Re: [dnssd] Threat model - answer to questions

Douglas Otis <> Wed, 19 November 2014 23:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5C14C1A1B16 for <>; Wed, 19 Nov 2014 15:48:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dAeh9B3BXn0Z for <>; Wed, 19 Nov 2014 15:48:50 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c04::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 210D61A1AF3 for <>; Wed, 19 Nov 2014 15:48:50 -0800 (PST)
Received: by with SMTP id z60so1358735qgd.3 for <>; Wed, 19 Nov 2014 15:48:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=pp6syO2tU+t9NQY5rP/PGLDgClbcO0V1uTl5iR/UZXA=; b=iUj12tcxpTc9XZ9EucYeIDjjQHuyeRZxLE38i2BiVZJ2Ol7sHVF3spSz6pUQGcnnp6 Ud/lvV2Z0P5fa44JOWoHlHVXKlc9enDurhzaYnT7S7FyFkzlzFuSDdBQgnDKIbNeuXEl 4M0uX8HD3Sn44jqHtveaVqdVVNSukzFYzaQn+nOrtyCe5Mphvk61AcBqhUt3Lln5/kj4 K2JgjfsrctFOI7rMcALyfKUgMj9kibrG7Si04cV6cApiDy1ZHEGuGCp2bk6aKUQSH6ev hj4iuI7CUqW6DAoOGDZhP0NCLHKTobr2neOTUVj6GY9cGf8roxC+7ZaIPejgqbOdtOFg YCGw==
X-Received: by with SMTP id d67mr32031224qgd.55.1416440929335; Wed, 19 Nov 2014 15:48:49 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id 11sm668227qab.23.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Nov 2014 15:48:48 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: text/plain; charset=windows-1252
From: Douglas Otis <>
In-Reply-To: <>
Date: Wed, 19 Nov 2014 15:48:47 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Hosnieh Rafiee <>
X-Mailer: Apple Mail (2.1878.6)
Cc: "" <>
Subject: Re: [dnssd] Threat model - answer to questions
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Nov 2014 23:48:52 -0000

On Nov 14, 2014, at 7:08 AM, Hosnieh Rafiee <> wrote:

> 5- overlay networks and SSD (Douglas)
> Answer: I still do not understand what is the relationship of overlay networks to SSD. This was the case I did not know what to answer to your question. Why should we consider this? What will happen if we do not consider this?

Dear Hosnieh,

For resource constrained devices, security is best enforced by use of ULA address space defined by RFC4193.  Few CPE devices conforming with RFC7084 permit address specific exceptions for externally initiated sessions.  This limitation makes external exposure either a default accept or deny setting.  ULAs offer a means for resource constrained devices to make exceptions for traffic within its domain.  Otherwise, exclusion of all external initiated sessions might inhibit domain connectivity.

ULA is not an IPv6 version of RFC1918 address space normally combined with NAT/NAPT for Internet connectivity.  ULAs do not require translations since first hop communications can leverage IPv6’s default support of multiple-addresses-per-interface.  This permits network overlays rather than address translation techniques.  An overlay can be achieved by using centrally or locally assigned ULA prefixes (FC00::/8 or FD00::/8).  Apple currently represents the largest deployment of locally assigned ULA prefixes in their Back-to-My-Mac feature by making use of L2TP tunneling.

A ULA prefix is not to be advertised outside a given domain used by agreement of those networked within the domain. Administrators need to clearly set the scope of the ULAs and configure ACLs on relevant border routers to enforce their scope. If internal DNS is used, administrators should use internal-only DNS names for ULAs and might need to use split horizon DNS to ensure internal names do not resolve on the Internet as described in RFC6950.

To maintain security, address preference rules employed by a proxy device should properly consider use of ULAs as described by RFC7368.  Per section 2.4, a device should only use its ULA address within its domain. Even where multiple /48 ULA prefixes are in use within a single domain, as may occur when there are multiple Internet uplinks, utilizing a ULA source address and a ULA destination address from two disjoint internal ULA prefixes should still be preferred over use of GUAs.  When a device has not been specifically enabled to be externally accessible, mDNS proxy into DNS should not publish associated GUAs.

Omitting proper address selection rules is unlikely to obtain the desired security.  This consideration was omitted in both the Hybrid Proxy and Security Threat documents.  

Note: Last hop security depends on header compliance with RA Guard RFC7113. 

Douglas Otis