IETF Logo Mail Archive

Re: [dnssd] Security through Obscurity

"Kennedy, Smith (Wireless Architect)" <smith.kennedy@hp.com> Thu, 24 July 2014 15:54 UTC

Return-Path: <smith.kennedy@hp.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F2BA1A03EB for <dnssd@ietfa.amsl.com>; Thu, 24 Jul 2014 08:54:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SAY8krFrgd-F for <dnssd@ietfa.amsl.com>; Thu, 24 Jul 2014 08:54:46 -0700 (PDT)
Received: from g4t3425.houston.hp.com (g4t3425.houston.hp.com [15.201.208.53]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B90911A03E2 for <dnssd@ietf.org>; Thu, 24 Jul 2014 08:54:46 -0700 (PDT)
Received: from G9W0364.americas.hpqcorp.net (g9w0364.houston.hp.com [16.216.193.45]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by g4t3425.houston.hp.com (Postfix) with ESMTPS id 132B823C for <dnssd@ietf.org>; Thu, 24 Jul 2014 15:54:46 +0000 (UTC)
Received: from G4W6305.americas.hpqcorp.net (16.210.26.230) by G9W0364.americas.hpqcorp.net (16.216.193.45) with Microsoft SMTP Server (TLS) id 14.3.169.1; Thu, 24 Jul 2014 15:54:04 +0000
Received: from G4W3298.americas.hpqcorp.net ([169.254.4.87]) by G4W6305.americas.hpqcorp.net ([16.210.26.230]) with mapi id 14.03.0169.001; Thu, 24 Jul 2014 15:54:04 +0000
From: "Kennedy, Smith (Wireless Architect)" <smith.kennedy@hp.com>
To: RJ Atkinson <rja.lists@gmail.com>
Thread-Topic: [dnssd] Security through Obscurity
Thread-Index: AQHPprfZeGKEsBCMn020p8uMqL4n0Juub3CAgADDcoCAAAvegIAAIsoA
Date: Thu, 24 Jul 2014 15:54:03 +0000
Message-ID: <8465FD60-84CD-41B3-BBE3-1BDB52DF0DDB@hp.com>
References: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com> <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com> <0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <EMEW3|faec94f4ff05bea449f9614b93dae254q6NE8Q03tjc|ecs.soton.ac.uk|0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <E6F68BE4-7094-45AA-ADD9-4B88BBC87921@gmail.com>
In-Reply-To: <E6F68BE4-7094-45AA-ADD9-4B88BBC87921@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [15.201.58.30]
Content-Type: multipart/signed; boundary="Apple-Mail=_B6AD405F-C77F-47EB-AD0F-1A416E49EBDC"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/Wiv9tXZTHaOB3M_DinqkPQ35H88
Cc: "dnssd@ietf.org" <dnssd@ietf.org>
Subject: Re: [dnssd] Security through Obscurity
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jul 2014 15:54:58 -0000

Hi Ran,

Where you say:

> Also, in many environments where DHCP is NOT used, for example
> due to the costs associated with DHCP, it is STILL operationally 
> DESIRABLE for an IPv6-capable device  (e.g. network printer) 
> to have the SAME PREDICTABLE IPv6 address each and every time 
> the printer (re)boots.  

Why in your opinion is it “operationally desirable” for the printer to have a predictable IPv6 address?  I have my own thoughts on this subject but I want to hear yours, hopefully with examples.

Smith

/**
    Smith Kennedy
    Hewlett-Packard Co.
*/



On 2014-07-24, at 7:49 AM, RJ Atkinson <rja.lists@gmail.com> wrote:

> 
> On 24  Jul 2014, at 09:07 , Tim Chown wrote:
>> Doug, if you mean a 48-bit MAC address being embedded in the IPv6 address,
>> see http://tools.ietf.org/html/rfc7217.
> 
> 
> All,
> 
> I think the notion of predictability of IPv6 Interface IDs
> is not germane to the DNS-SD discussions, for the reasons
> that various folks (e.g. Stuart Cheshire, Tim Chown, and 
> Tom Pusateri) have explained already.  
> 
> Separately, in many environments, predictability of IP
> addressing of printers (or file servers or ...) is 
> operationally DESIRABLE.
> 
> However, just for the record, there also are a range of other 
> RFCs, long predating RFC-7217, for generating IPv6 Interface IDs, 
> going back for more than a decade.  [References at bottom]
> 
> I believe these various alternative IPv6 IID algorithms are 
> widely implemented and deployed today, and that they have been 
> widely implemented and deployed for many years now.
> 
> Note, in some environments, especially business environments,
> the use of DHCP(v6) is operationally preferable to SLAAC
> because it provides PREDICTABILITY in IP address assignment. 
> 
> Also, in many environments where DHCP is NOT used, for example
> due to the costs associated with DHCP, it is STILL operationally 
> DESIRABLE for an IPv6-capable device  (e.g. network printer) 
> to have the SAME PREDICTABLE IPv6 address each and every time 
> the printer (re)boots.  IPv6 SLAAC with an embedded MAC address 
> thus is DESIRED in many environments -- especially for devices
> providing services that would be advertised using DNS-SD
> (e.g. network printer).
> 
> Can we PLEASE get past individual hangups over *solved* problems 
> that belong to other IETF WGs (e.g. IPv6 Ops, IPv6 Maint, OPsec)
> and instead stay on-topic for DNS-SD ?
> 
> Thanks,
> 
> Ran Atkinson
> 
> 
> 
> REFERENCES:
> 
> RFC-3041	January 2001
> 		Privacy Extensions for Stateless IPv6 
>                Address Auto-config
> 
> RFC-3972	March 2005
> 		Cryptographically Generated Addresses (CGAs)
> 
> 
> RFC-4941	September 2007
> 		Revision of RFC-3041
> 
> RFC-4942	July 2007
> 		Support for Multiple Hash Algorithms in
> 		Cryptographically Generated Addresses (CGAs)
> 
> RFC-5535	June 2009
> 		Hash-based Addresses
> 
> RFC-7217	April 2014
> 		Generating Opaque Interface IDs with IPv6 SLAAC
> 		
> 
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssd

v2.23.0 | Report a Bug | By Email