Re: [dnssd] Stephen Farrell's No Objection on draft-ietf-dnssd-requirements-05: (with COMMENT)

Douglas Otis <doug.mtview@gmail.com> Thu, 12 March 2015 18:25 UTC

To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/q2VCgwygph3V2ql3dtRc4PX8SpE>
Cc: draft-ietf-dnssd-requirements.all@ietf.org, dnssd@ietf.org, dnssd-chairs@ietf.org, The IESG <iesg@ietf.org>, tjc@ecs.soton.ac.uk

> On Mar 10, 2015, at 4:04 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> Stephen Farrell has entered the following ballot position for
> draft-ietf-dnssd-requirements-05: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> - section 6 intro: I'm not sure I buy that the set of relevant
> threats is only a union as stated. There are often new threats
> in new environments.
> 
> - 6.6: I think one can also leak private information by
> searching in too broad a scope, e.g. if the client can be
> fingerprinted allowing re-identification. I think that's
> different from the example given, and maybe worth noting too.

Dear Stephen,

I agree with your statement and, based on our tests, these concerns are very real! 

IPv6 can not be defended in the same manner as with IPv4.  With Homenet, an
effort was made to ensure address selection preferences critical when
publishing addresses within DNS but omitted from the requirements documents.  


The statement made in Section 6.1 is poorly considered.
,--
Section 6.1
 ...
 Note that discovery of a service does not necessarily imply that the
 service is reachable by, or can be connected to, or can be used by, a
 given client.  Specific access control mechanisms are out of scope of
 this document.
'---

Or the false statement:
,--
6.5.  Access Control
 ...
 While controlling access to an advertised service is outside the
 scope of DNS-SD, we note that access control today often is provided
 by existing site infrastructure (e.g., router access control lists,
 firewalls) and/or by service-specific mechanisms (e.g., user
 authentication to the service).  For example, networked printers can
 control access via a user-id and password.  Apple's software supports
 such access control for USB printers shared via Mac OS X Printer
 Sharing, as do many networked printers themselves.  So the reliance
 on existing service-specific security mechanisms (i.e. outside the
 scope of DNS-SD) does not create new security considerations.
'---

Most printers DO NOT offer user-id/password access mechanisms and often
IPv6 support removes access control lists.  Homenet and Apple's BTMM
make use of an important overlay approach being ignored both here and with
the insecure UPnP. For this protocol to safely interoperate, an
overlay approach must be supported.  This approach might use ULAs, for 
example. For this to work properly, locally defined addresses must be
preferred when publishing in DNS.

As previously presented, it is a minor fix to correct this oversight.

Regards,
Douglas Otis