Re: [dtn-security] How do you feel about Bonjour/Avahi?
"Graham Keellings (Leonix Solutions Pte Ltd)" <Graham@LeonixSolutions.com> Fri, 10 July 2009 06:39 UTC
Received: from sky.fastbighost.net (sky.fastbighost.net [76.76.22.153]) by maillists.intel-research.net (8.13.8/8.13.8) with ESMTP id n6A6d3Qj014950 for <dtn-security@maillists.intel-research.net>; Thu, 9 Jul 2009 23:39:03 -0700
Received: from dyn98-b60-access.superdsl.com.sg ([202.73.60.98] helo=[192.9.200.103]) by sky.fastbighost.net with esmtpa (Exim 4.69) (envelope-from <Graham@LeonixSolutions.com>) id 1MP9kE-0007Bb-Kv; Fri, 10 Jul 2009 02:38:07 -0400
Message-ID: <4A56E1CA.7080000@LeonixSolutions.com>
Date: Fri, 10 Jul 2009 14:38:02 +0800
From: "Graham Keellings (Leonix Solutions Pte Ltd)" <Graham@LeonixSolutions.com>
Organization: Leonix Solutions Pte Ltd
To: Peter Lovell <plovell@mac.com>
References: <89E48AE60E64EF4E8EB32B0B7EC74920A1B0F5@EVS-EC1-NODE2.surrey.ac.uk> <4A12195A.6000207@LeonixSolutions.com> <"3A5AA67A8B120B48825BFFCF544385613 7E0B06196"@NDJSSCC03.ndc.nasa.gov> <4A1DD73F.50000@bbn.com> <023601c9df2a$694fd5b0$3bef8110$@com> <4A2DF7FD.5020104@LeonixSolutions.com> <3A5AA67A8B120B48825BFFCF5443856137E3553C4B@NDJSSCC03.ndc.nasa.gov> <"029d01c 9e925$1e354880$5a9fd980$"@com> <4A46C257.3040006@LeonixSolutions.com> <"2009062 8050243.1566215671"@smtp.mac.com> <4A46FBB2.3080205@LeonixSolutions.com> <"2009 0628052255.640550503"@smtp.mac.com> <4A470CD7.4010502@LeonixSolutions.com> <"20 090628141313.1532044204"@smtp.mac.com> <4A4878A6.7010707@LeonixSolutions.com> <20090629123400.1726285002@smtp.mac.com> <C304DB494AC0C04C87C6A6E2FF5603DB2217B29183@NDJSSCC01.ndc.nasa.gov> <4A497B04.3070909@LeonixSolutions.com> <20090630122842.1049441707@smtp.mac.com> <4A556063.2010305@LeonixSolutions.com> <20090709041417.302976474@smtp.mac.com>
In-Reply-To: <20090709041417.302976474@smtp.mac.com>
Cc: dtn-security@maillists.intel-research.net
Subject: Re: [dtn-security] How do you feel about Bonjour/Avahi?
Peter Lovell wrote:
> On Thu, Jul 9, 2009, Graham Keellings (Leonix Solutions Pte Ltd)
> <Graham@leonixsolutions.com> wrote:
>
>> From a security standpoint?
>>
>> How secure is it to have all of my nodes blaring "here I am, bad guys,
>> come and try to connect to me"?
>>
>> Would I be safer just using hard coded IP address?
>>
>> Thanks in advance for any opinions.
>>
>> ~graham();
>
> Hi Graham,
>
> it depends.
>
> Mostly it depends upon the definition you have in mind for "security".
>
> In typical discussions, security encompasses integrity, confidentiality
> and availability. Various organizations will prioritize those differently.

Thanks very much for the swift reply, Peter. It came within ten minutes and I am a day late in replying :-/

I am glad that you mention "availability", because some people with whom I discuss the subject seem fixated on cryptography. As you mention later, we might decline to use Bonjour, but are still broadcasting our presence. That leaves each node open to conventional DoS attacks, but some people seem to see that as not a part of DTN, just some standard "let someone else take care of it, IP" issue.

> Many commercial transactions will place integrity uppermost, although
> those containing sensitive personally-identifying data may have
> confidentiality above all. Thinking about a personal stock trade account
> as an example - my purchase instruction for a thousand shares of some
> company is not very secret but the brokerage really does want to know
> that it is accurate and came from me.
>
> If I'm the exclusive retailer for a top-selling low-priced widget, I'll
> probably tolerate some fraudulent transactions but I *really* need my
> web site to be up all the time, taking orders.
>
> If I'm part of law enforcement, I'll probably value confidentiality most
> highly (although the courts may emphasize integrity and chain-of-custody
> for evidence).
>
> And military?

I would imagine that since lives are at stake that might be the defining peak of the pyramid...

> Bonjour is just a service discovery protocol, not a part of a security
> system. And it's localized so that only your neighbours know. It
> shouldn't make any difference to integrity or confidentiality as those
> should be handled by the defenses you have deployed. At a stretch, it
> might make adversaries aware of your system but if they see Bonjour
> advertisements then they're close to you already and can see your
> network traffic.

An excellent point, and one which worries me. How does "standard" security which is not in the DTN part of the system affect the overall system of which DTN is only a part?

> Bonjour and static IP addresses are solutions to different problems. An
> IP address allows a system to send something to you. Bonjour allows a
> nearby system to find you if it doesn't know your address.

In my idea of a "closed, secure" system, if someone does not know my IP address, then I don't even want him to know that I exist (at least, I think so ... )

> If you are sensitive about denial-of-service attacks then I would
> suggest strongly that you do not use a hard-coded IP address, but
> specify a dns address instead.

And that gets resolved to an IP address how? If I have an ad-hoc network, I don't want to have a DNS server.

> Regards.....Peter

Thanks, Peter. Despite 25+ years of telecoms s/w development, much of what we now discuss is strangely new to me. I am learning a lot from you.

/graham
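The two points argued above, that a Bonjour advertisement reveals a node's presence and that it only reaches link-local neighbours, are easier to weigh once you can see exactly what such an advertisement contains. The following is an added example, not code from this thread or from any DTN implementation: it builds a constructed mDNS (Bonjour/Avahi) response packet for a hypothetical `_dtn._tcp` service type with made-up node names, addresses and TXT keys, then parses it back the way a defender auditing their own nodes' announcements would, including DNS name-compression pointers, which real responders use heavily.

```python
"""Decode an mDNS/Bonjour service advertisement to see what a node discloses.
Added example; the _dtn._tcp service, node1 host and eid TXT key are constructed."""
import struct
from dataclasses import dataclass

MDNS_GROUP = "224.0.0.251"  # link-local multicast group (RFC 6762); not routed off-link
MDNS_PORT = 5353
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33

@dataclass
class Record:
    name: str
    rtype: int
    ttl: int
    rdata: object

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the packet)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 16:                              # defensive: refuse pointer loops
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_mdns(data: bytes) -> list[Record]:
    """Parse every resource record in an mDNS message (questions are skipped)."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rd = data[offset:offset + rdlen]
        if rtype == TYPE_A:
            value = ".".join(str(b) for b in rd)
        elif rtype == TYPE_PTR:
            value, _ = decode_name(data, offset)       # decode in place: rdata may use pointers
        elif rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", rd[:6])
            target, _ = decode_name(data, offset + 6)
            value = {"priority": prio, "weight": weight, "port": port, "target": target}
        elif rtype == TYPE_TXT:
            value, i = [], 0
            while i < len(rd):                          # sequence of length-prefixed strings
                n = rd[i]
                value.append(rd[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
        else:
            value = rd
        offset += rdlen
        records.append(Record(name, rtype, ttl, value))
    return records

def advertised_services(data: bytes) -> list[dict]:
    """Join PTR/SRV/TXT/A records into one view per advertised service instance."""
    recs = parse_mdns(data)
    a_by_host = {r.name: r.rdata for r in recs if r.rtype == TYPE_A}
    out = []
    for p in (r for r in recs if r.rtype == TYPE_PTR):
        inst = p.rdata
        srv = next((r.rdata for r in recs if r.rtype == TYPE_SRV and r.name == inst), None)
        txt = next((r.rdata for r in recs if r.rtype == TYPE_TXT and r.name == inst), [])
        out.append({"service": p.name, "instance": inst,
                    "host": srv["target"] if srv else None,
                    "port": srv["port"] if srv else None,
                    "addr": a_by_host.get(srv["target"]) if srv else None,
                    "txt": txt})
    return out

def build_sample_response() -> bytes:
    """Constructed sample: the announcement a hypothetical DTN node would multicast."""
    pkt = bytearray(struct.pack("!6H", 0, 0x8400, 0, 4, 0, 0))   # response, 4 answers
    ptr = lambda off: struct.pack("!H", 0xC000 | off)
    def add(name_bytes, rtype, rdata, ttl=4500):               # class 0x8001 = IN + cache-flush
        pkt.extend(name_bytes + struct.pack("!HHIH", rtype, 0x8001, ttl, len(rdata)) + rdata)
    svc_off = len(pkt)                                          # "_dtn._tcp.local"
    local_off = svc_off + 5 + 5                                 # the "local" label inside it
    svc = encode_name("_dtn._tcp.local")
    inst_off = svc_off + len(svc) + 10                          # instance name sits in PTR rdata
    add(svc, TYPE_PTR, b"\x05node1" + ptr(svc_off))
    host_off = len(pkt) + 2 + 10 + 6                            # target host sits in SRV rdata
    add(ptr(inst_off), TYPE_SRV, struct.pack("!HHH", 0, 0, 4556) + b"\x05node1" + ptr(local_off))
    add(ptr(inst_off), TYPE_TXT, b"\x09txtvers=1\x0feid=dtn://node1")
    add(ptr(host_off), TYPE_A, bytes([192, 168, 1, 10]), ttl=120)
    return bytes(pkt)

if __name__ == "__main__":
    for s in advertised_services(build_sample_response()):
        print(s)
```

Running it shows that a single advertisement hands a neighbour the service type, instance name, hostname, port, address and whatever operators put into TXT records; that is the inventory to review before deciding whether a node may announce at all. It also illustrates Peter's scoping point: the packet is sent to 224.0.0.251 with link-local scope, so only hosts on the same link receive it, which is why a hard-coded address does not by itself reduce exposure to anyone who is already there.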