Re: [dnssd] Security through Obscurity

Tim Chown <tjc@ecs.soton.ac.uk> Thu, 24 July 2014 13:08 UTC

From: Tim Chown <tjc@ecs.soton.ac.uk>
In-Reply-To: <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com>
Date: Thu, 24 Jul 2014 14:07:03 +0100
Message-ID: <EMEW3|faec94f4ff05bea449f9614b93dae254q6NE8Q03tjc|ecs.soton.ac.uk|0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk>
References: <0644A943-80B9-42E0-BF82-3E1113710FA2@gmail.com> <20E4ED19-12BD-45D4-B690-8629B552B23B@gmail.com> <0E0BC226-E68E-4BC2-99EA-AFF1AF96A5EC@ecs.soton.ac.uk>
To: Douglas Otis <doug.mtview@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/yZlZZ5ECgLNs93pF-9ER2vOsZp0
Cc: dnssd@ietf.org, RJ Atkinson <rja.lists@gmail.com>
Subject: Re: [dnssd] Security through Obscurity

On 24 Jul 2014, at 02:27, Douglas Otis <doug.mtview@gmail.com> wrote:

> 
> On Jul 23, 2014, at 4:51 PM, RJ Atkinson <rja.lists@gmail.com> wrote:
> 
>> 
>> (NOTE WELL: I am not a WG Chair, IESG member, IAB member,
>> or authorised spokesperson for anyone other than myself.)
>> 
>> 
>> Earlier Doug Otis wrote:
>>> It is not safe to advertise such addresses in DNS, 
>>> especially when security depends on address obscurity.
>> 
>> 
>> I believe that the vast majority of security folks
>> would object to the notion that obscurity is a mechanism 
>> capable of providing any meaningful security.
>> 
>> If a client were to ask me for advice on protecting their
>> interior services or interior devices from the global Internet, 
>> I would suggest at least a firewall (ranging from router ACLs 
>> to an air-gap: depending upon their local needs and threat model) 
>> and possibly also other measures (again, depending upon local
>> needs and threat model).  Operational security is not 
>> one-size-fits-all, in my experience, but relying upon 
>> security-through-obscurity seems unwise to me.
> 
> I agree with that statement, but at the same time some of these devices are assigned routable addresses by the vendors.  When assigned out of a 48 bit space, it might be possible to guess the device based on common manufacturers.  When randomly assigned by the owner, it is highly unlikely such an address will ever be guessed.  Add rate limiting, and this unknown should work well at mitigating attack.  But as I said, I agree with your statement and why I think mDNS should be working with ULAs.

Doug, if you mean a 48-bit MAC address being embedded in the IPv6 address, see http://tools.ietf.org/html/rfc7217.

I agree with Tom’s comments. A question to discuss in your slot today is when a device has a LL, ULA and GUA, which of those should be advertised via the SD protocol and whether/how that choice can/should be influenced. 

Tim
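As an added illustration of the two points raised in the reply above (a 48-bit MAC embedded in the IPv6 interface identifier, which RFC 7217 was written to avoid, and the link-local / ULA / GUA distinction), here is a small Python check a defender can run over the addresses a host is about to advertise through service discovery. This is example code written for this archive page, not part of the original mail or of any dnssd implementation; the sample addresses are constructed under the 2001:db8::/32 documentation prefix, and the function names are my own. The check classifies each address by scope, recovers the MAC when the interface identifier is a modified EUI-64, and reports MACs that tie several addresses of different scopes to the same interface.

```python
import ipaddress
from collections import defaultdict

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # RFC 4291
ULA = ipaddress.IPv6Network("fc00::/7")              # RFC 4193


def address_scope(addr: str) -> str:
    """Classify an IPv6 address as link-local, ULA, global unicast or other.

    ULA is tested before the global range because fc00::/7 is not inside
    2000::/3, but the order also documents the precedence we want.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def eui64_mac(addr: str):
    """Return the MAC if the interface identifier is a modified EUI-64.

    A MAC-derived IID has the bytes ff:fe in the middle and the u/l bit
    (0x02 of the first byte) inverted.  A randomly generated IID (RFC 4941
    or RFC 7217) matches this pattern only by a 1-in-65536 coincidence, so
    this is a heuristic, not proof; treat a hit as "worth a closer look".
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    first = b[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def audit_addresses(addrs):
    """Scope and MAC-derivation report for every address, as a list of dicts."""
    report = []
    for a in addrs:
        mac = eui64_mac(a)
        report.append({"address": a, "scope": address_scope(a),
                       "mac": mac, "mac_derived": mac is not None})
    return report


def shared_macs(addrs):
    """Map each recovered MAC to the addresses that embed it.

    Two addresses of different scopes that share a MAC let an observer who
    learns one of them (say the link-local address on the LAN) derive the
    other (the global one), which is exactly the guessability concern.
    """
    by_mac = defaultdict(list)
    for a in addrs:
        mac = eui64_mac(a)
        if mac is not None:
            by_mac[mac].append(a)
    return {m: v for m, v in by_mac.items() if len(v) > 1}


# Constructed sample addresses for one host (documentation prefix, not real).
SAMPLE = [
    "fe80::211:22ff:fe33:4455",              # link-local, EUI-64 from a MAC
    "fd12:3456:789a:1::1",                   # ULA, manually assigned
    "2001:db8:1:2:211:22ff:fe33:4455",       # global, same MAC as the LL one
    "2001:db8:1:2:9c3e:51a7:b2d:6f14",       # global, RFC 7217 style (opaque)
]

if __name__ == "__main__":
    for row in audit_addresses(SAMPLE):
        print(f"{row['address']:<36} {row['scope']:<11} mac={row['mac']}")
    for mac, addrs in shared_macs(SAMPLE).items():
        print(f"MAC {mac} links {len(addrs)} addresses: {', '.join(addrs)}")
```

In practice you would feed this the address list your responder is about to publish (for example the AAAA records it would register) and refuse, or at least flag, any global address whose IID is MAC-derived; the ULA versus GUA advertisement choice the reply asks about can then be made on the `scope` field rather than by hand.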