RE: zeroconf security

From owner-zeroconf@merit.edu Mon May 1 18:38:17 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA07769 for ; Mon, 1 May 2000 18:38:16 -0400 (EDT) Received: by segue.merit.edu (Postfix) id B9F9A5DDEA; Mon, 1 May 2000 18:38:08 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id A80F75DDF5; Mon, 1 May 2000 18:38:08 -0400 (EDT) Received: from dns3.nec.com (dns3.nec.com [131.241.15.5]) by segue.merit.edu (Postfix) with ESMTP id 388125DDEA for ; Mon, 1 May 2000 18:38:07 -0400 (EDT) Received: from netkeeper.sj.nec.com (netkeeper.sj.nec.com [131.241.31.2]) by dns3.nec.com (ready at/) with ESMTP id PAA03733; Mon, 1 May 2000 15:38:00 -0700 (PDT) Received: from galatica.pc.sj.nec.com (localhost [127.0.0.1]) by netkeeper.sj.nec.com (8.9.1a/8.9.1) with ESMTP id PAA07842; Mon, 1 May 2000 15:37:29 -0700 (PDT) Received: by GALATICA with Internet Mail Service (5.5.2448.0) id ; Mon, 1 May 2000 15:31:36 -0700 Message-ID: From: Jim Busse To: franklin.reynolds@nokia.com, raj@cisco.com, myron.hattig@intel.com Cc: zeroconf@merit.edu Subject: RE: service discovery characteristics Date: Mon, 1 May 2000 15:31:29 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-zeroconf@merit.edu Precedence: bulk Does anyone have the concern about supporting low-bandwidth network physical layers when considering service discovery? Consider the home net with a usual stereo/TV system connected to the HomeRF network as the environment. In to this configuration walks a guy with a notebook and an Acer or Intel Bluetooth PC-card. I think all the tuner/tone/changer/channel/etc characteristics that will get reported may make the bluetooth physical layer inoperable for a significant period of time. If the characteristics get reported using a verbose XML message, that will extend the delay even further, I think. Myron, do you remember the delays we saw when getting bus-resets interconnecting 3 devices on IP/1394 plugfests? And that was a 400mbit physical layer. Or maybe we don't care about low-bandwidth physical layers? Jim Busse -----Original Message----- From: franklin.reynolds@nokia.com [mailto:franklin.reynolds@nokia.com] Sent: Friday, April 28, 2000 1:27 PM To: raj@cisco.com; myron.hattig@intel.com Cc: zeroconf@merit.edu Subject: RE: service discovery characteristics > -----Original Message----- > From: EXT Richard Johnson [mailto:raj@cisco.com] > Sent: Friday, April 28, 2000 3:51 PM > To: Hattig, Myron > Cc: 'zeroconf@merit.edu' > Subject: Re: service discovery characteristics > > > Hattig, Myron writes: > > I think characteristics SHOULD be supported. > Characteristics allow for > > refined queries so that things like color printers can be > discovered instead > > of just printers. The alternative is to discover all > printers then negotiate > > with each to determine whether it supports color printing > or not. In my > > simple view of the world this seems pretty obvious that > characteristics > > SHOULD be supported by a service discovery protocol. Can > someone enlighten > > as to why this is such a debatable topic? > > Ok, I'll try: > > Discovering that a printer *exists* and finding out the > *characteristics* of the printer could be separated. Once you start > down the road of "characteristics", there no end to what could be > done. (Does the printer have 2 or more paper trays? How much paper > is in the paper trays? What type of paper does it print on? How fast > does it print?) Afterall, what if I'm printing a large job (want > something which prints fast), on a special type of paper (want to know > what type of paper is in the trays), and I want it printed *now* (want > a printer which doesn't have any jobs running currently)? Maybe > characteristics should be done using SNMP? > > Anyway, that's an argument against including characteristics in > service discovery. (Flame retardant suit in place.) > > Of course, it's also a matter of how you define the device types. > Your list could consist of "CPU", "printer", "video recorder", etc., > or it could consist of "CPU", "color printer", "b&w printer", "hard > disk video recorder", "VCR". > > /raj I guess I still don't understand. Assuming a device is free to to advertise only its name, what difference does it make whether other devices choose to advertise a large number of characteristics? One argument related to yours is that the query language for characteristic-enabled queries is too complex for simple devices. These days this is only true for the most simple of devices and the most complex of query languages. It seems likely to me that any device that can handle an IP stack has the computational power to handle resonable query processing. Perhaps I am getting old, but I think I have heard this debate many times before. It seems like everytime someone invents a successful, scalable (more than a couple hundred nodes) namespace, they discover that a flat name space is too hard to navigate. "Characteristics" aren't the only approach, but they are a good one. Franklin Reynolds From owner-zeroconf@merit.edu Tue May 2 12:07:37 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA04081 for ; Tue, 2 May 2000 12:07:36 -0400 (EDT) Received: by segue.merit.edu (Postfix) id C123B5DE22; Tue, 2 May 2000 12:07:28 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id AF4C45DE10; Tue, 2 May 2000 12:07:28 -0400 (EDT) Received: from mgw-x1.nokia.com (mgw-x1.nokia.com [131.228.20.21]) by segue.merit.edu (Postfix) with ESMTP id DD5C85DE0A for ; Tue, 2 May 2000 12:07:26 -0400 (EDT) Received: from mgw-i2.ntc.nokia.com (mgw-i2.ntc.nokia.com [131.228.118.61]) by mgw-x1.nokia.com (8.9.3/8.9.3/o) with ESMTP id TAA10632; Tue, 2 May 2000 19:07:11 +0300 (EETDST) From: franklin.reynolds@nokia.com Received: from daebh01nok.americas.nokia.com (daebh01nok.americas.nokia.com [172.18.242.182]) by mgw-i2.ntc.nokia.com (8.9.3/8.9.3) with ESMTP id TAA02622; Tue, 2 May 2000 19:07:08 +0300 (EETDST) Received: by daebh01nok with Internet Mail Service (5.5.2448.0) id ; Tue, 2 May 2000 11:05:44 -0500 Message-ID: To: JIM@pc.sj.nec.com, raj@cisco.com, myron.hattig@intel.com Cc: zeroconf@merit.edu Subject: RE: service discovery characteristics Date: Tue, 2 May 2000 11:04:04 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-zeroconf@merit.edu Precedence: bulk I am quite concerned about low-bandwidth networks, especially bluetooth. However, I am not sure I understand the basis for your concern. It sounds to me like you are suggesting either: a) that the arrival of a new host would trigger a flood of XML-based, advertisement messages from each device/service. b) the ability to send a query that matches all devices and returns all the characteristics of any matching device could cause a network flood. In the first case, I don't understand why an SLP-like approach to characteristic enhanced queries results in advertizement induced overload. In the second case, this is not a low bandwidth network problem, this is a scaling problem which would show up in fast networks, if there were a large number or devices. Characteristic reporting for a large number of devices relative to available message processing power, will always be expensive. The question is whether you allow wildcards or you force the client to ask each device to report their characteristics individually. This is separate from using characteristics (like SLP) to modify selection. Selection without characteristic reporting is less likely (though it is still possible) to overwhelm a network. Franklin > -----Original Message----- > From: EXT Jim Busse [mailto:JIM@pc.sj.nec.com] > Sent: Monday, May 01, 2000 6:31 PM > To: franklin.reynolds@nokia.com; raj@cisco.com; myron.hattig@intel.com > Cc: zeroconf@merit.edu > Subject: RE: service discovery characteristics > > > Does anyone have the concern about supporting low-bandwidth > network physical > layers when considering service discovery? > > Consider the home net with a usual stereo/TV system connected > to the HomeRF > network as the environment. In to this configuration walks a > guy with a > notebook and an Acer or Intel Bluetooth PC-card. I think all the > tuner/tone/changer/channel/etc characteristics that will get > reported may > make the bluetooth physical layer inoperable for a > significant period of > time. If the characteristics get reported using a verbose > XML message, that > will extend the delay even further, I think. > > Myron, do you remember the delays we saw when getting bus-resets > interconnecting 3 devices on IP/1394 plugfests? And that was > a 400mbit > physical layer. > > Or maybe we don't care about low-bandwidth physical layers? > > Jim Busse > From owner-zeroconf@merit.edu Tue May 2 12:34:25 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA04643 for ; Tue, 2 May 2000 12:34:25 -0400 (EDT) Received: by segue.merit.edu (Postfix) id DDE635DE07; Tue, 2 May 2000 12:34:18 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id CE1D45DE00; Tue, 2 May 2000 12:34:18 -0400 (EDT) Received: from lukla.Sun.COM (lukla.Sun.COM [192.18.98.31]) by segue.merit.edu (Postfix) with ESMTP id E1DBC5DDB4 for ; Tue, 2 May 2000 12:34:12 -0400 (EDT) Received: from engmail1.Eng.Sun.COM ([129.146.1.13]) by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id KAA16990; Tue, 2 May 2000 10:23:41 -0600 (MDT) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [129.146.122.19]) by engmail1.Eng.Sun.COM (8.9.1b+Sun/8.9.1/ENSMAIL,v1.6) with ESMTP id JAA14912; Tue, 2 May 2000 09:23:40 -0700 (PDT) Received: from nasnfs.Eng.Sun.COM (pacrimapp2.Singapore.Sun.COM [129.158.124.41]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with ESMTP id JAA07895; Tue, 2 May 2000 09:23:14 -0700 (PDT) From: James Kempf Message-Id: <200005021623.JAA07895@nasnfs.eng.sun.com> Date: Tue, 2 May 2000 09:26:02 -0700 To: Cc: Reply-To: Subject: RE: service discovery characteristics X-Mailer: Sun NetMail 2.3 MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit >I am quite concerned about low-bandwidth networks, especially >bluetooth. However, I am not sure I understand the basis for your >concern. It sounds to me like you are suggesting either: > >a) that the arrival of a new host would trigger a flood of >XML-based, advertisement messages from each device/service. > >b) the ability to send a query that matches all devices and >returns all the characteristics of any matching device could >cause a network flood. > >In the first case, I don't understand why an SLP-like approach >to characteristic enhanced queries results in advertizement >induced overload. > For a system based on client-query like SLP, the delay would only happen if the the arriving client made a blanket query upon arrival rather than performing the query on demand, as applications required access to the services. In addition, the actual amount of data will depend, as Jim originally noted, on the the data format in which the advertisments are transmitted. Something verbose like XML will place a heavier load than a more compact representation. jak From owner-zeroconf@merit.edu Wed May 3 11:12:11 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA03968 for ; Wed, 3 May 2000 11:12:10 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 47FC95DD97; Wed, 3 May 2000 11:11:55 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 310F25DDA9; Wed, 3 May 2000 11:11:55 -0400 (EDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 06F7A5DD97 for ; Wed, 3 May 2000 11:11:54 -0400 (EDT) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id IAA26708 for ; Wed, 3 May 2000 08:11:51 -0700 (PDT) Received: from vayne (muc-isdn-17 [129.157.164.117]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.7) with SMTP id RAA29536; Wed, 3 May 2000 17:11:48 +0200 (MET DST) Date: Wed, 3 May 2000 17:20:33 +0200 (MET DST) From: Erik Guttman Reply-To: Erik Guttman Subject: zeroconf security - conclusions To: zeroconf@merit.edu Cc: erik.guttman@germany.sun.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-zeroconf@merit.edu Precedence: bulk I have reviewed the thread on home networking security. There has been some excellent discussion. This is an attempt to see what the concensus was. Remember that the primary goal of security work in the ZEROCONF WG is to not make IP networking any less secure than it already is. 0 Scope of discussion: 0.1) The ZEROCONF WG is working on 4 protocol areas - host configuration, service discovery, name to address resolution and multicast address allocation. Application level protocols (including device control) are out of scope. 0.2) The threats which have been discussed and broadly agreed upon are: . masquerading (A host uses zeroconf protocols to fool others by sending messages it shouldn't) . hoarding (A host subverts zeroconf protocols by pretending to have resources it doesn't have) . antagonistic server (This server undermines hosts because it uses a protocol which automatically configures hosts which use 'zeroconf protocols') Additional threats which were mentioned were: . Inventory attack - ZeroConf protocols (especially service discovery) would allow thieves to take inventory very easily. . Evesdropping attack - Capturing ZC protocol messages issued by hosts use could inform about what the network is used for, how much it is used, etc. . Denial of service attack - But is there anything specific to Zero Configuration networking here? 0.3) The scenario in which these threats occur is 'remote access.' As Jeff Schiller pointed out in Adelaide, there are social mechanisms for security at home and between neighbors. The real threat is the anonymous stranger attacking from afar. Configuration for such networks can be very simple (such as a group key) since we don't have to differentiate between users and devices on a zeroconf network. We have to assume that an attacker can send and receive messages on the local network since in important cases Zero Configuration protocols will be used on shared access links (RF, power line, 'neighborhood area network' cable subnets, etc.) 1 Conclusions of discussion: 1.1) Punting is not an option. Security does require configuration. So, we have to consider the best, minimal configuration requirements. The ZEROCONF charter includes the following text: ZEROCONF requirements will make networking as easy as possible, but no easier. In some cases other considerations may dominate ease of use. For example, network security requires some configuration which may not be as easy as the unacceptable alternative of 'no security.' 1.2) We are only discussing security for ZC protocols and transitions to 'configured' protocol behavior. Security for application level (device control) protocols is out of scope. It may be that app level protocols can share the same mechanisms, but that is not a requirement. 1.3) There is concern about the default value. - Security enabled means nothing works until it is configured. - Security disabled means many systems will be vulnerable (as one cannot expect all users to do security configuration). It was suggested that there can't be a hard and fast rule - for some applications 'ease of use' demands no security by default. In other cases, safety demands security by default. 1.4) It was suggested that the ability to authenticate messages as having come from a peer with a shared secret may not be enough. Encryption capability, to provide privacy, was suggested as being important. 2 Requirements arising from discussion: 2.1) Hosts MUST implement a security mechanism (or mechanisms) to protect against the following threats: + Hoarding attack. A host MUST be able to determine whether a multicast address allocation claim (used in a claim and defend protocol) is legitimate or not. Protecting against IP address hoarding is NOT a requirement for IPv4, since it would mean securing ARP. That is the concensus of the DHC WG. + Masquerading attack. Service discovery, name to address resolution and multicast address allocation services MUST support a mechanism so that legitimate and illigitimate responses can be differentiated. (Note that in the case of name to address resolution, this protects against a 'hoarding attack.' A malevolent host couldn't respond to all names to prevent 'nameless' host from picking a unique name.) + Antagonistic server attack. The host MUST be able to determine whether a discovered DHCP server, DNS server, SLP DA (or whatever) or MADCAP server is to be used or not. NOTE: This requirement *looks good,* but how many systems in practice are enabled to use DHCP authentication, DNSSec, SLP authentication and MADCAP security? We are 'raising the bar' by requiring this, not avoiding 'making IP less secure' which is our guiding principal. Hosts MAY implement security mechanism to protect them against the following threats: + Evesdropping attack. The host MAY be able to encrypt service discovery, name to address resolution messages. Host configuration (ie. ARP and DHCP) and multicast address allocation messages (ie. MADCAP) do not require encryption as there is little to be learned from them. 2.2) Hosts MUST be configurable to use that security, as easily as possible. 2.3) It is not specified in the requirements whether security is on by default or not. Note that if security is on by default and the host is unconfigured that implies that the host is not usable *until it has been configured.* Some devices (such as those which are dangerous) should require a priori configuration. It is out of the scope of the WG to do more than point this out. 2.4) Security mechanisms used for the four protocol areas covered by Zero Configuration requirements should be the same if possible so they can: + share common implementation + share common configuration + be as easily administered as possible Please send your feedback. If there is broad agreement, I will turn this into an internet draft. Whether we ultimately separate out the security requirements for ZC networking from the current document or not, I would like to focus attention on it so we can make rapid progress. Once we complete our 'requirements' work, we can work on defining the security mechanisms to fulfill the requirements. Whether this should take place in the current ZEROCONF WG or a new WG needs to be chartered is a separate discussion. Stay tuned. Erik From owner-zeroconf@merit.edu Wed May 3 11:13:38 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA04025 for ; Wed, 3 May 2000 11:13:37 -0400 (EDT) Received: by segue.merit.edu (Postfix) id C2DF05DDBD; Wed, 3 May 2000 11:13:30 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id B1CBB5DDBB; Wed, 3 May 2000 11:13:30 -0400 (EDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 3E1F75DDA9 for ; Wed, 3 May 2000 11:13:29 -0400 (EDT) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id IAA27527; Wed, 3 May 2000 08:13:24 -0700 (PDT) Received: from vayne (muc-isdn-17 [129.157.164.117]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.7) with SMTP id RAA29631; Wed, 3 May 2000 17:13:21 +0200 (MET DST) Date: Wed, 3 May 2000 17:22:06 +0200 (MET DST) From: Erik Guttman Reply-To: Erik Guttman Subject: Re: home networking security To: zeroconf@merit.edu Cc: erik.guttman@germany.sun.com, Daniel Senie Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-zeroconf@merit.edu Precedence: bulk At 10:57 PM 04/09/2000 -0400, Daniel Senie wrote: >Before we continue down this path of figuring out security for accessing >these various devices in the house, can we figure out where the >addresses assigned to your water heater came from? Daniel, Thanks for your many comments on this thread. At 10:57 PM 04/09/2000 -0400, Daniel Senie wrote: >Before we continue down this path of figuring out security for accessing >these various devices in the house, Just to be clear, protecting devices from being accessed is beyond the scope of the working group. Protecting the infrastructure by which devices are configured (or autoconfigure) is within scope. > can we figure out where the addresses assigned to your water heater > came from? Zeroconf protocols are independent. That is, a host could have a configured global address but still use ZC mechanisms for service discovery, name resolution and multicast address allocation. Further, even if addresses were assigned as link-local, it doesn't mean that hosts remote to the link don't have access to it. (The link may be shared access media). Finally, the zeroconf water heater may be given a routable address by a hostile DHCP server as part of making accessible to an attack. Erik From owner-zeroconf@merit.edu Wed May 3 12:54:54 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA06105 for ; Wed, 3 May 2000 12:54:53 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 2B0925DDC2; Wed, 3 May 2000 12:54:42 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 1AE8A5DDC0; Wed, 3 May 2000 12:54:42 -0400 (EDT) Received: from monitor.internaut.com (mg-206253200-16.ricochet.net [206.253.200.16]) by segue.merit.edu (Postfix) with ESMTP id 1FC8F5DDBE for ; Wed, 3 May 2000 12:54:38 -0400 (EDT) Received: from vaiobean (vaiobean.ntdev.microsoft.com [204.57.137.66] (may be forged)) by monitor.internaut.com (8.9.2/8.8.8) with SMTP id JAA88778; Wed, 3 May 2000 09:39:25 -0700 (PDT) Reply-To: From: "Bernard Aboba" To: "'Erik Guttman'" , Subject: RE: zeroconf security - conclusions Date: Wed, 3 May 2000 09:56:24 -0700 Message-ID: <000c01bfb520$85093fa0$428939cc@ntdev.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 In-Reply-To: Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit >Antagonistic server attack. The host MUST be able to determine >whether a discovered DHCP server, DNS server, SLP DA (or >whatever) or MADCAP server is to be used or not. >NOTE: This requirement *looks good,* but how many systems in > practice are enabled to use DHCP authentication, DNSSec, SLP > authentication and MADCAP security? If one assumes that all of these services reside on a home gateway, it may be quite reasonable to come up with a relatively simple way of securing all of them. However, saying that the host MUST be able to use it seems like raising the bar too high, given that very few hosts can do this today. From owner-zeroconf@merit.edu Wed May 3 14:44:21 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA08847 for ; Wed, 3 May 2000 14:44:20 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 3260B5DDA9; Wed, 3 May 2000 14:44:09 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 0CF715DDAC; Wed, 3 May 2000 14:44:09 -0400 (EDT) Received: from ganymede.or.intel.com (ganymede.or.intel.com [134.134.248.3]) by segue.merit.edu (Postfix) with ESMTP id 712A45DDA9 for ; Wed, 3 May 2000 14:44:07 -0400 (EDT) Received: from SMTP (orsmsxvs02-1.jf.intel.com [192.168.65.201]) by ganymede.or.intel.com (8.9.1a+p1/8.9.1/d: relay.m4,v 1.22 2000/04/06 17:58:51 dmccart Exp $) with SMTP id LAA02027; Wed, 3 May 2000 11:43:58 -0700 (PDT) Received: from orsmsx29.jf.intel.com ([192.168.70.29]) by 192.168.70.201 (Norton AntiVirus for Internet Email Gateways 1.0) ; Wed, 03 May 2000 18:43:57 0000 (GMT) Received: by orsmsx29.jf.intel.com with Internet Mail Service (5.5.2448.0) id ; Wed, 3 May 2000 11:43:56 -0700 Message-ID: <392A357CE6FFD111AC3E00A0C99848B002FE962D@hdsmsx31.hd.intel.com> From: "Walker, Jesse" To: "'Erik Guttman'" Cc: zeroconf@merit.edu Subject: RE: zeroconf security - conclusions Date: Wed, 3 May 2000 11:43:52 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-zeroconf@merit.edu Precedence: bulk Erik: Very nice summary. I agree with most of it, and so raise questions about only a handful of the statements from your text. 0.3) The scenario in which these threats occur is 'remote access.' As Jeff Schiller pointed out in Adelaide, there are social mechanisms for security at home and between neighbors. The real threat is the anonymous stranger attacking from afar. Wireless is changing this, unless people install their wireless LANs outside their home firewalls. It is a very large leap of faith to assume people will do this. Configuration for such networks can be very simple (such as a group key) since we don't have to differentiate between users and devices on a zeroconf network. It is not evident that group keys can provide any kind of a useful solution for many problems, especially because of the emergence of wireless. Use of group keys means LAN users need to reconfigure all the devices relying on these keys to reestablish security in the event of divorce or betrayal by a previously trusted friend. If wireless indeed makes easy revocation a requirement, as I think it does, then it is unfortunately hard to imagine anything short of a credentials management scheme being part of the solution. If this is the case, the proper requirement is that the credentials management scheme has to be simple to use. 2.1) Hosts MUST implement a security mechanism (or mechanisms) to protect against the following threats: + Hoarding attack. A host MUST be able to determine whether a multicast address allocation claim (used in a claim and defend protocol) is legitimate or not. Depending on your assumptions about overall network size and credentials management schemes deployed, this might not be feasible except by using asymmetric key techniques. My guess is the low end market will be unwilling to pay the computational and administrative costs associated with existing asymmetric key techniques for a very long time. Perhaps this requirement should be a MAY; or it may simply require more discussion to narrow the requirement sufficiently to something vendors can implement and users will actually deploy. 2.2) Hosts MUST be configurable to use that security, as easily as possible. My concern with this is we need to specify what we means by "security". Without doing that, this is a very open-ended requirement, and we will never be able to determine when implementations do or do not conform. Jesse Walker Intel Corporation 2111 N.E. 25th Avenue Hillsboro, OR 97214-5961 (503) 712-1849 jesse.walker@intel.com From owner-zeroconf@merit.edu Thu May 4 01:59:10 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA23261 for ; Thu, 4 May 2000 01:59:09 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 84B2A5DDC0; Thu, 4 May 2000 01:58:53 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 6A7545DDB8; Thu, 4 May 2000 01:58:53 -0400 (EDT) Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by segue.merit.edu (Postfix) with ESMTP id 985D65DDA5 for ; Thu, 4 May 2000 01:58:51 -0400 (EDT) Received: from SERVER ([63.199.7.253]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with SMTP id <0FU000BFYTS4SA@mta5.snfc21.pbi.net> for ZeroConf@Merit.edu; Wed, 3 May 2000 22:55:16 -0700 (PDT) Date: Wed, 03 May 2000 22:52:35 -0700 From: Peter Johansson Subject: Re: zeroconf security - conclusions In-reply-to: X-Sender: Celeborn@PacBell.net To: Zero Configuration Message-id: <3.0.5.32.20000503225235.00968bf0@PacBell.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Content-type: text/plain; charset="us-ascii" Sender: owner-zeroconf@merit.edu Precedence: bulk At 05:20 PM 5/3/00 +0200, Erik Guttman wrote: <<2.3) It is not specified in the requirements whether security is on by default or not. Note that if security is on by default and the host is unconfigured that implies that the host is not usable *until it has been configured.* Some devices (such as those which are dangerous) should require a priori configuration. It is out of the scope of the WG to do more than point this out.>> I think a useful zero configuration draft is going to have to do more than make the observation that, "Well, you can have security enabled or you can have it disabled." The key element is informed consent of the user. If I buy a device labeled "SECURE" or "INSECURE" there need to be some minimal behavioral expectations upon which I can rely. I don't single out this WG for criticism---I think the problem of inadequate disclosure of security risks is rampant in the current rush to deploy broadband---but I don't think the working gruop can punt on this one, either. I'm sorry I don't have a ready-made solution, but I do think more discussion will be needed on this issue, that it's not sufficient to describe the pros and cons. Regards, Peter Johansson Congruent Software, Inc. 98 Colorado Avenue Berkeley, CA 94707 (510) 527-3926 (510) 527-3856 FAX PJohansson@ACM.org From owner-zeroconf@merit.edu Thu May 4 01:59:16 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA23272 for ; Thu, 4 May 2000 01:59:15 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 19ACA5DDA9; Thu, 4 May 2000 01:58:54 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id E5A935DDA5; Thu, 4 May 2000 01:58:53 -0400 (EDT) Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by segue.merit.edu (Postfix) with ESMTP id BEDF15DDA9 for ; Thu, 4 May 2000 01:58:51 -0400 (EDT) Received: from SERVER ([63.199.7.253]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with SMTP id <0FU000BFYTS4SA@mta5.snfc21.pbi.net> for ZeroConf@Merit.edu; Wed, 3 May 2000 22:55:17 -0700 (PDT) Date: Wed, 03 May 2000 22:52:17 -0700 From: Peter Johansson Subject: Re: zeroconf security - conclusions In-reply-to: X-Sender: Celeborn@PacBell.net To: Zero Configuration Message-id: <3.0.5.32.20000503225217.00958cd0@PacBell.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Content-type: text/plain; charset="us-ascii" Sender: owner-zeroconf@merit.edu Precedence: bulk At 05:20 PM 5/3/00 +0200, Erik Guttman wrote: <> If I have been tripped up by some subtle meaning of the word "remote" above (and consequently misunderstand the conclusion) please excuse me. But if I read it correctly, I don't feel at all secure that I have adequate social mechanisms for addressing security transgressions by my neighbors! Adequate "social mechanisms" work just fine when the problem is as minor as your neighbor's annoying, constantly barking dog or incessant wind chime---no lasting harm is done in the interval that social mechanisms yield a resolution. If the social mechanisms fail, the continuing harm done is of a relatively minor scale. But if we're talking about my private and sensitive data, I am not willing to wait to apply "social mechanisms" until after a sociopathic neighbor has made off with the goods! or regularly and consistently denied me use of my system! So, someone, please tell me I've completely misunderstood what has been said. Regards, Peter Johansson Congruent Software, Inc. 98 Colorado Avenue Berkeley, CA 94707 (510) 527-3926 (510) 527-3856 FAX PJohansson@ACM.org From owner-zeroconf@merit.edu Thu May 4 10:22:07 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA06575 for ; Thu, 4 May 2000 10:22:06 -0400 (EDT) Received: by segue.merit.edu (Postfix) id F1C615DDE8; Thu, 4 May 2000 10:21:57 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id D9E3F5DDE4; Thu, 4 May 2000 10:21:57 -0400 (EDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id ADABB5DE0B for ; Thu, 4 May 2000 10:21:55 -0400 (EDT) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id HAA16105; Thu, 4 May 2000 07:21:51 -0700 (PDT) Received: from vayne (muc-isdn-19 [129.157.164.119]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.7) with SMTP id QAA03399; Thu, 4 May 2000 16:21:49 +0200 (MET DST) Date: Thu, 4 May 2000 16:30:33 +0200 (MET DST) From: Erik Guttman Reply-To: Erik Guttman Subject: RE: zeroconf security - conclusions To: aboba@internaut.com Cc: "'Erik Guttman'" , zeroconf@merit.edu In-Reply-To: "Your message with ID" <000c01bfb520$85093fa0$428939cc@ntdev.microsoft.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-zeroconf@merit.edu Precedence: bulk > >Antagonistic server attack. The host MUST be able to determine > >whether a discovered DHCP server, DNS server, SLP DA (or > >whatever) or MADCAP server is to be used or not. > > >NOTE: This requirement *looks good,* but how many systems in > > practice are enabled to use DHCP authentication, DNSSec, SLP > > authentication and MADCAP security? > > If one assumes that all of these services reside on a home > gateway, it may be quite reasonable to come up with a > relatively simple way of securing all of them. However, > saying that the host MUST be able to use it seems like > raising the bar too high, given that very few hosts can > do this today. SHOULD? MAY? Or is this really out of scope? Would we be specifying requirements for clients of *non-zeroconf* protocols? Erik From owner-zeroconf@merit.edu Thu May 4 10:33:43 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA06787 for ; Thu, 4 May 2000 10:33:42 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 1B9405DDFA; Thu, 4 May 2000 10:33:01 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 05FE15DE0C; Thu, 4 May 2000 10:33:00 -0400 (EDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 82D5C5DDFA for ; Thu, 4 May 2000 10:32:59 -0400 (EDT) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id HAA20147; Thu, 4 May 2000 07:32:57 -0700 (PDT) Received: from vayne (muc-isdn-19 [129.157.164.119]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.7) with SMTP id QAA03866; Thu, 4 May 2000 16:32:53 +0200 (MET DST) Date: Thu, 4 May 2000 16:41:37 +0200 (MET DST) From: Erik Guttman Reply-To: Erik Guttman Subject: Re: zeroconf security - conclusions To: Peter Johansson Cc: Zero Configuration In-Reply-To: "Your message with ID" <3.0.5.32.20000503225217.00958cd0@PacBell.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-zeroconf@merit.edu Precedence: bulk Peter Johansson wrote: > At 05:20 PM 5/3/00 +0200, Erik Guttman wrote: > < Schiller pointed out in Adelaide, there are social mechanisms for security > at home and between neighbors. The real threat is the anonymous stranger > attacking from afar.>> > > If I have been tripped up by some subtle meaning of the word "remote" above > (and consequently misunderstand the conclusion) please excuse me. > > But if I read it correctly, I don't feel at all secure that I have adequate > social mechanisms for addressing security transgressions by my neighbors! ... > I am not willing to wait to apply "social mechanisms" until after a > sociopathic neighbor has made off with the goods! ... > > So, someone, please tell me I've completely misunderstood what has been said. You didn't misunderstand. Is your claim is that normal social mechanisms are OK for noise, smells and so on, as they 'stay on the other side of the fence (are clearly coming from your neighbor's place, etc)?' But with shared access media (wireless, power line, network area cable subnets) we have no 'walls' between us an our neighbors? In this case, should we modify the scenario to be a binary 'insider' / 'outsider' model. Like those who you give a housekey to, and those you don't? (Is the problem with the 'close' / 'remote' model is that trust and effective reprisal mechanisms aren't 'proximity' based, they're more 'who knows which flower pot the house key is hidden in' based? Erik From owner-zeroconf@merit.edu Thu May 4 10:52:11 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA07224 for ; Thu, 4 May 2000 10:52:10 -0400 (EDT) Received: by segue.merit.edu (Postfix) id B34CA5DE03; Thu, 4 May 2000 10:52:02 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id A22F85DE00; Thu, 4 May 2000 10:52:02 -0400 (EDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 407275DDFD for ; Thu, 4 May 2000 10:52:01 -0400 (EDT) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id HAA27054; Thu, 4 May 2000 07:51:58 -0700 (PDT) Received: from vayne (muc-isdn-19 [129.157.164.119]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.7) with SMTP id QAA04846; Thu, 4 May 2000 16:51:55 +0200 (MET DST) Date: Thu, 4 May 2000 17:00:39 +0200 (MET DST) From: Erik Guttman Reply-To: Erik Guttman Subject: RE: zeroconf security - conclusions To: "Walker, Jesse" Cc: "'Erik Guttman'" , zeroconf@merit.edu, dan.mcdonald@eng.sun.com In-Reply-To: "Your message with ID" <392A357CE6FFD111AC3E00A0C99848B002FE962D@hdsmsx31.hd.intel.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-zeroconf@merit.edu Precedence: bulk Walker, > >> Configuration for such networks can be very simple (such as >> a group key) since we don't have to differentiate between users >> and devices on a zeroconf network. > > Use of group keys means LAN users need to reconfigure all > the devices relying on these keys to reestablish security in the event > of divorce or betrayal by a previously trusted friend. If wireless > indeed makes easy revocation a requirement, as I think it does, then > it is unfortunately hard to imagine anything short of a credentials > management scheme being part of the solution. If this is the case, > the proper requirement is that the credentials management scheme has > to be simple to use. Is easy revocation a requirement? Or does easy configuration (and reconfiguration, say contingent upon physical access to the device) satisfy this? After a break up, just call the locksmith. You don't need restraining orders, revised contracts, etc. normally. I am concerned that if the security requirements are complicated we won't make any headway. If they really are complicated, good to know. But maybe we can keep this simple. > 2.1) Hosts MUST implement a security mechanism (or mechanisms) to > protect against the following threats: > > + Hoarding attack. A host MUST be able to determine whether a > multicast address allocation claim (used in a claim and defend > protocol) is legitimate or not. > > Depending on your assumptions about overall network size and credentials > management schemes deployed, this might not be feasible except by using > asymmetric key techniques. My guess is the low end market will be > unwilling to pay the computational and administrative costs associated > with existing asymmetric key techniques for a very long time. Perhaps > this requirement should be a MAY; or it may simply require more > discussion to narrow the requirement sufficiently to something vendors > can implement and users will actually deploy. Or can we drop this requirement? The DHC WG agreed that ARP security was a non-starter. Service discovery and name to address resolution aren't subject to hoarding attacks. How vital is it to protect networks from multicast allocation hoarding attacks? I did not mention that some work has gone into protecting neighbor discovery in IPv6 (which would defend against hoarding attacks as a result). Dan, do you want to say something about this? > 2.2) Hosts MUST be configurable to use that security, as easily > as possible. > > My concern with this is we need to specify what we means by "security". > Without doing that, this is a very open-ended requirement, and we will > never be able to determine when implementations do or do not conform. > That's what I'm trying to specify in section 2.1. These are requirements we are discussing, so the specification is necessarily high level. If there are too few or too many security features in that list - let's discuss it now. Erik From owner-zeroconf@merit.edu Thu May 4 11:33:32 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA08581 for ; Thu, 4 May 2000 11:33:31 -0400 (EDT) Received: by segue.merit.edu (Postfix) id DA2655DDE4; Thu, 4 May 2000 11:30:27 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id BCD0A5DDE9; Thu, 4 May 2000 11:30:27 -0400 (EDT) Received: from lukla.Sun.COM (lukla.Sun.COM [192.18.98.31]) by segue.merit.edu (Postfix) with ESMTP id 5CB255DDE4 for ; Thu, 4 May 2000 11:30:25 -0400 (EDT) Received: from eastmail1.East.Sun.COM ([129.148.1.240]) by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id JAA07737 for ; Thu, 4 May 2000 09:30:23 -0600 (MDT) Received: from sunlabs.East.Sun.COM (sunlabs.East.Sun.COM [129.148.75.250]) by eastmail1.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id LAA14562; Thu, 4 May 2000 11:00:52 -0400 (EDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.1) with ESMTP id LAA26677; Thu, 4 May 2000 11:00:49 -0400 (EDT) Message-ID: <39118FD7.42999E37@sun.com> Date: Thu, 04 May 2000 10:57:27 -0400 From: Steve Hanna Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Erik Guttman Cc: zeroconf@merit.edu Subject: Re: zeroconf security - conclusions References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Thanks for a good summary, Erik. Clearly, there are still some unresolved issues. But agreeing on which protocols are in scope and providing a list of generally agreed-upon threats is a good start. > 0.3) The scenario in which these threats occur is 'remote access.' > As Jeff Schiller pointed out in Adelaide, there are social > mechanisms for security at home and between neighbors. The > real threat is the anonymous stranger attacking from afar. > > Configuration for such networks can be very simple (such as > a group key) since we don't have to differentiate between users > and devices on a zeroconf network. > > We have to assume that an attacker can send and receive messages > on the local network since in important cases Zero Configuration > protocols will be used on shared access links (RF, power line, > 'neighborhood area network' cable subnets, etc.) If an attacker can send and receive messages on the local network (and I agree with that), that's the important thing from a security perspective. Whether the attacker is a neighbor or not is not important. I suggest you drop the first paragraph here, unless you can explain some way in which it changes the security analysis. > Protecting against IP address hoarding is NOT a requirement > for IPv4, since it would mean securing ARP. That is the > concensus of the DHC WG. ... > + Antagonistic server attack. The host MUST be able to determine > whether a discovered DHCP server, DNS server, SLP DA (or > whatever) or MADCAP server is to be used or not. > > NOTE: This requirement *looks good,* but how many systems in > practice are enabled to use DHCP authentication, DNSSec, SLP > authentication and MADCAP security? We are 'raising the bar' > by requiring this, not avoiding 'making IP less secure' which > is our guiding principal. If we don't protect against IP address hoarding and we don't protect against an antagonistic server attack, we're leaving two big holes in our security system. I agree that securing ARP and authenticating servers isn't easy. But we can't just stick our heads in the sand. What about a simple solution like link-level encryption using a shared key (such as 802.11 WEP)? Or layer 3 crypto with a shared key (IPsec without IKE)? This would secure all network access with a single mechanism. Admittedly, it doesn't have all of the features of protocol-specific security, but it *is* fairly simple! And it addresses all of the threats we have listed. -Steve From owner-zeroconf@merit.edu Thu May 4 13:58:46 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA12788 for ; Thu, 4 May 2000 13:58:46 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 6C9FD5E01C; Thu, 4 May 2000 13:57:21 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 4DD5B5DE86; Thu, 4 May 2000 13:57:21 -0400 (EDT) Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by segue.merit.edu (Postfix) with ESMTP id 8FD1E5E01C for ; Thu, 4 May 2000 13:57:19 -0400 (EDT) Received: from SERVER ([63.199.7.253]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with SMTP id <0FU1001Q9P6W0L@mta5.snfc21.pbi.net> for ZeroConf@merit.edu; Thu, 4 May 2000 10:13:44 -0700 (PDT) Date: Thu, 04 May 2000 10:12:45 -0700 From: Peter Johansson Subject: Re: zeroconf security - conclusions In-reply-to: X-Sender: Celeborn@PacBell.net To: Erik Guttman Cc: Zero Configuration Message-id: <3.0.5.32.20000504101245.00952100@PacBell.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Content-type: text/plain; charset="us-ascii" References: <"Your message with ID <3.0.5.32.20000503225217.00958cd0"@PacBell.net> Sender: owner-zeroconf@merit.edu Precedence: bulk At 04:41 PM 5/4/00 +0200, Erik Guttman wrote: <> Yes, just so. <> Yes, the "neighbor" defined by proximity is not necessarily manageable. But the "neighbor" that I can pick and choose, can elect to tell the location of the digital flower pot that holds the key, is manageable. And, as Jesse Walker observed, one can always call the "locksmith" ... Regards, Peter Johansson Congruent Software, Inc. 98 Colorado Avenue Berkeley, CA 94707 (510) 527-3926 (510) 527-3856 FAX PJohansson@ACM.org From owner-zeroconf@merit.edu Fri May 5 09:34:53 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA18432 for ; Fri, 5 May 2000 09:34:52 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 9F9AA5DE50; Fri, 5 May 2000 09:34:40 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 695445DE53; Fri, 5 May 2000 09:34:40 -0400 (EDT) Received: from monitor.internaut.com (mg-206253200-16.ricochet.net [206.253.200.16]) by segue.merit.edu (Postfix) with ESMTP id 4F8BC5DE50 for ; Fri, 5 May 2000 09:34:36 -0400 (EDT) Received: from vaiobean (vaiobean.ntdev.microsoft.com [204.57.137.66] (may be forged)) by monitor.internaut.com (8.9.2/8.8.8) with SMTP id GAA91103; Fri, 5 May 2000 06:18:56 -0700 (PDT) Reply-To: From: "Bernard Aboba" To: "'Steve Hanna'" , "'Erik Guttman'" Cc: , Subject: RE: zeroconf security - conclusions Date: Fri, 5 May 2000 06:36:20 -0700 Message-ID: <004f01bfb696$e7bf0b30$428939cc@ntdev.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <39118FD7.42999E37@sun.com> X-Mimeole: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit >What about a simple solution like link-level encryption using a shared >key (such as 802.11 WEP)? This can work as long as you assume that the hosts all attach to a central bridge, as with 802.11 access points. However, if it is possible for outsiders to attach to the same LAN segment as insiders, without an intervening bridge, then this will not help. This is one of the reasons that I am uncomfortable with powerline and phoneline networks -- particularly since the cost of 802.11 is declining so rapidly. This makes the security risks seem hardly worth the delta in cost (which may soon be zero or even negative). >Or layer 3 crypto with a shared key (IPsec >without IKE)? I think you actually mean manual keying. Pre-shared keying does require IKE. While I've always liked the idea of securing hosts via IPSEC, I don't know how reasonable it is to require that devices secure themselves this way. From owner-zeroconf@merit.edu Fri May 5 09:58:23 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA19187 for ; Fri, 5 May 2000 09:58:23 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 827FB5DE68; Fri, 5 May 2000 09:58:16 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 6C8E75DE65; Fri, 5 May 2000 09:58:16 -0400 (EDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 0C7C25DE67 for ; Fri, 5 May 2000 09:58:15 -0400 (EDT) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id GAA20345; Fri, 5 May 2000 06:58:12 -0700 (PDT) Received: from vayne (muc-isdn-4 [129.157.164.104]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.7) with SMTP id PAA26955; Fri, 5 May 2000 15:58:10 +0200 (MET DST) Date: Fri, 5 May 2000 16:06:55 +0200 (MET DST) From: Erik Guttman Reply-To: Erik Guttman Subject: RE: zeroconf security - conclusions To: aboba@internaut.com Cc: "'Steve Hanna'" , "'Erik Guttman'" , zeroconf@merit.edu, steve.hanna@Sun.COM In-Reply-To: "Your message with ID" <004f01bfb696$e7bf0b30$428939cc@ntdev.microsoft.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-zeroconf@merit.edu Precedence: bulk Bernard, Steve, > >What about a simple solution like link-level encryption using a shared > >key (such as 802.11 WEP)? > > This can work as long as you assume that the hosts all attach to a > central bridge, as with 802.11 access points. However, if it is > possible for outsiders to attach to the same LAN segment as > insiders, without an intervening bridge, then this will not help. I am concerned about proposals for L2 security ZC requirements. The IETF works at L3 and above. Also, many link layers are not secure (and never will be). > >Or layer 3 crypto with a shared key (IPsec > >without IKE)? > > I think you actually mean manual keying. Pre-shared keying > does require IKE. > > While I've always liked the idea of securing hosts via IPSEC, > I don't know how reasonable it is to require that devices > secure themselves this way. > Let's pursue this. Would it be feasible to counter the identified threats and meet our goals with a L3 layer security mechanism (IPSec)? Erik From owner-zeroconf@merit.edu Fri May 5 10:55:32 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA20617 for ; Fri, 5 May 2000 10:55:32 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 3AA115DE1B; Fri, 5 May 2000 10:55:26 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 271FB5DE1C; Fri, 5 May 2000 10:55:26 -0400 (EDT) Received: from garlic.amaranth.net (garlic.amaranth.net [216.235.243.195]) by segue.merit.edu (Postfix) with ESMTP id 5B80A5DE1B for ; Fri, 5 May 2000 10:55:24 -0400 (EDT) Received: from senie.com (garlic.amaranth.net [216.235.243.195]) (authenticated) by garlic.amaranth.net (8.10.0/8.10.0) with ESMTP id e45Et5Z03532; Fri, 5 May 2000 10:55:05 -0400 Message-ID: <3912E0C8.C09E2A1B@senie.com> Date: Fri, 05 May 2000 10:55:04 -0400 From: Daniel Senie Organization: Amaranth Networks Inc. X-Mailer: Mozilla 4.72 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Erik Guttman Cc: aboba@internaut.com, "'Steve Hanna'" , zeroconf@merit.edu Subject: Re: zeroconf security - conclusions References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Erik Guttman wrote: > > Bernard, Steve, > > > >What about a simple solution like link-level encryption using a shared > > >key (such as 802.11 WEP)? > > > > This can work as long as you assume that the hosts all attach to a > > central bridge, as with 802.11 access points. However, if it is > > possible for outsiders to attach to the same LAN segment as > > insiders, without an intervening bridge, then this will not help. > > I am concerned about proposals for L2 security ZC requirements. The > IETF works at L3 and above. Also, many link layers are not secure > (and never will be). The IETF most certainly works on problems below layer 3. PPP, for example, is not a layer 3 item. There are many other examples. I am not in favor of mandating IPSec in ZC. It would be an admission of defeat for this WG, since IPSec will require configuration. I believe wired Ethernets are secure enough if physical security is maintained. 802.11 networks with WEP is being pitched as safe. After all, that WEP is "wire equivalent privacy." Can someone tap your wires? The question here is whether ZC should specify the minimum required capabilities for the link layer. This is not below IETF's venue. Look at the PILC working group for an example. Phil Karn and company are producing a document to explain to link layer technology developers the kinds of facilities that must be present to run IP successfully. Recommendations that 802.11 WEP be employed in ZC networks seems to be in a similar vein. > > > >Or layer 3 crypto with a shared key (IPsec > > >without IKE)? > > > > I think you actually mean manual keying. Pre-shared keying > > does require IKE. > > > > While I've always liked the idea of securing hosts via IPSEC, > > I don't know how reasonable it is to require that devices > > secure themselves this way. > > > > Let's pursue this. Would it be feasible to counter the > identified threats and meet our goals with a L3 layer > security mechanism (IPSec)? Sure. With configuration. Runs counter to the name of the working group, me thinks. -- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com From owner-zeroconf@merit.edu Fri May 5 11:29:39 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA21500 for ; Fri, 5 May 2000 11:29:38 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 771C35DD95; Fri, 5 May 2000 11:29:32 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 5E8745DD96; Fri, 5 May 2000 11:29:32 -0400 (EDT) Received: from monitor.internaut.com (mg-206253200-16.ricochet.net [206.253.200.16]) by segue.merit.edu (Postfix) with ESMTP id B7C015DD95 for ; Fri, 5 May 2000 11:29:28 -0400 (EDT) Received: from vaiobean (vaiobean.ntdev.microsoft.com [204.57.137.66] (may be forged)) by monitor.internaut.com (8.9.2/8.8.8) with SMTP id IAA91209; Fri, 5 May 2000 08:14:01 -0700 (PDT) Reply-To: From: "Bernard Aboba" To: "'Erik Guttman'" Cc: "'Steve Hanna'" , Subject: RE: zeroconf security - conclusions Date: Fri, 5 May 2000 08:31:27 -0700 Message-ID: <007d01bfb6a6$fbb6f0c0$428939cc@ntdev.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-Reply-To: X-Mimeole: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit >Let's pursue this. Would it be feasible to counter the >identified threats and meet our goals with a L3 layer >security mechanism (IPSec)? IPSEC solves a lot of the threats that you described, plus a bunch of other ones that are out of scope but still important. Personally, I would rather we look at IPSEC than worrying about multicast address hoarding attacks, for example. Since we're talking about some subset of IPSEC functionality, it's probably appropriate to have some discussion of what it is possible to do on what devices. On a host, I would argue that there is no need for a subset; a consumer machine can do IPSEC with IKE as easily as IPSEC with manual keying and the former is more secure, so there's little point in reducing functionality. However, on a device there may be issues. I'm curious to understand what these are exactly before we start chopping. For example are there issues with implementation of cert handling, cryptosuites, IKE, etc. Some set of base assumptions would be helpful. From owner-zeroconf@merit.edu Fri May 5 12:07:28 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA22589 for ; Fri, 5 May 2000 12:07:28 -0400 (EDT) Received: by segue.merit.edu (Postfix) id DAF285DDAB; Fri, 5 May 2000 12:07:20 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id C2D7E5DD96; Fri, 5 May 2000 12:07:20 -0400 (EDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 53AEE5DD96 for ; Fri, 5 May 2000 12:07:19 -0400 (EDT) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id JAA18236; Fri, 5 May 2000 09:07:16 -0700 (PDT) Received: from vayne (muc-isdn-13 [129.157.164.113]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.7) with SMTP id SAA14397; Fri, 5 May 2000 18:07:14 +0200 (MET DST) Date: Fri, 5 May 2000 18:15:59 +0200 (MET DST) From: Erik Guttman Reply-To: Erik Guttman Subject: Re: zeroconf security - conclusions To: Daniel Senie Cc: Erik Guttman , aboba@internaut.com, "'Steve Hanna'" , zeroconf@merit.edu In-Reply-To: "Your message with ID" <3912E0C8.C09E2A1B@senie.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-zeroconf@merit.edu Precedence: bulk > > Let's pursue this. Would it be feasible to counter the > > identified threats and meet our goals with a L3 layer > > security mechanism (IPSec)? > > Sure. With configuration. Runs counter to the name of the working group, > me thinks. The charter says: ZEROCONF requirements will make networking as easy as possible, but no easier. In some cases other considerations may dominate ease of use. For example, network security requires some configuration which may not be as easy as the unacceptable alternative of 'no security.' Erik From owner-zeroconf@merit.edu Fri May 5 13:08:04 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA24274 for ; Fri, 5 May 2000 13:08:04 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 4561A5DE12; Fri, 5 May 2000 13:07:48 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 296875DE1D; Fri, 5 May 2000 13:07:48 -0400 (EDT) Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by segue.merit.edu (Postfix) with ESMTP id B1D865DE12 for ; Fri, 5 May 2000 13:07:43 -0400 (EDT) Received: from SERVER ([63.199.7.253]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with SMTP id <0FU3006KBINEHM@mta5.snfc21.pbi.net> for ZeroConf@Merit.edu; Fri, 5 May 2000 09:47:39 -0700 (PDT) Date: Fri, 05 May 2000 09:39:44 -0700 From: Peter Johansson Subject: Re: zeroconf security - conclusions In-reply-to: X-Sender: Celeborn@PacBell.net To: Zero Configuration Message-id: <3.0.5.32.20000505093944.009734c0@PacBell.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Content-type: text/plain; charset="us-ascii" References: <"Your message with ID <3912E0C8.C09E2A1B"@senie.com> Sender: owner-zeroconf@merit.edu Precedence: bulk The charter says: "ZEROCONF requirements will make networking as easy as possible, but no easier. In some cases other considerations may dominate ease of use. For example, network security requires some configuration which may not be as easy as the unacceptable alternative of 'no security.'" Let's face it, marketing-think and marketing-speak have surreptitiously co-opted our habits in many other fields of endeavor. As the charter states, the real goal is "minimal configuration"---but MINCONF just ain't as catchy, sexy or snappy as ZEROCONF. Even though it's more accurate. What customer wouldn't prefer to buy a "zero configuration kit" for anything rather than a "minimal configuration kit"? Maybe only a customer who's been educated to understand there is no such thing as a free lunch. Regards, Peter Johansson Congruent Software, Inc. 98 Colorado Avenue Berkeley, CA 94707 (510) 527-3926 (510) 527-3856 FAX PJohansson@ACM.org From owner-zeroconf@merit.edu Fri May 5 17:07:36 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA28955 for ; Fri, 5 May 2000 17:07:36 -0400 (EDT) Received: by segue.merit.edu (Postfix) id A1D2F5DDA2; Fri, 5 May 2000 17:07:31 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 80DCC5DDAF; Fri, 5 May 2000 17:07:31 -0400 (EDT) Received: from lukla.Sun.COM (lukla.Sun.COM [192.18.98.31]) by segue.merit.edu (Postfix) with ESMTP id 1C90C5DDA2 for ; Fri, 5 May 2000 17:07:30 -0400 (EDT) Received: from eastmail1.East.Sun.COM ([129.148.1.240]) by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id PAA23058; Fri, 5 May 2000 15:07:21 -0600 (MDT) Received: from sunlabs.East.Sun.COM (sunlabs.East.Sun.COM [129.148.75.250]) by eastmail1.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id RAA29231; Fri, 5 May 2000 17:07:20 -0400 (EDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.1) with ESMTP id RAA14007; Fri, 5 May 2000 17:07:15 -0400 (EDT) Message-ID: <39133738.D3A35613@sun.com> Date: Fri, 05 May 2000 17:03:52 -0400 From: Steve Hanna Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: aboba@internaut.com Cc: "'Erik Guttman'" , zeroconf@merit.edu Subject: Re: zeroconf security - conclusions References: <007d01bfb6a6$fbb6f0c0$428939cc@ntdev.microsoft.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Bernard Aboba wrote: > > >Let's pursue this. Would it be feasible to counter the > >identified threats and meet our goals with a L3 layer > >security mechanism (IPSec)? > > IPSEC solves a lot of the threats that you described, > plus a bunch of other ones that are out of scope but > still important. Personally, I would rather we look > at IPSEC than worrying about multicast address > hoarding attacks, for example. > > Since we're talking about some subset of IPSEC > functionality, it's probably appropriate to have > some discussion of what it is possible to do > on what devices. On a host, I would argue that > there is no need for a subset; a consumer machine > can do IPSEC with IKE as easily as IPSEC with > manual keying and the former is more secure, so > there's little point in reducing functionality. > > However, on a device there may be issues. > I'm curious to understand what these are > exactly before we start chopping. For example > are there issues with implementation of cert > handling, cryptosuites, IKE, etc. Some set > of base assumptions would be helpful. I would be pleased to use IPSEC for ZC, if possible. I have two primary concerns: performance and configuration. First, performance. Public key crypto is too slow for most low-end devices. Performing a single public key operation can take hours or days on a slow 8-bit controller with no hardware crypto assist. And moving to a faster processor or one with hardware assist will increase cost too much for a low-end device. I think we need to stick with symmetric key crypto for this application. For IPSEC, I guess that means manual keying, probably using a group key shared by all zeroconf devices in the zeroconf domain. Second, configuration. We want to keep things as close to zero configuration as possible. Configuring a group key will be painful, but maybe we can explore a few ideas for making that configuration easier. One big plus with IPSEC is that it can span multiple links. Also, there are lots of libraries available. -Steve From owner-zeroconf@merit.edu Fri May 5 17:25:49 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA29253 for ; Fri, 5 May 2000 17:25:49 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 2885E5DDFC; Fri, 5 May 2000 17:25:42 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 0B42C5DDEA; Fri, 5 May 2000 17:25:42 -0400 (EDT) Received: from lukla.Sun.COM (lukla.Sun.COM [192.18.98.31]) by segue.merit.edu (Postfix) with ESMTP id AC89B5DDAF for ; Fri, 5 May 2000 17:25:40 -0400 (EDT) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id PAA04350; Fri, 5 May 2000 15:25:26 -0600 (MDT) Received: from locked.eng.sun.com (locked.Eng.Sun.COM [129.146.85.189]) by engmail3.Eng.Sun.COM (8.9.1b+Sun/8.9.1/ENSMAIL,v1.6) with ESMTP id OAA14750; Fri, 5 May 2000 14:25:25 -0700 (PDT) Received: (from mohanp@localhost) by locked.eng.sun.com (8.10.1+Sun/8.10.1) id e45LOpO10577; Fri, 5 May 2000 14:24:51 -0700 (PDT) From: Mohan Parthasarathy Message-Id: <200005052124.e45LOpO10577@locked.eng.sun.com> Subject: Re: zeroconf security - conclusions In-Reply-To: <39133738.D3A35613@sun.com> from Steve Hanna at "May 5, 2000 05:03:52 pm" To: Steve Hanna Date: Fri, 5 May 2000 14:24:50 -0700 (PDT) Cc: aboba@internaut.com, "'Erik Guttman'" , zeroconf@merit.edu X-Mailer: ELM [version 2.4ME+ PL66 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit > > I would be pleased to use IPSEC for ZC, if possible. I have two primary > concerns: performance and configuration. > Does IPsec has everything what ZC needs ? I am referring to the Erik's mail where he had listed the threats. -mohan > First, performance. Public key crypto is too slow for most low-end > devices. Performing a single public key operation can take hours or days > on a slow 8-bit controller with no hardware crypto assist. And moving to > a faster processor or one with hardware assist will increase cost too > much for a low-end device. I think we need to stick with symmetric key > crypto for this application. For IPSEC, I guess that means manual > keying, probably using a group key shared by all zeroconf devices in the > zeroconf domain. > > Second, configuration. We want to keep things as close to zero > configuration as possible. Configuring a group key will be painful, but > maybe we can explore a few ideas for making that configuration easier. > > One big plus with IPSEC is that it can span multiple links. Also, there > are lots of libraries available. > > -Steve > From owner-zeroconf@merit.edu Fri May 5 18:03:56 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA29928 for ; Fri, 5 May 2000 18:03:56 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 45E305DE4B; Fri, 5 May 2000 18:02:27 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 354435DE4A; Fri, 5 May 2000 18:02:27 -0400 (EDT) Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by segue.merit.edu (Postfix) with ESMTP id 313EE5DE39 for ; Fri, 5 May 2000 18:02:26 -0400 (EDT) Received: from SERVER ([63.199.7.253]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with SMTP id <0FU3005SFWFUJD@mta6.snfc21.pbi.net> for ZeroConf@Merit.edu; Fri, 5 May 2000 14:45:30 -0700 (PDT) Date: Fri, 05 May 2000 14:44:43 -0700 From: Peter Johansson Subject: Re: zeroconf security - conclusions In-reply-to: <39133738.D3A35613@sun.com> X-Sender: Celeborn@PacBell.net To: Zero Configuration Message-id: <3.0.5.32.20000505144443.00905cb0@PacBell.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Content-type: text/plain; charset="us-ascii" References: <007d01bfb6a6$fbb6f0c0$428939cc@ntdev.microsoft.com> Sender: owner-zeroconf@merit.edu Precedence: bulk At 05:03 PM 5/5/00 -0400, Steve Hanna wrote: <> What does "manual keying" implicitly require of a low-end device's user interface capabilities? Regards, Peter Johansson Congruent Software, Inc. 98 Colorado Avenue Berkeley, CA 94707 (510) 527-3926 (510) 527-3856 FAX PJohansson@ACM.org From owner-zeroconf@merit.edu Mon May 8 21:04:52 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA24496 for ; Mon, 8 May 2000 21:04:50 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 4EFCA5DF09; Mon, 8 May 2000 21:04:31 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id DD3735E57E; Mon, 8 May 2000 21:04:30 -0400 (EDT) Received: from mail-out1.apple.com (mail-out1.apple.com [17.254.0.52]) by segue.merit.edu (Postfix) with ESMTP id 03BFB5DF09 for ; Mon, 8 May 2000 21:04:28 -0400 (EDT) Received: from mailgate2.apple.com (A17-129-100-225.apple.com [17.129.100.225]) by mail-out1.apple.com (8.9.3/8.9.3) with ESMTP id SAA05978 for ; Mon, 8 May 2000 18:04:28 -0700 (PDT) Received: from scv2.apple.com (scv2.apple.com) by mailgate2.apple.com (Content Technologies SMTPRS 2.0.15) with ESMTP id for ; Mon, 08 May 2000 18:04:18 -0700 Received: from [17.201.23.37] (chesh1.apple.com [17.201.23.37]) by scv2.apple.com (8.9.3/8.9.3) with SMTP id SAA02482 for ; Mon, 8 May 2000 18:04:17 -0700 (PDT) Message-Id: <200005090104.SAA02482@scv2.apple.com> Subject: Re: 169.254/16 IP addresses Date: Mon, 8 May 2000 18:04:18 -0700 x-sender: cheshire@mail.apple.com x-mailer: Claris Emailer 2.0v3, January 22, 1998 From: Stuart Cheshire To: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: owner-zeroconf@merit.edu Precedence: bulk >Of course, as others have pointed out, declaring that one MUST NOT NAT >such addresses is probably out-of-scope and pointless (i.e., it will >be ignored). What would be good of course, is to document the >potential dangers that lurk when NATting such addresses. Wow! I've been away, and it took me a while to catch up. Here is the key question about whether you can use NAT with 169.254/16 IP addresses: Can a packet with a 169.254 source address *EVER* be sent to a non-169.254 destination address? As currently written, draft-cheshire-ipv4-linklocal-00.txt says not. It says: >A host SHOULD NOT establish communications from a global source >address to a link-local destination address, or vice versa. >Link-local addresses should only be used for communication with >other link-local addresses on the same link. A host complying with this requirement would simply refuse to generate a packet with a 169.254 source address and a global destination address, so the NAT gateway would simply not get the opportunity to translate the packet, because the packet would never exist. This is a tricky question. How does the host know that there's a NAT gateway out there? If a host sends out a packet from 169.254.1.2 to 17.254.0.91, and there is no NAT gateway, then the host will never get a reply. On the other hand, does it really hurt to try? On considering all the arguments, I think I'll revise draft-cheshire-ipv4-linklocal-00.txt to say that a multi-homed host should always *prefer* a non-169.254 source address when sending to a non-169.254 destination, but if a host *only* has a 169.254 address, then it MAY use ARP to resolve all addresses, and send packets with 169.254 source addresses to any destination address for which it gets an ARP reply. This means that a vendor could make a NAT gateway that issues proxy-ARP replies for all (non-169.254) addresses, and a host using self-configured link-local addresses would transparently work that that device. It also means that a device which doesn't have a 169.254 address can still communicate with 169.254 devices on the same physical link, as long as it is prepared to answer ARP requests from 169.254 devices, and send IP packets to 169.254 destination addresses. Stuart Cheshire * Wizard Without Portfolio, Apple Computer From owner-zeroconf@merit.edu Mon May 8 21:10:12 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA24577 for ; Mon, 8 May 2000 21:10:12 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 6D0555E587; Mon, 8 May 2000 21:10:04 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 4D1015E590; Mon, 8 May 2000 21:10:04 -0400 (EDT) Received: from mail-out1.apple.com (mail-out1.apple.com [17.254.0.52]) by segue.merit.edu (Postfix) with ESMTP id E40FA5E587 for ; Mon, 8 May 2000 21:10:02 -0400 (EDT) Received: from mailgate2.apple.com (A17-129-100-225.apple.com [17.129.100.225]) by mail-out1.apple.com (8.9.3/8.9.3) with ESMTP id SAA06938 for ; Mon, 8 May 2000 18:10:02 -0700 (PDT) Received: from scv2.apple.com (scv2.apple.com) by mailgate2.apple.com (Content Technologies SMTPRS 2.0.15) with ESMTP id for ; Mon, 08 May 2000 18:10:00 -0700 Received: from [17.201.23.37] (chesh1.apple.com [17.201.23.37]) by scv2.apple.com (8.9.3/8.9.3) with SMTP id SAA04452 for ; Mon, 8 May 2000 18:09:59 -0700 (PDT) Message-Id: <200005090109.SAA04452@scv2.apple.com> Subject: RE: zeroconf and non-zeroconf scenarios Date: Mon, 8 May 2000 18:10:00 -0700 x-sender: cheshire@mail.apple.com x-mailer: Claris Emailer 2.0v3, January 22, 1998 From: Stuart Cheshire To: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: owner-zeroconf@merit.edu Precedence: bulk >Not sure what the use of this would be, since the purpose of the NAT >box probably is to connect the network to the Internet. It would >make more sense for the NAT box to assign itself a private IP >address (say from 192.168/16), and start up a mini-DHCP server to >re-address the zeroconf workstations. In the process the zeroconf >workstations will also configure themselves with the default >gateway address and whatever else they need, via the mini-DHCP. Although I said in my last message that a vendor COULD make a NAT gateway to work with self-configured link-local devices, that doesn't necessarily mean that I'm endorsing the idea. Bernard is right that if you're building a NAT gateway, it makes more sense to put a simple DHCP server into it. Stuart Cheshire * Wizard Without Portfolio, Apple Computer From owner-zeroconf@merit.edu Mon May 8 21:27:14 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA24855 for ; Mon, 8 May 2000 21:27:13 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 9E4445E5C5; Mon, 8 May 2000 21:27:06 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 846005E5C2; Mon, 8 May 2000 21:27:06 -0400 (EDT) Received: from mail-out1.apple.com (mail-out1.apple.com [17.254.0.52]) by segue.merit.edu (Postfix) with ESMTP id F26965E5C5 for ; Mon, 8 May 2000 21:27:04 -0400 (EDT) Received: from mailgate2.apple.com (A17-129-100-225.apple.com [17.129.100.225]) by mail-out1.apple.com (8.9.3/8.9.3) with ESMTP id SAA08979 for ; Mon, 8 May 2000 18:27:04 -0700 (PDT) Received: from scv3.apple.com (scv3.apple.com) by mailgate2.apple.com (Content Technologies SMTPRS 2.0.15) with ESMTP id ; Mon, 08 May 2000 18:26:59 -0700 Received: from [17.201.23.37] (chesh1.apple.com [17.201.23.37]) by scv3.apple.com (8.9.3/8.9.3) with SMTP id SAA15778; Mon, 8 May 2000 18:26:58 -0700 (PDT) Message-Id: <200005090126.SAA15778@scv3.apple.com> Subject: RE: 169.254/16 IP addresses Date: Mon, 8 May 2000 18:26:59 -0700 x-sender: cheshire@mail.apple.com x-mailer: Claris Emailer 2.0v3, January 22, 1998 From: Stuart Cheshire To: "Ralph Droms" , "Zero Configuration" MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: owner-zeroconf@merit.edu Precedence: bulk >Well, you've answered part of my question - do we have consensus that >169.254/16 addresses are *auto-configured link-local* addresses, and not >simply link-local addresses? I think we can safely say that DHCP servers SHOULD NOT allocate 169.254 addresses. However, if the administrator configures the DHCP server to allocate these addresses, how much harm will it do? You could make the argument that draft-cheshire-ipv4-linklocal-00.txt says that the algorithm for selecting a link-local address is implementation-dependent, and asking a DHCP server is a valid implementation-dependent way of selecting an address. If an address collision is detected, then the client will send a DECLINE to the DHCP server and then request a new address. I agree that it would be pretty odd to configure a DHCP server to allocate 169.254 addresses instead of something else, like 192.168, but I don't see why it wouldn't work. Stuart Cheshire * Wizard Without Portfolio, Apple Computer From owner-zeroconf@merit.edu Mon May 8 21:44:30 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA25029 for ; Mon, 8 May 2000 21:44:30 -0400 (EDT) Received: by segue.merit.edu (Postfix) id DB3165E5C2; Mon, 8 May 2000 21:44:21 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id C15A35E5FF; Mon, 8 May 2000 21:44:21 -0400 (EDT) Received: from mail-out1.apple.com (mail-out1.apple.com [17.254.0.52]) by segue.merit.edu (Postfix) with ESMTP id 7479F5E5C2 for ; Mon, 8 May 2000 21:44:20 -0400 (EDT) Received: from mailgate2.apple.com (A17-129-100-225.apple.com [17.129.100.225]) by mail-out1.apple.com (8.9.3/8.9.3) with ESMTP id SAA11159 for ; Mon, 8 May 2000 18:44:20 -0700 (PDT) Received: from scv2.apple.com (scv2.apple.com) by mailgate2.apple.com (Content Technologies SMTPRS 2.0.15) with ESMTP id for ; Mon, 08 May 2000 18:44:11 -0700 Received: from [17.201.23.37] (chesh1.apple.com [17.201.23.37]) by scv2.apple.com (8.9.3/8.9.3) with SMTP id SAA10692 for ; Mon, 8 May 2000 18:44:10 -0700 (PDT) Message-Id: <200005090144.SAA10692@scv2.apple.com> Subject: Re: home network security Date: Mon, 8 May 2000 18:44:11 -0700 x-sender: cheshire@mail.apple.com x-mailer: Claris Emailer 2.0v3, January 22, 1998 From: Stuart Cheshire Cc: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: owner-zeroconf@merit.edu Precedence: bulk >Incoming connections are NOT the issue. Beyond the technical >issues, the contracts for cable modems and many DSL services >specifically forbid hosting services. I'm talking about end >users who sit in their houses and look to the outside. Connections to the global Internet are outside the scope of ZEROCONF, but I have to disagree with this idea that incoming connections are not important. One of the most important things about the Internet is that it is NOT a unidirectional infrastructure, like television, radio, newspapers, AOL, and most of the other communication schemes of the last century. In its uncorrupted form, the Internet is a pure peer-to-peer network, where any host can send packets to any other host. Here's just one example. My computer at home is always on. My DSL line is always on. Like most people, my computer is continually polling a POP server 24 hours a day to see if there is any mail. Everyone's computer continually polling mail servers is a huge stupid waste of network bandwidth. Why couldn't the POP server just tell my computer when mail arrives? In fact, why do I need a POP server at all? Why doesn't the sending computer just open a direct SMTP connection to my computer and send the mail to it? Answer: because that would mean I was running a SERVER (!) at home, and that's not allowed. Only Pacific Bell is allowed to run servers. You may have heard in the news that Pacific Bell is averaging a twelve-hour delay on incoming mail, because their mail servers are so overloaded. Isn't the irony beautiful? Pacific Bell insists that they have to run all the "servers", and then they can't cope with the load. Slowly, we will outgrow these stupidities. I wonder which will be the first email client to offer a DirectMail(TM)* SMTP listener for users with always-on Internet connections? (* Note: I made up the name "DirectMail". It's not a real trade mark :-) Stuart Cheshire * Wizard Without Portfolio, Apple Computer From owner-zeroconf@merit.edu Mon May 8 21:58:19 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA26123 for ; Mon, 8 May 2000 21:58:19 -0400 (EDT) Received: by segue.merit.edu (Postfix) id CC5325E606; Mon, 8 May 2000 21:58:11 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id AEBC15E617; Mon, 8 May 2000 21:58:11 -0400 (EDT) Received: from mail-out2.apple.com (mail-out2.apple.com [17.254.0.51]) by segue.merit.edu (Postfix) with ESMTP id 6362C5E606 for ; Mon, 8 May 2000 21:58:10 -0400 (EDT) Received: from mailgate2.apple.com (A17-129-100-225.apple.com [17.129.100.225]) by mail-out2.apple.com (8.9.3/8.9.3) with ESMTP id SAA07942 for ; Mon, 8 May 2000 18:58:09 -0700 (PDT) Received: from scv3.apple.com (scv3.apple.com) by mailgate2.apple.com (Content Technologies SMTPRS 2.0.15) with ESMTP id ; Mon, 08 May 2000 18:58:03 -0700 Received: from [17.201.23.37] (chesh1.apple.com [17.201.23.37]) by scv3.apple.com (8.9.3/8.9.3) with SMTP id SAA22720; Mon, 8 May 2000 18:58:03 -0700 (PDT) Message-Id: <200005090158.SAA22720@scv3.apple.com> Subject: Re: 169.254/16 IP addresses Date: Mon, 8 May 2000 18:58:03 -0700 x-sender: cheshire@mail.apple.com x-mailer: Claris Emailer 2.0v3, January 22, 1998 From: Stuart Cheshire To: "Ralph Droms" , MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: owner-zeroconf@merit.edu Precedence: bulk >There is a small issue with DHCP server discovery related to zeroconf >addresses - after a host chooses a link-local autoconfig address, should >the host's DHCP client use 0.0.0.0 or the host's link-local address when >broadcasting to find a DHCP server? > >My guess would be 0.0.0.0 - either way, the choice ought to be documented >somewhere... > >- Ralph The problem here is not so much sending out the packet as it is receiving the reply. It is fairly easy with most IP stacks to spoof the outgoing source address, so that if the interface has address 169.254.1.2, you can nevertheless send out a packet that appears to come from source address 0.0.0.0. The problem is that when the DHCP server then unicasts a reply to address 17.1.2.3, most IP implementations will discard the packet because the destination address in the packet does not match the interface address. When the machine is booting and running DHCP and the interface has no address yet (i.e. the interface address is 0.0.0.0), the IP stack knows that 0.0.0.0 is "special", and it ought to be looking for DHCP replies even though they are apparently addressed to some other unknown destination address. When the machine trying to run DHCP on a "live" interface, this special hack in the IP code is no longer active. The workaround that Mac OS currently uses is to set the "broadcast reply" bit in the request, because broadcasts are received no matter what the interface address is, but some DHCP servers and some BOOTP relay agents do not honour the "broadcast reply" bit. I did try setting ciaddr in the DISCOVER packet to the current interface address, in the hope that the DHCP server might unicast its OFFER to that address instead, but to no avail. The only workaround I can think of is that the core IP stack need to know that UDP port 68 is "special", and if there is a listening client (or clients) on UDP port 68, packets addressed to that port need to be received, no matter what the destination IP address says. Stuart Cheshire * Wizard Without Portfolio, Apple Computer From owner-zeroconf@merit.edu Tue May 9 16:51:56 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA00694 for ; Tue, 9 May 2000 16:51:55 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 53D115DDD8; Tue, 9 May 2000 16:51:27 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 002385DE08; Tue, 9 May 2000 16:51:26 -0400 (EDT) Received: from proxy2.ba.best.com (proxy2.ba.best.com [206.184.139.14]) by segue.merit.edu (Postfix) with ESMTP id 1F4F75DDD8 for ; Tue, 9 May 2000 16:51:22 -0400 (EDT) Received: from kaipara.live.com (kaipara.live.com [206.86.37.12]) by proxy2.ba.best.com (8.9.3/8.9.2/best.out) with ESMTP id NAA00571 for ; Tue, 9 May 2000 13:50:46 -0700 (PDT) Message-Id: <4.3.1.20000509124250.00bcb540@shell7.ba.best.com> X-Sender: rsf@shell7.ba.best.com X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Tue, 09 May 2000 13:04:28 -0700 To: zeroconf@merit.edu From: Ross Finlayson Subject: Re: zeroconf security - conclusions In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-zeroconf@merit.edu Precedence: bulk At 08:20 AM 5/3/00, Erik Guttman wrote: > 0.3) The scenario in which these threats occur is 'remote access.' > As Jeff Schiller pointed out in Adelaide, there are social > mechanisms for security at home and between neighbors. The > real threat is the anonymous stranger attacking from afar. Jeff also made another good point at Adelaide: It may be acceptable (in some cases) for zeroconf systems be without security *initially*, but then require some minimal configuration soon afterwards to set security parameters. E.g., consider how a a user might set up a new, 'shrink-wrapped' network appliance (that he just bought from Wal-Mart, e.g.). One can imagine the user plugging the appliance into his home network and turning it on, and having it then be automatically reachable from his home's control center - i.e., "zeroconf". However, in order to continue to use the appliance, the user could then be required to 'configure' it from his control center - e.g., to set up keys. Only then would he be able to use the appliance's full functionality. I.e., "zeroconf" in this case would apply only to the device's ability to announce itself to the rest of the network after initially being turned on, and start up in "Here I am, but now I need to be configured" mode. Now it's true that this creates a window of vulnerability (between turning the device on and configuring it for security) where an attacker could intervene and (mis)configure the device for himself, but this may often be an acceptable threat. (This was the essence of Jeff's comment, I think.) Stepping back now and taking a wider view: I'm worried that this group may be biting off more than it can chew. I thought that one of the initial motivations for this working group (at least, as Stuart Cheshire described it) was the ability to easily, and without explicit configuration, form "ad hoc" networks of nodes that *aren't* connected to the global Internet - e.g., two or more friends meeting in a coffee shop with their wireless laptops and wanting to share data. In this sort of scenario, security is less of an issue. Perhaps we should begin by defining (& documenting) how non-Internet-connected "ad hoc" networks would work. This seems like a much easier task. Having done this, we could *then* continue on to defining how such networks could become connected to the global Internet... Ross. From owner-zeroconf@merit.edu Tue May 9 17:38:42 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA01357 for ; Tue, 9 May 2000 17:38:42 -0400 (EDT) Received: by segue.merit.edu (Postfix) id C64205DF22; Tue, 9 May 2000 17:36:49 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id BFBB35DE52; Tue, 9 May 2000 17:35:54 -0400 (EDT) Received: from mail-out1.apple.com (mail-out1.apple.com [17.254.0.52]) by segue.merit.edu (Postfix) with ESMTP id D93515E29D for ; Tue, 9 May 2000 17:33:43 -0400 (EDT) Received: from mailgate2.apple.com (A17-129-100-225.apple.com [17.129.100.225]) by mail-out1.apple.com (8.9.3/8.9.3) with ESMTP id OAA10461 for ; Tue, 9 May 2000 14:33:41 -0700 (PDT) Received: from scv3.apple.com (scv3.apple.com) by mailgate2.apple.com (Content Technologies SMTPRS 2.0.15) with ESMTP id for ; Tue, 09 May 2000 14:28:50 -0700 Received: from [17.201.23.37] (chesh1.apple.com [17.201.23.37]) by scv3.apple.com (8.9.3/8.9.3) with SMTP id OAA25739 for ; Tue, 9 May 2000 14:28:49 -0700 (PDT) Message-Id: <200005092128.OAA25739@scv3.apple.com> Subject: Re: zeroconf security - conclusions Date: Tue, 9 May 2000 14:28:48 -0700 x-sender: cheshire@mail.apple.com x-mailer: Claris Emailer 2.0v3, January 22, 1998 From: Stuart Cheshire To: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: owner-zeroconf@merit.edu Precedence: bulk >I.e., "zeroconf" in this case would apply only to the device's >ability to announce itself to the rest of the network after >initially being turned on, and start up in "Here I am, but >now I need to be configured" mode. This is a good point. I think one of the big uses of zeroconf is bootstrapping. My little 3COM router at home has physical security -- it is configured using a VT100 terminal plugged into its serial port. This is slow and clumsy and the serial port adds hardware cost to the device. My AirPort base station at home doesn't have a serial port. It is configured in the obvious sensible way -- using SNMP packets, over IP over wired (or wireless) Ethernet. Of course the first thing I did was configure a password to protect it. How did I communicate with it to set the password in the first place? Via zeroconf IP. If the thing had not arrived speaking IP out-of-the-box, then I would have needed some other way to communicate with it to set the password -- like the serial port on the 3COM router. Stuart Cheshire * Wizard Without Portfolio, Apple Computer From owner-zeroconf@merit.edu Tue May 9 17:40:17 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA01391 for ; Tue, 9 May 2000 17:40:17 -0400 (EDT) Received: by segue.merit.edu (Postfix) id D98395DDD4; Tue, 9 May 2000 17:39:03 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 4CE955DE21; Tue, 9 May 2000 17:38:59 -0400 (EDT) Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by segue.merit.edu (Postfix) with ESMTP id D24BD5DDE5 for ; Tue, 9 May 2000 17:37:01 -0400 (EDT) Received: from SERVER ([63.199.7.253]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with SMTP id <0FUB00I30AGGKP@mta6.snfc21.pbi.net> for ZeroConf@Merit.edu; Tue, 9 May 2000 14:31:28 -0700 (PDT) Date: Tue, 09 May 2000 14:28:07 -0700 From: Peter Johansson Subject: Re: zeroconf security - conclusions In-reply-to: <4.3.1.20000509124250.00bcb540@shell7.ba.best.com> X-Sender: Celeborn@PacBell.net To: Zero Configuration Message-id: <3.0.5.32.20000509142807.0096fd90@PacBell.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Content-type: text/plain; charset="us-ascii" References: Sender: owner-zeroconf@merit.edu Precedence: bulk At 01:04 PM 5/9/00 -0700, Ross Finlayson wrote: <> If there's some way for the "proper" source of configuration to detect whether or not tampering has occurred in that window and if there's some easy way for a consumer to reset the device so as to undo the tampering, then this might be workable. In an ideal world, it would be useful for a user to be able to temporarily "quarantine" her home network while configuring a new purchase. The concept of such a "sterile procedure" should not be too hard to explain in the user's guide that comes with the new product. I think that the ability, at times, to sever one's connection with the larger Internet (perhaps to run a diagnostic from the "zero" configuration control center) would be useful. Regards, Peter Johansson Congruent Software, Inc. 98 Colorado Avenue Berkeley, CA 94707 (510) 527-3926 (510) 527-3856 FAX PJohansson@ACM.org From owner-zeroconf@merit.edu Tue May 9 22:37:24 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA06078 for ; Tue, 9 May 2000 22:37:24 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 9615B5DDA1; Tue, 9 May 2000 22:37:17 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 7741A5DDD2; Tue, 9 May 2000 22:37:17 -0400 (EDT) Received: from ids2.idsonline.com (ids2.idsonline.com [205.177.236.32]) by segue.merit.edu (Postfix) with ESMTP id 1B3C85DDA1 for ; Tue, 9 May 2000 22:37:16 -0400 (EDT) Received: from 21rst-century.com (dc-csesp92.idsonline.com [207.176.21.92]) by ids2.idsonline.com (8.9.1/8.6.9) with ESMTP id WAA27652; Tue, 9 May 2000 22:47:49 -0400 Message-ID: <3918CB4D.EEC6D50D@21rst-century.com> Date: Tue, 09 May 2000 22:37:00 -0400 From: Thomas Marshall Eubanks Reply-To: tme@21rst-century.com X-Mailer: Mozilla 4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC) X-Accept-Language: en MIME-Version: 1.0 To: Ross Finlayson Cc: zeroconf@merit.edu Subject: Re: zeroconf security - conclusions References: <4.3.1.20000509124250.00bcb540@shell7.ba.best.com> Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353" Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Ross Finlayson wrote: > At 08:20 AM 5/3/00, Erik Guttman wrote: > > 0.3) The scenario in which these threats occur is 'remote access.' > > As Jeff Schiller pointed out in Adelaide, there are social > > mechanisms for security at home and between neighbors. The > > real threat is the anonymous stranger attacking from afar. I can just wait for the divorce cases where, in addition to cleaning out the bank account, the disaffected spouse sets the radio to change channels every 30 seconds, the TV to only play porn, and all of the kitchen appliances to fail at 1:30 in the afternoon on Thanksgiving, (I have seen worse happen in real divorce cases...) > > > Jeff also made another good point at Adelaide: It may be acceptable (in > some cases) for zeroconf systems be without security *initially*, but then > require some minimal configuration soon afterwards to set security parameters. > > E.g., consider how a a user might set up a new, 'shrink-wrapped' network > appliance (that he just bought from Wal-Mart, e.g.). One can imagine the > user plugging the appliance into his home network and turning it on, and > having it then be automatically reachable from his home's control center - > i.e., "zeroconf". However, in order to continue to use the appliance, the > user could then be required to 'configure' it from his control center - > e.g., to set up keys. Only then would he be able to use the appliance's > full functionality. This would definitely fail the "my mother" test (i.e., a zero config device should be simple enough for < insert name of favorite older relative > to use). I suspect that my actual mother would either not do it, or would call in an expert. Also, does this mean that such a device would require reconfiguration every time it was moved from one net to another ? If I take my radio on vacation, I have to re-enter a password ?!? > > > I.e., "zeroconf" in this case would apply only to the device's ability to > announce itself to the rest of the network after initially being turned on, > and start up in "Here I am, but now I need to be configured" mode. Now > it's true that this creates a window of vulnerability (between turning the > device on and configuring it for security) where an attacker could > intervene and (mis)configure the device for himself, but this may often be > an acceptable threat. (This was the essence of Jeff's comment, I think.) > > Stepping back now and taking a wider view: I'm worried that this group may > be biting off more than it can chew. I thought that one of the initial > motivations for this working group (at least, as Stuart Cheshire described > it) was the ability to easily, and without explicit configuration, form "ad > hoc" networks of nodes that *aren't* connected to the global Internet - > e.g., two or more friends meeting in a coffee shop with their wireless > laptops and wanting to share data. In this sort of scenario, security is > less of an issue. > > Perhaps we should begin by defining (& documenting) how > non-Internet-connected "ad hoc" networks would work. This seems like a > much easier task. Having done this, we could *then* continue on to > defining how such networks could become connected to the global Internet... > I would agree with this, especially as I suspect that the real security concerns will only become obvious with time. > > Ross. -- Regards Marshall Eubanks T.M. Eubanks Multicast Technologies, Inc 10301 Democracy Lane, Suite 410 Fairfax, Virginia 22030 Phone : 703-293-9624 Fax : 703-293-9609 e-mail : tme@21rst-century.com From owner-zeroconf@merit.edu Wed May 10 02:37:40 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA19822 for ; Wed, 10 May 2000 02:37:40 -0400 (EDT) Received: by segue.merit.edu (Postfix) id CDB165DDD6; Wed, 10 May 2000 02:37:30 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id A5DDF5DDD4; Wed, 10 May 2000 02:37:30 -0400 (EDT) Received: from motgate2.mot.com (motgate2.mot.com [136.182.1.10]) by segue.merit.edu (Postfix) with ESMTP id 9A9065DE9F for ; Wed, 10 May 2000 02:37:26 -0400 (EDT) Received: [from pobox.mot.com (pobox.mot.com [129.188.137.100]) by motgate2.mot.com (motgate2 2.1) with ESMTP id XAA26528; Tue, 9 May 2000 23:37:25 -0700 (MST)] Received: [from homer.arc.corp.mot.com (homer.arc.corp.mot.com [217.1.10.38]) by pobox.mot.com (MOT-pobox 2.0) with ESMTP id XAA23719; Tue, 9 May 2000 23:37:22 -0700 (MST)] Received: from motorola.com (swerve.arc.corp.mot.com [217.1.10.63]) by homer.arc.corp.mot.com (8.9.3/8.9.3) with ESMTP id QAA21299; Wed, 10 May 2000 16:37:10 +1000 (EST) Message-ID: <39190395.33882114@motorola.com> Date: Wed, 10 May 2000 16:37:09 +1000 From: Aidan Williams X-Mailer: Mozilla 4.7 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Peter Johansson Cc: Zero Configuration Subject: Re: zeroconf security - conclusions References: <007d01bfb6a6$fbb6f0c0$428939cc@ntdev.microsoft.com> <3.0.5.32.20000505144443.00905cb0@PacBell.net> Content-Type: multipart/mixed; boundary="------------EDDC3EE334D6D0F107ABD576" Sender: owner-zeroconf@merit.edu Precedence: bulk This is a multi-part message in MIME format. --------------EDDC3EE334D6D0F107ABD576 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Peter Johansson wrote: > > At 05:03 PM 5/5/00 -0400, Steve Hanna wrote: > > < For IPSEC, I guess that means manual keying, probably using a group key > shared by all zeroconf devices in the zeroconf domain.>> > > What does "manual keying" implicitly require of a low-end device's user > interface capabilities? > For symmetric keys, you need a way of getting the key to your devices without other people being about to snarf a copy as it goes by. If you have lots of devices on a network sharing the same symmetric key, and you transfer the key over the network each time you configure a new device, the risk of someone grabbing a copy of the key goes up. It becomes a waiting game, and someone will write the equivalent of a password sniffer which will do the waiting for you. My feeling is that manual keying really means that device devices will use contact/touch/a wire or a really short range wireless link to provide an out-of-band channel over which manual keying can be performed. People aren't going to type in strings of hex digits, and besides, where's the keyboard? regards aidan ____ :wq! --------------EDDC3EE334D6D0F107ABD576 Content-Type: text/x-vcard; charset=us-ascii; name="Aidan.Williams.vcf" Content-Description: Card for Aidan Williams Content-Disposition: attachment; filename="Aidan.Williams.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Williams;Aidan tel;fax:+61 2 9666 0501 tel;work:+61 2 9666 0649 x-mozilla-html:FALSE url:http://www.arc.corp.mot.com/ org:Motorola Australian Research Centre;Scalable Commodity Internet Laboratory version:2.1 email;internet:Aidan.Williams@motorola.com title:Senior Research Engineer adr;quoted-printable:;;(Not mailing address)=0D=0ALevel 3, 12 Lord Street;Botany;NSW;2019;Australia note;quoted-printable:Mailing address is:=0D=0A=0D=0AAidan Williams=0D=0ALocked Bag 5028=0D=0ABotany NSW 1455=0D=0A fn:Aidan Williams end:vcard --------------EDDC3EE334D6D0F107ABD576-- From owner-zeroconf@merit.edu Wed May 10 02:56:16 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA19932 for ; Wed, 10 May 2000 02:56:15 -0400 (EDT) Received: by segue.merit.edu (Postfix) id C81D85DE99; Wed, 10 May 2000 02:55:33 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id AFFA15DE98; Wed, 10 May 2000 02:55:33 -0400 (EDT) Received: from motgate2.mot.com (motgate2.mot.com [136.182.1.10]) by segue.merit.edu (Postfix) with ESMTP id B4C9C5DE92 for ; Wed, 10 May 2000 02:55:30 -0400 (EDT) Received: [from mothost.mot.com (mothost.mot.com [129.188.137.101]) by motgate2.mot.com (motgate2 2.1) with ESMTP id XAA03390; Tue, 9 May 2000 23:55:29 -0700 (MST)] Received: [from homer.arc.corp.mot.com (homer.arc.corp.mot.com [217.1.10.38]) by mothost.mot.com (MOT-mothost 2.0) with ESMTP id XAA16043; Tue, 9 May 2000 23:55:26 -0700 (MST)] Received: from motorola.com (swerve.arc.corp.mot.com [217.1.10.63]) by homer.arc.corp.mot.com (8.9.3/8.9.3) with ESMTP id QAA21676; Wed, 10 May 2000 16:55:13 +1000 (EST) Message-ID: <391907D0.80C1C21F@motorola.com> Date: Wed, 10 May 2000 16:55:12 +1000 From: Aidan Williams X-Mailer: Mozilla 4.7 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Stuart Cheshire Cc: zeroconf@merit.edu Subject: Re: zeroconf security - conclusions References: <200005092128.OAA25739@scv3.apple.com> Content-Type: multipart/mixed; boundary="------------ED22DFF04F80762CBA59BF52" Sender: owner-zeroconf@merit.edu Precedence: bulk This is a multi-part message in MIME format. --------------ED22DFF04F80762CBA59BF52 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Stuart Cheshire wrote: > My AirPort base station at home doesn't have a serial port. It is > configured in the obvious sensible way -- using SNMP packets, over IP > over wired (or wireless) Ethernet. Of course the first thing I did was > configure a password to protect it. How did I communicate with it to set > the password in the first place? Via zeroconf IP. If the thing had not > arrived speaking IP out-of-the-box, then I would have needed some other > way to communicate with it to set the password -- like the serial port on > the 3COM router. > I take your point that it is better not to need an out-of-band configuration mechanism (like a terminal+cable). However, it still seems to be the case that someone with a wavelan card can see all your packets, and can therefore grab your SNMP community string, and can therefore reconfigure your gateway (assuming of course that you have reason to talk to the thing after you set it up). Doing the setup over a wire gives you physical security as you allude to. Doing it over wireless reduces or removes that security. Do you use L2 encryption? If so, how was that configured? regards aidan ____ :wq! --------------ED22DFF04F80762CBA59BF52 Content-Type: text/x-vcard; charset=us-ascii; name="Aidan.Williams.vcf" Content-Description: Card for Aidan Williams Content-Disposition: attachment; filename="Aidan.Williams.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Williams;Aidan tel;fax:+61 2 9666 0501 tel;work:+61 2 9666 0649 x-mozilla-html:FALSE url:http://www.arc.corp.mot.com/ org:Motorola Australian Research Centre;Scalable Commodity Internet Laboratory version:2.1 email;internet:Aidan.Williams@motorola.com title:Senior Research Engineer adr;quoted-printable:;;(Not mailing address)=0D=0ALevel 3, 12 Lord Street;Botany;NSW;2019;Australia note;quoted-printable:Mailing address is:=0D=0A=0D=0AAidan Williams=0D=0ALocked Bag 5028=0D=0ABotany NSW 1455=0D=0A fn:Aidan Williams end:vcard --------------ED22DFF04F80762CBA59BF52-- From owner-zeroconf@merit.edu Wed May 10 08:50:06 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA24819 for ; Wed, 10 May 2000 08:50:06 -0400 (EDT) Received: by segue.merit.edu (Postfix) id EA8A55DD90; Wed, 10 May 2000 08:49:16 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id AAEA95DDE5; Wed, 10 May 2000 08:49:16 -0400 (EDT) Received: from relay1.trustworks.com (zuka.trustworks.com [212.114.5.147]) by segue.merit.edu (Postfix) with ESMTP id 9970F5DD90 for ; Wed, 10 May 2000 08:49:14 -0400 (EDT) Received: by relay1.trustworks.com (8.8.5/1.5) id QAA28722; Wed, 10 May 2000 16:49:10 +0400 (MSD) Message-Id: <200005101249.QAA28722@relay1.trustworks.com> Received: from svan-pc(212.114.5.100) by zuka via smap (V2.0) id xma028669; Wed, 10 May 00 16:48:28 +0400 From: "Valery Smyslov" Organization: TWS To: zeroconf@merit.edu Date: Wed, 10 May 2000 16:48:20 +0400 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: draft-cheshire-ipv4-linklocal-00.txt X-mailer: Pegasus Mail for Win32 (v3.12b) Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7BIT Hi, I have some doubts whether configuration with hosts having same IP addresses on the different links described on page 7 (figure 2) is workable. The problem is that even TCP connections can unambiguously be distinguished in this case by the source and destination addresses and port numbers, the outgoing interface for packets leaving host A will still be determined using destination IP address only (by consulting host's A routing table) in IP stacks exploiting "weak end system" model (in RFC1122 terms). So, host A will always send its packets destined to address R to only one host, either B or C depending on its routing table content and independent on which interface packets from R were received and to which address, P or Q they were destined. This configuration might work with "strong end system" model, but it is a bit different than simply distinguishing TCP connections based on both local and remote addresses and ports and, I think, it should be mentioned in the draft. BTW, most of OS I am aware about exploit "weak end system" model. Sorry if this was discussed before. Regards, Valera. From owner-zeroconf@merit.edu Wed May 10 13:06:16 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA00076 for ; Wed, 10 May 2000 13:06:16 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 906685DE63; Wed, 10 May 2000 13:01:59 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 2B78A5DE39; Wed, 10 May 2000 13:01:29 -0400 (EDT) Received: from lukla.Sun.COM (lukla.Sun.COM [192.18.98.31]) by segue.merit.edu (Postfix) with ESMTP id B55AA5DDA9 for ; Wed, 10 May 2000 12:58:23 -0400 (EDT) Received: from eastmail1.East.Sun.COM ([129.148.1.240]) by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id KAA07851; Wed, 10 May 2000 10:58:18 -0600 (MDT) Received: from sunlabs.East.Sun.COM (sunlabs-74.East.Sun.COM [129.148.74.250]) by eastmail1.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id MAA29357; Wed, 10 May 2000 12:58:14 -0400 (EDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.1) with ESMTP id MAA15543; Wed, 10 May 2000 12:58:11 -0400 (EDT) Message-ID: <39199453.7BE534A4@sun.com> Date: Wed, 10 May 2000 12:54:43 -0400 From: Steve Hanna Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Peter Johansson Cc: Zero Configuration Subject: Re: zeroconf security - conclusions References: <3.0.5.32.20000509142807.0096fd90@PacBell.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Peter Johansson wrote: > In an ideal world, it would be useful for a user to be able to temporarily > "quarantine" her home network while configuring a new purchase. The concept > of such a "sterile procedure" should not be too hard to explain in the > user's guide that comes with the new product. I think that the ability, at > times, to sever one's connection with the larger Internet (perhaps to run a > diagnostic from the "zero" configuration control center) would be useful. Quarantining a *wireless* network isn't easy. As Aidan Williams wrote, > For symmetric keys, you need a way of getting the key > to your devices without other people being about to > snarf a copy as it goes by. > > > > My feeling is that manual keying really means that > device devices will use contact/touch/a wire or a really > short range wireless link to provide an out-of-band channel > over which manual keying can be performed. > > People aren't going to type in strings of hex digits, > and besides, where's the keyboard? Establishing keys on a temporary secure net (like a wire) is a good idea. You bring home your toaster, plug the AC plug into your home controller's special outlet, and it gives the manual key to the toaster. Alternatively, the toaster could come with a sealed slip of paper printed with a barcoded secret. You scan the barcode into your home controller, which encrypts the manual key with the barcoded secret and sends the result to the toaster. This transmission can happen in the clear. This makes it easy to rekey (when merging nets or when the manual key has been compromised) and it also avoids the need for the temporary secure net (the wire), which may reduce cost by reducing the number of interfaces needed. The barcoded secret acts as a device master key. -Steve From owner-zeroconf@merit.edu Wed May 10 13:11:29 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA00154 for ; Wed, 10 May 2000 13:11:29 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 089175DF67; Wed, 10 May 2000 13:01:59 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id BAD4A5DE3F; Wed, 10 May 2000 13:01:28 -0400 (EDT) Received: from lukla.Sun.COM (lukla.Sun.COM [192.18.98.31]) by segue.merit.edu (Postfix) with ESMTP id 361955DE39 for ; Wed, 10 May 2000 12:57:59 -0400 (EDT) Received: from eastmail1.East.Sun.COM ([129.148.1.240]) by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id KAA07353; Wed, 10 May 2000 10:57:44 -0600 (MDT) Received: from sunlabs.East.Sun.COM (sunlabs.East.Sun.COM [129.148.75.250]) by eastmail1.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id MAA29219; Wed, 10 May 2000 12:57:39 -0400 (EDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.1) with ESMTP id MAA15518; Wed, 10 May 2000 12:57:35 -0400 (EDT) Message-ID: <3919942F.25D4A259@sun.com> Date: Wed, 10 May 2000 12:54:07 -0400 From: Steve Hanna Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Ross Finlayson Cc: zeroconf@merit.edu Subject: Re: zeroconf security - conclusions References: <4.3.1.20000509124250.00bcb540@shell7.ba.best.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Ross Finlayson wrote: > ... two or more friends meeting in a coffee shop with their wireless > laptops and wanting to share data. In this sort of scenario, security is > less of an issue. Not if there are any nasty folks lurking about, using their own wireless laptops to snoop traffic. -Steve From owner-zeroconf@merit.edu Wed May 10 14:33:40 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA01883 for ; Wed, 10 May 2000 14:33:40 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 58D2F5DE1C; Wed, 10 May 2000 14:32:54 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 45D395DE1B; Wed, 10 May 2000 14:32:54 -0400 (EDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id D30AA5DDBB for ; Wed, 10 May 2000 14:32:52 -0400 (EDT) Received: from eastmail2.East.Sun.COM ([129.148.1.241]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id LAA16432; Wed, 10 May 2000 11:32:47 -0700 (PDT) Received: from sunlabs.East.Sun.COM (sunlabs.East.Sun.COM [129.148.75.250]) by eastmail2.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id OAA27097; Wed, 10 May 2000 14:32:45 -0400 (EDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.1) with ESMTP id OAA23115; Wed, 10 May 2000 14:32:39 -0400 (EDT) Message-ID: <3919AB60.E5B9A4F8@sun.com> Date: Wed, 10 May 2000 14:33:04 -0400 From: Steve Hanna Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: tme@21rst-century.com Cc: Ross Finlayson , zeroconf@merit.edu Subject: Re: zeroconf security - conclusions References: <4.3.1.20000509124250.00bcb540@shell7.ba.best.com> <3918CB4D.EEC6D50D@21rst-century.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Thomas Marshall Eubanks wrote: > Ross Finlayson wrote: > > Jeff also made another good point at Adelaide: It may be acceptable (in > > some cases) for zeroconf systems be without security *initially*, but then > > require some minimal configuration soon afterwards to set security parameters. > > > > E.g., consider how a a user might set up a new, 'shrink-wrapped' network > > appliance (that he just bought from Wal-Mart, e.g.). One can imagine the > > user plugging the appliance into his home network and turning it on, and > > having it then be automatically reachable from his home's control center - > > i.e., "zeroconf". However, in order to continue to use the appliance, the > > user could then be required to 'configure' it from his control center - > > e.g., to set up keys. Only then would he be able to use the appliance's > > full functionality. > > This would definitely fail the "my mother" test (i.e., a zero config device > should be simple enough for < insert name of favorite older relative > to > use). I suspect that my actual mother would either not do it, or > would call in an expert. I believe that we will need to accept that some (most?) devices will ship with zeroconf security turned off. And many users will not turn on zeroconf security until they see a need (after they are burned, probably). Some devices (especially safety-critical devices) may disable zeroconf networking until security has been configured (allowing only direct control of the devices), but many devices (such as radios) will probably allow non-secured zeroconf by default. Most people don't read manuals. They pick up a device and plug it in. If it doesn't work (or they can't figure out how to use it), they return it. Zeroconf networking will have to work the same way or only nerds will use it. Security requires *some* configuration (as we've seen). So security will need to be off by default or the devices won't sell. -Steve From owner-zeroconf@merit.edu Wed May 10 15:25:45 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA02697 for ; Wed, 10 May 2000 15:25:44 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 766F15DDB8; Wed, 10 May 2000 15:25:33 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 64C235DDA9; Wed, 10 May 2000 15:25:33 -0400 (EDT) Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by segue.merit.edu (Postfix) with ESMTP id 47E825DDA1 for ; Wed, 10 May 2000 15:25:32 -0400 (EDT) Received: from SERVER ([63.199.7.253]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with SMTP id <0FUC00IKSYQG9D@mta6.snfc21.pbi.net> for ZeroConf@Merit.edu; Wed, 10 May 2000 12:13:29 -0700 (PDT) Date: Wed, 10 May 2000 12:09:24 -0700 From: Peter Johansson Subject: Re: zeroconf security - conclusions In-reply-to: <3919AB60.E5B9A4F8@sun.com> X-Sender: Celeborn@PacBell.net To: Zero Configuration Message-id: <3.0.5.32.20000510120924.0097a760@PacBell.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Content-type: text/plain; charset="us-ascii" References: <4.3.1.20000509124250.00bcb540@shell7.ba.best.com> <3918CB4D.EEC6D50D@21rst-century.com> Sender: owner-zeroconf@merit.edu Precedence: bulk At 02:33 PM 5/10/00 -0400, Steve Hanna wrote: <> While I can't disagree with your premises, I very much disagree with your conclusion. We have an obligation not to expose users to hazards, whether the user is naive or not. Setting security off by default is an invitation to product liability lawsuits. One such has already been initiated against Pacific Bell / Pacific Bell Internet for its alleged failure to warn customers of the security risks inherent in a 24/7 DSSL connection. Regards, Peter Johansson Congruent Software, Inc. 98 Colorado Avenue Berkeley, CA 94707 (510) 527-3926 (510) 527-3856 FAX PJohansson@ACM.org From owner-zeroconf@merit.edu Wed May 10 18:07:00 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA04328 for ; Wed, 10 May 2000 18:07:00 -0400 (EDT) Received: by segue.merit.edu (Postfix) id EF3B55DDAF; Wed, 10 May 2000 18:06:52 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id DDB7F5DDAC; Wed, 10 May 2000 18:06:52 -0400 (EDT) Received: from thalia.fm.intel.com (thalia.fm.intel.com [132.233.247.11]) by segue.merit.edu (Postfix) with ESMTP id 8026F5DDAB for ; Wed, 10 May 2000 18:06:51 -0400 (EDT) Received: from SMTP (fmsmsxvs05-1.fm.intel.com [132.233.42.205]) by thalia.fm.intel.com (8.9.1a+p1/8.9.1/d: relay.m4,v 1.28 2000/05/06 00:07:11 dmccart Exp $) with SMTP id WAA08048 for ; Wed, 10 May 2000 22:07:39 GMT Received: from fmsmsx28.FM.INTEL.COM ([132.233.48.28]) by 132.233.48.205 (Norton AntiVirus for Internet Email Gateways 1.0) ; Wed, 10 May 2000 22:06:50 0000 (GMT) Received: by fmsmsx28.fm.intel.com with Internet Mail Service (5.5.2448.0) id ; Wed, 10 May 2000 15:06:49 -0700 Message-ID: <4148FEAAD879D311AC5700A0C969E8904F299F@orsmsx35.jf.intel.com> From: "Hattig, Myron" To: zeroconf@merit.edu Subject: RE: 169.254/16 IP addresses Date: Wed, 10 May 2000 15:06:43 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="windows-1252" Sender: owner-zeroconf@merit.edu Precedence: bulk Hi Stuart, I'm not sure your question below is the key question or not because it does not provide any insight as to why we should or should not NAT link-local IP addresses. Sorry but I don't see how your suggested mod to your draft ;-) adds any weight (pro or con) to the debate. There has been no clearly stated reason to preclude NATing link-local addresses. NATing link-local addresses does not harm end-points nor end-to-end communication any more or less than any other NATed address. -myron > -----Original Message----- > From: Stuart Cheshire [mailto:cheshire@apple.com] > Sent: Monday, May 08, 2000 6:04 PM > To: zeroconf@merit.edu > Subject: Re: 169.254/16 IP addresses > > > >Of course, as others have pointed out, declaring that one > MUST NOT NAT > >such addresses is probably out-of-scope and pointless (i.e., it will > >be ignored). What would be good of course, is to document the > >potential dangers that lurk when NATting such addresses. > > Wow! I've been away, and it took me a while to catch up. > > Here is the key question about whether you can use NAT with > 169.254/16 IP > addresses: Can a packet with a 169.254 source address *EVER* > be sent to a > non-169.254 destination address? As currently written, > draft-cheshire-ipv4-linklocal-00.txt says not. It says: > > >A host SHOULD NOT establish communications from a global source > >address to a link-local destination address, or vice versa. > >Link-local addresses should only be used for communication with > >other link-local addresses on the same link. > > A host complying with this requirement would simply refuse to > generate a > packet with a 169.254 source address and a global destination > address, so > the NAT gateway would simply not get the opportunity to translate the > packet, because the packet would never exist. > > This is a tricky question. How does the host know that there's a NAT > gateway out there? If a host sends out a packet from 169.254.1.2 to > 17.254.0.91, and there is no NAT gateway, then the host will > never get a > reply. On the other hand, does it really hurt to try? > > On considering all the arguments, I think I'll revise > draft-cheshire-ipv4-linklocal-00.txt to say that a multi-homed host > should always *prefer* a non-169.254 source address when sending to a > non-169.254 destination, but if a host *only* has a 169.254 > address, then > it MAY use ARP to resolve all addresses, and send packets > with 169.254 > source addresses to any destination address for which it gets an ARP > reply. > > This means that a vendor could make a NAT gateway that issues > proxy-ARP > replies for all (non-169.254) addresses, and a host using > self-configured > link-local addresses would transparently work that that device. > > It also means that a device which doesn't have a 169.254 address can > still communicate with 169.254 devices on the same physical > link, as long > as it is prepared to answer ARP requests from 169.254 > devices, and send > IP packets to 169.254 destination addresses. > > Stuart Cheshire > * Wizard Without Portfolio, Apple Computer > > > From owner-zeroconf@merit.edu Wed May 10 19:02:07 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA04741 for ; Wed, 10 May 2000 19:02:06 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 970D25DDBB; Wed, 10 May 2000 19:01:23 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 533565DDDA; Wed, 10 May 2000 19:01:23 -0400 (EDT) Received: from baucis.sc.intel.com (baucis.sc.intel.com [143.183.152.22]) by segue.merit.edu (Postfix) with ESMTP id 6A37C5DDBB for ; Wed, 10 May 2000 19:01:20 -0400 (EDT) Received: from SMTP (fmsmsxvs03-1.fm.intel.com [132.233.42.203]) by baucis.sc.intel.com (8.9.1a+p1/8.9.1/d: relay.m4,v 1.28 2000/05/06 00:07:11 dmccart Exp $) with SMTP id QAA06756; Wed, 10 May 2000 16:01:18 -0700 (PDT) Received: from fmsmsx19.fm.intel.com ([132.233.48.19]) by 132.233.48.203 (Norton AntiVirus for Internet Email Gateways 1.0) ; Wed, 10 May 2000 23:01:18 0000 (GMT) Received: by fmsmsx19.fm.intel.com with Internet Mail Service (5.5.2448.0) id ; Wed, 10 May 2000 16:01:16 -0700 Message-ID: <4148FEAAD879D311AC5700A0C969E8904F29A0@orsmsx35.jf.intel.com> From: "Hattig, Myron" To: "'zeroconf@merit.edu'" , DHCPv4 discussion list Subject: RE: zeroconf and non-zeroconf scenarios Date: Wed, 10 May 2000 16:01:00 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="windows-1252" Sender: owner-zeroconf@merit.edu Precedence: bulk Sorry for the cross posting but ... > Although I said in my last message that a vendor COULD make a > NAT gateway > to work with self-configured link-local devices, that doesn't > necessarily > mean that I'm endorsing the idea. Bernard is right that if you're > building a NAT gateway, it makes more sense to put a simple > DHCP server > into it. Here's why I'm hesitating on assuming a home gateway will have a DHCP server: There is no such thing as a simple DHCP server. DHCP in home networks requires a server-to-server mechanism to choose which DHCP server is the "best". The current drafts on "mini-DHCP" and "server-to-sever" options are far too insufficient. Whatever options get defined may also require support on the DHCP client. For example, how will the client know to start using a new DHCP server unless it watches for the "server-to-server" option. Modifying the DHCP client makes one of the arguments for DHCP null-and-avoid, the argument is that using DHCP in home networks does not involve modifying DHCP clients. The alternative argument is that if you must modify clients, then just modify them to support a ZC autonet protocol. Here is the scenario to show why server-to-server negotiation is required: Someone hooks up two computers at home through shared internet access PC software such as Microsoft ICS, Intel Anypoint ISS, Winproxy. Two of these products include DHCP servers. One includes an install tool that configures link-local addresses (to be compatible with "autonet"ed addresses). Now someone purchases an xDSL gateway which also has a DHCP server but the person does know enough to uninstall the PC software. All the machines on the network continue to use the default route configured from DHCP server running on the PC, thus no traffic is ever routed through the xDSL gateway. Power-cycling the PCs ;-) may not even fix the problem. This will be a very common scenario that all gateway vendors (hardware and PC software) will have to address. An alternative is to only use link-local addresses on the LAN, then NAT them. At this point, I'm not strongly advocating one approach over another, (I'd like to see a clearly articulated home networking DHCP solution that also accounts for interaction between DNS server and DHCP server) but I think it is too soon to preclude NATing link-local addresses. I just want us to proceed cautiously. -myron From owner-zeroconf@merit.edu Wed May 10 19:18:39 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA04863 for ; Wed, 10 May 2000 19:18:39 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 58BF15DDBC; Wed, 10 May 2000 19:16:03 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 3856C5DDD5; Wed, 10 May 2000 19:16:03 -0400 (EDT) Received: from ganymede.or.intel.com (ganymede.or.intel.com [134.134.248.3]) by segue.merit.edu (Postfix) with ESMTP id 706D15DDBC for ; Wed, 10 May 2000 19:16:01 -0400 (EDT) Received: from SMTP (orsmsxvs01-1.jf.intel.com [192.168.65.200]) by ganymede.or.intel.com (8.9.1a+p1/8.9.1/d: relay.m4,v 1.28 2000/05/06 00:07:11 dmccart Exp $) with SMTP id QAA03852; Wed, 10 May 2000 16:16:00 -0700 (PDT) Received: from orsmsx28.jf.intel.com ([192.168.70.28]) by 192.168.70.200 (Norton AntiVirus for Internet Email Gateways 1.0) ; Wed, 10 May 2000 23:15:59 0000 (GMT) Received: by orsmsx28.jf.intel.com with Internet Mail Service (5.5.2448.0) id ; Wed, 10 May 2000 16:15:58 -0700 Message-ID: <4148FEAAD879D311AC5700A0C969E8904F29A1@orsmsx35.jf.intel.com> From: "Hattig, Myron" To: "'zeroconf@merit.edu'" , DHCPv4 discussion list Subject: RE: zeroconf and non-zeroconf scenarios Date: Wed, 10 May 2000 16:15:49 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="windows-1252" Sender: owner-zeroconf@merit.edu Precedence: bulk Typo on last msg. The text was: > Now someone purchases an xDSL gateway which also has a DHCP server > but the person does know enough to uninstall the PC software. The text should be: "but the person does NOT know" -myron From owner-zeroconf@merit.edu Thu May 11 08:34:46 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA25984 for ; Thu, 11 May 2000 08:34:45 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 4EF2E5DDA9; Thu, 11 May 2000 08:34:28 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 3C1135DD9C; Thu, 11 May 2000 08:34:28 -0400 (EDT) Received: from garlic.amaranth.net (garlic.amaranth.net [216.235.243.195]) by segue.merit.edu (Postfix) with ESMTP id EEC445DD92 for ; Thu, 11 May 2000 08:34:26 -0400 (EDT) Received: from senie.com (garlic.amaranth.net [216.235.243.195]) (authenticated) by garlic.amaranth.net (8.10.1/8.10.1) with ESMTP id e4BCYPx08205; Thu, 11 May 2000 08:34:25 -0400 Message-ID: <391AA8D0.DAF95543@senie.com> Date: Thu, 11 May 2000 08:34:24 -0400 From: Daniel Senie Organization: Amaranth Networks Inc. X-Mailer: Mozilla 4.72 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: "Hattig, Myron" Cc: zeroconf@merit.edu Subject: Re: 169.254/16 IP addresses References: <4148FEAAD879D311AC5700A0C969E8904F299F@orsmsx35.jf.intel.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit "Hattig, Myron" wrote: > > Hi Stuart, > > I'm not sure your question below is the key question or not because it does > not provide any insight as to why we should or should not NAT link-local IP > addresses. Sorry but I don't see how your suggested mod to your draft ;-) > adds any weight (pro or con) to the debate. I'm not sure if it really does. But he raises one issue we've discussed before... how to FIND the gateway. Stuart suggests the gateway could proxy-arp for addresses off the local LAN. This could be rather hostile to end-stations, I would think... the gateway would have to generate a proxy-arp for EVERY address an end station tries to reach that's off 169.254/16. This could result in a fairly large amount of traffic, and large ARP tables. It seems even uglier than using ICMP router discovery... > > There has been no clearly stated reason to preclude NATing link-local > addresses. NATing link-local addresses does not harm end-points nor > end-to-end communication any more or less than any other NATed address. It does, however, prevent the gateway from giving the end node any configuration information that may be required. This includes: - no default gateway (which is why we're talking about proxy arp and ICMP router discovery) - no name server information. It's going to be hard to browse the Internet with no DNS server. Some sort of service location protocol could, of course, help here. DHCP or manual configuration can convey many other parameters as well. The issue is that by trying to devise a method for using NAT on a block of IP addresses which are self-assigned, we lose access to a great deal of useful and needed information. The question I would ask is whether doing NAT on 169.254/16 is sufficiently important a function that we should also re-invent or substantially alter other mechanisms to attain this goal? Given every NAT box out there has DHCP server capabilities, it's not at all clear why it's worth the re-engineering effort. > > -----Original Message----- > > From: Stuart Cheshire [mailto:cheshire@apple.com] > > Sent: Monday, May 08, 2000 6:04 PM > > To: zeroconf@merit.edu > > Subject: Re: 169.254/16 IP addresses > > > > > > >Of course, as others have pointed out, declaring that one > > MUST NOT NAT > > >such addresses is probably out-of-scope and pointless (i.e., it will > > >be ignored). What would be good of course, is to document the > > >potential dangers that lurk when NATting such addresses. > > > > Wow! I've been away, and it took me a while to catch up. > > > > Here is the key question about whether you can use NAT with > > 169.254/16 IP > > addresses: Can a packet with a 169.254 source address *EVER* > > be sent to a > > non-169.254 destination address? As currently written, > > draft-cheshire-ipv4-linklocal-00.txt says not. It says: > > > > >A host SHOULD NOT establish communications from a global source > > >address to a link-local destination address, or vice versa. > > >Link-local addresses should only be used for communication with > > >other link-local addresses on the same link. > > > > A host complying with this requirement would simply refuse to > > generate a > > packet with a 169.254 source address and a global destination > > address, so > > the NAT gateway would simply not get the opportunity to translate the > > packet, because the packet would never exist. > > > > This is a tricky question. How does the host know that there's a NAT > > gateway out there? If a host sends out a packet from 169.254.1.2 to > > 17.254.0.91, and there is no NAT gateway, then the host will > > never get a > > reply. On the other hand, does it really hurt to try? > > > > On considering all the arguments, I think I'll revise > > draft-cheshire-ipv4-linklocal-00.txt to say that a multi-homed host > > should always *prefer* a non-169.254 source address when sending to a > > non-169.254 destination, but if a host *only* has a 169.254 > > address, then > > it MAY use ARP to resolve all addresses, and send packets > > with 169.254 > > source addresses to any destination address for which it gets an ARP > > reply. > > > > This means that a vendor could make a NAT gateway that issues > > proxy-ARP > > replies for all (non-169.254) addresses, and a host using > > self-configured > > link-local addresses would transparently work that that device. > > > > It also means that a device which doesn't have a 169.254 address can > > still communicate with 169.254 devices on the same physical > > link, as long > > as it is prepared to answer ARP requests from 169.254 > > devices, and send > > IP packets to 169.254 destination addresses. > > > > Stuart Cheshire > > * Wizard Without Portfolio, Apple Computer > > > > > > -- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com From owner-zeroconf@merit.edu Thu May 11 10:27:36 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA28825 for ; Thu, 11 May 2000 10:27:35 -0400 (EDT) Received: by segue.merit.edu (Postfix) id A6B635DDA5; Thu, 11 May 2000 10:27:25 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 94C5B5DD9D; Thu, 11 May 2000 10:27:25 -0400 (EDT) Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by segue.merit.edu (Postfix) with ESMTP id 5C3135DD90 for ; Thu, 11 May 2000 10:27:24 -0400 (EDT) Received: [from mothost.mot.com (mothost.mot.com [129.188.137.101]) by motgate.mot.com (motgate 2.1) with ESMTP id HAA08656 for ; Thu, 11 May 2000 07:27:23 -0700 (MST)] Received: [from noah.dma.isg.mot.com (noah.dma.isg.mot.com [150.21.2.29]) by mothost.mot.com (MOT-mothost 2.0) with ESMTP id HAA01390 for ; Thu, 11 May 2000 07:27:22 -0700 (MST)] Received: from dma.isg.mot.com (nrlab-10.dma.isg.mot.com [150.21.50.48]) by noah.dma.isg.mot.com (8.8.8+Sun/8.8.8) with ESMTP id KAA16925 for ; Thu, 11 May 2000 10:27:22 -0400 (EDT) Message-Id: <200005111427.KAA16925@noah.dma.isg.mot.com> To: zeroconf@merit.edu Subject: Re: zeroconf security - conclusions In-reply-to: Your message of "Wed, 10 May 2000 14:33:04 EDT." <3919AB60.E5B9A4F8@sun.com> Date: Thu, 11 May 2000 10:27:22 -0400 From: "Donald E. Eastlake 3rd" Sender: owner-zeroconf@merit.edu Precedence: bulk I think this is an oversimplification. You can get better security with more configuration but some threats can be defeated with lower levels of security. You can defend against passive eavesdropping with unauthenticated Diffie-Hellman and it even helps a lot against spoofing if it is difficult for the attacker to achieve a man-in-the-middle status. How much "configuration" is impractical for "my mother"? Would an alert when a new device appears on the net asking the yes/no question of whether you just turned on or plugged in such a device be too much? I wouldn't think so. Donald From: Steve Hanna Message-ID: <3919AB60.E5B9A4F8@sun.com> Date: Wed, 10 May 2000 14:33:04 -0400 Organization: Sun Microsystems, Inc. References: <4.3.1.20000509124250.00bcb540@shell7.ba.best.com> <3918CB4D.EEC6D50D@21 rst-century.com> >> ... >> >> This would definitely fail the "my mother" test (i.e., a zero config device >> should be simple enough for < insert name of favorite older relative > to >> use). I suspect that my actual mother would either not do it, or >> would call in an expert. > >I believe that we will need to accept that some (most?) devices will >ship with zeroconf security turned off. And many users will not turn on >zeroconf security until they see a need (after they are burned, >probably). Some devices (especially safety-critical devices) may disable >zeroconf networking until security has been configured (allowing only >direct control of the devices), but many devices (such as radios) will >probably allow non-secured zeroconf by default. > >Most people don't read manuals. They pick up a device and plug it in. If >it doesn't work (or they can't figure out how to use it), they return >it. Zeroconf networking will have to work the same way or only nerds >will use it. Security requires *some* configuration (as we've seen). So >security will need to be off by default or the devices won't sell. > >-Steve From owner-zeroconf@merit.edu Thu May 11 18:43:31 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA09717 for ; Thu, 11 May 2000 18:43:31 -0400 (EDT) Received: by segue.merit.edu (Postfix) id CB8505DE16; Thu, 11 May 2000 18:43:22 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id B4FB75DE17; Thu, 11 May 2000 18:43:22 -0400 (EDT) Received: from ids2.idsonline.com (ids2.idsonline.com [205.177.236.32]) by segue.merit.edu (Postfix) with ESMTP id 53E3D5DE16 for ; Thu, 11 May 2000 18:43:21 -0400 (EDT) Received: from 21rst-century.com (dc-csesp179.idsonline.com [207.176.21.179]) by ids2.idsonline.com (8.9.1/8.6.9) with ESMTP id SAA15644; Thu, 11 May 2000 18:53:49 -0400 Message-ID: <391B3783.367DC18C@21rst-century.com> Date: Thu, 11 May 2000 18:43:16 -0400 From: Thomas Marshall Eubanks Reply-To: tme@21rst-century.com X-Mailer: Mozilla 4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC) X-Accept-Language: en MIME-Version: 1.0 To: "Donald E. Eastlake 3rd" Cc: zeroconf@merit.edu Subject: Re: zeroconf security - conclusions References: <200005111427.KAA16925@noah.dma.isg.mot.com> Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353" Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit "Donald E. Eastlake 3rd" wrote: > I think this is an oversimplification. You can get better security > with more configuration but some threats can be defeated with lower > levels of security. You can defend against passive eavesdropping with > unauthenticated Diffie-Hellman and it even helps a lot against > spoofing if it is difficult for the attacker to achieve a > man-in-the-middle status. > > How much "configuration" is impractical for "my mother"? Would an > alert when a new device appears on the net asking the yes/no question > of whether you just turned on or plugged in such a device be too much? > I wouldn't think so. > No, especially if it was an audible request and she could respond verbally :) It sounds like you assume the existence of a home "console" with (presumably) some sort of GUI. The people who have "12:00 " blinking on their VCRs will not pay attention to a home console. My (late) father NEVER read manuals - never. If it couldn't be figured out by inspection, it never got used. I agree with the sentiment that this group has bitten off more than it can (should) chew. I would suggest that : > zero config is not suitable for any home security device or any really non-benign device < and, conversely, > any non-benign device or home security gizmo will require some config < and > for some people, that will mean that they will have to call in an installer or other expert help. There is no way that you can have manual config so simple that some will not balk at it. < I would therefore suggest that security be put off till the next round. Regards Marshall P.S. I am convinced that there will be a major local industry of home device installation and configuration. I currently have a leaky pipe in my kitchen. I could (I hope) fix it, given some free hours. I could also make a mess. What I will do is call a plumber. I configured my own ISDN line, though. Having spent 3+ hours at a time on the phone with Bell Atlantic more than once in the process, I would certainly consider calling in a digital plumber if such existed. I give this about 3-4 years to become commonplace. Having a standardized "minimum-config" would really help this develop, and, therefore, will help people like my Mother to get web-enabled appliances. > > Donald > > From: Steve Hanna > Message-ID: <3919AB60.E5B9A4F8@sun.com> > Date: Wed, 10 May 2000 14:33:04 -0400 > Organization: Sun Microsystems, Inc. > References: <4.3.1.20000509124250.00bcb540@shell7.ba.best.com> <3918CB4D.EEC6D50D@21 > rst-century.com> > >> ... > >> > >> This would definitely fail the "my mother" test (i.e., a zero config device > >> should be simple enough for < insert name of favorite older relative > to > >> use). I suspect that my actual mother would either not do it, or > >> would call in an expert. > > > >I believe that we will need to accept that some (most?) devices will > >ship with zeroconf security turned off. And many users will not turn on > >zeroconf security until they see a need (after they are burned, > >probably). Some devices (especially safety-critical devices) may disable > >zeroconf networking until security has been configured (allowing only > >direct control of the devices), but many devices (such as radios) will > >probably allow non-secured zeroconf by default. > > > >Most people don't read manuals. They pick up a device and plug it in. If > >it doesn't work (or they can't figure out how to use it), they return > >it. Zeroconf networking will have to work the same way or only nerds > >will use it. Security requires *some* configuration (as we've seen). So > >security will need to be off by default or the devices won't sell. > > > >-Steve T.M. Eubanks Multicast Technologies, Inc 10301 Democracy Lane, Suite 410 Fairfax, Virginia 22030 Phone : 703-293-9624 Fax : 703-293-9609 e-mail : tme@21rst-century.com From owner-zeroconf@merit.edu Fri May 12 10:59:22 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA03384 for ; Fri, 12 May 2000 10:59:21 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 27AC35DDEA; Fri, 12 May 2000 10:58:43 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 0E79C5DDF1; Fri, 12 May 2000 10:58:42 -0400 (EDT) Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235]) by segue.merit.edu (Postfix) with ESMTP id D14185DDEA for ; Fri, 12 May 2000 10:58:40 -0400 (EDT) Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48]) by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id KAA22386; Fri, 12 May 2000 10:58:39 -0400 Received: from ludwigia.raleigh.ibm.com (ludwigia.raleigh.ibm.com [9.37.60.3]) by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id KAA29828; Fri, 12 May 2000 10:58:38 -0400 Received: from localhost.localdomain (IDENT:root@hygro.raleigh.ibm.com [9.37.60.90]) by ludwigia.raleigh.ibm.com (8.9.3/8.7/RTP-ral-1.0) with ESMTP id KAA00485; Fri, 12 May 2000 10:56:36 -0400 Received: from localhost.localdomain (IDENT:narten@localhost.localdomain [127.0.0.1]) by localhost.localdomain (8.9.3/8.9.3) with ESMTP id NAA00751; Thu, 11 May 2000 13:49:49 -0400 Message-Id: <200005111749.NAA00751@localhost.localdomain> To: Ross Finlayson Cc: zeroconf@merit.edu Subject: Re: zeroconf security - conclusions In-Reply-To: Message from Ross Finlayson of "Tue, 09 May 2000 13:04:28 PDT." <4.3.1.20000509124250.00bcb540@shell7.ba.best.com> Date: Thu, 11 May 2000 13:49:49 -0400 From: Thomas Narten Sender: owner-zeroconf@merit.edu Precedence: bulk > At 08:20 AM 5/3/00, Erik Guttman wrote: > > 0.3) The scenario in which these threats occur is 'remote access.' > > As Jeff Schiller pointed out in Adelaide, there are social > > mechanisms for security at home and between neighbors. The > > real threat is the anonymous stranger attacking from afar. > Jeff also made another good point at Adelaide: It may be acceptable > (in some cases) for zeroconf systems be without security > *initially*, but then require some minimal configuration soon > afterwards to set security parameters. > E.g., consider how a a user might set up a new, 'shrink-wrapped' > network appliance (that he just bought from Wal-Mart, e.g.). One > can imagine the user plugging the appliance into his home network > and turning it on, and having it then be automatically reachable > from his home's control center - i.e., "zeroconf". However, in > order to continue to use the appliance, the user could then be > required to 'configure' it from his control center - e.g., to set up > keys. Only then would he be able to use the appliance's full > functionality. This approach would seem to make sense because I can imagine it being usable by a real consumers. No, it is not "zero config", but I think we all understand the "zeroconfig" and "real security" don't go together. Of course, the 'configuration' that has to be done needs to be really easy for the end-user, but I think we (as protocol designers) can make this step easy enough that a GUI can do the rest. For example, your home LAN might have a "security manager". When the new device first connects things might go something like: 1) new device finds this manager, opens a connection to it, negotiates a session key (so that all remaining communication is encrypted and not sniffable), then the new device says "hi, I'm your new TV, may I connect to your network?". 2) A message appears somewhere on the users window saying "this new TV just appeared and wants you to allow it to connect to your network. Do you agree?" 3) User must click either "OK" or "No". All the grubby details about keys and such are hidden from the user. The user just clicks yes or no. Do folks think this can pass the "my mother" test? I think it can. There will of course be some education involved, but folks can be (indeed, must be) made to understand that "clicking OK" is the equivalent of giving out the combination to the lock on your network and all the machines connected to it. If you haven't bought a TV lately, click "no". Thomas From owner-zeroconf@merit.edu Fri May 12 10:59:24 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA03395 for ; Fri, 12 May 2000 10:59:24 -0400 (EDT) Received: by segue.merit.edu (Postfix) id DD3BF5DDCD; Fri, 12 May 2000 10:58:42 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id C738E5DDCC; Fri, 12 May 2000 10:58:42 -0400 (EDT) Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235]) by segue.merit.edu (Postfix) with ESMTP id 95F195DDCD for ; Fri, 12 May 2000 10:58:40 -0400 (EDT) Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48]) by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id KAA25712; Fri, 12 May 2000 10:58:39 -0400 Received: from ludwigia.raleigh.ibm.com (ludwigia.raleigh.ibm.com [9.37.60.3]) by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id KAA04224; Fri, 12 May 2000 10:58:38 -0400 Received: from localhost.localdomain (IDENT:root@hygro.raleigh.ibm.com [9.37.60.90]) by ludwigia.raleigh.ibm.com (8.9.3/8.7/RTP-ral-1.0) with ESMTP id KAA00480; Fri, 12 May 2000 10:56:35 -0400 Received: from localhost.localdomain (IDENT:narten@localhost.localdomain [127.0.0.1]) by localhost.localdomain (8.9.3/8.9.3) with ESMTP id NAA00786; Thu, 11 May 2000 13:55:50 -0400 Message-Id: <200005111755.NAA00786@localhost.localdomain> To: Erik Guttman Cc: zeroconf@merit.edu Subject: Re: zeroconf security - conclusions In-Reply-To: Message from Erik Guttman of "Wed, 03 May 2000 17:20:33 +0200." Date: Thu, 11 May 2000 13:55:50 -0400 From: Thomas Narten Sender: owner-zeroconf@merit.edu Precedence: bulk > 2.1) Hosts MUST implement a security mechanism (or mechanisms) to > protect against the following threats: > + Hoarding attack. A host MUST be able to determine whether a > multicast address allocation claim (used in a claim and defend > protocol) is legitimate or not. > Protecting against IP address hoarding is NOT a requirement > for IPv4, since it would mean securing ARP. That is the > concensus of the DHC WG. One thing I don't follow here. Why is securing ARP a requirement to protect against address hoarding? Protecting against address hoarding would seem to require that the DHCP server have a way to distinguish bogus from legitimate requests for addresses. I'm not sure how to do that absent realy crypto authentication whereby legitimate clients authenticate themselves when requesting addresses. Having said that, I'm not disagreeing with the basic point that protecting against address hoarding need not be a requirement. > 2.3) It is not specified in the requirements whether security is > on by default or not. Note that if security is on by default > and the host is unconfigured that implies that the host is not > usable *until it has been configured.* Some devices (such > as those which are dangerous) should require a priori > configuration. It is out of the scope of the WG to do more > than point this out. I'm not sure it makes complete sense to talk about security being on or off by default. If a home user decides he wants his network to be secure, new devices shouldn't just work when plugged in until they have been properly secured. This is regardless of whether the new device is configured to be secure or not out of the box. An alternate way of looking at this is that by defualt all new devices MUST be able to determine whether security is enabled or not (on the network to which it is connected) and if so, do the necessary things to configure itself to operate in a secure environment. I.e., the device doesn't get to decide, the network to which it attaches has presumably already decided. Thomas From owner-zeroconf@merit.edu Fri May 12 10:59:30 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA03406 for ; Fri, 12 May 2000 10:59:30 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 99B6A5DDCC; Fri, 12 May 2000 10:58:54 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 81C955DDF8; Fri, 12 May 2000 10:58:43 -0400 (EDT) Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235]) by segue.merit.edu (Postfix) with ESMTP id 3E76F5DDEF for ; Fri, 12 May 2000 10:58:41 -0400 (EDT) Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48]) by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id KAA14968; Fri, 12 May 2000 10:58:39 -0400 Received: from ludwigia.raleigh.ibm.com (ludwigia.raleigh.ibm.com [9.37.60.3]) by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id KAA35714; Fri, 12 May 2000 10:58:38 -0400 Received: from localhost.localdomain (IDENT:root@hygro.raleigh.ibm.com [9.37.60.90]) by ludwigia.raleigh.ibm.com (8.9.3/8.7/RTP-ral-1.0) with ESMTP id KAA00488; Fri, 12 May 2000 10:56:36 -0400 Received: from localhost.localdomain (IDENT:narten@localhost.localdomain [127.0.0.1]) by localhost.localdomain (8.9.3/8.9.3) with ESMTP id NAA00741; Thu, 11 May 2000 13:48:07 -0400 Message-Id: <200005111748.NAA00741@localhost.localdomain> To: Aidan Williams Cc: Peter Johansson , Zero Configuration Subject: Re: zeroconf security - conclusions In-Reply-To: Message from Aidan Williams of "Wed, 10 May 2000 16:37:09 +1000." <39190395.33882114@motorola.com> Date: Thu, 11 May 2000 13:48:07 -0400 From: Thomas Narten Sender: owner-zeroconf@merit.edu Precedence: bulk > If you have lots of devices on a network sharing the same > symmetric key, and you transfer the key over the network > each time you configure a new device, the risk of someone > grabbing a copy of the key goes up. It becomes a waiting > game, and someone will write the equivalent of a password > sniffer which will do the waiting for you. The key doesn't get transferred in the clear. Ever. There are standard ways of generating session keys (e.g., diffie-hellman) that allow two unknowns to create a private channel over which they can communicate secretly. So this should be a non-problem in practice. Thomas From owner-zeroconf@merit.edu Fri May 12 10:59:38 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA03417 for ; Fri, 12 May 2000 10:59:37 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 8BF2F5DDF3; Fri, 12 May 2000 10:58:59 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id AD3395DDFB; Fri, 12 May 2000 10:58:50 -0400 (EDT) Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235]) by segue.merit.edu (Postfix) with ESMTP id 1C7225DDEF for ; Fri, 12 May 2000 10:58:44 -0400 (EDT) Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48]) by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id KAA23180; Fri, 12 May 2000 10:58:43 -0400 Received: from ludwigia.raleigh.ibm.com (ludwigia.raleigh.ibm.com [9.37.60.3]) by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id KAA29852; Fri, 12 May 2000 10:58:43 -0400 Received: from localhost.localdomain (IDENT:root@hygro.raleigh.ibm.com [9.37.60.90]) by ludwigia.raleigh.ibm.com (8.9.3/8.7/RTP-ral-1.0) with ESMTP id KAA00505; Fri, 12 May 2000 10:56:40 -0400 Received: from localhost.localdomain (IDENT:narten@localhost.localdomain [127.0.0.1]) by localhost.localdomain (8.9.3/8.9.3) with ESMTP id NAA00766; Thu, 11 May 2000 13:53:16 -0400 Message-Id: <200005111753.NAA00766@localhost.localdomain> To: "Walker, Jesse" Cc: "'Erik Guttman'" , zeroconf@merit.edu Subject: Re: zeroconf security - conclusions In-Reply-To: Message from "Walker, Jesse" of "Wed, 03 May 2000 11:43:52 PDT." <392A357CE6FFD111AC3E00A0C99848B002FE962D@hdsmsx31.hd.intel.com> Date: Thu, 11 May 2000 13:53:16 -0400 From: Thomas Narten Sender: owner-zeroconf@merit.edu Precedence: bulk > 0.3) The scenario in which these threats occur is 'remote access.' > As Jeff Schiller pointed out in Adelaide, there are social > mechanisms for security at home and between neighbors. The > real threat is the anonymous stranger attacking from afar. I think the point Jeff is making is that the real threats people are dealing with today are not folks *physically* close by, but random hackers at random places in the network that target addresses at random (i.e., probing) looking for vulnerabilities. zeroconf absolutely can't be vulnerable to random attacks from outside. Note that in these scenarios, remote hackers don't see the packets going back and forth on the wire. > Wireless is changing this, unless people install their wireless LANs > outside their home firewalls. It is a very large leap of faith to > assume people will do this. I agree that wireless will change the rules. But I believe the two cases are still somewhat different. With wireless LANs, targetted attacks from folks physically nearby become feasible. But this is a different kind of threat and in many (most?) cases won't be a problem. But it likely will be enough of a problem in specific cases that just ignoring it isn't acceptable. I'm thinking that one of the potential big unacceptables will be having arbitratry traffic be sent in the clear on the wire. Do you trust your software and protocols to not accidentally make it possible for neighbors with sniffers to read your credit card reports, tax returns, bank statements, everything sent to your printer, etc.? Protecting against this kind of threat I think needs some thinking. Perhaps this is a new type of threat that zeroconf will need to deal with *not* because it is *caused* by zeroconf, but because wireless is assumed to be a big part of zeroconf deployment, so it becomes a concern in the zeroconf environment. I wonder if zeroconf (or another WG) should look specifically at the problem of securing a "LAN" (where I mean "LAN" in the sense of a set of nodes, maybe even involving a few LANs segments). That is, developing the protocols necessary to make it straightforward to build a network in which everyone *inside* the network trusts each other (i.e., they aren't attacking each other), but trusts no one outside of the "trusted" network. All intra-LAN traffic could be encrypted/authenticated. This is probably doable with IPsec and symetric keys (multicasting will be a bit tricky). Key distribution would also be interesting, since this needs to be as close to zeroconf as possible. But it seems like we have a problem here that just can't responsibly be ignored. Thomas From owner-zeroconf@merit.edu Fri May 12 10:59:48 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA03431 for ; Fri, 12 May 2000 10:59:48 -0400 (EDT) Received: by segue.merit.edu (Postfix) id BFF905DDF8; Fri, 12 May 2000 10:59:06 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 05B0F5DDEF; Fri, 12 May 2000 10:58:53 -0400 (EDT) Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235]) by segue.merit.edu (Postfix) with ESMTP id 2BD215DDF3 for ; Fri, 12 May 2000 10:58:47 -0400 (EDT) Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48]) by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id KAA14984; Fri, 12 May 2000 10:58:42 -0400 Received: from ludwigia.raleigh.ibm.com (ludwigia.raleigh.ibm.com [9.37.60.3]) by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id KAA04244; Fri, 12 May 2000 10:58:42 -0400 Received: from localhost.localdomain (IDENT:root@hygro.raleigh.ibm.com [9.37.60.90]) by ludwigia.raleigh.ibm.com (8.9.3/8.7/RTP-ral-1.0) with ESMTP id KAA00499; Fri, 12 May 2000 10:56:36 -0400 Received: from localhost.localdomain (IDENT:narten@localhost.localdomain [127.0.0.1]) by localhost.localdomain (8.9.3/8.9.3) with ESMTP id NAA00776; Thu, 11 May 2000 13:54:16 -0400 Message-Id: <200005111754.NAA00776@localhost.localdomain> To: aboba@internaut.com Cc: "'Erik Guttman'" , zeroconf@merit.edu Subject: Re: zeroconf security - conclusions In-Reply-To: Message from "Bernard Aboba" of "Wed, 03 May 2000 09:56:24 PDT." <000c01bfb520$85093fa0$428939cc@ntdev.microsoft.com> Date: Thu, 11 May 2000 13:54:16 -0400 From: Thomas Narten Sender: owner-zeroconf@merit.edu Precedence: bulk "Bernard Aboba" writes: > >Antagonistic server attack. The host MUST be able to determine > >whether a discovered DHCP server, DNS server, SLP DA (or > >whatever) or MADCAP server is to be used or not. Well, nobody has implemented secure dhcp as there is no RFC for it. Hopefully that will change soon (there is an almost-finished WG draft). Secure (resolver) DNS implementations are also in short supply at this point. > >NOTE: This requirement *looks good,* but how many systems in > > practice are enabled to use DHCP authentication, DNSSec, SLP > > authentication and MADCAP security? > If one assumes that all of these services reside on a home > gateway, it may be quite reasonable to come up with a > relatively simple way of securing all of them. However, > saying that the host MUST be able to use it seems like > raising the bar too high, given that very few hosts can > do this today. The general bar the IESG has is that an end user MUST be able to turn on security and have it work. That means it MUST be implemented, but the end user has the choice of whether to enable it or not. Anything lower than MUST implies that products don't have to implement the security part in order to be compliant with a spec. This leads to the all-too-common problem whereby a customer may want to enable security (i.e., after being targetted), but find their house (i.e, product) has no locks on its doors as the vendor took a shortcut to save costs. Thomas From owner-zeroconf@merit.edu Fri May 12 12:48:39 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA06992 for ; Fri, 12 May 2000 12:48:39 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 2051F5DDCD; Fri, 12 May 2000 12:47:15 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 0CAC85DE1F; Fri, 12 May 2000 12:47:15 -0400 (EDT) Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by segue.merit.edu (Postfix) with ESMTP id DFA0D5DDCD for ; Fri, 12 May 2000 12:47:13 -0400 (EDT) Received: from SERVER ([63.199.7.253]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with SMTP id <0FUG00AMPH7N85@mta6.snfc21.pbi.net> for ZeroConf@Merit.edu; Fri, 12 May 2000 09:45:23 -0700 (PDT) Date: Fri, 12 May 2000 09:42:20 -0700 From: Peter Johansson Subject: Re: zeroconf security - conclusions In-reply-to: <200005111755.NAA00786@localhost.localdomain> X-Sender: Celeborn@PacBell.net To: Zero Configuration Message-id: <3.0.5.32.20000512094220.0097ad60@PacBell.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Content-type: text/plain; charset="us-ascii" References: <"Message from Erik Guttman Sender: owner-zeroconf@merit.edu Precedence: bulk At 01:55 PM 5/11/00 -0400, Thomas Narten wrote: <> A very useful observation, Thomas. I agree wholeheartedly. What's left is a discussion about the guidance provided the user when the network is first established and a policy decision must be taken. Does the knowledge as to whether or not a particular is in "secure mode" reside in a central entity? Or is it distributed throughout the network? Regards, Peter Johansson Congruent Software, Inc. 98 Colorado Avenue Berkeley, CA 94707 (510) 527-3926 (510) 527-3856 FAX PJohansson@ACM.org From owner-zeroconf@merit.edu Wed May 17 04:01:00 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA01005 for ; Wed, 17 May 2000 04:00:59 -0400 (EDT) Received: by segue.merit.edu (Postfix) id BFE715DDB5; Wed, 17 May 2000 04:00:22 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id E7B9D5DDDC; Wed, 17 May 2000 04:00:21 -0400 (EDT) Received: from kitab.cisco.com (kitab.cisco.com [171.69.187.233]) by segue.merit.edu (Postfix) with ESMTP id 5813E5DDB5 for ; Wed, 17 May 2000 04:00:13 -0400 (EDT) Received: (from raj@localhost) by kitab.cisco.com (8.9.2/8.9.2) id SAA02291; Tue, 16 May 2000 18:29:58 -0700 (PDT) (envelope-from raj) From: Richard Johnson MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14625.62997.221755.178854@kitab.cisco.com> Date: Tue, 16 May 2000 18:29:57 -0700 (PDT) To: Thomas Narten Cc: Erik Guttman , zeroconf@merit.edu Subject: Re: zeroconf security - conclusions In-Reply-To: <200005111755.NAA00786@localhost.localdomain> References: <200005111755.NAA00786@localhost.localdomain> X-Mailer: VM 6.74 under 20.4 "Emerald" XEmacs Lucid Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Thomas Narten writes: > An alternate way of looking at this is that by defualt all new devices > MUST be able to determine whether security is enabled or not (on the > network to which it is connected) and if so, do the necessary things > to configure itself to operate in a secure environment. I.e., the > device doesn't get to decide, the network to which it attaches has > presumably already decided. > > Thomas This idea of securing the network instead of the device could really help zeroconf. I could easily see one or more programs which could be installed on your Windows and Mac systems as a Control Panel, and on Unix as a daemon, which would implement a "secure network" protocol. When a new device is attached, it would see this protocol was installed on the net and would request "joining the network". When you buy a device, it could be advertised as "secure net enabled", meaning that understands the "secure net" protocol. If you want a secure net, you would be willing to even pay a little extra to get the device with this capability as opposed to the cheaper one which didn't have it. In short, all zeroconf needs to really say is the text above; that a device will be able to detect when running a secure version of the protocol is needed, and will be able to do so if it's capable of it. /raj From owner-zeroconf@merit.edu Wed May 17 04:03:01 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA01076 for ; Wed, 17 May 2000 04:03:00 -0400 (EDT) Received: by segue.merit.edu (Postfix) id D775C5DDE5; Wed, 17 May 2000 04:00:59 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id C5B3A5DDDC; Wed, 17 May 2000 04:00:59 -0400 (EDT) Received: from kitab.cisco.com (kitab.cisco.com [171.69.187.233]) by segue.merit.edu (Postfix) with ESMTP id 9B2625DDD3 for ; Wed, 17 May 2000 04:00:55 -0400 (EDT) Received: (from raj@localhost) by kitab.cisco.com (8.9.2/8.9.2) id RAA02238; Tue, 16 May 2000 17:59:52 -0700 (PDT) (envelope-from raj) From: Richard Johnson MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14625.61186.995657.279666@kitab.cisco.com> Date: Tue, 16 May 2000 17:59:46 -0700 (PDT) To: Thomas Narten Cc: "Walker, Jesse" , "'Erik Guttman'" , zeroconf@merit.edu Subject: Re: zeroconf security - conclusions In-Reply-To: <200005111753.NAA00766@localhost.localdomain> References: <392A357CE6FFD111AC3E00A0C99848B002FE962D@hdsmsx31.hd.intel.com> <200005111753.NAA00766@localhost.localdomain> X-Mailer: VM 6.74 under 20.4 "Emerald" XEmacs Lucid Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Thomas Narten writes: > I agree that wireless will change the rules. But I believe the two > cases are still somewhat different. With wireless LANs, targetted > attacks from folks physically nearby become feasible. But this is a > different kind of threat and in many (most?) cases won't be a > problem. But it likely will be enough of a problem in specific cases > that just ignoring it isn't acceptable. I'm beginning to think that wireless networks shouldn't really change things wrt. zeroconf. I understand this is a radical change from the prevailing opinion here, so let me explain. Sniffing packets as well as injecting packets by simply being "close by", simply because you're using a wireless LAN, is very similar to plugging a computer directly into the physical LAN. This means that for all practical purposes having a wireless LAN card allows you all of the same privileges as being inside the building! This is exactly why wireless companies have already come up with WEP (Wired Equivalent Privacy) and other types of encryption. By addressing the wireless need for encryption at the lowest layer, it means that all layers above that are automatically taken care of. That is, assuming you believe that the low layer encryption on the wireless LAN is "good enough". If you don't, then you have an argument for a better encryption method on wireless LANs (and thus a market). This statement in no way should be taken as meaning that I believe security is not needed. Just that wireless LANs don't, by themselves, necessitate security in the protocols involved. /raj From owner-zeroconf@merit.edu Wed May 17 11:03:32 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA05785 for ; Wed, 17 May 2000 11:03:32 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 8B8E75DDE0; Wed, 17 May 2000 11:02:42 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 77DE85DDC6; Wed, 17 May 2000 11:02:42 -0400 (EDT) Received: from apollo.leviton.com (apollo.leviton.com [209.177.59.130]) by segue.merit.edu (Postfix) with ESMTP id 4E6A35DD95 for ; Wed, 17 May 2000 11:02:41 -0400 (EDT) Received: by APOLLO with Internet Mail Service (5.5.2650.21) id ; Wed, 17 May 2000 11:02:26 -0400 Message-ID: From: "Rose, William" To: "'Richard Johnson'" Cc: zeroconf@merit.edu Subject: RE: zeroconf security - conclusions Date: Wed, 17 May 2000 11:02:24 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFC010.E8DAC788" Sender: owner-zeroconf@merit.edu Precedence: bulk This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFC010.E8DAC788 Content-Type: text/plain; charset="iso-8859-1" I agree that all of the protocols I am aware of that use RF or powerline (excluding X10) include encryption and at least the controls also include authentication but I believe there were other issues of security listed as well such as traffic analysis, etc. Also, assuming the "perpetrator" uses a device with the same chipset as the in-home devices, then the device would know the encryption method being used. How then does the network 'know' that this device should not be a member of the home network unless some sort of configuration step is taken by the homeowner? With the control protocols such as LonWorks and CEBus, a configuration step is required to 'bind' a device to the network. At a minimum, a button is pressed on both devices to make the logical connection. WRT requiring configuration, it seems the real requirement is zeroconfig (minimum config?) for the customer. Certainly if there is a outside connection to the network, a simple phone call to a service provider (the manufacturer, ISP, etc.) with configuration over the connection could pass the "mom" test. The call could even be handled by voice recognition or through the phone keypad to avoid the cost of a human on the other end. (Just an idea). Bill Rose Leviton Mfg. Chair, CEA Home Networking Committee > -----Original Message----- > From: Richard Johnson [mailto:raj@cisco.com] > Sent: Tuesday, May 16, 2000 9:00 PM > To: Thomas Narten > Cc: Walker, Jesse; 'Erik Guttman'; zeroconf@merit.edu > Subject: Re: zeroconf security - conclusions > > > Thomas Narten writes: > > I agree that wireless will change the rules. But I believe the two > > cases are still somewhat different. With wireless LANs, targetted > > attacks from folks physically nearby become feasible. But this is a > > different kind of threat and in many (most?) cases won't be a > > problem. But it likely will be enough of a problem in > specific cases > > that just ignoring it isn't acceptable. > > I'm beginning to think that wireless networks shouldn't really change > things wrt. zeroconf. I understand this is a radical change from the > prevailing opinion here, so let me explain. > > Sniffing packets as well as injecting packets by simply being "close > by", simply because you're using a wireless LAN, is very similar > to plugging a computer directly into the physical LAN. This means > that for all practical purposes having a wireless LAN card allows > you all of the same privileges as being inside the building! This > is exactly why wireless companies have already come up with WEP > (Wired Equivalent Privacy) and other types of encryption. By > addressing the wireless need for encryption at the lowest layer, > it means that all layers above that are automatically taken care > of. > > That is, assuming you believe that the low layer encryption on the > wireless LAN is "good enough". If you don't, then you have an > argument for a better encryption method on wireless LANs (and thus a > market). > > This statement in no way should be taken as meaning that I believe > security is not needed. Just that wireless LANs don't, by themselves, > necessitate security in the protocols involved. > > /raj > ------_=_NextPart_001_01BFC010.E8DAC788 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable RE: zeroconf security - conclusions
I agree that all of the protocols I am aware of that = use RF or powerline (excluding X10) include encryption and at least the = controls also include authentication but I believe there were other = issues of security listed as well such as traffic analysis, etc. Also, = assuming the "perpetrator" uses a device with the same = chipset as the in-home devices, then the device would know the = encryption method being used. How then does the network 'know' that = this device should not be a member of the home network unless some sort = of configuration step is taken by the homeowner? With the control = protocols such as LonWorks and CEBus, a configuration step is required = to 'bind' a device to the network. At a minimum, a button is pressed on = both devices to make the logical connection.

WRT requiring configuration, it seems the real = requirement is zeroconfig (minimum config?) for the customer. Certainly = if there is a outside connection to the network, a simple phone call to = a service provider (the manufacturer, ISP, etc.) with configuration = over the connection could pass the "mom" test. The call could = even be handled by voice recognition or through the phone keypad to = avoid the cost of a human on the other end. (Just an idea).

Bill Rose
Leviton Mfg.
Chair, CEA Home Networking Committee

> -----Original Message-----
> From: Richard Johnson [mailto:raj@cisco.com]
> Sent: Tuesday, May 16, 2000 9:00 PM
> To: Thomas Narten
> Cc: Walker, Jesse; 'Erik Guttman'; = zeroconf@merit.edu
> Subject: Re: zeroconf security - conclusions =
>
>
> Thomas Narten writes:
> > I agree that wireless will change = the rules. But I believe the two
> > cases are still somewhat different. = With wireless LANs, targetted
> > attacks from folks physically nearby = become feasible. But this is a
> > different kind of threat and in many = (most?) cases won't be a
> > problem. But it likely will be = enough of a problem in
> specific cases
> > that just ignoring it isn't = acceptable.
>
> I'm beginning to think that wireless networks = shouldn't really change
> things wrt. zeroconf. I understand this = is a radical change from the
> prevailing opinion here, so let me = explain.
>
> Sniffing packets as well as injecting packets = by simply being "close
> by", simply because you're using a = wireless LAN, is very similar
> to plugging a computer directly into the = physical LAN. This means
> that for all practical purposes having a = wireless LAN card allows
> you all of the same privileges as being inside = the building! This
> is exactly why wireless companies have already = come up with WEP
> (Wired Equivalent Privacy) and other types of = encryption. By
> addressing the wireless need for encryption at = the lowest layer,
> it means that all layers above that are = automatically taken care
> of.
>
> That is, assuming you believe that the low = layer encryption on the
> wireless LAN is "good enough". = If you don't, then you have an
> argument for a better encryption method on = wireless LANs (and thus a
> market).
>
> This statement in no way should be taken as = meaning that I believe
> security is not needed. Just that = wireless LANs don't, by themselves,
> necessitate security in the protocols = involved.
>
> /raj
>
------_=_NextPart_001_01BFC010.E8DAC788-- From owner-zeroconf@merit.edu Thu May 18 19:20:42 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA14321 for ; Thu, 18 May 2000 19:20:41 -0400 (EDT) Received: by segue.merit.edu (Postfix) id BF9295DED4; Thu, 18 May 2000 19:20:14 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id A9AD05DE67; Thu, 18 May 2000 19:20:14 -0400 (EDT) Received: from motgate2.mot.com (motgate2.mot.com [136.182.1.10]) by segue.merit.edu (Postfix) with ESMTP id 8D85F5DED2 for ; Thu, 18 May 2000 19:20:12 -0400 (EDT) Received: [from pobox2.mot.com (pobox2.mot.com [136.182.15.8]) by motgate2.mot.com (motgate2 2.1) with ESMTP id QAA26955; Thu, 18 May 2000 16:20:10 -0700 (MST)] Received: [from homer.arc.corp.mot.com (homer.arc.corp.mot.com [217.1.10.38]) by pobox2.mot.com (MOT-pobox2 2.0) with ESMTP id QAA09458; Thu, 18 May 2000 16:20:07 -0700 (MST)] Received: from motorola.com (swerve.arc.corp.mot.com [217.1.10.63]) by homer.arc.corp.mot.com (8.9.3/8.9.3) with ESMTP id JAA08317; Fri, 19 May 2000 09:20:03 +1000 (EST) Message-ID: <39247AA3.A97F23D@motorola.com> Date: Fri, 19 May 2000 09:20:03 +1000 From: Aidan Williams X-Mailer: Mozilla 4.7 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Thomas Narten Cc: Aidan Williams , Peter Johansson , Zero Configuration Subject: Re: zeroconf security - conclusions References: <200005111748.NAA00741@localhost.localdomain> Content-Type: multipart/mixed; boundary="------------294FA7EB680A4CC3D3CB9D31" Sender: owner-zeroconf@merit.edu Precedence: bulk This is a multi-part message in MIME format. --------------294FA7EB680A4CC3D3CB9D31 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Thomas Narten wrote: > > > If you have lots of devices on a network sharing the same > > symmetric key, and you transfer the key over the network > > each time you configure a new device, the risk of someone > > grabbing a copy of the key goes up. It becomes a waiting > > game, and someone will write the equivalent of a password > > sniffer which will do the waiting for you. > > The key doesn't get transferred in the clear. Ever. There are standard > ways of generating session keys (e.g., diffie-hellman) that allow two > unknowns to create a private channel over which they can communicate > secretly. So this should be a non-problem in practice. > I don't think anyone is suggesting that keys be transferred in the clear. The issue arose in the context of devices which might not have enough grunt to do public key crypto. In that context various suggestions were made which created an out of band channel over which the key could be transferred: a power socket in the home controller into which you plug your new device, a network formed by touching devices together, and the idea of a device key on a barcode which could be read by the "control device" and used to protect the key transfer. No doubt these kinds of schemes may not make sense to standardise in the IETF. Although I am entirely in favour of using Diffie-Hellman for key exchange, I would not want to mandate a key exchange scheme which would be impractical for low powered embedded devices. regards aidan ____ :wq! --------------294FA7EB680A4CC3D3CB9D31 Content-Type: text/x-vcard; charset=us-ascii; name="Aidan.Williams.vcf" Content-Description: Card for Aidan Williams Content-Disposition: attachment; filename="Aidan.Williams.vcf" Content-Transfer-Encoding: 7bit begin:vcard n:Williams;Aidan tel;fax:+61 2 9666 0501 tel;work:+61 2 9666 0649 x-mozilla-html:FALSE url:http://www.arc.corp.mot.com/ org:Motorola Australian Research Centre;Scalable Commodity Internet Laboratory version:2.1 email;internet:Aidan.Williams@motorola.com title:Senior Research Engineer adr;quoted-printable:;;(Not mailing address)=0D=0ALevel 3, 12 Lord Street;Botany;NSW;2019;Australia note;quoted-printable:Mailing address is:=0D=0A=0D=0AAidan Williams=0D=0ALocked Bag 5028=0D=0ABotany NSW 1455=0D=0A fn:Aidan Williams end:vcard --------------294FA7EB680A4CC3D3CB9D31-- From owner-zeroconf@merit.edu Tue May 23 10:36:17 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA04217 for ; Tue, 23 May 2000 10:36:17 -0400 (EDT) Received: by segue.merit.edu (Postfix) id AD4A45DDCA; Tue, 23 May 2000 10:35:57 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 9B5465DDB4; Tue, 23 May 2000 10:35:57 -0400 (EDT) Received: from monitor.internaut.com (mg136-128.ricochet.net [204.179.136.128]) by segue.merit.edu (Postfix) with ESMTP id 88CBB5DD9D for ; Tue, 23 May 2000 10:35:52 -0400 (EDT) Received: from vaiobean (vaiobean.ntdev.microsoft.com [204.57.137.66] (may be forged)) by monitor.internaut.com (8.9.2/8.8.8) with SMTP id HAA29874; Tue, 23 May 2000 07:18:18 -0700 (PDT) Reply-To: From: "Bernard Aboba" To: , "'DHCPv4 discussion list'" Cc: Subject: RE: Fwd: linklocal + DHCP servers Date: Tue, 23 May 2000 07:40:40 -0700 Message-ID: <002e01bfc4c4$dedf3f30$428939cc@ntdev.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <200005221406.HAA05290@zephyr.isi.edu> X-Mimeole: Produced By Microsoft MimeOLE V5.50.4131.1600 Importance: Normal Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit >Given the derth of publication on the IPv4 link-local address, >I'd be surprised if -any- code base treats the 169.254.0.0/16 >prefix as unique. And given its recent vintage and a lack of >understanding of the longer term impact, I'd be shocked if >this had even made it to SOP status. It will be a -very- long >time before this has the same status as the loopback space. So are you saying that we should just treat 169.254/16 as another private prefix and forget about it being linklocal? Or that additional precautions need to be taken, like sourcing packets from TTL=1? From owner-zeroconf@merit.edu Tue May 23 10:42:16 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA04310 for ; Tue, 23 May 2000 10:42:16 -0400 (EDT) Received: by segue.merit.edu (Postfix) id A40A05DD9D; Tue, 23 May 2000 10:42:07 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 903325DDAE; Tue, 23 May 2000 10:42:07 -0400 (EDT) Received: from garlic.amaranth.net (garlic.amaranth.net [216.235.243.195]) by segue.merit.edu (Postfix) with ESMTP id 521E15DD9D for ; Tue, 23 May 2000 10:42:06 -0400 (EDT) Received: from senie.com (garlic.amaranth.net [216.235.243.195]) (authenticated) by garlic.amaranth.net (8.10.1/8.10.1) with ESMTP id e4NEfxI08547; Tue, 23 May 2000 10:41:59 -0400 Message-ID: <392A98B7.506C4F22@senie.com> Date: Tue, 23 May 2000 10:41:59 -0400 From: Daniel Senie Organization: Amaranth Networks Inc. X-Mailer: Mozilla 4.72 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: aboba@internaut.com Cc: bmanning@ISI.EDU, "'DHCPv4 discussion list'" , zeroconf@merit.edu Subject: Re: Fwd: linklocal + DHCP servers References: <002e01bfc4c4$dedf3f30$428939cc@ntdev.microsoft.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Bernard Aboba wrote: > > >Given the derth of publication on the IPv4 link-local address, > >I'd be surprised if -any- code base treats the 169.254.0.0/16 > >prefix as unique. And given its recent vintage and a lack of > >understanding of the longer term impact, I'd be shocked if > >this had even made it to SOP status. It will be a -very- long > >time before this has the same status as the loopback space. > > So are you saying that we should just treat 169.254/16 as > another private prefix and forget about it being linklocal? > Or that additional precautions need to be taken, like > sourcing packets from TTL=1? It's worse than that... you'd also have to reject any DHCP relay packets. The TTL on DHCP relay packets is not necessarily predictable. All relay packets would be an indicator that the DHCP server has no direct attachment to the LAN segment in question. There's also the issue of the DHCP server having to use the link info along with the IP address for keeping its records. After all, the same DHCP server might be serving multiple directly-attached LANs. So for example, 169.254.45.109 might exist on three different LANs, but refer to three different stations. If those were self-assigned, not assigned by the DHCP server, the server must nonetheless track them. This whole area quickly becomes a significant can of worms, adding complexity to an existing, deployed protocol, with questionable and limited advantages. -- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com From owner-zeroconf@merit.edu Tue May 23 12:52:55 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA06427 for ; Tue, 23 May 2000 12:52:55 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 7E85F5DDD8; Tue, 23 May 2000 12:52:45 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 6CDD95DDD6; Tue, 23 May 2000 12:52:45 -0400 (EDT) Received: from garlic.amaranth.net (garlic.amaranth.net [216.235.243.195]) by segue.merit.edu (Postfix) with ESMTP id 05A875DDCA for ; Tue, 23 May 2000 12:52:44 -0400 (EDT) Received: from senie.com (garlic.amaranth.net [216.235.243.195]) (authenticated) by garlic.amaranth.net (8.10.1/8.10.1) with ESMTP id e4NGqgI10382; Tue, 23 May 2000 12:52:42 -0400 Message-ID: <392AB759.3F75D611@senie.com> Date: Tue, 23 May 2000 12:52:41 -0400 From: Daniel Senie Organization: Amaranth Networks Inc. X-Mailer: Mozilla 4.72 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Bill Manning Cc: zeroconf@merit.edu Subject: Re: Fwd: linklocal + DHCP servers References: <200005231628.JAA06133@zephyr.isi.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Bill Manning wrote: > > % > So are you saying that we should just treat 169.254/16 as > % > another private prefix and forget about it being linklocal? > % > Or that additional precautions need to be taken, like > % > sourcing packets from TTL=1? > % > % It's worse than that... you'd also have to reject any DHCP relay > % packets. The TTL on DHCP relay packets is not necessarily predictable. > % All relay packets would be an indicator that the DHCP server has no > % direct attachment to the LAN segment in question. > % > % There's also the issue of the DHCP server having to use the link info > % along with the IP address for keeping its records. After all, the same > % DHCP server might be serving multiple directly-attached LANs. So for > % example, 169.254.45.109 might exist on three different LANs, but refer > % to three different stations. If those were self-assigned, not assigned > % by the DHCP server, the server must nonetheless track them. > % > % This whole area quickly becomes a significant can of worms, adding > % complexity to an existing, deployed protocol, with questionable and > % limited advantages. > % > % -- > % ----------------------------------------------------------------- > % Daniel Senie dts@senie.com > % Amaranth Networks Inc. http://www.amaranth.com > > Well, if the TTL>1 then there is a breakdown in operations. > 169.254.0.0 is -link-local- i.e. should -NEVER- be forwarded off > the local wire. Not Routed. Not bridged. I guess a repeater might be ok, > but I'd be looking closely. :) NO RELAY. Bill, I think Bernard was talking about the DHCP packets, and I know I was. They won't have 169.254/16 addresses at least during the intial exchanges (will instead be 0.0.0.0). DHCP packets can certainly be relayed. -- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com From owner-zeroconf@merit.edu Wed May 24 14:43:13 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA10893 for ; Wed, 24 May 2000 14:43:13 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 933165DDC9; Wed, 24 May 2000 14:43:03 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 8300D5DDB7; Wed, 24 May 2000 14:43:03 -0400 (EDT) Received: from leo.eg.bucknell.edu (leo.eg.bucknell.edu [134.82.56.108]) by segue.merit.edu (Postfix) with ESMTP id 3A8FB5DDB3 for ; Wed, 24 May 2000 14:43:02 -0400 (EDT) Received: from droms-mac (pm3mi1-3.uplink.net [209.173.86.4]) by leo.eg.bucknell.edu (8.8.8+Sun/8.8.8) with ESMTP id OAA13939; Wed, 24 May 2000 14:42:59 -0400 (EDT) Message-Id: <4.2.2.20000524010308.00a47dc0@mail.bucknell.edu> X-Sender: droms@mail.bucknell.edu X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 24 May 2000 01:05:02 -0400 To: Stuart Cheshire , ZeroConf@merit.edu From: Ralph Droms Subject: RE: 169.254/16 IP addresses In-Reply-To: <200005090126.SAA15778@scv3.apple.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-zeroconf@merit.edu Precedence: bulk At 06:26 PM 5/8/00 -0700, you wrote: >I agree that it would be pretty odd to configure a DHCP server to >allocate 169.254 addresses instead of something else, like 192.168, but I >don't see why it wouldn't work. 169.254 and 192.168 addresses have slightly different properties: the former are link-local while the latter are site-local. I can't think of a reason to manage link-local addresses with DHCP but perhaps someone else can... - Ralph From owner-zeroconf@merit.edu Wed May 24 19:43:22 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA14264 for ; Wed, 24 May 2000 19:43:21 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 0D4185DD98; Wed, 24 May 2000 19:43:04 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id EFC5D5DD97; Wed, 24 May 2000 19:43:03 -0400 (EDT) Received: from monitor.internaut.com (mg136-128.ricochet.net [204.179.136.128]) by segue.merit.edu (Postfix) with ESMTP id 9D82D5DD8E for ; Wed, 24 May 2000 19:42:59 -0400 (EDT) Received: from vaiobean (vaiobean.ntdev.microsoft.com [204.57.137.66] (may be forged)) by monitor.internaut.com (8.9.2/8.8.8) with SMTP id QAA31537; Wed, 24 May 2000 16:24:58 -0700 (PDT) Reply-To: From: "Bernard Aboba" To: "'Ralph Droms'" , "'Stuart Cheshire'" , Subject: RE: 169.254/16 IP addresses Date: Wed, 24 May 2000 16:47:42 -0700 Message-ID: <000601bfc5da$74e154d0$428939cc@ntdev.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <4.2.2.20000524010308.00a47dc0@mail.bucknell.edu> Importance: Normal X-Mimeole: Produced By Microsoft MimeOLE V5.50.4131.1600 Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit >I can't think of a reason to manage link-local addresses with DHCP but perhaps >someone else can... The major reason to consider this would be so as to allow hosts that can only handle one IP address per interface to retain that address if and when a DHCP server came up. This is only relevant in the case of small networks, since one would presume that linklocal addressing is not going to be used in enterprise networks. However, if one is willing to allow a host to have more than one address per interface (as Stuart has proposed) then you could get a new address and keep the old linklocal one too. From owner-zeroconf@merit.edu Thu May 25 01:20:30 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA21133 for ; Thu, 25 May 2000 01:20:30 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 7B8E25DDB4; Thu, 25 May 2000 01:20:21 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 5FD625DDB3; Thu, 25 May 2000 01:20:21 -0400 (EDT) Received: from monitor.internaut.com (mg136-128.ricochet.net [204.179.136.128]) by segue.merit.edu (Postfix) with ESMTP id C09655DD8E for ; Thu, 25 May 2000 01:20:13 -0400 (EDT) Received: from vaiobean (vaiobean.ntdev.microsoft.com [204.57.137.66] (may be forged)) by monitor.internaut.com (8.9.2/8.8.8) with SMTP id WAA31835; Wed, 24 May 2000 22:03:05 -0700 (PDT) Reply-To: From: "Bernard Aboba" To: "'Stuart Cheshire'" , Subject: RE: zeroconf security - conclusions Date: Wed, 24 May 2000 22:25:50 -0700 Message-ID: <000301bfc609$b14afc30$428939cc@ntdev.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal In-Reply-To: <200005092128.OAA25739@scv3.apple.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4131.1600 Sender: owner-zeroconf@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit >My AirPort base station at home doesn't have a serial port. It is >configured in the obvious sensible way -- using SNMP packets, over IP >over wired (or wireless) Ethernet. Of course the first thing I did was >configure a password to protect it. How did I communicate with it to set >the password in the first place? Via zeroconf IP. If the thing had not >arrived speaking IP out-of-the-box, then I would have needed some other >way to communicate with it to set the password -- like the serial port on >the 3COM router. Had this been a wired link, I'd agree that this would be sensible. But given that the above procedure transfers a key over an unencrypted broadcast media, I'd argue for a more secure key management technique. From owner-zeroconf@merit.edu Wed May 31 14:22:25 2000 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA19226 for ; Wed, 31 May 2000 14:22:24 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 663D25DDE0; Wed, 31 May 2000 14:22:11 -0400 (EDT) Delivered-To: zeroconf-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 51C7C5DDD1; Wed, 31 May 2000 14:22:11 -0400 (EDT) Received: from ftpbox.mot.com (ftpbox.mot.com [129.188.136.101]) by segue.merit.edu (Postfix) with ESMTP id EE56C5DDA3 for ; Wed, 31 May 2000 14:22:09 -0400 (EDT) Received: [from pobox.mot.com (pobox.mot.com [129.188.137.100]) by ftpbox.mot.com (ftpbox 2.1) with ESMTP id LAA28577; Wed, 31 May 2000 11:22:01 -0700 (MST)] Received: [from noah.dma.isg.mot.com (noah.dma.isg.mot.com [150.21.2.29]) by pobox.mot.com (MOT-pobox 2.0) with ESMTP id LAA07430; Wed, 31 May 2000 11:22:01 -0700 (MST)] Received: from dma.isg.mot.com (nrlab-10.dma.isg.mot.com [150.21.50.48]) by noah.dma.isg.mot.com (8.8.8+Sun/8.8.8) with ESMTP id OAA22601; Wed, 31 May 2000 14:22:00 -0400 (EDT) Message-Id: <200005311822.OAA22601@noah.dma.isg.mot.com> To: chesire@apple.com From: Donald Eastlake 3rd Cc: dee3@torque.pothole.com, zeroconf@merit.edu Subject: comments on draft-cheshire-ipv4-linklocal-00.txt Date: Wed, 31 May 2000 14:22:00 -0400 Sender: owner-zeroconf@merit.edu Precedence: bulk This generally looks good but I have the following comments: (1) The draft says that DNS RRs giving a link local address SHOULD NOT be returned in response to requests received fron non local addresses. However, I think this is impractical. DNS knows nothing about different classes or numeric regions of addressing in "A" IPv4 RRs (or in any of the IPv6 RRs either for that matter). Even if it did, to conditionally not return some A RRs while returning others would break the DNS "RRset" concept which treats all RRs with the same name and type as a unit (see RFC 2181, Resource Record Sets). For example, RRset's are the level at which signatures are done for DNS security (see RFC 2535) so a signature can't be verified unless you have the full RRset. (2) I suppose it's too late, but wouldn't using 0xFFFE0000 through 0xFFFEFFFF to get a 2**16 link local address region have be a bit more consistent with the general IPv4 address type scheme? Or possibly just use Class E (0xF0000000 - 0xF7FFFFFF) and define Class F to start with 111110 binary... (3) On random number generation in section 2, I recommend that you simply reference RFC 1750. (4) I believe an IPv6 host is required to be able to support multiple addresses per interface, which you might mention in section 3. Seems like this draft should be listed on the ZEROCONF WG charter page so people interested in that can find it. (The chairs can do that by just sending a message to Steve Coya. It does not require that the draft be renamed.) Thanks, Donald ================================================================== Donald Eastlake 3rd +1 508-261-5434(v) lde008@dma.isg.mot.com Motorola, MS: M4-10 +1 508-261-4447(fx) dee3@torque.pothole.com 20 Cabot Boulevard, Mansfield, MA 02048 USA