Re: [dtn-security] Re(2): How do you feel about Bonjour/Avahi?

"Graham Keellings (Leonix Solutions Pte Ltd)" <Graham@LeonixSolutions.com> Mon, 13 July 2009 03:22 UTC

Message-ID: <4A5AA83C.7030400@LeonixSolutions.com>
Date: Mon, 13 Jul 2009 11:21:32 +0800
From: "Graham Keellings (Leonix Solutions Pte Ltd)" <Graham@LeonixSolutions.com>
Organization: Leonix Solutions Pte Ltd
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Peter Lovell <plovell@mac.com>
References: <89E48AE60E64EF4E8EB32B0B7EC74920A1B0F5@EVS-EC1-NODE2.surrey.ac.uk> <3A5AA67A8B120B48825BFFCF5443856137E0B06196@NDJSSCC03.ndc.nasa.gov> <4A1DD73F.50000@bbn.com> <023601c9df2a$694fd5b0$3bef8110$@com> <4A2DF7FD.5020104@LeonixSolutions.com> <3A5AA67A8B120B48825BFFCF5443856137E3553C4B@NDJSSCC03.ndc.nasa.gov> <029d01c9e925$1e354880$5a9fd980$@com> <4A46C257.3040006@LeonixSolutions.com> <20090628050243.1566215671@smtp.mac.com> <4A46FBB2.3080205@LeonixSolutions.com> <20090628052255.640550503@smtp.mac.com> <4A470CD7.4010502@LeonixSolutions.com> <20090628141313.1532044204@smtp.mac.com> <4A4878A6.7010707@LeonixSolutions.com> <20090629123400.1726285002@smtp.mac.com> <C304DB494AC0C04C87C6A6E2FF5603DB2217B29183@NDJSSCC01.ndc.nasa.gov> <4A497B04.3070909@LeonixSolutions.com> <20090630122842.1049441707@smtp.mac.com> <4A556063.2010305@LeonixSolutions.com> <20090709041417.302976474@smtp.mac.com> <4A56E1CA.7080000@LeonixSolutions.com> <20090710120958.2016629300@smtp.mac.com>
In-Reply-To: <20090710120958.2016629300@smtp.mac.com>
Content-Type: multipart/mixed; boundary="------------030806060009040706060507"
Cc: dtn-security@maillists.intel-research.net
Subject: Re: [dtn-security] Re(2): How do you feel about Bonjour/Avahi?

Peter Lovell wrote:
> [snip]
>
>>> Bonjour is just a service discovery protocol, not a part of a security
>>> system. And it's localized so that only your neighbours know. It
>>> shouldn't make any difference to integrity or confidentiality as those
>>> should be handled by the defenses you have deployed. At a stretch, it
>>> might make adversaries aware of your system but if they see Bonjour
>>> advertisements then they're close to you already and can see your
>>> network traffic.
>> An excellent point, and one which worries me. How does "standard"
>> security which is not in the DTN part of the system affect the overall
>> system of which DTN is only a part?
>
> I'm not sure I understand your point here. DTN sits on top of various
> transport mechanisms (referred to as "convergence layers" in the specs)
> and these may have their own security mechanisms. These are in addition
> to the dtn ones that only are invoked after coming through the lower
> layers. As an example, if you are using TCP convergence layer, I would
> expect that to defend against common TCP DOS attacks, such as syn-flood.
> DTN doesn't have to deal with those.
>
A point well made. It's not (currently) part of my remit to be concerned
about TCP/IP, WEP/WPA, et al. But it surely needs to be considered in my
system and I don't see who else will do it. Oh, well, that's why systems
have v2.0 :-)

>>> Bonjour and static IP addresses are solutions to different problems. An
>>> IP address allows a system to send something to you. Bonjour allows a
>>> nearby system to find you if it doesn't know your address.
>> In my idea of a "closed, secure" system, if someone does not know my IP
>> address, then I don't even want him to know that I exist (at least, I
>> think so ... )
>
> You might indeed want him not to know, and it might be good to keep as
> low a profile as possible. But in most cases (not all) I wouldn't
> categorize that as real "security". It's like having secret crypto algorithms.
A very good point. Secret crypto is generally snake-oil and certainly 
not widely peer-reviewed.


> Can it be one part of a layered defense? Certainly. Do I place much
> reliance on it? No, with occasional exceptions. 
>
What about this then - is it even feasible? If I know that I have a
closed universe of nodes, can I encrypt the IP headers? That might help
prevent DOS by repeated pinging. Of course, there are only a limited
number of public IP addresses, which could be quickly and easily tried,
but it throws up one more roadblock. Or I could use "real" IP addresses
- maybe IPv6 (after carefully reading
http://www.seanconvery.com/ipv6.html) ...

Am I on a totally wrong track here? Or could encrypted IP headers be one 
more layer of armour?




>>> If you are sensitive about denial-of-service attacks then I would
>>> suggest strongly that you do not use a hard-coded IP address, but
>>> specify a dns address instead.
>>>
>> And that gets resolved to an IP address how? If I have an ad-hoc 
>> network, I don't want to have a DNS server.
>
> The non-Bonjour scenario uses a standard dns server -- nothing strange
> there. Bonjour works in a standard local network (think of a small
> office with DHCP, internet connectivity and with or without a dns server
> for the local machines) or purely ad-hoc. In the ad-hoc case, the
> machines self-assign link-local IP addresses in the range
> 169.254.0.0/16. Discovery is done using multicast-dns. The machines
> respond directly and there is no server involved.
>
Thanks for clarifying. Looks like I need to re-read TCP/IP/DNS for Dummies.

> Cheers.....Peter


-- 
Technical Director
Leonix Solutions (Pte) Ltd
18 Boon Lay Way
#09-95 TradeHub 21
Singapore 609966
Telephone:+65 6316 9968
Fax: +65 6316 9208
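Peter's description of the ad-hoc case (self-assigned 169.254.0.0/16 addresses, discovery over multicast DNS with no server involved) and Graham's wish that a node not even reveal its existence both come down to one question: what does a Bonjour advertisement actually put on the wire? The Python below is an added example, not code from either correspondent or from any DTN implementation. It builds a constructed mDNS response for a hypothetical `_dtn._tcp` service (the service type, instance name, host name, port 4556 and address 169.254.10.20 are all made up for the example), then parses it back the way a neighbour on the same link would and reports the host names, ports and link-local addresses exposed.

```python
import ipaddress
import struct

# mDNS is sent to this multicast group/port (RFC 6762); every host on the link receives it.
MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
# RFC 3927 self-assigned range that ad-hoc Bonjour hosts use when no DHCP server exists.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_rr(name, rtype, rdata, ttl=120):
    """One resource record: name, type, class IN with mDNS cache-flush bit, ttl, rdata."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 0x8001, ttl, len(rdata)) + rdata


def build_sample_response():
    """Constructed mDNS response advertising a hypothetical DTN node; not captured traffic."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 4, 0, 0)  # response + authoritative, 4 answers
    inst = "dtn-node-1._dtn._tcp.local."   # hypothetical service instance
    host = "dtn-node-1.local."              # hypothetical host name
    rrs = build_rr("_dtn._tcp.local.", TYPE_PTR, encode_name(inst))
    rrs += build_rr(inst, TYPE_SRV, struct.pack("!HHH", 0, 0, 4556) + encode_name(host))
    rrs += build_rr(inst, TYPE_TXT, b"\x0bversion=2.0")          # one length-prefixed string
    rrs += build_rr(host, TYPE_A, bytes([169, 254, 10, 20]))    # constructed link-local address
    return header + rrs


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(pkt):
    """Return a dict per resource record in an mDNS response (questions are skipped)."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(pkt, off)
        off += 4                                        # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        rec = {"name": name, "type": rtype, "cache_flush": bool(rclass & 0x8000), "ttl": ttl}
        if rtype == TYPE_PTR:
            rec["target"], _ = read_name(pkt, off)
        elif rtype == TYPE_SRV:
            _prio, _weight, rec["port"] = struct.unpack("!HHH", rdata[:6])
            rec["target"], _ = read_name(pkt, off + 6)
        elif rtype == TYPE_TXT:
            strings, p = [], 0
            while p < len(rdata):
                n = rdata[p]
                strings.append(rdata[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            rec["txt"] = strings
        elif rtype == TYPE_A:
            rec["address"] = str(ipaddress.IPv4Address(rdata))
        off += rdlen
        records.append(rec)
    return records


def exposure_report(pkt):
    """Summarise what any host in the multicast group learns from one advertisement."""
    report = {"services": [], "hosts": {}, "link_local_hosts": []}
    for r in parse_response(pkt):
        if r["type"] == TYPE_SRV:
            report["services"].append((r["name"], r["target"], r["port"]))
        elif r["type"] == TYPE_A:
            report["hosts"][r["name"]] = r["address"]
            if ipaddress.IPv4Address(r["address"]) in LINK_LOCAL:
                report["link_local_hosts"].append(r["name"])
    return report


if __name__ == "__main__":
    for rec in parse_response(build_sample_response()):
        print(rec)
    print(exposure_report(build_sample_response()))
```

Running `exposure_report(build_sample_response())` shows that the PTR, SRV, TXT and A records name the host, its service port and its address in cleartext to every member of the multicast group. That is the whole of what discovery leaks, and it is exactly the information a link-local neighbour could already obtain by watching the segment, which is Peter's point; integrity and confidentiality still rest on the bundle-layer and convergence-layer mechanisms. The defensive lever on the discovery side is simply to advertise no more than the service needs (an empty TXT record instead of version strings, for instance) and to audit, with a parser like this one, what the deployed nodes actually announce.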