IETF Logo Mail Archive

Re: [dnssd] Security through Obscurity

"Albrecht, Harald" <harald.albrecht@siemens.com> Tue, 29 July 2014 07:26 UTC

Return-Path: <harald.albrecht@siemens.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E76881AD6B0 for <dnssd@ietfa.amsl.com>; Tue, 29 Jul 2014 00:26:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.55
X-Spam-Level:
X-Spam-Status: No, score=-6.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ig3VUJeL4r0g for <dnssd@ietfa.amsl.com>; Tue, 29 Jul 2014 00:26:19 -0700 (PDT)
Received: from gecko.sbs.de (gecko.sbs.de [194.138.37.40]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC1A31AD62C for <dnssd@ietf.org>; Tue, 29 Jul 2014 00:26:18 -0700 (PDT)
Received: from mail1.sbs.de (localhost [127.0.0.1]) by gecko.sbs.de (8.14.3/8.14.3) with ESMTP id s6T7QDKE013025; Tue, 29 Jul 2014 09:26:13 +0200
Received: from DEFTHW99ERMMSX.ww902.siemens.net (defthw99ermmsx.ww902.siemens.net [139.22.70.142]) by mail1.sbs.de (8.14.3/8.14.3) with ESMTP id s6T7QDFj009939 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 29 Jul 2014 09:26:13 +0200
Received: from DEFTHW99EK5MSX.ww902.siemens.net ([169.254.6.83]) by DEFTHW99ERMMSX.ww902.siemens.net ([139.22.70.142]) with mapi id 14.03.0195.001; Tue, 29 Jul 2014 09:26:12 +0200
From: "Albrecht, Harald" <harald.albrecht@siemens.com>
To: Douglas Otis <doug.mtview@gmail.com>, "Kennedy, Smith (Wireless Architect)" <smith.kennedy@hp.com>
Thread-Topic: [dnssd] Security through Obscurity
Thread-Index: AQHPprfbeCMVdoWCv0+IRw2l+oT97JuuTemAgADDcoCAAAvegIAAIsuAgAAJowCAABzGgIAAEAEAgADpzzCAAGScAIAFTO+AgACYA1A=
Date: Tue, 29 Jul 2014 07:26:12 +0000
Message-ID: <E36F274013087B4EA05E08EB503750390BEE65A8@DEFTHW99EK5MSX.ww902.siemens.net>
References: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com> <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com> <0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <EMEW3|faec94f4ff05bea449f9614b93dae254q6NE8Q03tjc|ecs.soton.ac.uk|0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <E6F68BE4-7094-45AA-ADD9-4B88BBC87921@gmail.com> <8465FD60-84CD-41B3-BBE3-1BDB52DF0DDB@hp.com> <364AAF85-5FB4-4828-A5A4-11160E747BC9@gmail.com> <24377.1406225491@sandelman.ca> <3949.1406228928@sandelman.ca> <E36F274013087B4EA05E08EB503750390BEDE8DF@DEFTHW99EK5MSX.ww902.siemens.net> <4CCB4658-8B54-460B-AC4B-8230EEEF54CA@hp.com> <D5D52161-1054-47C7-ABA0-724F50A6AB46@gmail.com>
In-Reply-To: <D5D52161-1054-47C7-ABA0-724F50A6AB46@gmail.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [139.22.70.31]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/iNSRt8A1P8TZVXYbK1flZOVZYg8
Cc: "dnssd@ietf.org" <dnssd@ietf.org>, Michael Richardson <mcr@sandelman.ca>
Subject: Re: [dnssd] Security through Obscurity
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 07:26:21 -0000

Hello,

could it be, per chance, that there are different views on what "publishing" a device's IP address to DNS means? Maybe about what to publish where?

I have problems understanding what publishing a devices " IPv6 public address" (cit) really means? I have learnt that there are GUAs, ULA, LLAs, but what are public addresses? One could argue that publishing an address in itself constitutes public addresses, but that's most probably not helping either. I don't see that publishing an address also automatically constitute its accessibility. To me, a RR dictionary does not constitute security either. If it would, then something would be severely broken.

> -----Ursprüngliche Nachricht-----
> Von: Douglas Otis [mailto:doug.mtview@gmail.com]
> Gesendet: Dienstag, 29. Juli 2014 02:02
> An: Kennedy, Smith (Wireless Architect)
> Cc: Douglas Otis; Albrecht, Harald; dnssd@ietf.org; Michael Richardson
> Betreff: Re: [dnssd] Security through Obscurity
> 
> Agreed.  For example, most printers do not offer user specific security
> measures for their basic operation.  Such user specific secure printing is
> normally done indirectly by accessing shared OS resources offered by a
> server able to establish TLS connections.  The indirectly accessed devices do
> not themselves authenticate for scanning, printing, or faxing in most cases.
> This means publishing their IPv6 public addresses will invite abuse.

Are you talking about abuse by internal users, the users that are connected to the same network? If yes, then this is not even remotely an issue of DNS-SD, this is a network design problem. Either the devices are not suitable for the requirements of safety or the network design is not suitable to cope for end-device misdesign. Either way, DNS-SD and global addresses are wrong trees to bark up.

 >  This is
> only one example of devices never intended to be directly accessible on the
> Internet, and which may be subject to abuse when DNS-SD is used
> indiscriminately.
This is mixing things. Having a global address does not imply global accessability! What does you make believing so? As I'm typing this, my computer has its very own global IPv4 address (ups, shame on me!), yet you won't be ever able to reach it. Yes, I use a unique global IPv4 address ... inside the company intranet. And it's not a private address. So there clearly are secure setups that use global addresses and use DNS-SD and no one drops dead.

> Insecurely assigned prefixes and randomly assigned Interface-IDs never
> being publicly published still offers weak security.  Multiple off-the-shelf
> home routers should be expected to use dynamically assigned prefixes, since
> some insist dynamic prefix assignment improves privacy.  (Some providers
> bind prefix assignments with the MACs used by the modem where any MAC
> change necessitates an approval process.)  Without use of ULA overlay
> addressing in such a home network, firewalls will remain susceptible when
> unable to recognize internal IP addresses, and hence unable to block
> externally initiated sessions.

You are mixing different things here, so it's difficult to understand what your point actually is. First, what are insecurely assigned prefixes?? And yes, IIDs are not for security ... they have one clear purpose: to identify a particular IPv6 interface in a given subnet. So this is as obvious as saying that assigning your subnet routers IPv4 addresses that don't end in .1 or .254 improves security.

ULA addresses are not for security, please show me the RFC that does claim so. Over time, people have come to understand that ULAs offer stable intranet addressing. But what does stable addressing has to do with security? I can't understand why you are mixing up all these different things, it's really hard to understand for me.

> On the other hand, enterprise networks likely have statically assigned
> prefixes.  While static assignment or known router prefix assignment
> information allows greater use of GUA addressing, exploits may still defeat
> stateful src/dst firewall protections.

Should I read this as a plea to move to end-to-end transport security and authentification? If you are arguing for this, then yes, this offers better security. But from your current wording I'm really not clear about what you are trying to argue for. But again, please don't kill the GUAs for something they didn't do.

LG, Harald

v2.23.0 | Report a Bug | By Email