IETF Logo Mail Archive

Re: [dnssd] Any review of Threat model?

Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 04 April 2016 19:13 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 914FF12D64F for <dnssd@ietfa.amsl.com>; Mon, 4 Apr 2016 12:13:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Co1ms-lJnE_T for <dnssd@ietfa.amsl.com>; Mon, 4 Apr 2016 12:13:18 -0700 (PDT)
Received: from mx2.yitter.info (mx2.yitter.info [IPv6:2600:3c03::f03c:91ff:fedf:cfab]) by ietfa.amsl.com (Postfix) with ESMTP id B34CA12D80C for <dnssd@ietf.org>; Mon, 4 Apr 2016 12:13:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx2.yitter.info (Postfix) with ESMTP id EDE6910B21 for <dnssd@ietf.org>; Mon, 4 Apr 2016 19:13:13 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx2.yitter.info ([127.0.0.1]) by localhost (mx2.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1WARlHWO0T9E for <dnssd@ietf.org>; Mon, 4 Apr 2016 19:13:13 +0000 (UTC)
Received: from anvilwalrusden.com (dhcp-b2a2.meeting.ietf.org [31.133.178.162]) by mx2.yitter.info (Postfix) with ESMTPSA id 86EA1106CC for <dnssd@ietf.org>; Mon, 4 Apr 2016 19:13:12 +0000 (UTC)
Date: Mon, 04 Apr 2016 15:13:09 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnssd@ietf.org
Message-ID: <20160404191306.GA36990@anvilwalrusden.com>
References: <56FFE286.9010304@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <56FFE286.9010304@rozanak.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/YttH83zK693oW_SD3vvcXcdxQvA>
Subject: Re: [dnssd] Any review of Threat model?
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2016 19:13:20 -0000

Hi,

On Sat, Apr 02, 2016 at 05:17:26PM +0200, Hosnieh Rafiee wrote:
> 
> Would you please take a look on the latest version of threat model
> https://tools.ietf.org/html/draft-otis-dnssd-scalable-dns-sd-threats-03

I have (at last, apologies for the delay) read this version of the draft.

It's with some distress I say I'm frustrated by this draft, because in
my reading it treats as similar kinds of problems issues that are
vastly different.  At the same time, it isn't clear whether the
document is just attempting to outline what the threats are, or
whether it is trying to prescribe what should happen as a result.  I
think for it to be useful, it still needs an enormous amount of work

    Confusing treatment

Different issues all seem to be treated as "threats" without any way
of telling who is threatened, how, or how severely.

For instance, the issue in 2.1.2.1 is really about user interface.
There are for sure problems with this sort of visual spoofing on the
Internet.  Yet the entire problem of i18n and visual confusability and
so on has literally nothing to do with whether you use IDNA or raw
UTF-8 in the DNS, so that discussion is just a red herring.  The basic
problem is that users can be phished.  If there is an argument here
for why DNS-SD is somehow different in this than everything else on
the Internet, I am unable to detect it.  Moreover, the issue is mixed
in to discussion in section 2.2 as well, where its relevance to
exfiltration is at best unclear.

The issue in 2.1.4, by contrast, is basically an argument that devices
that already rely on security by obscurity need to remain obscure.  I
suppose that's true, but the proposed solution basically just says,
"This feature that we desire shouldn't ever work."  That seems to
operate at an entirely different level than the i18n issues.  Again,
this security-by-obscurity issue reappears in 2.2, where I guess
exfiltration comes up again; I think this is probably the
split-horizon discussion, but it's not that clear.

Yet a different kind of issue -- the side effects of amplification --
are in section 2.3.  This is a generic issue with the DNS and
increasing sizes of RRsets.  It is undoubtedly an issue, but it's far
from plain to me that the explanation here covers the way the issues
play out on the Internet.

The discussion in 3.2 about data integrity after publication as
opposed to the correctness of the data at source is treated as an
"Authorization Issue".  It isn't clear that it is; and this is anyway
a systemic problem with the DNS, so it isn't clear how this is a
special threat case.

    What is the document for?

In general, I find the document confusing, hard to follow, and not
terribly consistent about whether it is reporting threats, or telling
you what you're supposed to do in reaction.  This ambiguity makes the
document in some places contentious when it needn't be, since the
problem described might well be accurate while the proposed solution
is not one with which we'd all agree.  As noted above, for instance,
the very title of 2.1.4 basically undermines one of the obvious use
cases for this protocol, so there's no way that everyone will accept
the advice.  

    What I would do if I wanted this document badly enough

If I were the authors, I'd reorganize the draft.  It seems to me there
are several different kinds of threat here.  One kind is threats that
are inherited by virtue of the kind of system in use.  So, you get the
threat of someone taking over the global DNS registration for a name
because you're using DNS.  Another kind is threats that are not really
new, but that are potentially made more easily available due to
DNS-SD, such as so-called "internal" hosts that get their names more
widely exposed in a split DNS scenario.  Another kind is threats that
are entirely new as a result of this technology.  (If there are any of
these in the document, I dont think I understand that.)

Optionally, and only if the WG wants it, one might then have a section
that lists various mitigation strategies for each of the threats.
Some threats will not be mitigable when using the technology, and the
only mitigation is, "Don't do that."  Others might be mitigable by
this or that action.

I hope these remarks are useful.  I'm sorry it's taken me so long to
get them out.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com

v2.23.0 | Report a Bug | By Email