[dnssd] mDNS Proxy Security Concerns Omitted

Douglas Otis <doug.mtview@gmail.com> Sun, 09 November 2014 09:53 UTC

From: Douglas Otis <doug.mtview@gmail.com>
Date: Sun, 09 Nov 2014 01:53:22 -0800
Message-Id: <5394C917-EDDA-4FDC-8221-1BE9CF1138DA@gmail.com>
To: dnssd@ietf.org
Cc: Hosnieh Rafiee <ietf@rozanak.com>
Subject: [dnssd] mDNS Proxy Security Concerns Omitted
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/qMQ8asPYaK6eaKikzfDB9n7p0SA
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>

Dear Hosnieh,

Sorry for the delayed response.  As previously discussed on the dnssd mailing-list and at the last meeting, publishing mDNS information in DNS removes a level of protection from devices needing isolation from direct Internet access. Enterprise and modern home networks anticipate multiple Internet links with configurations unable to propagate mDNS packets or able to scale multicast within enterprise environments.  Nevertheless, publishing routable addresses in DNS introduces concerns omitted from the requirements draft.

Use of overlay networks permits a safe automatic assignment strategy offering assured protection for those devices unable to handle direct Internet access.  An overlay network might leverage Unique Local Unicast Addresses defined by RFC4193 such as FD00::/8.

| 7 bits |1|   40 bits   |   16 bits     |                64 bits               |
+--------+-+-------------+---------------+--------------------------------------+
| Prefix |L| Global ID   | Subnet ID     |             Interface ID             |
+--------+-+-------------+---------------+--------------------------------------+

There are many devices unable to handle direct Internet access and yet respond with their routable IP address over mDNS.  Printers represent a large install base where such a problem exists, although some can handle such access.

Most consumer grade routers either allow or disallow all IPv6 incoming connections.  This restriction inhibits use of multiple Internet access links when initial incoming packets are blocked. Employing an overlay network that simplifies network boundary conditions allows border devices to be robust by enabling a lightweight filtering method, as opposed to use of cryptography, as with VPNs for example.  Also, when bootstrapping an auto-configuration process, it is not safe to assume necessary certificates have been deployed and coordinated by disparate manufacturers when exchanging packets beyond the local network.

Regards,
Douglas Otis
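The following is an added example, not part of the message above or of any dnssd draft: it splits an address into the RFC4193 fields shown in the diagram (Prefix, L, Global ID, Subnet ID, Interface ID), applies a publication policy of the kind the message argues for (an mDNS proxy republishes into unicast DNS only locally assigned ULAs in FD00::/8, never globally routable or link-local addresses), and shows the lightweight border rule that ULA destinations must not arrive from the Internet side. The record names and addresses are constructed sample data; the function names are this example's own.

```python
import ipaddress

# RFC4193: fc00::/7 is the whole ULA block; the L bit set (fd00::/8) means
# "locally assigned", which is the only prefix defined for use today.
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")
LOCALLY_ASSIGNED_ULA = ipaddress.IPv6Network("fd00::/8")


def ula_fields(addr):
    """Split a ULA into the RFC4193 fields:
    7-bit Prefix | 1-bit L | 40-bit Global ID | 16-bit Subnet ID | 64-bit Interface ID."""
    a = ipaddress.IPv6Address(addr)
    if a not in ULA_BLOCK:
        raise ValueError(f"{addr} is not a Unique Local Address")
    n = int(a)
    return {
        "prefix": n >> 121,                       # always 0b1111110 (126)
        "L": (n >> 120) & 1,                      # 1 = locally assigned
        "global_id": (n >> 80) & ((1 << 40) - 1), # pseudo-random site id
        "subnet_id": (n >> 64) & 0xFFFF,
        "interface_id": n & ((1 << 64) - 1),
    }


def publishable(addr):
    """Policy for a proxy that republishes mDNS data into unicast DNS:
    only locally assigned ULAs are exported. Globally routable addresses
    (which would expose the device to direct Internet access) and
    link-local or other special addresses are refused."""
    a = ipaddress.IPv6Address(addr)
    return a in LOCALLY_ASSIGNED_ULA


def filter_mdns_records(records):
    """records: (name, address) pairs learned over mDNS.
    Returns (accepted, rejected) lists according to publishable()."""
    accepted, rejected = [], []
    for name, addr in records:
        (accepted if publishable(addr) else rejected).append((name, addr))
    return accepted, rejected


def border_drop_inbound(dst):
    """Lightweight site-border rule: RFC4193 requires that ULA traffic not be
    forwarded across the site boundary, so an inbound packet from the
    Internet side addressed to a ULA is dropped without any cryptographic
    state, which is the filtering the message contrasts with VPNs."""
    return ipaddress.IPv6Address(dst) in ULA_BLOCK


# Constructed sample: a printer that answers mDNS with both a ULA and a
# global address, and a NAS that only offers a link-local address.
SAMPLE_MDNS_RECORDS = [
    ("printer.local", "fd12:3456:789a:1::1"),
    ("printer.local", "2001:db8::1"),
    ("nas.local", "fe80::1"),
]

if __name__ == "__main__":
    print(ula_fields("fd12:3456:789a:1::1"))
    ok, bad = filter_mdns_records(SAMPLE_MDNS_RECORDS)
    print("publish:", ok)
    print("withhold:", bad)
    print("drop inbound to fd12::1:", border_drop_inbound("fd12::1"))
```

Running the block with the constructed records publishes only the printer's FD00::/8 address and withholds both the global and the link-local ones; `fc00::/8` addresses (L=0) are also withheld because RFC4193 leaves that half of the block undefined.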