Summary of the LLMNR Last Call


Hi All,

As I am sure many of you have noticed, there was extensive discussionduring the IETF Last Call for "Link Local Multicast Name Resolution(LLMNR)" specification that is currently available asdraft-ietf-dnsext-mdns-43.txt. Thanks to all who participated! Thediscussion appears to have quieted down at this point, so I willattempt to summarize the discussion and see if we can reach someconclusions.


First, I'll give a brief summary of the responses received:

By my count 38 separate individuals responded to the Last Call. Someof these people responded on the IETF list, some on the IESG list,and some privately to me. People who responded privately to otherswere not counted :-).

Of the 38 respondents, only 18 of them stated an explicit opinion onthe publication of LLMNR as a Proposed Standard RFC. Others provideduseful facts to inform the discussion and/or discussed other topics,such as the structure of the DNS root. I was quite conservativeabout how I determined people's opinions, and I tried not to inferpeoples' opinions from factual statements about only one of theprotocols, etc.

Of the 18 people who expressed an explicit opinion, 14 people arguedagainst the publication of LLMNR as a Proposed Standard. I realizethat we don't vote on specifications in the IETF. I also realizethat the IETF LC is worded to encourage the statements of objectionand not to encourage statements of support. However, the fact that14 separate individuals felt strongly enough that this documentshould not be published to say so explicitly in response to an IETFLC must be taken quite seriously.

In addition to a few minor nits or comments, all of which have beencaptured in the issue tracker, there seem to be three major concernswith the publication of this protocol:

(1) Concerns that publication of this protocol will be confusing oractively harmful given the existing wide deployment of Apple's mDNSprotocol.

Concerns here seem to hinge on whether end-users will use .localextensions because they _think_ that they have mDNS available whenthey actually do not, which, when combined with LLMNR's defaultbehavior of querying the DNS first, will result in a larger number of.local lookups in the global DNS. There are several possible ways toalleviate this issue, including suppression of global queries for.local domains as part of an LLMNR implementation, or suppressingrecursive lookups for names in the .local domain on the local DNSserver, but none of these solutions is currently specified in theLLMNR specification or elsewhere.

(2) Security concerns have been raised about the fact thatapplications on hosts that implement LLMNR will not be able to tellif a response has come from the DNS or from a local lookup.

This opens applications to attack from nodes that can block globalDNS access and substitute local resolution. Some ways to eliminateor alleviate this issue might include: using different domains (suchas .local) to distinguish global and local lookups, explicitly usingdifferent global and local lookup mechanisms at the applicationlevel, only falling back to local resolution when a "no such name"response is received from the global DNS, placing further limits onwhat answers are acceptable from local lookups (only for certaindomains configured as local, only within certain IP subnets...).

This security concern does not seem to be adequately explored andaddressed in the LLMNR specification. At the very minimum, it shouldbe carefully explored in the security considerations section so thatimplementers and users can be aware of these concerns.

(3) Separate, but perhaps underlying both of the previous issues,there seems be a fundamental disagreement about what technicalapproach we should take to link-local name lookup. LLMNR takes theapproach that local lookups should use the same names as globallookups and that upper layers should not care whether a name wasresolved in the global DNS or locally, essentially making the locallookup mechanism an extension of the DNS. mDNS takes the approachthat local lookups should be distinguishable from global lookups andaccomplishes this through the use of a special local domain (.local).

This is an issue that has been discussed extensively in the DNSEXT WGat various times, and consensus was found to proceed with the LLMNRapproach. However, it is not clear whether that consensus is held bythe wider IETF community, as there are at least 14 people in the IETFwho have explicitly disagreed with that decision during IETF LC.

So, based on the IETF LC discussion of this document, I have come totwo conclusions:

CONCLUSION 1: There are at least two blocking technical issues withthe LLMNR specification (raised in items #1 and #2 above) that wouldneed to be resolved before this document is technically ready forpublication as an Proposed Standard RFC. We should resolve theseissues and determine that the IETF community is satisfied with theirresolution before sending the document to IESG review.

CONCLUSION 2: The IETF community does not currently have consensus tostandardize a local name resolution mechanism that takes the approachdescribed in LLMNR. Further work would be needed to establish theIETF consensus required to publish this document as a ProposedStandard.

Based on these conclusions, I do not intend to forward the LLMNRspecification to the IESG for review and approval. I am planning tosend the document back to the WG for resolution of these issues andwould issue another IETF LC if/when the WG believes that they have adocument that will address these issues and reach IETF consensus.

We have a number of choices about how to proceed in this situation,but before we talk about next steps, I would like to hear anyfeedback that people might have regarding my summary of thediscussion so far and the conclusions that I have reached from it.


Margaret




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf