Re: [dnssd] Any review of Threat model?
Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 04 April 2016 19:13 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 914FF12D64F for <dnssd@ietfa.amsl.com>; Mon, 4 Apr 2016 12:13:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Co1ms-lJnE_T for <dnssd@ietfa.amsl.com>; Mon, 4 Apr 2016 12:13:18 -0700 (PDT)
Received: from mx2.yitter.info (mx2.yitter.info [IPv6:2600:3c03::f03c:91ff:fedf:cfab]) by ietfa.amsl.com (Postfix) with ESMTP id B34CA12D80C for <dnssd@ietf.org>; Mon, 4 Apr 2016 12:13:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx2.yitter.info (Postfix) with ESMTP id EDE6910B21 for <dnssd@ietf.org>; Mon, 4 Apr 2016 19:13:13 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx2.yitter.info ([127.0.0.1]) by localhost (mx2.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1WARlHWO0T9E for <dnssd@ietf.org>; Mon, 4 Apr 2016 19:13:13 +0000 (UTC)
Received: from anvilwalrusden.com (dhcp-b2a2.meeting.ietf.org [31.133.178.162]) by mx2.yitter.info (Postfix) with ESMTPSA id 86EA1106CC for <dnssd@ietf.org>; Mon, 4 Apr 2016 19:13:12 +0000 (UTC)
Date: Mon, 04 Apr 2016 15:13:09 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnssd@ietf.org
Message-ID: <20160404191306.GA36990@anvilwalrusden.com>
References: <56FFE286.9010304@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <56FFE286.9010304@rozanak.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/YttH83zK693oW_SD3vvcXcdxQvA>
Subject: Re: [dnssd] Any review of Threat model?
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2016 19:13:20 -0000
Hi, On Sat, Apr 02, 2016 at 05:17:26PM +0200, Hosnieh Rafiee wrote: > > Would you please take a look on the latest version of threat model > https://tools.ietf.org/html/draft-otis-dnssd-scalable-dns-sd-threats-03 I have (at last, apologies for the delay) read this version of the draft. It's with some distress I say I'm frustrated by this draft, because in my reading it treats as similar kinds of problems issues that are vastly different. At the same time, it isn't clear whether the document is just attempting to outline what the threats are, or whether it is trying to prescribe what should happen as a result. I think for it to be useful, it still needs an enormous amount of work Confusing treatment Different issues all seem to be treated as "threats" without any way of telling who is threatened, how, or how severely. For instance, the issue in 2.1.2.1 is really about user interface. There are for sure problems with this sort of visual spoofing on the Internet. Yet the entire problem of i18n and visual confusability and so on has literally nothing to do with whether you use IDNA or raw UTF-8 in the DNS, so that discussion is just a red herring. The basic problem is that users can be phished. If there is an argument here for why DNS-SD is somehow different in this than everything else on the Internet, I am unable to detect it. Moreover, the issue is mixed in to discussion in section 2.2 as well, where its relevance to exfiltration is at best unclear. The issue in 2.1.4, by contrast, is basically an argument that devices that already rely on security by obscurity need to remain obscure. I suppose that's true, but the proposed solution basically just says, "This feature that we desire shouldn't ever work." That seems to operate at an entirely different level than the i18n issues. Again, this security-by-obscurity issue reappears in 2.2, where I guess exfiltration comes up again; I think this is probably the split-horizon discussion, but it's not that clear. Yet a different kind of issue -- the side effects of amplification -- are in section 2.3. This is a generic issue with the DNS and increasing sizes of RRsets. It is undoubtedly an issue, but it's far from plain to me that the explanation here covers the way the issues play out on the Internet. The discussion in 3.2 about data integrity after publication as opposed to the correctness of the data at source is treated as an "Authorization Issue". It isn't clear that it is; and this is anyway a systemic problem with the DNS, so it isn't clear how this is a special threat case. What is the document for? In general, I find the document confusing, hard to follow, and not terribly consistent about whether it is reporting threats, or telling you what you're supposed to do in reaction. This ambiguity makes the document in some places contentious when it needn't be, since the problem described might well be accurate while the proposed solution is not one with which we'd all agree. As noted above, for instance, the very title of 2.1.4 basically undermines one of the obvious use cases for this protocol, so there's no way that everyone will accept the advice. What I would do if I wanted this document badly enough If I were the authors, I'd reorganize the draft. It seems to me there are several different kinds of threat here. One kind is threats that are inherited by virtue of the kind of system in use. So, you get the threat of someone taking over the global DNS registration for a name because you're using DNS. Another kind is threats that are not really new, but that are potentially made more easily available due to DNS-SD, such as so-called "internal" hosts that get their names more widely exposed in a split DNS scenario. Another kind is threats that are entirely new as a result of this technology. (If there are any of these in the document, I dont think I understand that.) Optionally, and only if the WG wants it, one might then have a section that lists various mitigation strategies for each of the threats. Some threats will not be mitigable when using the technology, and the only mitigation is, "Don't do that." Others might be mitigable by this or that action. I hope these remarks are useful. I'm sorry it's taken me so long to get them out. Best regards, A -- Andrew Sullivan ajs@anvilwalrusden.com
- [dnssd] Any review of Threat model? Hosnieh Rafiee
- Re: [dnssd] Any review of Threat model? Andrew Sullivan
- Re: [dnssd] Any review of Threat model? Hosnieh Rafiee
- Re: [dnssd] Any review of Threat model? Andrew Sullivan
- Re: [dnssd] Any review of Threat model? Hosnieh Rafiee
- Re: [dnssd] Any review of Threat model? Andrew Sullivan
- Re: [dnssd] Any review of Threat model? Tim Chown
- Re: [dnssd] Any review of Threat model? Hosnieh Rafiee