mdns/dnssd Threat Model

Similar documents
Secure SDN Authentication (DNS based PKI model)

draft-eckert-anima-grasp-dnssd-00

A Framework for Optimizing IP over Ethernet Naming System

Cisco Wide Area Bonjour Solution Overview

Wireless Network Security

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

Security Baseline Data Model for Network Infrastructure Device draft-xia-sacm-nid-dp-security-baseline-00 draft-dong-sacm-nid-cp-security-baseline-00

Intended status: Informational. October 22, Requirements for Scalable DNS-SD/mDNS Extensions draft-lynn-dnssd-requirements-00

Network Access Control and VoIP. Ben Hostetler Senior Information Security Advisor

Cloud Computing Lectures. Cloud Security

Configuring the Service Discovery Gateway

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

CSE 123b Communications Software

Quick announcements. CSE 123b Communications Software. Today s issues. Last class. The Mobility Problem. Problems. Spring 2004

A Study of Two Different Attacks to IPv6 Network

CSE 123A Computer Netwrking

Virtual Subnet : A L3VPN-based Subnet Extension Solution for Cloud Data Center Interconnect

Insights on IPv6 Security

MANET Architecture and address auto-configuration issue

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

A Reference Model for Autonomic Networking draft-behringer-anima-reference-model-00.txt

Communications Software. CSE 123b. CSE 123b. Spring Lecture 10: Mobile Networking. Stefan Savage

Quick announcement. CSE 123b Communications Software. Last class. Today s issues. The Mobility Problem. Problems. Spring 2003

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

Network Security. Thierry Sans

Internet Engineering Task Force (IETF) M. Blanchet Viagenie D. Migault Ericsson July 2015

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Introduction to IEEE 802.1Qca Path Control and Reservation

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Analysis of OpenFlow Networks.

SECURE HOME GATEWAY PROJECT

NETWORK SECURITY. Ch. 3: Network Attacks

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

SECURE HOME GATEWAY PROJECT

MULTICAST SECURITY. Piotr Wojciechowski (CCIE #25543)

Keying & Authentication for Routing Protocols (KARP) draft-lebovitz-kmart-roadmap-03

BYZANTINE ATTACK ON WIRELESS MESH NETWORKS: A SURVEY

Wireless LAN Security (RM12/2002)

Security Issues In Mobile Ad hoc Network Routing Protocols

Internet Engineering Task Force (IETF) Request for Comments: 8386 University of Applied Sciences Augsburg Category: Informational

Configuring a DHCP Server DHCP Operation

EveryonePrint. Mobile Gateway 4.2. Installation Guide. EveryonePrint Mobile Gateway Installation Guide Page 1 of 30

Mobile Security Fall 2013

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

Advanced iscsi Management April, 2008

Detecting the Auto-configuration Attacks on IPv4 and IPv6 Networks

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

What is Eavedropping?

Switching & ARP Week 3

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Network Encryption 3 4/20/17

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

SECURITY SYSTEM FOR DNS USING CRYPTOGRAPHY. N.DEVI M.Sc., M.Ed., M.Phil., Assistant prof, Mangayarkarasi college of arts and science for women

DNS Security. * pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi

NETLMM Security Threats on the MN-AR Interface draft-kempf-netlmm-threats-00.txt

CSE 565 Computer Security Fall 2018

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies

CIS 5373 Systems Security

Augmented SEND: Aligning Security, Privacy, and Usability. Dr. Ahmad Alsadeh Birzeit University Palestine

Wireless Network Security Spring 2015

Insights on IPv6 Security

Why multicast? The concept of multicast Multicast groups Multicast addressing Multicast routing protocols MBONE Multicast applications Conclusions

IPv6 Security. Pedro Lorga - WALC 2006 (Quito, Ecuador July 06)

An Operational Perspective on BGP Security. Geoff Huston February 2005

Protecting Privacy: The Evolution of DNS Security

ERNW WHITEPAPER 62 RA GUARD EVASION REVISITED

TD#RNG#2# B.Stévant#

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Basic L2 and L3 security in Campus networks. Matěj Grégr CNMS 2016

Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

Benchmarking Drafts Overview for Members of SDNRG (94th IETF, Yokohama)

Printopia Pro Multicast DNS (mdns) Deployment and Troubleshooting Guide

Wireless Network Security Spring 2016

Service Discovery Gateway

Configuring Vulnerability Assessment Devices

When the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft

VLAN Hopping, ARP Poisoning, and Man-In-TheMiddle Attacks in Virtualized Environments

TABLE OF CONTENTS CHAPTER TITLE PAGE

IT114 NETWORK+ Learning Unit 1 Objectives: 1, 2 Time In-Class Time Out-Of-Class Hours 2-3. Lectures: Course Introduction and Overview

2. Firewall Management Tools used to monitor and control the Firewall Environment.

An Example of use the Threat Modeling Tool

vcenter Operations Management Pack for NSX-vSphere

Secure Neighbor Discovery. By- Pradeep Yalamanchili Parag Walimbe

Securing ARP and DHCP for mitigating link layer attacks

Security in Mobile Ad-hoc Networks. Wormhole Attacks

ARP Inspection and the MAC Address Table

INTERNET OF THINGS (IoT) DESIGN CONSIDERATIONS FOR EMBEDDED CONNECTED DEVICES ANDREW CAPLES SENIOR PRODUCT MARKETING MANAGER, NUCLEUS

Mobile Communications. Ad-hoc and Mesh Networks

SECURE ROUTING PROTOCOLS IN AD HOC NETWORKS

Distributed Systems 26. Mobile Ad Hoc Mesh Networks

Connecting to the Network

2016/01/17 04:04 1/9 Basic Routing Lab

Innovative uses as result of DNSSEC

Virtual Subnet : A L3VPN-based Subnet Extension Solution draft-xu-l3vpn-virtual-subnet-01

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

The Study on Security Vulnerabilities in IPv6 Autoconfiguration

Virtual Subnet (VS): A Scalable Data Center Interconnection Solution

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Transcription:

IETF91 13 November 2014 Honolulu DNSSD WG mdns/dnssd Threat Model draft-rafiee-dnssd-mdns-threatmodel-01 Author: Hosnieh Rafiee www.huawei.com HuaweiTechnologies Duesseldorf GmbH, Munich, Germany

Unicast DNS vs. mdns/dnssd - Differences (Scope of Threats) mdns/dnssd submits multicast messages mdns/dnssd is adhoc Only the names are valid inside the local networks therefore, it does not expose names and IP addresses beyond local networks Translates names to IP addresses when there is no DNS infrastructure available (efficient translation) Discover services in the network by service instance enumeration (browsing) mdns/dnssd is a zero configuration protocol mdns/dnssd is efficient to use for constrained devices (WSN) mdns checks uniqueness of names only in limited scope while unicast DNS can check the uniqueness of names globally Threat model Hosnieh Rafiee DNSSD 2

Unicast DNS vs. mdns/dnssd - Similarities DNSSD can also use unicast messages similar to unicast DNS Both translates names to IP addresses and check the uniqueness of names Both caches some data. For example DNSSD caches the service names with their TTL in the client and unicast DNS caches domain names and IP addresses Both do not encrypt the message contents Both are dependent to other mechanisms for security Threat model Hosnieh Rafiee DNSSD 3

Threats: unicast DNS vs. DNS-SD RFC 3833 covers a limited list of threats for unicast DNS. Here is the categorization of all those attacks Similar Threat Groups Specific to DNS-SD Specific to unicast DNS Spoofing (source IP spoofing, identity spoofing, MITM, cache poisoning) DoS attacks Data tampering Similar names with different character sets (internationalized labels) fake domains MAC spoofing Privacy issue (IP address, names leakage) Unauthorized update to DNS zone file Human errors (configuration mistakes, etc.) Threat model Hosnieh Rafiee DNSSD 4

Scalable DNS-SD (SSD) vs. mdns/dnssd -- Differences SSD covers larger scope and not only local link (explained in section 3 requirement document) In SSD, names and IPs are exposed to larger groups and increase the privacy risks SSD might not be zero config Zero configuration only for home and PAN networks Requires configuration on switches and routers to increase the scope of discovery Might require SLA between domain administrators especially in campus networks Threat model Hosnieh Rafiee DNSSD 5

Threats: Scalable DNS-SD (SSD) vs. DNS-SD - I Similar Threat Groups Specific to DNS-SD Specific to SSD Spoofing (source IP spoofing, identity spoofing, MITM, cache poisoning, MAC spoofing) DoS attacks Data tampering Names with different character sets (internationalized labels) Privacy issue (IP address, names leakage) Network topology leakage Unauthorized update to unicast DNS Especial type of DoS attack -- Resource exhaustion (especially applicable to constrained devices) Unauthorized access to service providers (like a printer) Threat model Hosnieh Rafiee DNSSD 6

Threats: Scalable DNS-SD (SSD) vs. DNS-SD - I Similar Threat Groups Specific to DNS-SD Specific to SSD Human errors (incorrect configuration of middle boxes) allows wide range of attacks Node compromising: resulting in flooding the network with false information (larger traffic if it supposed to be broadcast) Threat model Hosnieh Rafiee DNSSD 7

Solution Scope Threats Unauthenticated Device DoS Unauthorized Access Data tampering Privacy issue Solution Scope The Use of access lists, policies, secure authentication, proof of IP ownership/mac ownership Authentication, network monitoring Access lists, policies Data integrity check Randomization (efficient), data encryption (cost effective), Control on Discovery scope Threat model Hosnieh Rafiee DNSSD 8

Not in SSD Charter but in a scope of service discovery In virtualized network many services are software based and can be accessed by their names/labels The use of DNSSD to discover security functions in Network Function Virtualization (NFV) Advantage Abstraction Disadvantage All the threats explained in t his presentation The use of DNSSD to discover different APIs or users who wants to request any functions in the network Threat model Hosnieh Rafiee DNSSD 9

Next steps? WG adoption? Threat model Hosnieh Rafiee DNSSD 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback