On 12/4/14, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> On 12/04/2014 09:56 AM, Jacob Appelbaum wrote:
>
>> I'm currently working with a friend on a privilege-separated DHCP
>> client that does not need raw sockets. It is in the early stages but
>> it is able to do the network lease without being root and without
>> having a raw socket. It is surprising that absolutely no one has done
>> this in the past. I think everyone just looked at the ISC DHCP code
>> and cargo-culted from that point forward.
>>
>>>
>>> In general it might be better for security to have a derooted DHCP
>>> client that does not need CAP_NET_RAW and also has less attack surface
>>> than dhclient (C code + shell scripts).
>>
>> I completely agree. The DHCP client in Tails is a major attack vector.
>> I think that we could patch the ISC daemon, for example, to do some
>> tricks - if we didn't want an outright replacement. If anyone is
>> interested in this and would actually use some patches. I'm wary of
>> starting such a process if it will not be used. I'd rather focus on
>> writing a totally different DHCP client from scratch. My experience
>> with writing tlsdate really influences me on this with regard to
>> Tails.
>>
>>> Maybe use a small replacement
>>> client that does only support the bare minimum needed to get an IPv4/6
>>> address and not the whole spec (instead of trying to fix dhclient)?
>>> Anyways, some efforts for dhclient are made here [3].
>>
>> I think a simple DHCP client is quite straightforward - integration
>> with Network-Manager is probably more difficult than a simple DHCP
>> network client.
>
> I'm not sure i'd characterize a simple DHCP client as "quite
> straightforward", but certainly a minimalist one is more straightforward
> than one which handles all the possible extensions that have cluttered
> DHCP over the years.
>
We've already written the start of a very basic non-raw-socket DHCP
client - it doesn't yet include the parser and later stages, but it does
fetch leases. It is completely straightforward with the basic socket API.
It is absolutely not required to use a raw socket, but it requires some
trickery with the rp_filter in the kernel. The parsers for any DHCP client
are of course rather annoying, and the rest of the hooks are too.
However - remember the DHCP client that talks to the *network* does not
need to do anything other than the full DHCP lease process. Thus, with the
right design, a minimal or a full client is something in another process
anyway.

> I spoke recently with Christian Huitema from Microsoft about having an
> anonymity-preserving DHCP client profile -- one that leaks no additional
> information about the client beyond the current MAC address of the
> requesting device. He offered to spec out exactly what he wants MS to
> plan to do for this; If you're working on a minimalist
> anonymity-preserving client like this, it would be good to coordinate
> with them, so that your client would be indistinguishable from theirs.
>

I'd be happy to talk with them. Please do introduce me to them in some way?

> The main thrust of the profile would be to nail down things like:
>
> * list exactly which options will be emitted in each message sent by
> the client

That sounds good.

>
> * for each emitted option, specify its exact contents

Makes sense.

>
> * specify a deterministic algorithm for mapping the link layer address
> to a value suitable for the client identifier option

That seems reasonable.

>
> * specify the lease renewal behavior algorithm

It seems rather straightforward to use the time offered by the server -
what else do you think is important to consider?

>
> If you're interested, i'm happy to put you and your friend in touch with
> Christian and his team about this. Anonymity loves company!

Sounds good!
All the best,
Jacob
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
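The thread discusses three things a minimal, non-raw-socket DHCP client has to get right: building a DISCOVER with a fixed, small option set, parsing the server's reply defensively (the "annoying" parser), and deriving the client identifier deterministically from the link-layer address. The following Python is an added example written for this page; it is not code from Jacob's client, from the ISC implementation, or from the profile discussed with Microsoft. It uses only a plain AF_INET UDP socket (no AF_PACKET, so no CAP_NET_RAW) and sets the BROADCAST flag so the reply goes to 255.255.255.255, which such a socket can receive before the interface has an address. The constructed sample MAC, transaction id, addresses and the `sample_offer()` reply are invented test data; the rp_filter adjustment the thread mentions is not handled here, and binding port 68 on Linux still needs CAP_NET_BIND_SERVICE or a helper that hands over the bound socket, so `open_client_socket()` is shown but not exercised.

```python
import socket
import struct
from typing import Dict, Tuple

# Fixed-length DHCP header (RFC 2131, section 2), excluding the options field.
_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # start of the options area (RFC 2132)

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_PAD, OPT_SUBNET, OPT_LEASE_TIME, OPT_MSG_TYPE = 0, 1, 51, 53
OPT_SERVER_ID, OPT_PARAM_REQ, OPT_CLIENT_ID, OPT_END = 54, 55, 61, 255

# Constructed sample values (not from the thread): a locally administered
# MAC and a fixed transaction id so the example is reproducible offline.
SAMPLE_MAC = bytes.fromhex("020000000001")
SAMPLE_XID = 0x3903F326


def client_identifier(mac: bytes) -> bytes:
    """Deterministic option-61 value derived only from the link-layer address:
    hardware type 1 (Ethernet) followed by the six MAC bytes (RFC 2132)."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte Ethernet address")
    return b"\x01" + mac


def encode_options(options: Dict[int, bytes]) -> bytes:
    """Serialise options in a fixed (sorted) order so every message is alike."""
    out = bytearray(MAGIC_COOKIE)
    for code in sorted(options):
        data = options[code]
        if not 0 < code < 255 or len(data) > 255:
            raise ValueError("option %d cannot be encoded" % code)
        out += bytes((code, len(data))) + data
    out.append(OPT_END)
    return bytes(out)


def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER with only message type, parameter list and client id.
    Flags 0x8000 (BROADCAST) asks the server to reply by broadcast."""
    zero4 = b"\x00" * 4
    header = _HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                          zero4, zero4, zero4, zero4,
                          mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = {OPT_MSG_TYPE: bytes((DHCPDISCOVER,)),
               OPT_PARAM_REQ: bytes((1, 3, 6)),  # subnet mask, router, DNS
               OPT_CLIENT_ID: client_identifier(mac)}
    return header + encode_options(options)


def parse(packet: bytes) -> Tuple[dict, Dict[int, bytes]]:
    """Bounds-checked parser: rejects a missing cookie, a truncated option or
    an unterminated option list; repeated options concatenate (RFC 3396)."""
    if len(packet) < _HEADER.size + 4:
        raise ValueError("packet too short")
    f = _HEADER.unpack_from(packet)
    if packet[_HEADER.size:_HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    header = {"op": f[0], "xid": f[4], "flags": f[6],
              "yiaddr": socket.inet_ntoa(f[8]), "chaddr": f[11][:f[2]]}
    options: Dict[int, bytes] = {}
    i = _HEADER.size + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("option %d has no length byte" % code)
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = options.get(code, b"") + data
        i += 2 + length
    else:
        raise ValueError("options not terminated by END")
    return header, options


def lease_from_offer(packet: bytes, xid: int, mac: bytes) -> Tuple[str, str, int]:
    """Accept a DHCPOFFER only if it answers our transaction and names our
    hardware address; returns (offered IP, server id, lease seconds)."""
    header, options = parse(packet)
    if header["op"] != BOOTREPLY or header["xid"] != xid or header["chaddr"] != mac:
        raise ValueError("reply is not for this client")
    if options.get(OPT_MSG_TYPE) != bytes((DHCPOFFER,)):
        raise ValueError("not a DHCPOFFER")
    server_id, lease = options.get(OPT_SERVER_ID), options.get(OPT_LEASE_TIME)
    if server_id is None or len(server_id) != 4 or lease is None or len(lease) != 4:
        raise ValueError("offer lacks server identifier or lease time")
    return header["yiaddr"], socket.inet_ntoa(server_id), struct.unpack("!I", lease)[0]


def sample_offer(xid: int, mac: bytes) -> bytes:
    """Constructed DHCPOFFER (test data) as a server at 192.0.2.1 might send."""
    zero4 = b"\x00" * 4
    header = _HEADER.pack(BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,
                          zero4, socket.inet_aton("192.0.2.10"),
                          socket.inet_aton("192.0.2.1"), zero4,
                          mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return header + encode_options({OPT_MSG_TYPE: bytes((DHCPOFFER,)),
                                    OPT_SUBNET: socket.inet_aton("255.255.255.0"),
                                    OPT_SERVER_ID: socket.inet_aton("192.0.2.1"),
                                    OPT_LEASE_TIME: struct.pack("!I", 3600)})


def open_client_socket(ifname: str) -> socket.socket:
    """Ordinary UDP socket for the exchange (no raw socket, no CAP_NET_RAW).
    Linux-specific: SO_BINDTODEVICE (value 25) pins it to one interface."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.setsockopt(socket.SOL_SOCKET, getattr(socket, "SO_BINDTODEVICE", 25),
                    ifname.encode() + b"\x00")
    sock.bind(("", 68))  # privileged port: needs CAP_NET_BIND_SERVICE
    return sock


if __name__ == "__main__":
    discover = build_discover(SAMPLE_MAC, SAMPLE_XID)
    print("DISCOVER is %d bytes, destined for 255.255.255.255:67" % len(discover))
    print(lease_from_offer(sample_offer(SAMPLE_XID, SAMPLE_MAC), SAMPLE_XID, SAMPLE_MAC))
```

The design choices follow the thread: a sorted, fixed option set means every DISCOVER from this client has the same shape (the first two points of the proposed profile), the client identifier is a pure function of the MAC (the third point), and the parser refuses anything not addressed to its own transaction and hardware address, which is the check a replacement for the ISC client would want before acting on a broadcast reply.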