Re: Last Call: 'Linklocal Multicast Name Resolution (LLMNR) ' to Proposed Standard

[Ned Freed <ned.freed@mrochek.com>]

> On 10-aug-2005, at 20:47, The IESG wrote:

> > The IESG has received a request from the DNS Extensions WG to
> > consider the
> > following document:

> > - 'Linklocal Multicast Name Resolution (LLMNR) '
> >    <draft-ietf-dnsext-mdns-42.txt> as a Proposed Standard

> > The IESG plans to make a decision in the next few weeks, and solicits
> > final comments on this action.  Please send any comments to the
> > iesg@ietf.org or ietf@ietf.org mailing lists by 2005-08-24.

> Sorry for the delay.

> After the discussion on the IETF list I thought it prudent to do a
> more thorough review of the draft.

Agreed. Although this is not gernally my area, the discussion led me to
review the document.

> This statement:

> [a]  Responders MUST listen on UDP port 5355 on the link-scope multicast
>       address(es) defined in Section 2, and on UDP and TCP port 5355 on
>       the unicast address(es) that could be set as the source address
> (es)
>       when the responder responds to the LLMNR query.

> Seems to be in conflict with:

>     Unicast LLMNR queries MUST be done using TCP and the responses MUST
>     be sent using the same TCP connection as the query.  Senders MUST
>     support sending TCP queries, and responders MUST support listening
>     for TCP queries. If the sender of a TCP query receives a response to
>     that query not using TCP, the response MUST be silently discarded.

>     Unicast UDP queries MUST be silently discarded.

> Why would a responder be required to listen on unicast UDP and then
> have to silently discard anything that comes in?

Indeed. It certainly seems unnecessary to me.

>     Section 2.4 discusses use of TCP for LLMNR queries and
> responses.  In
>     composing an LLMNR query using TCP, the sender MUST set the Hop
> Limit
>     field in the IPv6 header and the TTL field in the IPv4 header of the
>     response to one (1).  The responder SHOULD set the TTL or Hop Limit
>     settings on the TCP listen socket to one (1) so that SYN-ACK packets
>     will have TTL (IPv4) or Hop Limit (IPv6) set to one (1). This
>     prevents an incoming connection from off-link since the sender will
>     not receive a SYN-ACK from the responder.

>     For UDP queries and responses, the Hop Limit field in the IPv6
> header
>     and the TTL field in the IPV4 header MAY be set to any value.
>     However, it is RECOMMENDED that the value 255 be used for
>     compatibility with Apple Bonjour [Bonjour].

> Why not REQUIRE that UDP queries/responses have a TTL of 255. Then
> the receiver of a packet can determine with almost complete certainty
> that the packet didn't traverse any routers by checking if the
> received packet has a TTL of 255. (See (amongst others) ICMPv6 for
> how this works.)

This seems like a reasonable suggestion.

>     Since LLMNR queries can be sent when DNS server(s) do not respond, an
>     attacker can execute a denial of service attack on the DNS server(s)
>     and then poison the LLMNR cache by responding to an LLMNR query with
>     incorrect information.

> Couldn't have said it better myself.

> LLMNR takes the approach of intermingling the locally resolved
> namespace with the globally resolved namespace. This will lead to
> security problems such as the one mentioned above (the security
> considerations section is way too cavalier), but also unduly puts
> strain on both the local and the global mechanisms in the expected
> common case where a host will first try to resolve a name globally
> and failing that, try to resolve the name locally.

Quite correct. In addition, the approach of trying the global DNS then falling
back to LLMNR seems likely to create fertile ground for screwy and hard
to trace errors.

Suppose, for example, the LLMNR resolver is configured (intentionally or
otherwise) to respond to some names that are also defined in the DNS. Perhaps
this was done to provide a fallback service, perhaps it was done in error,
whatever. But since normal DNS provides the information under normal
circumstances this information ends up not being used. Soon it is forgotten,
updates aren't done, and the information goes stale. Then the DNS service
experiences a transient failure. LLNMR now provides the information, but oops,
it's way out of date. And of course by the time someone attempts to track down
the problem the DNS will no doubt be back up and nobody will be able to figure
out what happened.

Debugging name service problems is already difficult enough, thank you very
much, without this added wrinkle.

> For instance, when a user configures a name that doesn't exist in the
> global namespace on a locally reachable device, and then references
> that device by name, this will involve the global DNS unnecessarily.
> Since the intended result does materialize, the user doesn't see a
> failure condition and the situation persists.

It has been claimed elsewhere that this is not so much of an issue because DNS
servers can be configured to reject such queries. I'm afraid I don't buy this
claim, for two reasons. First and most important, implementing such a setup
requires that sites understand and implement consistent naming policies. This
rarely happens in practice. Second, while such setups aren't difficult to
implement with most nameservers, they aren't exactly trivial either. And many
admins are very reluctant to mess around with name server configurations for
fear of breaking something.

> Alternatively, whenever there is a failure in the global DNS, for
> instance because of lack of reachability, unavailability of a DNS
> server or the user typing an incorrect name, this will result in a
> local multicast query. On some links this is very undesirable. Low-
> bandwidth links such as cell phone data services are an obvious
> example. Another one is IEEE 802.11x. Due to its one-to-many nature
> broadcasts and multicasts must be sent at an artificial low bitrate
> on these links, using up an inordinate amount of link bandwidth
> relative to the packet size.

A few additional comments on the draft:

(1) Section 2.3 talks about using LLMNR and MX records to "find a local
    mail server". Trouble is, MX records are used for mail routing on the
    Internet. They are not designed for or used to locate local mail
    servers. And even if this usage made sense, IMO it is inappropriate for
    this document to talk about ways to locate a mail service, if for no
    other reason than service location is supposed to be out of scope.

(2) The abstract and to some extent the introduction talk about the goals of the
    protocol and what the protocol isn't supposed to be. They really should
    focus on what the protocol is.

(3) The entire document seems hugely convoluted and full of warnings,
    caveats, and restrictions. Perhaps this is unavoidable, but the general
    feel is that of a specification grudgingly agreed to as part of some
    sort of compromise, rather than work done to meet a real need.
    Reading the document, I cannot imagine actually wanting to implement it.

(4) Section 2.5 talks about using a TTL value of 255 "for compatibility with
    Bonjour". Given that this work is claimed to be orthogonal to mDNS
    I don't understand why this was included.

> I suggest that the IESG either send back the draft to the wg to fix
> these problems or at most approves publication as an experimental RFC
> and NOT a standards track RFC.

IMO this needs major work even before being approved as experimental. The
overlapped namespace approach in particular seems hugely problematic and IMO
needs to be replaced.

				Ned

P.S. Please note that I have taken no position on the LLMNR vs mDNS debate. I
haaven't even looked at the mDNS specifications. My comments here are solely on
having reviewed LLMNR.

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf