ietf
[Top] [All Lists]

Re: Last Call: 'Linklocal Multicast Name Resolution (LLMNR) ' to Proposed Standard

2005-08-30 16:35:43
On 10-aug-2005, at 20:47, The IESG wrote:

> The IESG has received a request from the DNS Extensions WG to
> consider the
> following document:

> - 'Linklocal Multicast Name Resolution (LLMNR) '
>    <draft-ietf-dnsext-mdns-42.txt> as a Proposed Standard

> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action.  Please send any comments to the
> iesg(_at_)ietf(_dot_)org or ietf(_at_)ietf(_dot_)org mailing lists by 
2005-08-24.

Sorry for the delay.

After the discussion on the IETF list I thought it prudent to do a
more thorough review of the draft.

Agreed. Although this is not gernally my area, the discussion led me to
review the document.

This statement:

[a]  Responders MUST listen on UDP port 5355 on the link-scope multicast
      address(es) defined in Section 2, and on UDP and TCP port 5355 on
      the unicast address(es) that could be set as the source address
(es)
      when the responder responds to the LLMNR query.

Seems to be in conflict with:

    Unicast LLMNR queries MUST be done using TCP and the responses MUST
    be sent using the same TCP connection as the query.  Senders MUST
    support sending TCP queries, and responders MUST support listening
    for TCP queries. If the sender of a TCP query receives a response to
    that query not using TCP, the response MUST be silently discarded.

    Unicast UDP queries MUST be silently discarded.

Why would a responder be required to listen on unicast UDP and then
have to silently discard anything that comes in?

Indeed. It certainly seems unnecessary to me.

    Section 2.4 discusses use of TCP for LLMNR queries and
responses.  In
    composing an LLMNR query using TCP, the sender MUST set the Hop
Limit
    field in the IPv6 header and the TTL field in the IPv4 header of the
    response to one (1).  The responder SHOULD set the TTL or Hop Limit
    settings on the TCP listen socket to one (1) so that SYN-ACK packets
    will have TTL (IPv4) or Hop Limit (IPv6) set to one (1). This
    prevents an incoming connection from off-link since the sender will
    not receive a SYN-ACK from the responder.

    For UDP queries and responses, the Hop Limit field in the IPv6
header
    and the TTL field in the IPV4 header MAY be set to any value.
    However, it is RECOMMENDED that the value 255 be used for
    compatibility with Apple Bonjour [Bonjour].

Why not REQUIRE that UDP queries/responses have a TTL of 255. Then
the receiver of a packet can determine with almost complete certainty
that the packet didn't traverse any routers by checking if the
received packet has a TTL of 255. (See (amongst others) ICMPv6 for
how this works.)

This seems like a reasonable suggestion.

    Since LLMNR queries can be sent when DNS server(s) do not respond, an
    attacker can execute a denial of service attack on the DNS server(s)
    and then poison the LLMNR cache by responding to an LLMNR query with
    incorrect information.

Couldn't have said it better myself.

LLMNR takes the approach of intermingling the locally resolved
namespace with the globally resolved namespace. This will lead to
security problems such as the one mentioned above (the security
considerations section is way too cavalier), but also unduly puts
strain on both the local and the global mechanisms in the expected
common case where a host will first try to resolve a name globally
and failing that, try to resolve the name locally.

Quite correct. In addition, the approach of trying the global DNS then falling
back to LLMNR seems likely to create fertile ground for screwy and hard
to trace errors.

Suppose, for example, the LLMNR resolver is configured (intentionally or
otherwise) to respond to some names that are also defined in the DNS. Perhaps
this was done to provide a fallback service, perhaps it was done in error,
whatever. But since normal DNS provides the information under normal
circumstances this information ends up not being used. Soon it is forgotten,
updates aren't done, and the information goes stale. Then the DNS service
experiences a transient failure. LLNMR now provides the information, but oops,
it's way out of date. And of course by the time someone attempts to track down
the problem the DNS will no doubt be back up and nobody will be able to figure
out what happened.

Debugging name service problems is already difficult enough, thank you very
much, without this added wrinkle.

For instance, when a user configures a name that doesn't exist in the
global namespace on a locally reachable device, and then references
that device by name, this will involve the global DNS unnecessarily.
Since the intended result does materialize, the user doesn't see a
failure condition and the situation persists.

It has been claimed elsewhere that this is not so much of an issue because DNS
servers can be configured to reject such queries. I'm afraid I don't buy this
claim, for two reasons. First and most important, implementing such a setup
requires that sites understand and implement consistent naming policies. This
rarely happens in practice. Second, while such setups aren't difficult to
implement with most nameservers, they aren't exactly trivial either. And many
admins are very reluctant to mess around with name server configurations for
fear of breaking something.

Alternatively, whenever there is a failure in the global DNS, for
instance because of lack of reachability, unavailability of a DNS
server or the user typing an incorrect name, this will result in a
local multicast query. On some links this is very undesirable. Low-
bandwidth links such as cell phone data services are an obvious
example. Another one is IEEE 802.11x. Due to its one-to-many nature
broadcasts and multicasts must be sent at an artificial low bitrate
on these links, using up an inordinate amount of link bandwidth
relative to the packet size.

A few additional comments on the draft:

(1) Section 2.3 talks about using LLMNR and MX records to "find a local
   mail server". Trouble is, MX records are used for mail routing on the
   Internet. They are not designed for or used to locate local mail
   servers. And even if this usage made sense, IMO it is inappropriate for
   this document to talk about ways to locate a mail service, if for no
   other reason than service location is supposed to be out of scope.

(2) The abstract and to some extent the introduction talk about the goals of the
   protocol and what the protocol isn't supposed to be. They really should
   focus on what the protocol is.

(3) The entire document seems hugely convoluted and full of warnings,
   caveats, and restrictions. Perhaps this is unavoidable, but the general
   feel is that of a specification grudgingly agreed to as part of some
   sort of compromise, rather than work done to meet a real need.
   Reading the document, I cannot imagine actually wanting to implement it.

(4) Section 2.5 talks about using a TTL value of 255 "for compatibility with
   Bonjour". Given that this work is claimed to be orthogonal to mDNS
   I don't understand why this was included.

I suggest that the IESG either send back the draft to the wg to fix
these problems or at most approves publication as an experimental RFC
and NOT a standards track RFC.

IMO this needs major work even before being approved as experimental. The
overlapped namespace approach in particular seems hugely problematic and IMO
needs to be replaced.

                                Ned

P.S. Please note that I have taken no position on the LLMNR vs mDNS debate. I
haaven't even looked at the mDNS specifications. My comments here are solely on
having reviewed LLMNR.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

<Prev in Thread] Current Thread [Next in Thread>