Re: Last Call: draft-ietf-dnsop-reflectors-are-evil (Preventing Use of Recursive Nameservers in Reflector Attacks) to BCP
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Last Call: draft-ietf-dnsop-reflectors-are-evil (Preventing Use of Recursive Nameservers in Reflector Attacks) to BCP

At 9:19 AM +0200 9/28/07, Stephane Bortzmeyer wrote: 
On Thu, Sep 27, 2007 at 06:45:55PM -0700,
 Paul Hoffman <paul.hoffman at vpnc.org> wrote
 a message of 36 lines which said:

> It ignores one of the main reasons that many organizations purposely 
 choose to provide recursive lookup to the public, namely for their
 own roaming users.


No, it is *not* ignored. See section 4, for instance :

   o  Use TSIG [RFC2845] or SIG(0) [RFC2931] signed queries to
      authenticate the clients.  This is a less error prone method,
      which allows server operators to provide service to clients who
      change IP address frequently (e.g. roaming clients).

This is a suggestion for something that essentially no one can use today (as is admitted after the text after the quote).

VPN are another solution, although not mentioned in the I-D, may be
because it is obvious.

It is not "obvious", at least to some of the people I have spoken with. It is also not obvious to VPN vendors; otherwise, they would have easy-to-use settings to make it happen. None of the VPN client that I have seen have such settings. Listing such things in the Security Considerations section of a document is a good practice, regardless of what you think is obvious.

At 12:15 PM +0200 9/28/07, Jaap Akkerhuis wrote: 
    There are two major reasons for an organization to not want roaming
    users to trust locally-assigned DNS servers.

Open recursive servers doesn't help in against man in the middle
attacks.

Correct; no one said that they did. Open recursive name servers help against against roaming users being directed to DNS servers whose security policy is different than their organizations'.

If you want to avoid that use VPN's or (for DNS) TSIG. 

Indeed.

I seem to remember that the ID actually mentions that.

I cannot find any mentions of VPNs or IPsec. Given that the document admits that TSIG and SIG(0) are essentially unavailable today on end users systems, and IPsec is much more common, saying something about this in the Security Considerations section might be of value. As my earlier message said, this is not for Section 4, which is only talking about authentication of clients.

At 1:20 PM +0200 9/28/07, Joao Damas wrote:
Opening up your resolver so you can server roaming users, without further protection, is, at best, naive.

From the standpoint of the organization whose security policy includes the way their users do DNS resolution, it is better than nothing, and this document's "best practices" pretty much limit them to nothing. For a non-ISP, ingress filtering will not help at all (even though it should still be implemented, and customers should urge their ISPs to implement it). IP-based authentication does not work for mobile users. Interface-based authentication does not work for mobile users. TSIG and SIG(0) does not work for mobile users until it is implemented in their computers, which the draft admits it is not for the vast majority of users.

If the document doesn't want to deal with those organizations, it needs to say so in the introduction and again in the Security Considerations section.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf



Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.