Re: [dnssd] Security through Obscurity
"Kennedy, Smith (Wireless Architect)" <smith.kennedy@hp.com> Thu, 24 July 2014 15:54 UTC
Return-Path: <smith.kennedy@hp.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F2BA1A03EB for <dnssd@ietfa.amsl.com>; Thu, 24 Jul 2014 08:54:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SAY8krFrgd-F for <dnssd@ietfa.amsl.com>; Thu, 24 Jul 2014 08:54:46 -0700 (PDT)
Received: from g4t3425.houston.hp.com (g4t3425.houston.hp.com [15.201.208.53]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B90911A03E2 for <dnssd@ietf.org>; Thu, 24 Jul 2014 08:54:46 -0700 (PDT)
Received: from G9W0364.americas.hpqcorp.net (g9w0364.houston.hp.com [16.216.193.45]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by g4t3425.houston.hp.com (Postfix) with ESMTPS id 132B823C for <dnssd@ietf.org>; Thu, 24 Jul 2014 15:54:46 +0000 (UTC)
Received: from G4W6305.americas.hpqcorp.net (16.210.26.230) by G9W0364.americas.hpqcorp.net (16.216.193.45) with Microsoft SMTP Server (TLS) id 14.3.169.1; Thu, 24 Jul 2014 15:54:04 +0000
Received: from G4W3298.americas.hpqcorp.net ([169.254.4.87]) by G4W6305.americas.hpqcorp.net ([16.210.26.230]) with mapi id 14.03.0169.001; Thu, 24 Jul 2014 15:54:04 +0000
From: "Kennedy, Smith (Wireless Architect)" <smith.kennedy@hp.com>
To: RJ Atkinson <rja.lists@gmail.com>
Thread-Topic: [dnssd] Security through Obscurity
Thread-Index: AQHPprfZeGKEsBCMn020p8uMqL4n0Juub3CAgADDcoCAAAvegIAAIsoA
Date: Thu, 24 Jul 2014 15:54:03 +0000
Message-ID: <8465FD60-84CD-41B3-BBE3-1BDB52DF0DDB@hp.com>
References: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com> <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com> <0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <EMEW3|faec94f4ff05bea449f9614b93dae254q6NE8Q03tjc|ecs.soton.ac.uk|0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <E6F68BE4-7094-45AA-ADD9-4B88BBC87921@gmail.com>
In-Reply-To: <E6F68BE4-7094-45AA-ADD9-4B88BBC87921@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [15.201.58.30]
Content-Type: multipart/signed; boundary="Apple-Mail=_B6AD405F-C77F-47EB-AD0F-1A416E49EBDC"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/Wiv9tXZTHaOB3M_DinqkPQ35H88
Cc: "dnssd@ietf.org" <dnssd@ietf.org>
Subject: Re: [dnssd] Security through Obscurity
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jul 2014 15:54:58 -0000
Hi Ran, Where you say: > Also, in many environments where DHCP is NOT used, for example > due to the costs associated with DHCP, it is STILL operationally > DESIRABLE for an IPv6-capable device (e.g. network printer) > to have the SAME PREDICTABLE IPv6 address each and every time > the printer (re)boots. Why in your opinion is it “operationally desirable” for the printer to have a predictable IPv6 address? I have my own thoughts on this subject but I want to hear yours, hopefully with examples. Smith /** Smith Kennedy Hewlett-Packard Co. */ On 2014-07-24, at 7:49 AM, RJ Atkinson <rja.lists@gmail.com> wrote: > > On 24 Jul 2014, at 09:07 , Tim Chown wrote: >> Doug, if you mean a 48-bit MAC address being embedded in the IPv6 address, >> see http://tools.ietf.org/html/rfc7217. > > > All, > > I think the notion of predictability of IPv6 Interface IDs > is not germane to the DNS-SD discussions, for the reasons > that various folks (e.g. Stuart Cheshire, Tim Chown, and > Tom Pusateri) have explained already. > > Separately, in many environments, predictability of IP > addressing of printers (or file servers or ...) is > operationally DESIRABLE. > > However, just for the record, there also are a range of other > RFCs, long predating RFC-7217, for generating IPv6 Interface IDs, > going back for more than a decade. [References at bottom] > > I believe these various alternative IPv6 IID algorithms are > widely implemented and deployed today, and that they have been > widely implemented and deployed for many years now. > > Note, in some environments, especially business environments, > the use of DHCP(v6) is operationally preferable to SLAAC > because it provides PREDICTABILITY in IP address assignment. > > Also, in many environments where DHCP is NOT used, for example > due to the costs associated with DHCP, it is STILL operationally > DESIRABLE for an IPv6-capable device (e.g. network printer) > to have the SAME PREDICTABLE IPv6 address each and every time > the printer (re)boots. IPv6 SLAAC with an embedded MAC address > thus is DESIRED in many environments -- especially for devices > providing services that would be advertised using DNS-SD > (e.g. network printer). > > Can we PLEASE get past individual hangups over *solved* problems > that belong to other IETF WGs (e.g. IPv6 Ops, IPv6 Maint, OPsec) > and instead stay on-topic for DNS-SD ? > > Thanks, > > Ran Atkinson > > > > REFERENCES: > > RFC-3041 January 2001 > Privacy Extensions for Stateless IPv6 > Address Auto-config > > RFC-3972 March 2005 > Cryptographically Generated Addresses (CGAs) > > > RFC-4941 September 2007 > Revision of RFC-3041 > > RFC-4942 July 2007 > Support for Multiple Hash Algorithms in > Cryptographically Generated Addresses (CGAs) > > RFC-5535 June 2009 > Hash-based Addresses > > RFC-7217 April 2014 > Generating Opaque Interface IDs with IPv6 SLAAC > > > _______________________________________________ > dnssd mailing list > dnssd@ietf.org > https://www.ietf.org/mailman/listinfo/dnssd
- [dnssd] Security through Obscurity RJ Atkinson
- Re: [dnssd] Security through Obscurity Tim Chown
- Re: [dnssd] Security through Obscurity Douglas Otis
- Re: [dnssd] Security through Obscurity Tom Pusateri
- [dnssd] Site deployment options RJ Atkinson
- Re: [dnssd] Security through Obscurity Tim Chown
- Re: [dnssd] Security through Obscurity RJ Atkinson
- Re: [dnssd] Security through Obscurity Kennedy, Smith (Wireless Architect)
- Re: [dnssd] Security through Obscurity Douglas Otis
- Re: [dnssd] Security through Obscurity RJ Atkinson
- Re: [dnssd] Security through Obscurity Michael Richardson
- Re: [dnssd] Security through Obscurity Michael Richardson
- Re: [dnssd] Security through Obscurity Albrecht, Harald
- Re: [dnssd] Security through Obscurity Michael Sweet
- Re: [dnssd] Security through Obscurity Kennedy, Smith (Wireless Architect)
- Re: [dnssd] Security through Obscurity Douglas Otis
- Re: [dnssd] Security through Obscurity Albrecht, Harald
- Re: [dnssd] Security through Obscurity Tim Chown
- Re: [dnssd] Security through Obscurity Albrecht, Harald
- Re: [dnssd] Security through Obscurity Michael Richardson
- Re: [dnssd] Security through Obscurity Michael Richardson