKuHJ+o=; b=rRfBtNe+A1dKe1gcToN89Dv1+xDUStediQav4D2CRLwOjLcZrVL+3g1sjdhPEgI4VM mFdVWTbsWHuAECI59mnY5dml7A0mySZ2vq7R3ngEl08jtaHOmilQPjkgv7ukBDDzW2vS Kmapr632RoHItwJ5mgjN7a8wuhNeNYMiGuGiiKOb+XXNfSwPBdZ+Pil8xSjLc15of6D0 JD1JckEWtLSjKOEy2fEGt2q8j9RtCbpHq69RqMfGiOmJUttad1R0HSKCpGUbfQsRkne5 zcMDfh+mIyDHsbPbn72bFjH1je7Vly7ta+2ZK9fP+Pt+O69lwRpWNhx5unXZrIb6ViSA IDGg==
X-Received: by 10.140.81.242 with SMTP id f105mr83059591qgd.33.1426620739394; Tue, 17 Mar 2015 12:32:19 -0700 (PDT)
Received: from [192.168.0.54] (107-0-5-6-ip-static.hfc.comcastbusiness.net. [107.0.5.6]) by mx.google.com with ESMTPSA id 132sm10235071qhf.17.2015.03.17.12.32.17 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 17 Mar 2015 12:32:18 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: text/plain; charset="us-ascii"
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <AA84FD4B-1516-4CE5-BD00-5B0EC1CAC5EE@gmail.com>
Date: Tue, 17 Mar 2015 12:32:17 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <695E3CFA-B385-481E-9333-68BE1862B29F@gmail.com>
References: <20150310230433.13239.32024.idtracker@ietfa.amsl.com> <83452A4F-D738-43D5-85FD-316B0DC8509F@gmail.com> <CABOxzu1Fq=O_4xtWUXFB82=fudhTE2Qd0FyD1wSRntsLaEiJiQ@mail.gmail.com> <9FC464C2-79E9-477D-9AFA-4C247F071677@gmail.com> <AAC2A111-A75E-48A5-8270-187DBBB109FB@bangj.com> <80E11ACB-1AE9-479E-A36A-1610C0EF307A@gmail.com> <AA84FD4B-1516-4CE5-BD00-5B0EC1CAC5EE@gmail.com>
To: Ralph Droms <rdroms.ietf@gmail.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/U46Ol0I5gwVXKf_N94h7R3eUsZs>
Cc: Kerry Lynn <kerlyn@ieee.org>, dnssd-chairs@ietf.org, draft-ietf-dnssd-requirements.all@ietf.org, dnssd@ietf.org, Chown Tim <tjc@ecs.soton.ac.uk>, The IESG <iesg@ietf.org>, Tom Pusateri <pusateri@bangj.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 19:32:22 -0000

Dear Ralph,

> On Mar 17, 2015, at 10:58 AM, Ralph Droms <rdroms.ietf@gmail.com> wrote:
> 
> Doug - Here is my summary of what I understand to be your concerns with
> draft-ietf-dnssd-requirements-05:
> 
> 1) A change from link-scope mDNS SD to a larger scope may result in the
> existence and address of a device being made more widely available than
> currently expected.

Of course.

> 2) Some devices and networks are incapable of defending themselves
> against unwanted access or other attacks once the address of the device
> to be attacked is known.

When the _wrong_ address is published within DNS that then permits direct
Internet access, this may evade desired protections. Although many mDNS
devices report all such options, such reporting is only seen on the local 
network.    

> 3) Use of RFC 4193 is a way to protect against attacks enabled by the
> increased scope of discovery envisioned by extended DNS-SD.

Use of RFC4193 is used to protect Homenet as well as various enterprise
environments.  It is also used by Apple in their Back-To-My-Mac scheme.

> You expressed these concerns during WG development and review of
> draft-ietf-dnssd-requirements.  Tim and I judged the consensus of the
> WG to be in support of advancing the document to the IESG, based in part
> on the following analysis:
> 
> Points 1 and 2 are answered by the third paragraph of section 6.1.  For
> completeness, the last sentence of that paragraph might be extended to
> include "and protection against other forms of attack".

Address selection preferences represent critical security aspects that 
MUST BE supported by the protocol.  If RFC1918 or RFC4193 addresses are 
reported via mDNS to the  DNS-SD proxy, there MUST be a requirement for 
these addresses to be used over any Internet routable address.  It is 
important these requirements make it clear mDNS is not suitable for 
publishing hosts on the Internet.  Where safer alternatives exist, such 
publication MUST REQUIRE administrative intervention.  Otherwise 
organizations making use of such schemes will be placed at great risk. 

> 
> Point 3 tries to mandate a solution through a specific deployment
> mechanism and is, therefore, out of scope for a requirements document.
> It may also be more broadly out of scope of the dnssd charter, which
> addresses just DNS-based service discovery and does not include mandating
> network deployment requirements as part of a solution.

This point offers an example strategy (address preferences) that MUST be 
supported.  Ensuring support is not the same as making this a mandate!  
It seems clear this group failed to develop schemes to protect devices 
that normally limit access to that of the local network, as provided by 
constraints imposed by mDNS.  As such, there should have been greater 
review of those offered by Homenet or even Back-To-My-Mac.

> If you do not agree that your concerns have been answered by this
> analysis, please state the basis for your continued concern, so that we
> can judge rough consensus on support for publication of the document.

The requirements document remains critically flawed without justification. 
Ensuring an ability to offer safe deployment unfortunately does not prevent 
less safe schemes. Nevertheless, supporting a safe scheme should be a basic 
requirement. 

Regards,
Douglas Otis

v2.23.0 | Report a Bug | By Email