[dtn-security] Re(2): How do you feel about Bonjour/Avahi?

Peter Lovell <plovell@mac.com> Fri, 10 July 2009 12:11 UTC

From: Peter Lovell <plovell@mac.com>
To: "Graham Keellings (Leonix Solutions Pte Ltd)" <Graham@LeonixSolutions.com>
Date: Fri, 10 Jul 2009 08:09:58 -0400

>> If I'm part of law enforcement, I'll probably value confidentiality most
>> highly (although the courts may emphasize integrity and chain-of-custody
>> for evidence).
>And military? I would imagine that since lives are at stake that might 
>be the defining peak of the pyramid...

Maybe, but let's not take the discussion in that direction.

>> Bonjour is just a service discovery protocol, not a part of a security
>> system. And it's localized so that only your neighbours know. It
>> shouldn't make any difference to integrity or confidentiality as those
>> should be handled by the defenses you have deployed. At a stretch, it
>> might make adversaries aware of your system but if they see Bonjour
>> advertisements then they're close to you already and can see your
>> network traffic.
>An excellent point, and one which worries me. How does "standard" 
>security which is not in the DTN part of the system affect the overall 
>system of which DTN is only a part?

I'm not sure I understand your point here. DTN sits on top of various
transport mechanisms (referred to as "convergence layers" in the specs)
and these may have their own security mechanisms. These are in addition
to the dtn ones that only are invoked after coming through the lower
layers. As an example, if you are using TCP convergence layer, I would
expect that to defend against common TCP DOS attacks, such as syn-flood.
DTN doesn't have to deal with those.

>> Bonjour and static IP addresses are solutions to different problems. An
>> IP address allows a system to send something to you. Bonjour allows a
>> nearby system to find you if it doesn't know your address.
>In my idea of a "closed, secure" system, if someone does not know my IP 
>address, then I don't even want him to know that I exist (at least, I 
>think so ... )

You might indeed want him not to know, and it might be good to keep as
low a profile as possible. But in most cases (not all) I wouldn't
categorize that as real "security". It's like having secret crypto algorithms.

Can it be one part of a layered defense? Certainly. Do I place much
reliance on it? No, with occasional exceptions. 

>> If you are sensitive about denial-of-service attacks then I would
>> suggest strongly that you do not use a hard-coded IP address, but
>> specify a dns address instead.
>And that gets resolved to an IP address how? If I have an ad-hoc 
>network, I don't want to have a DNS server.

The non-Bonjour scenario uses a standard dns server -- nothing strange
there. Bonjour works in a standard local network (think of a small
office with DHCP, internet connectivity and with or without a dns server
for the local machines) or purely ad-hoc. In the ad-hoc case, the
machines self-assign link-local IP addresses in the range Discovery is done using multicast-dns. The machines
respond directly and there is no server involved.
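
The thread above turns on what a Bonjour advertisement reveals to machines on the same link. As an added example that is not part of the original message, this Python sketch decodes the PTR and SRV answers of a multicast-DNS response to list exactly what an announcement discloses (service type, instance name, host and port). The service type `_dtn._tcp`, the host `node1` and port 4556 are constructed sample values, not taken from the thread.

```python
import struct

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(pkt, off, depth=0):
    """Decode a (possibly compressed) name; return (name, next offset)."""
    if depth > 10:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # pointer to a name earlier in the packet
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            return ".".join(labels + [read_name(pkt, ptr, depth + 1)[0]]), off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n

def disclosed(pkt):
    """Return (type, owner, value) for each PTR/SRV answer in an mDNS response."""
    _, _, qd, an, _, _ = struct.unpack_from("!6H", pkt, 0)
    off, found = 12, []
    for _ in range(qd):  # skip any questions: name + type + class
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 12:  # PTR: service type -> instance name
            found.append(("PTR", owner, read_name(pkt, off)[0]))
        elif rtype == 33:  # SRV: instance -> host and port
            port = struct.unpack_from("!H", pkt, off + 4)[0]
            found.append(("SRV", owner, "%s:%d" % (read_name(pkt, off + 6)[0], port)))
        off += rdlen
    return found

def sample_response():
    """Constructed announcement: hypothetical service _dtn._tcp, host node1."""
    svc = encode_name("_dtn._tcp.local")  # lands at offset 12
    inst = b"\x05node1\xc0\x0c"  # "node1" + pointer back to offset 12
    ptr = svc + struct.pack("!HHIH", 12, 1, 120, len(inst)) + inst
    srv_rd = struct.pack("!HHH", 0, 0, 4556) + encode_name("node1.local")
    srv = inst + struct.pack("!HHIH", 33, 0x8001, 120, len(srv_rd)) + srv_rd
    return struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0) + ptr + srv

if __name__ == "__main__":
    for record in disclosed(sample_response()):
        print(record)
```

Running the same decoder over a capture of your own node's announcements shows which names and ports it makes visible on the local link.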