[Standards] RFC 3920, 10.2/10.3: subdomain routing rules
dave at cridland.net
Thu Mar 29 13:16:49 UTC 2007
On Wed Mar 28 21:50:55 2007, Matthias Wimmer wrote:
> Ralph Meijer schrieb:
> > Actually I think that using DNS-SEC as a source for authentication would
> > be in combination with SASL EXTERNAL, just like how we now use TLS
> > certs. I'm not sure if you need to explicitly mention alternates.
> Could somebody please give me a clue how DNSsec would be used for
> authentication? To my knowledge DNSsec can only be used to make
> sure that DNS responses are not spoofed. So you get a trustable IP
> address from your DNS resolver. But this leaves the door open for
> attacks that do not require spoofing the IP address.
Hmmm. More explanation needed. I don't promise any of this is correct.

What I actually meant was that, assuming an integrity-protected
authenticated channel to the remote server, then my assumption was
that reuse of that channel to send stanzas intended for a different
domain, but the same server, seemed reasonable off the top of my head
assuming that the lookup itself was secure, which is where DNS-SEC

So, supposing that you looked up jabber.eu, found the XMPP service,
connected to it, and did some TLS-based mutual auth, proving the
server's identity. Then later, you get a stanza to forward to
xmpp.eu. If you looked up xmpp.eu and the lookups were protected by
DNS-SEC, then you might get an overlap - in this case I believe you
would. It seems reasonable to me that this would mean that one
*could* then send the stanza over the existing connection.

That would seem to fit the section 9.1.2 text that Bruce proposed -
although I'm far from wed to the idea.

DNS-SEC comes in, of course, because otherwise there's an attack
where the attacker sets up a legitimate server for domain A, ensures
a channel is active to it by sending the target server stanzas for A,
cons it into reusing the channel for some other domain B by spoofing
DNS, and maintains that channel as well by frequent stanza sending to
B. Then, the attacker has obtained all the legitimate traffic to the
domain B from the target server.

Does that clarify things?

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
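
The reuse rule discussed in the message above, written out as a decision function. This is an added example, not code from the thread or from any XMPP implementation, and it models the argument rather than stating what RFC 3920 requires. The `Lookup` and `Channel` types, the `may_reuse` function, and all host names other than jabber.eu and xmpp.eu are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lookup:
    """Modelled result of resolving a domain's server-to-server service."""
    domain: str
    targets: frozenset      # (host, port) pairs the answer points at
    dnssec_validated: bool  # True only if the resolver validated the answer

@dataclass(frozen=True)
class Channel:
    """An existing server-to-server connection."""
    authenticated_for: str  # domain whose identity was proven over TLS
    peer: tuple             # (host, port) the connection actually goes to
    tls_mutual_auth: bool

def may_reuse(channel: Channel, lookup: Lookup):
    """Decide whether stanzas for lookup.domain may go over channel."""
    if lookup.domain == channel.authenticated_for:
        return True, "same domain the channel was authenticated for"
    if not channel.tls_mutual_auth:
        return False, "channel is not integrity-protected and authenticated"
    if not lookup.dnssec_validated:
        # A spoofed answer could point domain B at the attacker's server for A.
        return False, "lookup not DNSSEC-validated; overlap cannot be trusted"
    if channel.peer not in lookup.targets:
        return False, "validated lookup does not overlap with this channel"
    return True, "validated lookup overlaps with the authenticated peer"

# Constructed sample data: host names and ports are made up for illustration.
SHARED = ("s2s.example.net", 5269)
ROGUE = ("xmpp.attacker.example", 5269)

good_channel = Channel("jabber.eu", SHARED, tls_mutual_auth=True)
rogue_channel = Channel("a.example", ROGUE, tls_mutual_auth=True)

xmpp_eu_signed = Lookup("xmpp.eu", frozenset({SHARED}), dnssec_validated=True)
b_spoofed = Lookup("b.example", frozenset({ROGUE}), dnssec_validated=False)
b_signed = Lookup("b.example", frozenset({("xmpp.b.example", 5269)}), True)

if __name__ == "__main__":
    for ch, lk in [(good_channel, xmpp_eu_signed),
                   (rogue_channel, b_spoofed),
                   (rogue_channel, b_signed)]:
        print(ch.authenticated_for, "->", lk.domain, may_reuse(ch, lk))
```

The second case is the attack from the message: the channel to the server for domain A is genuine, and only the unvalidated lookup for B makes the overlap appear.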