Re: [dnssd] Security through Obscurity

Douglas Otis <doug.mtview@gmail.com> Thu, 24 July 2014 16:27 UTC

From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <EMEW3|faec94f4ff05bea449f9614b93dae254q6NE8Q03tjc|ecs.soton.ac.uk|0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk>
Date: Thu, 24 Jul 2014 12:26:59 -0400
Message-Id: <F681929D-FC38-4C35-AD93-312719680235@gmail.com>
References: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com> <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com> <0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <EMEW3|faec94f4ff05bea449f9614b93dae254q6NE8Q03tjc|ecs.soton.ac.uk|0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk>
To: Tim Chown <tjc@ecs.soton.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/WfwL8-CSavLwVAIzPNoR_1hS3hE
Cc: dnssd@ietf.org, RJ Atkinson <rja.lists@gmail.com>, Douglas Otis <doug.mtview@gmail.com>
Subject: Re: [dnssd] Security through Obscurity

On Jul 24, 2014, at 9:07 AM, Tim Chown <tjc@ecs.soton.ac.uk> wrote:

> On 24 Jul 2014, at 02:27, Douglas Otis <doug.mtview@gmail.com> wrote:
> 
>> 
>> On Jul 23, 2014, at 4:51 PM, RJ Atkinson <rja.lists@gmail.com> wrote:
>> 
>>> 
>>> (NOTE WELL: I am not a WG Chair, IESG member, IAB member,
>>> or authorised spokesperson for anyone other than myself.)
>>> 
>>> 
>>> Earlier Doug Otis wrote:
>>>> It is not safe to advertise such addresses in DNS, 
>>>> especially when security depends on address obscurity.
>>> 
>>> 
>>> I believe that the vast majority of security folks
>>> would object to the notion that obscurity is a mechanism 
>>> capable of providing any meaningful security.
>>> 
>>> If a client were to ask me for advice on protecting their
>>> interior services or interior devices from the global Internet, 
>>> I would suggest at least a firewall (ranging from router ACLs 
>>> to an air-gap: depending upon their local needs and threat model) 
>>> and possibly also other measures (again, depending upon local
>>> needs and threat model).  Operational security is not 
>>> one-size-fits-all, in my experience, but relying upon 
>>> security-through-obscurity seems unwise to me.
>> 
>> I agree with that statement, but at the same time some of these devices are assigned routable addresses by the vendors.  When assigned out of a 48-bit space, it might be possible to guess the device based on common manufacturers.  When randomly assigned by the owner, it is highly unlikely such an address will ever be guessed.  Add rate limiting, and this unknown should work well at mitigating attack.  But as I said, I agree with your statement and why I think mDNS should be working with ULAs.
> 
> Doug, if you mean a 48-bit MAC address being embedded in the IPv6 address, see http://tools.ietf.org/html/rfc7217.
> 
> I agree with Tom’s comments. A question to discuss in your slot today is when a device has a LL, ULA and GUA, which of those should be advertised via the SD protocol and whether/how that choice can/should be influenced.

Dear Tim,

The comment was focused on typical operating modes regarding newer IPv6-ready printers in typical home networks.  There are ways to improve upon SLAAC, as noted in RFC7217. When a printer is assigned a globally routable IP address, publishing this address in a way that can be seen by malefactors outside the network would be a bad practice.  In home environments, SLAAC rather than DHCP often provides the printer's IPv6 address.

Where there is no overlay network in a home network having multiple routers, publishing the printer's address would be detrimental. Testing determined that, when not using an overlay network, these devices were highly vulnerable to exploits that allow malefactors the ability to remotely fax, scan, and print from anywhere on the Internet without any logging being generated.  As such, it would be a bad practice to place a printer's mDNS resources into DNS.

Answering your specific question, the address functional for DNS-SD would be the ULA address, which should be the prefix announced to the printer.  In essence, this represents a security consideration for the use of SSD and not directly an SSD mode of operation.

Regards,
Douglas Otis
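Added here as an illustration of the address choice discussed in this thread, not code from the thread or from any IETF project: a Python audit that classifies a device's IPv6 addresses (LL, ULA, GUA), flags interface identifiers that embed a 48-bit MAC (the guessability concern above), derives an RFC 7217-style opaque identifier, and picks the ULA for DNS-SD publication as the reply recommends. The addresses, interface name and secret key are constructed; using HMAC-SHA-256 as the RFC's F() is an assumption the RFC permits but does not mandate.

```python
import hashlib
import hmac
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local
GUA = ipaddress.IPv6Network("2000::/3")   # globally routable unicast

def address_scope(addr: str) -> str:
    """Classify an IPv6 address as LL, ULA, GUA or other."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "LL"
    if a in ULA:
        return "ULA"
    if a in GUA:
        return "GUA"
    return "other"

def eui64_mac(addr: str):
    """MAC embedded in a Modified EUI-64 interface identifier, or None.
    Classic SLAAC (RFC 4291 App. A) splices 0xFFFE into the MAC and flips the
    universal/local bit, so the manufacturer's OUI is readable off the address."""
    b = ipaddress.IPv6Address(addr).packed
    if b[11:13] != b"\xff\xfe":
        return None
    mac = bytes([b[8] ^ 0x02]) + b[9:11] + b[13:16]
    return ":".join(f"{x:02x}" for x in mac)

def rfc7217_address(prefix: str, net_iface: str, secret_key: bytes, dad_counter: int = 0) -> str:
    """Stable, opaque, per-prefix address in the style of RFC 7217 Section 5.
    F() is HMAC-SHA-256 here (assumption; the RFC leaves the PRF to the implementer);
    the Network_ID input and the reserved-IID check (RFC 5453) are omitted."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    msg = pfx + net_iface.encode() + dad_counter.to_bytes(2, "big")
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return str(ipaddress.IPv6Address(pfx + rid[:8]))  # IID = low 64 bits of RID

def dnssd_advertise(addrs):
    """Pick the ULA for publication (the thread's answer); report scope and any MAC leak per address."""
    findings = [(a, address_scope(a), eui64_mac(a)) for a in addrs]
    chosen = next((a for a, scope, _ in findings if scope == "ULA"), None)
    return chosen, findings

if __name__ == "__main__":
    device = [  # constructed: documentation/ULA prefixes and a made-up MAC
        "fe80::211:22ff:fe33:4455",             # LL, EUI-64 from 00:11:22:33:44:55
        "2001:db8:1::211:22ff:fe33:4455",       # GUA carrying the same MAC-derived IID
        "fd00:1234:5678::5e9a:3b01:cc42:7f10"]  # ULA with an opaque IID
    print(dnssd_advertise(device))
    print(rfc7217_address("2001:db8:1::/64", "eth0", b"constructed-demo-secret"))
```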