I tried to document this ages ago in https://datatracker.ietf.org/doc/draft-ietf-dnsop-reverse-mapping-considerations/, and got so many contradictory edits (see the history) that the final version ended up saying “A or maybe not-A, or maybe both, your choice,” so the then-chairs decided the document wasn’t worth sending through publication.
A

--
Andrew Sullivan
Please excuse my clumsy thumbs

> On Apr 11, 2022, at 11:38, Michael Richardson <[email protected]> wrote:
>
> Hi, in reviews of
> https://www.ietf.org/archive/id/draft-ietf-opsawg-mud-iot-dns-considerations-04.html
> I was asked to expand upon why the reverse map cannot be intelligently used
> for MUD ACLs. (section 3, XXX stuff)
> (MUD controllers, upon being presented with ACLs made up of
> names need to do forward lookups of the names and build ACLs based upon the
> IP addresses.)
>
> There are two aspects of this:
> 1) even in an ideal situation, it takes too long on the first packet to
> extract a name from an IP address. Yes, that could be aggressively cached.
>
> 2) forward:reverse maps are N:M mappings, often with unidirectional parts,
> and often broken or not delegated.
>
> Further, there is no authorization of the mappings, so an attacker who
> wants to be able to reach IP address 2001:db8::abcd, can insert a
> reverse name of their choice, including updates.example.com, which is
> permitted by the MUD ACL.
>
> While I can write the above paragraph, I don't feel that it's detailed enough
> for what is needed, and I feel that we (the IETF) must have documented the
> security issues with reverse/forward mismatches at least twice over the past
> 40 years.
>
> I'm looking for a good well reviewed reference to use rather than repeating
> this again.
>
> --
> Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
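The attack in the quoted message, as an added worked example that is not part of this thread, the MUD DNS draft, or the reverse-mapping draft: a simulated resolver with constructed forward and reverse zone data (the documentation prefix 2001:db8::/32, 192.0.2.0/24 and reserved example names) compares three ways a MUD controller could turn a name-based ACL into a decision. Trusting the PTR alone admits the attacker's address, because the holder of the 2001:db8::abcd reverse zone can publish any name there. Forward-confirming the PTR (resolving each PTR target and requiring the original address to appear in its A/AAAA set, usually called FCrDNS) rejects the attacker but also rejects a legitimate address whose reverse zone is missing, which is the "broken or not delegated" case. Building the ACL from forward lookups of the ACL names, as the draft says controllers must, needs no reverse data at all. None of the three removes the first-packet latency point, and the zone contents, function names and addresses are all assumptions for illustration.

```python
"""Reverse-map trust vs. forward-confirmed reverse DNS vs. forward-built ACLs.

Added example for the thread above; not code from the drafts or either poster.
Zone data is constructed: 2001:db8::/32 and 192.0.2.0/24 are documentation
ranges, example.com/example.net are reserved names.
"""
from __future__ import annotations

import ipaddress


def _norm(addr: str) -> str:
    """Canonical text form so 2001:0db8::1 and 2001:db8::1 compare equal."""
    return str(ipaddress.ip_address(addr))


def _ptr_owner(addr: str) -> str:
    """Owner name of the PTR record for addr (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


# Constructed forward zone: name -> set of addresses.
# updates.example.com is multihomed, and cdn.example.com shares one of its
# addresses, so the forward:reverse relation is N:M in both directions.
FORWARD: dict[str, set[str]] = {
    "updates.example.com.": {"2001:db8:1::10", "2001:db8:1::11", "192.0.2.10"},
    "cdn.example.com.": {"2001:db8:1::10"},
    "attacker.example.net.": {"2001:db8::abcd"},
}

# Constructed reverse zone: PTR owner -> set of target names.
# The PTR for 2001:db8::abcd lives in the zone of whoever holds that block,
# so the attacker simply publishes the name the MUD ACL permits.
# 2001:db8:1::11 deliberately has no PTR at all (undelegated/broken reverse).
REVERSE: dict[str, set[str]] = {
    _ptr_owner("2001:db8:1::10"): {"updates.example.com.", "cdn.example.com."},
    _ptr_owner("192.0.2.10"): {"updates.example.com."},
    _ptr_owner("2001:db8::abcd"): {"updates.example.com."},
}


def lookup_ptr(addr: str) -> set[str]:
    """Simulated PTR query; an empty set models NXDOMAIN or a lame delegation."""
    return set(REVERSE.get(_ptr_owner(addr), set()))


def lookup_forward(name: str) -> set[str]:
    """Simulated A/AAAA query, answers normalized."""
    return {_norm(a) for a in FORWARD.get(name, set())}


def permit_by_ptr_only(addr: str, allowed: set[str]) -> bool:
    """Wrong: accept the address if any PTR target is an ACL name.

    Nothing binds the PTR to the forward zone owner, so the attacker's
    2001:db8::abcd passes with a PTR of updates.example.com."""
    return bool(lookup_ptr(addr) & allowed)


def fcrdns_names(addr: str) -> set[str]:
    """PTR targets whose own A/AAAA records contain addr (forward-confirmed)."""
    target = _norm(addr)
    return {name for name in lookup_ptr(addr) if target in lookup_forward(name)}


def permit_by_fcrdns(addr: str, allowed: set[str]) -> bool:
    """Better: only forward-confirmed names count. Rejects the attacker, but
    also rejects legitimate addresses with no (or broken) reverse mapping."""
    return bool(fcrdns_names(addr) & allowed)


def forward_acl_addresses(allowed: set[str]) -> set[str]:
    """What the draft says a MUD controller must do: expand ACL names to
    addresses by forward lookup and match packets on those addresses."""
    addrs: set[str] = set()
    for name in allowed:
        addrs |= lookup_forward(name)
    return addrs


if __name__ == "__main__":
    acl = {"updates.example.com."}
    for ip in ("2001:db8::abcd", "2001:db8:1::10", "2001:db8:1::11"):
        print(ip, "ptr-only:", permit_by_ptr_only(ip, acl),
              "fcrdns:", permit_by_fcrdns(ip, acl),
              "forward-built:", _norm(ip) in forward_acl_addresses(acl))
```

The forward-built ACL is the only one of the three whose trust root is the forward zone the ACL author actually named; FCrDNS is the right check when you are handed an address and must reason about it after the fact (log review, abuse handling), and even then a missing PTR tells you nothing about the address's legitimacy.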
