On Oct 26, 2020, at 4:14 PM, Toerless Eckert <t...@cs.fau.de> wrote:

> And the question from the AD was what could be done. So, do you have any
> implementation suggestion? Are there any suggestions for mDNS?

There are no simple mitigations. If there were, they would already be in the protocol.

> Btw: I do agree that for most use of mDNS as it is relying on dynamic ports,
> my suggestion would create an undesired trend of allocating static port
> numbers.
> This is also true for GRASP in general, but for the specific use-cases
> in mind in my text, which are really inside-network infra protocols, the
> argument could be made that static port allocation was indeed well feasible
> (as we're talking about a very small number here). But we had not done it
> because we hadn't vetted the benefits of doing such a port allocation.

If it’s a multicast discovery protocol with no authentication, then constraining the set of allowed ports just means that the node that’s attacking you has to be able to listen on that port, which it likely can. So I think this reduces function without increasing hardening.

What actually hardens mDNS is that it’s a link-local protocol. It doesn’t work across links. This limits the attack surface. But there’s no way to eliminate the attack surface.

If I were in Ben’s shoes, I’d be asking you to change the protocol to support authentication and ToFU as a hardening strategy, with some better trust establishment mechanism as future work based on the existing presence of crypto signatures. But the current consensus of the IETF is apparently that ADs aren’t allowed to insist on things like that. :(
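The hardening strategy the reply sketches, signed announcements plus trust-on-first-use, as an added illustration that is not part of the thread and not code from mDNS, GRASP or any IETF draft: a discovery cache that pins the first public key to validly claim a name and rejects later claims under any other key. The `Announcement` layout, the `printer.local` and `nas.local` names, the 192.0.2.0/24 endpoints and the `TOFUStore` API are all constructed for this example; the signature is Ed25519 from the Go standard library, standing in for whatever "existing crypto signatures" a real protocol would carry. The last case in `RunScenario` shows the limit the reply acknowledges: ToFU binds a name to whoever validly speaks first, which is why a better trust establishment mechanism is named as future work.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Announcement is a constructed model of a signed discovery record: the
// name being claimed, the endpoint traffic should go to, the announcer's
// public key and a signature over (name, endpoint) under that key.
// It is not an mDNS or GRASP wire format.
type Announcement struct {
	Name     string
	Endpoint string
	PubKey   ed25519.PublicKey
	Sig      []byte
}

// signedBytes is what the signature covers; the NUL separator keeps
// "a"+"bc" and "ab"+"c" from encoding to the same bytes.
func signedBytes(name, endpoint string) []byte {
	return []byte(name + "\x00" + endpoint)
}

// NewAnnouncement signs a (name, endpoint) claim with priv.
func NewAnnouncement(name, endpoint string, priv ed25519.PrivateKey) Announcement {
	return Announcement{
		Name:     name,
		Endpoint: endpoint,
		PubKey:   priv.Public().(ed25519.PublicKey),
		Sig:      ed25519.Sign(priv, signedBytes(name, endpoint)),
	}
}

var (
	ErrBadSignature = errors.New("signature does not verify under the presented key")
	ErrKeyMismatch  = errors.New("public key differs from the key pinned on first use")
)

// TOFUStore pins the first public key that validly claims each name.
type TOFUStore struct {
	pins map[string]ed25519.PublicKey
}

func NewTOFUStore() *TOFUStore {
	return &TOFUStore{pins: make(map[string]ed25519.PublicKey)}
}

// Accept reports whether this was the first use of the name (the moment
// trust is established) and an error if the announcement is rejected.
// Two independent checks: the signature must verify under the carried
// key, and that key must match the key pinned for the name, if any.
func (s *TOFUStore) Accept(a Announcement) (firstUse bool, err error) {
	if len(a.PubKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(a.PubKey, signedBytes(a.Name, a.Endpoint), a.Sig) {
		return false, ErrBadSignature
	}
	pinned, ok := s.pins[a.Name]
	if !ok {
		s.pins[a.Name] = a.PubKey
		return true, nil
	}
	if !pinned.Equal(a.PubKey) {
		return false, ErrKeyMismatch
	}
	return false, nil
}

// ScenarioResult records the outcomes of RunScenario as values.
type ScenarioResult struct {
	FirstAccepted   bool  // legitimate first announcement pinned
	RenewalAccepted bool  // later announcement under the same key accepted
	ImpostorErr     error // same name, attacker's own key
	TamperedErr     error // legitimate key, endpoint rewritten, old signature
	BeforePinErr    error // real node arrives after an attacker already pinned the name
}

// RunScenario plays out the cases that matter for a ToFU discovery cache
// on constructed data (keys are generated fresh on every run).
func RunScenario() ScenarioResult {
	var r ScenarioResult
	_, printerKey, _ := ed25519.GenerateKey(rand.Reader)
	_, nasKey, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)

	store := NewTOFUStore()
	r.FirstAccepted, _ = store.Accept(NewAnnouncement("printer.local", "192.0.2.10:631", printerKey))
	_, r.ImpostorErr = store.Accept(NewAnnouncement("printer.local", "192.0.2.66:631", attackerKey))
	tampered := NewAnnouncement("printer.local", "192.0.2.10:631", printerKey)
	tampered.Endpoint = "192.0.2.66:631" // on-path rewrite without the private key
	_, r.TamperedErr = store.Accept(tampered)
	first, err := store.Accept(NewAnnouncement("printer.local", "192.0.2.10:9100", printerKey))
	r.RenewalAccepted = err == nil && !first

	// The limit of ToFU: whoever validly speaks first for a name owns the pin.
	fresh := NewTOFUStore()
	fresh.Accept(NewAnnouncement("nas.local", "192.0.2.66:445", attackerKey))
	_, r.BeforePinErr = fresh.Accept(NewAnnouncement("nas.local", "192.0.2.20:445", nasKey))
	return r
}

func main() {
	r := RunScenario()
	fmt.Printf("first claim pinned: %v, renewal accepted: %v\n", r.FirstAccepted, r.RenewalAccepted)
	fmt.Printf("impostor: %v\ntampered: %v\nattacker pinned first: %v\n", r.ImpostorErr, r.TamperedErr, r.BeforePinErr)
}
```

Note what the store does not do: it never looks at which port or address the announcement arrived on, because, as the reply says, a port constraint on an unauthenticated multicast protocol only obliges the attacker to bind that port. The key pin is the only thing that distinguishes the impostor from the printer, and only after the printer has been heard once.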