
From nobody Fri Dec  5 02:51:18 2014
From: Hosnieh Rafiee <hosnieh.rafiee@huawei.com>
To: Douglas Otis <doug.mtview@gmail.com>
Date: Fri, 5 Dec 2014 10:51:05 +0000
Message-ID: <814D0BFB77D95844A01CA29B44CBF8A7A7DD8A@lhreml513-mbb.china.huawei.com>
References: <814D0BFB77D95844A01CA29B44CBF8A7A5E576@lhreml513-mbb.china.huawei.com> <AD1ACD05-A7BF-44E8-AC52-9BDA756C1722@gmail.com>
In-Reply-To: <AD1ACD05-A7BF-44E8-AC52-9BDA756C1722@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/mfIbqDGk4E4_YAEQzwM19evbwOI
Cc: "dnssd@ietf.org" <dnssd@ietf.org>
Subject: Re: [dnssd] Threat model - answer to questions

Hi Douglas,

Thanks for your comments.

> For resource constrained devices, security is best enforced by use of
<snip>
> Omitting proper address selection rules is unlikely to obtain the
> desired security.  This consideration was omitted in both the Hybrid
> Proxy and Security Threat documents.
>
> Note: Last hop security depends on header compliance with RA Guard
> RFC7113.
Thanks for the clarification. I actually removed it from the document
because in IETF 90, when I was presenting, some folks told me that I
should only focus on the scope of the requirements documents and charter,
which is more related to DNSSD and a little about mDNS.

So, maybe this is a good time to raise this question:

What is the expectation of the threat model? Shall I also evaluate the
currently available documents which also discuss mDNS, or only focus on
the SD part?

Thanks,
Best,
Hosnieh


From nobody Fri Dec  5 07:25:46 2014
From: Ralph Droms <rdroms.ietf@gmail.com>
Message-Id: <A113F1B8-FC7D-4B43-8131-B7289253C3EF@gmail.com>
Date: Fri, 5 Dec 2014 07:25:41 -0800
To: dnssd@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/cEImZaaYszSjGfPbs9rxujuLYjU
Subject: [dnssd] dnssd IETF-91 WG meeting minutes

Draft minutes have been posted at:
http://www.ietf.org/proceedings/91/minutes/minutes-91-dnssd

Please review and inform the chairs of any adds/changes/deletes

- Ralph


From nobody Mon Dec  8 15:27:00 2014
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <814D0BFB77D95844A01CA29B44CBF8A7A7DD8A@lhreml513-mbb.china.huawei.com>
Date: Mon, 8 Dec 2014 15:26:48 -0800
Message-Id: <3F7E9ABD-D110-42AD-B8FA-383FAA50A18B@gmail.com>
References: <814D0BFB77D95844A01CA29B44CBF8A7A5E576@lhreml513-mbb.china.huawei.com> <AD1ACD05-A7BF-44E8-AC52-9BDA756C1722@gmail.com> <814D0BFB77D95844A01CA29B44CBF8A7A7DD8A@lhreml513-mbb.china.huawei.com>
To: Hosnieh Rafiee <hosnieh.rafiee@huawei.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/RGFglMyUO2_LZG18MsAmaXWHP-0
Cc: "dnssd@ietf.org" <dnssd@ietf.org>
Subject: Re: [dnssd] Threat model - answer to questions

On Dec 5, 2014, at 2:51 AM, Hosnieh Rafiee <hosnieh.rafiee@huawei.com> wrote:

> Hi Douglas,
>
> Thanks for your comments.
>
>> For resource constrained devices, security is best enforced by use of
> <snip>
>> Omitting proper address selection rules is unlikely to obtain the
>> desired security.  This consideration was omitted in both the Hybrid
>> Proxy and Security Threat documents.
>>
>> Note: Last hop security depends on header compliance with RA Guard
>> RFC7113.
> Thanks for the clarification. I actually removed it from the document
> because in IETF 90, when I was presenting, some folks told me that I
> should only focus on the scope of the requirements documents and charter,
> which is more related to DNSSD and a little about mDNS.
>
> So, maybe this is a good time to raise this question:
>
> What is the expectation of the threat model? Shall I also evaluate the
> currently available documents which also discuss mDNS, or only focus on
> the SD part?

Dear Hosnieh,

The general goal for using mDNS to populate DNS is to approach
zero-config when networks are isolated on different bridges unable to
automatically propagate multicast traffic without use of protocols like
PIM-SM (RFC3569).  The effects of these methods and their best
implementation should be part of the related threat analysis, although
draft-ietf-dnssd-requirements excluded important concerns.  In essence,
these concerns should include the proper handling of RFC4193 (ULAs).

A statement like:
,--
DNS-SD did not consider the impact of RFC4193, which should be carefully
considered when using mDNS to populate DNS.  As such, a ULA prefix is
not to be advertised outside the network domain. Administrators need to
clearly set the scope of the ULAs and configure ACLs on relevant border
routers to enforce this scope.  If internal DNS is used, administrators
should use internal-only DNS names for ULAs and perhaps use split
horizon DNS to ensure internal names do not resolve on the Internet, as
described in RFC6950.

To maintain security, address preference rules employed by a proxy
device should properly consider use of ULAs as described by RFC7368.
Per section 2.4, a device should only use its ULA address within its
domain. Even where multiple /48 ULA prefixes are in use within a single
domain, as may occur when there are multiple Internet uplinks, utilizing
a ULA source address and a ULA destination address from two disjoint
internal ULA prefixes should still be preferred over GUAs.  When a
device has not been specifically enabled to be externally accessible,
the mDNS proxy into DNS should not publish associated GUAs.
'--

The section: 3.2.1.  Home, Enterprise, Mesh networks:
,--
When ISP, home router/gateway and service provider (like a printer)
support IPv6 address, then service providers usually automatically
sets an IPv6 address. Since this address is global, this node is
accessible over the internet. If the address of this service provider
is known to the attacker, then it might be able to compromise this
service provider and access to this network (because service
providers usually supports weak security features).
'--

Should be:
,--
When the ISP, home router/gateway, and a service (like a printer)
support IPv6 addressing, these services may automatically announce over
mDNS both ULA and GUA addresses.  Since a GUA address is global,
the associated node may become accessible over the Internet.

When the GUA address for a service becomes known to an attacker, it
might grant unintended access to a service otherwise limited by
boundaries imposed by mDNS discovery.
'--

This paragraph offers no protective strategy for devices within a
networking domain supported by DNS-SD populated by the mDNS proxy
scheme.  To be better understood, this paragraph should replace the term
"service provider" with "service".  Unlike IPv4, there can be multiple
IP address assignments per interface.  For example, a printer might
return both GUA and ULA addresses.  From a security standpoint, it
becomes essential that only ULAs be published in DNS-SD populated by mDNS.

CGA-TSIG or DNS over TLS are incongruent with the use of DNS-SD
populated by mDNS, since zero-config is being sought.  Omitting proper
address selection rules will not ensure basic deployments offer the
desired security.  This consideration was omitted in both the Hybrid
Proxy and the requirements documents.  Threat-related documents should
also include the header compliance requirements specified by RA Guard
(RFC7113), which this draft also omits.

Regards,
Douglas Otis
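As an added illustration of the publication and address-preference rules argued for in the message above (example code, not from the thread, the drafts, or any proxy implementation): a Python filter for a hypothetical mDNS-to-DNS-SD proxy that publishes only the domain's own ULAs, publishes GUAs only for services an administrator explicitly enabled, and prefers a ULA source/destination pair drawn from two disjoint internal /48 prefixes over a GUA pair. The policy knobs, service names and addresses are constructed for the example; the prefix ranges are the well-known IANA allocations.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv6Network, ip_address

# Address classes the message distinguishes (well-known allocations).
ULA_RANGE = IPv6Network("fc00::/7")          # RFC4193 Unique Local Addresses
GUA_RANGE = IPv6Network("2000::/3")          # globally routable unicast
LINK_LOCAL_RANGE = IPv6Network("fe80::/10")  # valid on one link only


def classify(addr: str) -> str:
    """Return 'ula', 'gua', 'link-local', 'other-v6' or 'not-ipv6'."""
    a = ip_address(addr)
    if a.version != 6:
        return "not-ipv6"
    if a in ULA_RANGE:
        return "ula"
    if a in GUA_RANGE:
        return "gua"
    if a in LINK_LOCAL_RANGE:
        return "link-local"
    return "other-v6"


@dataclass
class ProxyPolicy:
    """Administrator-set scope, the knobs the message asks for (hypothetical)."""
    # The /48 ULA prefixes this domain treats as internal; more than one may
    # exist when there are multiple Internet uplinks.
    domain_ula_prefixes: list[IPv6Network]
    # Service instances explicitly enabled for external access; only these
    # may have GUAs published.
    externally_accessible: set[str] = field(default_factory=set)

    def is_domain_ula(self, addr: str) -> bool:
        return classify(addr) == "ula" and any(
            ip_address(addr) in p for p in self.domain_ula_prefixes)


def publishable_addresses(service: str, announced: list[str],
                          policy: ProxyPolicy) -> list[str]:
    """Reduce the addresses an mDNS responder announced to those the proxy
    may place in unicast DNS-SD records for `service`:
      - domain ULAs are published;
      - foreign ULAs (another domain's prefix) are out of scope and dropped;
      - GUAs are published only when the service was explicitly enabled;
      - link-local addresses are never published (meaningless off-link)."""
    kept = []
    for addr in announced:
        kind = classify(addr)
        if kind == "ula" and policy.is_domain_ula(addr):
            kept.append(addr)
        elif kind == "gua" and service in policy.externally_accessible:
            kept.append(addr)
        # link-local, foreign ULA, other-v6 and non-IPv6 fall through: dropped
    return kept


def select_pair(local: list[str], remote: list[str], policy: ProxyPolicy):
    """Source/destination preference from the message: a domain-ULA pair wins
    over a GUA pair even when the two ULAs come from disjoint internal /48s.
    Returns (src, dst) or None when no usable pair exists."""
    local_ula = [a for a in local if policy.is_domain_ula(a)]
    remote_ula = [a for a in remote if policy.is_domain_ula(a)]
    if local_ula and remote_ula:
        return local_ula[0], remote_ula[0]
    local_gua = [a for a in local if classify(a) == "gua"]
    remote_gua = [a for a in remote if classify(a) == "gua"]
    if local_gua and remote_gua:
        return local_gua[0], remote_gua[0]
    return None


# Constructed sample: two internal /48 ULA prefixes (one per uplink), three
# services seen over mDNS, and one service an administrator opted in.
POLICY = ProxyPolicy(
    domain_ula_prefixes=[IPv6Network("fd12:3456:789a::/48"),
                         IPv6Network("fdab:cdef:123::/48")],
    externally_accessible={"Media._http._tcp"},
)
ANNOUNCED = {
    "Printer._ipp._tcp": ["fe80::1", "fd12:3456:789a:1::10", "2001:db8:1::10"],
    "Media._http._tcp": ["fd12:3456:789a:2::20", "2001:db8:1::20"],
    "Guest._http._tcp": ["fdff:eeee:dddd::5", "2001:db8:9::5"],  # foreign ULA
}


def publish_all(announced=ANNOUNCED, policy=POLICY) -> dict[str, list[str]]:
    """Run the filter over every announced service; the proxy would build its
    DNS-SD records only from the addresses returned here."""
    return {svc: publishable_addresses(svc, addrs, policy)
            for svc, addrs in announced.items()}


if __name__ == "__main__":
    for svc, addrs in publish_all().items():
        print(f"{svc}: publish {addrs or 'nothing'}")
    print(select_pair(ANNOUNCED["Printer._ipp._tcp"],
                      ["fdab:cdef:123:7::1", "2001:db8:2::1"], POLICY))
```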


From nobody Wed Dec 17 12:12:04 2014
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Message-ID: <20141217201155.19208.95569.idtracker@ietfa.amsl.com>
Date: Wed, 17 Dec 2014 12:11:55 -0800
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/bUCl7zKICglCm4cpb5j_2BCDb0Y
Cc: dnssd@ietf.org
Subject: [dnssd] Last Call: <draft-ietf-dnssd-requirements-04.txt> (Requirements for Scalable DNS-SD/mDNS Extensions) to Informational RFC
Reply-To: ietf@ietf.org

The IESG has received a request from the Extensions for Scalable DNS
Service Discovery  WG (dnssd) to consider the following document:
- 'Requirements for Scalable DNS-SD/mDNS Extensions'
  <draft-ietf-dnssd-requirements-04.txt> as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2014-01-07. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


   DNS-SD/mDNS is widely used today for discovery and resolution of
   services and names on a local link, but there are use cases to extend
   DNS-SD/mDNS to enable service discovery beyond the local link.  This
   document provides a problem statement and a list of requirements.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/ballot/


The following IPR Declarations may be related to this I-D:

   http://datatracker.ietf.org/ipr/2114/




From nobody Wed Dec 17 12:13:09 2014
To: dnssd@ietf.org, dnssd-chairs@tools.ietf.org, draft-ietf-dnssd-requirements.all@tools.ietf.org, tjc@ecs.soton.ac.uk
Message-ID: <20141217192811.9697.79979.idtracker@ietfa.amsl.com>
Date: Wed, 17 Dec 2014 11:28:11 -0800
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/HX_OHT8f_sft-4x5DXu_jVvw2hU
Subject: [dnssd] ID Tracker State Update Notice: <draft-ietf-dnssd-requirements-04.txt>

IESG state changed to Last Call Requested from Publication Requested
ID Tracker URL: http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/


From nobody Wed Dec 17 12:13:10 2014
To: dnssd@ietf.org, dnssd-chairs@tools.ietf.org, draft-ietf-dnssd-requirements.all@tools.ietf.org, tjc@ecs.soton.ac.uk
Message-ID: <20141217201156.19208.89292.idtracker@ietfa.amsl.com>
Date: Wed, 17 Dec 2014 12:11:56 -0800
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/EOj_oz9Jf5b4A2s7m8IlFzHCS6E
Subject: [dnssd] ID Tracker State Update Notice: <draft-ietf-dnssd-requirements-04.txt>

Last call has been made for draft-ietf-dnssd-requirements and state has been changed to In Last Call
ID Tracker URL: http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/


From nobody Thu Dec 18 10:47:14 2014
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Message-ID: <20141218184710.21486.41262.idtracker@ietfa.amsl.com>
Date: Thu, 18 Dec 2014 10:47:10 -0800
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/OtpJbanNRRrRFGi0sIghcs21mqc
Cc: dnssd@ietf.org
Subject: [dnssd] Correction: Last Call: <draft-ietf-dnssd-requirements-04.txt> (Requirements for Scalable DNS-SD/mDNS Extensions) to Informational RFC
Reply-To: ietf@ietf.org

The IESG has received a request from the Extensions for Scalable DNS
Service Discovery  WG (dnssd) to consider the following document:
- 'Requirements for Scalable DNS-SD/mDNS Extensions'
  <draft-ietf-dnssd-requirements-04.txt> as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-01-07. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


   DNS-SD/mDNS is widely used today for discovery and resolution of
   services and names on a local link, but there are use cases to extend
   DNS-SD/mDNS to enable service discovery beyond the local link.  This
   document provides a problem statement and a list of requirements.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/ballot/


The following IPR Declarations may be related to this I-D:

   http://datatracker.ietf.org/ipr/2114/




From nobody Mon Dec 22 01:06:14 2014
To: dnssd@ietf.org, dnssd-chairs@tools.ietf.org, draft-ietf-dnssd-requirements.all@tools.ietf.org, tjc@ecs.soton.ac.uk
Message-ID: <20141218184710.21486.37781.idtracker@ietfa.amsl.com>
Date: Thu, 18 Dec 2014 10:47:10 -0800
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/z3-yU6MarNoUpauNYob8AFWoMW4
Subject: [dnssd] ID Tracker State Update Notice: <draft-ietf-dnssd-requirements-04.txt>

Last call has been made for draft-ietf-dnssd-requirements and state has been changed to In Last Call
ID Tracker URL: http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/


From nobody Mon Dec 22 12:05:42 2014
To: dnssd@ietf.org, dnssd-chairs@tools.ietf.org, draft-ietf-dnssd-requirements.all@tools.ietf.org, tjc@ecs.soton.ac.uk
Message-ID: <20141222200510.9170.5059.idtracker@ietfa.amsl.com>
Date: Mon, 22 Dec 2014 12:05:10 -0800
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/UBvjkpX8RhnOB0jMwsUmpuAMaA0
Subject: [dnssd] ID Tracker State Update Notice: <draft-ietf-dnssd-requirements-04.txt>

IANA review state changed to IANA OK - No Actions Needed
ID Tracker URL: http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/


From nobody Fri Dec 26 12:45:18 2014
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <20141218184710.21486.37781.idtracker@ietfa.amsl.com>
Date: Fri, 26 Dec 2014 12:45:10 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <4A3BA98A-3464-40F4-9B5E-870B49E8D3E1@gmail.com>
References: <20141218184710.21486.37781.idtracker@ietfa.amsl.com>
To: IETF Secretariat <ietf-secretariat-reply@ietf.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/Q1WsilL5wMdR7uJQR6Zqz0krrGQ
Cc: dnssd@ietf.org, dnssd-chairs@tools.ietf.org, iesg-secretary@ietf.org, draft-ietf-dnssd-requirements.all@tools.ietf.org, Tim Chown <tjc@ecs.soton.ac.uk>
Subject: [dnssd] Last Call  draft-ietf-dnssd-requirements-04.txt
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Dec 2014 20:45:16 -0000

On Dec 18, 2014, at 10:47 AM, IETF Secretariat <ietf-secretariat-reply@ietf.org> wrote:

> Last call has been made for draft-ietf-dnssd-requirements and state has been changed to In Last Call
> ID Tracker URL: http://datatracker.ietf.org/doc/draft-ietf-dnssd-requirements/

The dnssd-requirements overlooks significant concerns when publishing
mDNS-derived addresses.

ONE:
Section 5. Namespace Considerations
,---
SSD should support rich internationalized labels within Service
Instance Names, as DNS-SD/mDNS does today.  SSD must not negatively
impact the global DNS namespace or infrastructure.
'---

This added requirement to include U-Labels within DNS-SD introduces
significant risks related to spoofing domains otherwise protected by
restrictions normally imposed by registrars.

This added namespace requirement would be made safer by including:
,+++
mDNS being published into DNS-SD should permit administrative control of
potentially visually conflicting top level domains that would otherwise
be in compliance with RFC5895 (IDNA2008) or additional restrictions
imposed by the domain registrar. One such strategy might permit use of
configured search domains. The published configuration information
restricted to local network should have last hop packets ensured to have
IPv6 header compliance with the use of RA Guard RFC7113.
'+++


TWO:
Dnssd-requirements overlooked concerns related to IPv6 address
selection.  Unlike IPv4, an interface adapter can be assigned multiple
addresses having different scopes. The selection process of these scopes
will have a significant impact on local networks given their greater
exposure when mDNS information is used to populate DNS-SD information.


THREE:
This requirements document assumes use of Enterprise environments but
ignores distribution of reassigned segment prefixes or those that occur
when there are multiple uplinks as may occur when a wired and cellular
provider are both being used.

Section 6. Security Considerations
,---
Insofar as SSD may automatically gather DNS-SD resource records and
publish them over a wide area, the security issues are likely to
include the union of those discussed in the Multicast DNS [mDNS] and
DNS-Based Service Discovery [DNS-SD] specifications.  The following
sections highlight potential threats that are posed by deploying DNS-
SD over multiple links or by automating DNS-SD administration.
'---
...
,---
If the scope of the discovery is not properly set up or constrained,
then information leaks will happen outside the appropriate network.
'---

This statement is rather opaque and unlikely to result in providing
meaningful guidance.  It makes no mention of different types of
addressing often used to limit the scope of an address, especially what
is typically offered with IPv6. Instead, this document incorrectly
assumes such security concerns related to the automated publishing of
mDNS information into DNS-SD have been covered within mDNS or DNS-SD.
They have not!  DNS-SD even states it creates no additional security
concerns since this assumes such concerns are management decisions about
what to publish. Few CPE devices conforming with RFC7084 permit address
specific exceptions for externally initiated sessions.  With such
limitation, acceptance of external sessions becomes either a default
accept or deny setting.

The scope of discovery statement should be clarified with:
,+++
DNS-SD did not consider the impact of RFC4193 which must be carefully
considered when using mDNS to populate DNS-SD.  As such, a ULA prefix is
not to be advertised outside the network domain.  Administrators need to
clearly set the scope of the ULAs and configure ACLs on relevant border
routers to enforce this scope.  If internal DNS is used, administrators
should use internal-only DNS names for ULAs and perhaps use split
horizon DNS to ensure internal names are not resolved on the Internet as
described in RFC6950.

To maintain security, address preference rules employed by publishing
within DNS-SD should properly consider use of ULAs as described by
RFC7368.  Per section 2.4, a device should only use its ULA address
within its domain. Even where multiple /48 ULA prefixes are in use
within a single domain, as may occur when there are multiple Internet
uplinks, utilizing a ULA source address and a ULA destination address
from two disjoint internal ULA prefixes should still be preferred over
GUAs.  When a device has not been specifically enabled to be externally
accessible, mDNS proxy into DNS should not publish associated GUAs.
'+++

Regards,
Douglas Otis
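
The scope-based publication policy argued for in the message above (never
publish link-local, keep ULAs inside a split-horizon internal zone, prefer
ULA over GUA inside the domain, publish GUAs externally only for devices
explicitly enabled for it), written out as a small address-selection
routine for an mDNS-to-DNS-SD proxy. This is an added example; it is not
code from the dnssd-requirements draft, from the poster, or from any
proxy implementation. The function and parameter names, the zone labels
"internal"/"external" and the sample addresses are hypothetical and
constructed for illustration.

```python
"""Scope-aware AAAA selection for an mDNS-to-DNS-SD publishing proxy.

Added illustration (hypothetical names); not from the draft or the poster.
Policy implemented:
  * link-local addresses (fe80::/10) are never published;
  * a ULA (RFC 4193, fc00::/7) is published only into the internal-only
    zone, and only if it falls inside a prefix the administrator declared
    as part of the domain (several /48s allowed for multiple uplinks);
  * inside the domain ULAs are listed ahead of GUAs (RFC 7368 sect. 2.4);
  * a GUA goes into the external zone only for a device explicitly
    enabled for external access.
"""
import ipaddress
from typing import Iterable, List, Optional

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")          # RFC 4193 unique local
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(addr: str) -> str:
    """Return 'link-local', 'ula', 'gua', 'ipv4' or 'other' for an address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GLOBAL_UNICAST:
        return "gua"
    return "other"


def select_for_publication(
    addresses: Iterable[str],
    zone: str,
    externally_accessible: bool = False,
    internal_ula_prefixes: Optional[Iterable[str]] = None,
) -> List[str]:
    """Pick the IPv6 addresses the proxy may place in AAAA records for `zone`.

    zone is "internal" (resolvable only inside the domain) or "external".
    internal_ula_prefixes lists the ULA prefixes that belong to this domain;
    a ULA from any other prefix is treated as foreign and is not published.
    If no prefixes are configured, every ULA is accepted as internal.
    """
    if zone not in ("internal", "external"):
        raise ValueError(f"unknown zone {zone!r}")
    prefixes = [ipaddress.IPv6Network(p) for p in (internal_ula_prefixes or [])]

    ulas: List[str] = []
    guas: List[str] = []
    for addr in addresses:
        kind = classify(addr)
        if kind == "ula":
            ip = ipaddress.IPv6Address(addr)
            if not prefixes or any(ip in p for p in prefixes):
                ulas.append(addr)
        elif kind == "gua":
            guas.append(addr)
        # link-local, IPv4 and anything else are dropped here; IPv4 would
        # need its own A-record policy, which this example does not cover.

    if zone == "internal":
        return ulas + guas               # ULA preferred over GUA in-domain
    # external zone: ULAs must never leave the domain; GUAs only if opted in
    return guas if externally_accessible else []


def aaaa_records(name: str, addresses: List[str], ttl: int = 120) -> List[str]:
    """Render zone-file lines for the selected addresses."""
    return [f"{name} {ttl} IN AAAA {a}" for a in addresses]


if __name__ == "__main__":
    # Constructed sample: one host seen via mDNS with a link-local address,
    # two ULAs from two internal /48s, one foreign ULA and one GUA.
    learned = [
        "fe80::1",
        "fd12:3456:789a::10",
        "2001:db8::10",
        "fdab:cdef:1::10",
        "fdff:ffff:ffff::1",
    ]
    internal = ["fd12:3456:789a::/48", "fdab:cdef:1::/48"]
    chosen = select_for_publication(learned, "internal",
                                    internal_ula_prefixes=internal)
    for line in aaaa_records("printer.internal.example", chosen):
        print(line)
    print(select_for_publication(learned, "external"))
    print(select_for_publication(learned, "external",
                                 externally_accessible=True))
```

The foreign ULA is dropped even from the internal zone because, without
an explicit prefix list, a proxy has no way to tell a neighbouring
network's fd00::/8 space from its own; the ACLs on the border routers
that the message calls for enforce the same boundary on the wire, and
the proxy policy keeps the published names consistent with them.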

