On Mon, Oct 26, 2020 at 04:39:10PM -0400, Ted Lemon wrote:
> What actually hardens mDNS is that it’s a link-local protocol.
> It doesn’t work across links. This limits the attack surface.
Exactly.
> But there’s no way to eliminate the attack surface. If I were in Ben’s
> shoes,
> I’d be aski
On Mon, Oct 26, 2020 at 04:39:10PM -0400, Ted Lemon wrote:
> On Oct 26, 2020, at 4:14 PM, Toerless Eckert wrote:
> > And the question from the AD was what could be done. So, do you have any
> > implementation suggestion? Are there any suggestions for mDNS ?
>
> There are no simple mitigations. If t
On Oct 26, 2020, at 4:14 PM, Toerless Eckert wrote:
> And the question from the AD was what could be done. So, do you have any
> implementation suggestion? Are there any suggestions for mDNS ?
There are no simple mitigations. If there were, they would already be in the
protocol.
> Btw: I do agree
On Mon, Oct 26, 2020 at 04:09:41PM -0400, Ted Lemon wrote:
> On Oct 26, 2020, at 4:05 PM, Jared Mauch wrote:
> >> If the answer of the experts is "do not harden implementations of existing
> >> protocols",
> >> but only improve protocols or eliminate security risks from underlays, I
> >> think
>
On Oct 26, 2020, at 4:05 PM, Jared Mauch wrote:
>> If the answer of the experts is "do not harden implementations of existing
>> protocols",
>> but only improve protocols or eliminate security risks from underlays, I
>> think
>> that is not a good strategy to show to implementors trying to unders
On Mon, Oct 26, 2020 at 06:42:21PM +0100, Toerless Eckert wrote:
> Thanks, Jared
>
> Somehow everybody tries to escape answering the question asked by giving
> their correct but orthogonal pet problem space answer. Ted correctly claims
> the protocols suck security wise, and you correctly claim th
On Oct 26, 2020, at 1:30 PM, Toerless Eckert wrote:
>> If you’re going to do that, you might as well just turn off mDNS entirely.
>
> How is this worse than NOT doing this heuristic?
It’s likely exactly the same. My expectation would be that the port in the SRV
record is literally never the
Thanks, Jared
Somehow everybody tries to escape answering the question asked by giving
their correct but orthogonal pet problem space answer. Ted correctly claims
the protocols suck security wise, and you correctly claim that there are a lot
more
deployment considerations in face of risky underla
On Mon, Oct 26, 2020 at 01:05:42PM -0400, Ted Lemon wrote:
> On Oct 26, 2020, at 12:59 PM, Toerless Eckert wrote:
> > The networks where I am worried are not home networks,
> > but something like an office park network, where supposedly each
> > tenant (company) should have gotten their disjoint L
> On Oct 26, 2020, at 1:05 PM, Ted Lemon wrote:
>
> On Oct 26, 2020, at 12:59 PM, Toerless Eckert wrote:
>> The networks where I am worried are not home networks,
>> but something like an office park network, where supposedly each
>> tenant (company) should have gotten their disjoint L2 domain
On Oct 26, 2020, at 12:59 PM, Toerless Eckert wrote:
> The networks where I am worried are not home networks,
> but something like an office park network, where supposedly each
> tenant (company) should have gotten their disjoint L2 domains, ... and then
> they didn't. And one of the tenants has a
Thanks, Ted.
I agree with your overall assessment, but the question was what
an implementation should do in the face of a particular pre-existing
condition: Aka: With mDNS or GRASP as they both stand today
(me of course right now primarily interested in GRASP, but if
implementation/operational guida
That would be a very bad heuristic. The whole point of SRV records is to
eliminate the dependency on reserved ports.
Really this is a non problem. We are not seeing this on home networks at
present, because it’s just not an interesting attack. But supposing that we
wanted to do something about
Ben Kaduk (SEC AD) was wondering about the appropriateness of a hardening
suggestion
in draft-ietf-anima-autonomic-control-plane-29. Let me translate this into
mDNS, even though it's about GRASP, but IMHO for the purpose of this issue
it's equivalent:
Node wants to discover on a LAN a particular se