On Tue, Jul 19, 2016 at 06:19:15AM -0400, Michael Richardson wrote: > I don't see the problem. > a) proxy mDNS all you like, the proxy reply is supposed to be a > link-local address, and if the mDNS was proxied, then the connection > failed.
Unless multiple devices have the same link-local addresses. Like the cheap arduino's that do not come with unique MAC addresses and where then programmed lazily (happened to me). > b) assuming that a non-link-local address was returned, and the > implementation was given a routable source address, (very possible > on an active LAN with DHCP/SLAAC available), and it connects to > the proxy. There is then an enrollment. Or there isn't. And we could explicitly ask implementations to ignore non-LL addresses because they are an attack vector (one level of security when you do not choose to use audit-token/ownership-voucher is to carefully plug new devices only into sane network sockets, so you definitely do not want to have those sockets infested by mDNS proxied proxy announcements). > b) assuming that the enrollment worked, then whatever the ACP > discovery mechanism is (is it GRASP? I don't know) would run > on the link if the new system wanted to join the ACP. > > We never suggested that this discovery would be mDNS. Yes, that would be GRASP. > > c) I can't imagine that all the IoT spaces will convege on just > > one discovery protocol as heir preference, so i think it's an > > illusion to think we can hit "one preferred" by all model. > > Multiple vendors are doing this. > We made multicast work in great part so that mDNS would work. Link-local or L3 ASM with non-standard larger than LL mDNS ? > > 3. I have never seen point 3. as a system design principle. My > background > > is in routing, and BGP and IGPs for examples are used extensively > > in the same devices running in different instances for different > > isolated domains (eg: l3vpn). Reuse of the same protocols as > > much as possible, because their security properties are understood > > and isolation between different instances is an accepted model of > > reuse and mutual isolation (shared code, no shared data). > > Most priviledge elevation exploits for Windows and Linux leverage that a > feature was added to the code base to support function X, which, when > combined with operation Y, does something unintended. > > For an example from the routing space, I point to why we can't use source > routing in most places. It has no security risks at all until you start > assuming that things behind a firewall are trusted and things outside are > not. I can't translate that into something i think would apply to our case, but if one is worrried that the eg: code-space of full blown GRASP inside the ACP could be be impacted by the insecure mode GRASP, then i think it's most easy to write the 10 lines of code to just implement the periodic insecure mode GRASP announce messages as a one-off. And the overhead to do this would IMHO compare well with risks of any other code basis. > This is the kind of thing that we are thinking about. Sure. Lots of subtle points. To me they just add up to a negative on mDNS in this circumstance. Cheers Toerless > -- > Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- _______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima