New ZeroConf Spec

Dick Davies rasputnik at gmail.com
Thu Jul 27 11:43:16 BST 2006


On 27/07/06, Dan Kegel <dank at kegel.com> wrote:

> subverting a network considerably; instead of having to carefully craft
> packets or catch a computer when it's making a DNS or DHCP request,

DHCP is based on network broadcasts. There's no 'careful crafting' required.

> the attacker can now just tell Avahi to advertise a service, and the
> bogus service is reliably available on all systems running Avahi!

ITYM 'the bogus service is now visible on the network'.
Any application that deals with LAN hosts is going to need a discovery
mechanism, that's why they're using zeroconf. They could portscan the
local subnet, but that would be horribly inefficient and the rogue host would
still show up in the list.

> > isn't it more like opening a window compared to a gate with a
> > big "Hack me" sign above it.

> No, it's not.  Wishing that Avahi is as secure as standard DNS won't make it so.

Dan, you keep saying this over and over but you're not explaining yourself
very clearly.

If you use DNS based AAA mechanisms, then mDNS is probably not a good
idea. We all know this.

If you're suggesting the daemon is insecure, then you'll have to explain
yourself better. libresolv runs in the same address space as whatever app
calls it, so it's common for DNS queries to run as root. Avahi is a separate
unprivileged process, so this is more secure by design.

-- 
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/



More information about the ubuntu-devel mailing list