Hi, in reviews of
  
https://www.ietf.org/archive/id/draft-ietf-opsawg-mud-iot-dns-considerations-04.html

I was asked to expand upon why the reverse map can not be intelligently used  
for MUD ACLs. (section 3, XXX stuff)
(MUD controllers, upon being presented with ACLs made up of
names need to do forward lookups of the names and build ACLs based upon the
IP addresses.)

There are two aspects of this:
  1) even in an ideal situation, it takes too long on the first packet to
     extract a name from an IP address.  Yes, that could be aggressively cached.

  2) forward:reverse maps are N:M mappings, often with unidirectional parts,
     and often broken or not delegated.

     Further, there is no authorization of the mappings, so an attacker who
     wants to be able to reach IP address 2001:db8::abcd, can insert a
     reverse name of their choice, including updates.example.com, which is
     permitted by the MUD ACL.

While I can write the above paragraph, I don't feel that it's detailed enough
for what is needed, and I feel that we (the IETF) must have documented the
security issues with reverse/forward mismatched at least twice over the past
40 years.

I'm looking for a good well reviewed reference to use rather than repeating
this again.

-- 
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
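An added illustration of the mismatch described above (my example, not text from the draft or the post): it stands in constructed zone data for live DNS, shows how a PTR-only check admits the attacker's 2001:db8::abcd, and how the forward-lookup approach the post says MUD controllers must take does not. The zone contents and the name updates.example.com are assumed values for the example.

```python
import ipaddress

# Constructed stand-ins for DNS answers (no network access). Addresses come
# from the 2001:db8::/32 documentation prefix used in the post.
FORWARD = {  # name -> AAAA answers published by the name's legitimate owner
    "updates.example.com": {"2001:db8::1"},
}
REVERSE = {  # address -> PTR answers published by whoever holds that reverse zone
    "2001:db8::1": {"updates.example.com"},     # legitimate host
    "2001:db8::abcd": {"updates.example.com"},  # attacker-chosen PTR for their own address
}

MUD_ACL_NAMES = {"updates.example.com"}  # names from a MUD file ACL


def reverse_only_allows(ip: str) -> bool:
    """Naive policy: trust the PTR record alone.
    Nobody authorizes reverse mappings, so the holder of any reverse zone
    can make this return True for addresses they control."""
    ptrs = REVERSE.get(str(ipaddress.ip_address(ip)), set())
    return bool(ptrs & MUD_ACL_NAMES)


def forward_confirmed_allows(ip: str) -> bool:
    """Forward-confirmed reverse DNS: a PTR name only counts if resolving that
    name forward yields the same address. The forward zone belongs to the
    name's owner, which is what the ACL author actually meant."""
    addr = ipaddress.ip_address(ip)
    for name in REVERSE.get(str(addr), set()) & MUD_ACL_NAMES:
        if addr in {ipaddress.ip_address(a) for a in FORWARD.get(name, set())}:
            return True
    return False


def build_mud_acl(names) -> set:
    """What a MUD controller does instead: resolve each ACL name forward and
    admit only the resulting addresses; the reverse tree is never consulted."""
    acl = set()
    for name in names:
        acl |= {ipaddress.ip_address(a) for a in FORWARD.get(name, set())}
    return acl


def forward_acl_allows(ip: str) -> bool:
    return ipaddress.ip_address(ip) in build_mud_acl(MUD_ACL_NAMES)
```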

