IETF Logo Mail Archive

Re: [dnssd] Security through Obscurity

Douglas Otis <doug.mtview@gmail.com> Tue, 29 July 2014 00:02 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C17CD1A03A2 for <dnssd@ietfa.amsl.com>; Mon, 28 Jul 2014 17:02:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmHs_V1p98kL for <dnssd@ietfa.amsl.com>; Mon, 28 Jul 2014 17:02:26 -0700 (PDT)
Received: from mail-pa0-x231.google.com (mail-pa0-x231.google.com [IPv6:2607:f8b0:400e:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FEE61A0298 for <dnssd@ietf.org>; Mon, 28 Jul 2014 17:02:26 -0700 (PDT)
Received: by mail-pa0-f49.google.com with SMTP id hz1so11298008pad.22 for <dnssd@ietf.org>; Mon, 28 Jul 2014 17:02:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=lJC60rwGcOuvb/pictQseVZU2IhRT19vo3WatMbT2kk=; b=qcPMByF4IoRTpgZ/XhFSf/kF2/qp+ln0sbwZXMmZoPHsBlsNUy3lpscs39Tih5Z4Fu yj/rJxRL9gKd2G3pJ+1dC61XtmTPxEaSMfH4lQKlQKsWeY4PcIdtbImNoGXDi5KKJS9c uP+WRp8lTDq+zO7ARpByEdUQH7A7nMIZ8burmflVQd+SsRZfqaSh6pnh2p2ek3OUqsEO oUtc70IRiWo1IzfFQgqGTv9TmN5Zm+FsFN9pG9qZhfHT7lhRw4Of9XGptbZecuvtViOg L+Mlg4smOhv69J2liVmDhpP9INQ7QvSWSlkun/RVTD9CrohV2b+W1/HwYIitLhIoemy2 bF4Q==
X-Received: by 10.68.245.100 with SMTP id xn4mr6344896pbc.152.1406592145900; Mon, 28 Jul 2014 17:02:25 -0700 (PDT)
Received: from [192.168.0.54] (107-0-5-6-ip-static.hfc.comcastbusiness.net. [107.0.5.6]) by mx.google.com with ESMTPSA id ph6sm18873169pbc.38.2014.07.28.17.02.24 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 28 Jul 2014 17:02:25 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <4CCB4658-8B54-460B-AC4B-8230EEEF54CA@hp.com>
Date: Mon, 28 Jul 2014 17:02:23 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <D5D52161-1054-47C7-ABA0-724F50A6AB46@gmail.com>
References: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com> <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com> <0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <EMEW3|faec94f4ff05bea449f9614b93dae254q6NE8Q03tjc|ecs.soton.ac.uk|0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk> <E6F68BE4-7094-45AA-ADD9-4B88BBC87921@gmail.com> <8465FD60-84CD-41B3-BBE3-1BDB52DF0DDB@hp.com> <364AAF85-5FB4-4828-A5A4-11160E747BC9@gmail.com> <24377.1406225491@sandelman.ca> <3949.1406228928@sandelman.ca> <E36F274013087B4EA05E08EB503750390BEDE8DF@DEFTHW99EK5MSX.ww902.siemens.net> <4CCB4658-8B54-460B-AC4B-8230EEEF54CA@hp.com>
To: "Kennedy, Smith (Wireless Architect)" <smith.kennedy@hp.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/vxgq4GnyyRfPbzk7GjO73mycZqQ
Cc: "dnssd@ietf.org" <dnssd@ietf.org>, "Albrecht, Harald" <harald.albrecht@siemens.com>, Douglas Otis <doug.mtview@gmail.com>, Michael Richardson <mcr@sandelman.ca>
Subject: Re: [dnssd] Security through Obscurity
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 00:02:29 -0000

On Jul 25, 2014, at 8:05 AM, Kennedy, Smith (Wireless Architect) <smith.kennedy@hp.com> wrote:

> I’m struggling to see how this is a practical example that justifies pre-assigned / predictable IPv6 addresses.
> 
> My primary worry is that this will give people a pseudo-legitimate rationale to continue their tragic antiquated habit of using raw network addresses for things like printer queue creation, which is still all too prevalent today.

Dear Smith,

Agreed.  For example, most printers do not offer user specific security measures for their basic operation.  Such user specific secure printing is normally done indirectly by accessing shared OS resources offered by a server able to establish TLS connections.  The indirectly accessed devices do not themselves authenticate for scanning, printing, or faxing in most cases.  This means publishing their IPv6 public addresses will invite abuse.  This is only one example of devices never intended to be directly accessible on the Internet, and which may be subject to abuse when DNS-SD is used indiscriminately.

This has become a bit muddled, since DNS-SD offers predictable domain assignments conveying IP addresses.  Unless a device is able to authenticate Internet originating sessions, it should not be published in DNS having directly accessible IP addresses.  It’s not a matter of using raw IP addresses - regardless how the address is characterized - it’s a matter of not allowing globally _reachable_ addresses to be published for such devices.  IPv6 firewalls in todays routers are unable to cope with filtering ranges of IPv6 addresses, and devices expected to only connect to a local network will likely have no means of protecting themselves from the large-I Internet.

Insecurely assigned prefixes and randomly assigned Interface-IDs never being publicly published still offers weak security.  Multiple off-the-shelf home routers should be expected to use dynamically assigned prefixes, since some insist dynamic prefix assignment improves privacy.  (Some providers bind prefix assignments with the MACs used by the modem where any MAC change necessitates an approval process.)  Without use of ULA overlay addressing in such a home network, firewalls will remain susceptible when unable to recognize internal IP addresses, and hence unable to block externally initiated sessions.

On the other hand, enterprise networks likely have statically assigned prefixes.  While static assignment or known router prefix assignment information allows greater use of GUA addressing, exploits may still defeat stateful src/dst firewall protections.  Use of tunneling or VPNs into ULA space still provides greater security.  Those who find using ULAs within an Enterprise environment difficult are also likely ill equipped at setting up overlays.  This inability likely means renumbering will be more difficult as well when a prefix nevertheless changes.

Regards,
Douglas Otis

> On 2014-07-25, at 1:21 AM, Albrecht, Harald <harald.albrecht@siemens.com> wrote:
> 
>>> Von: dnssd [mailto:dnssd-bounces@ietf.org] Im Auftrag von Michael
>>> Richardson
>>> Gesendet: Donnerstag, 24. Juli 2014 21:09
>>> Cc: dnssd@ietf.org
>>> Betreff: Re: [dnssd] Security through Obscurity
>>> 
>>> Three printers on the floor.
>>> One is reporting it is broken, so broken that you can't do much more than see
>>> that it exists.
>>> If the IP(v6) address is predictable, and related in some way to the EUI-64,
>>> then you can find the right unit.
>>> The printer has little privacy concerns, seldom visits internet cafes, and is
>>> never found it airport lounges.
>> 
>> In which form do the reporting come in? I would assume that these printers have some labels sticking on them that identify them in a more human-friendly way? Or am I wrong here and missing something? I'm trying to figure out how the reporting process and troubleshooting process will benefit from pre-assigned static LLAs, but I have problems doing so.
>> 
>> By the way -- my home printer has global IPv6 addresses (yes, it has two as Deutsche Telekom assigns temporary PA prefixes). But it has a snuggly firewall in front of it so it is of no concern to me; this printer can't be reached from the outside. These two additional GUAs don't eat up significantly resources, so why do I need to bother? I'm using ULA and LLA internally, so that's what I'm caring about. The GUAs aren't bad in any way ... unless there is general suspicion that GUAs are bad in any case...?
>> 
>> With best regards,
>> Harald
>> 
>> 
>> _______________________________________________
>> dnssd mailing list
>> dnssd@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnssd
> 
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssd

v2.23.0 | Report a Bug | By Email