[Standards] RFC 3920, 10.2/10.3: subdomain routing rules

Dave Cridland dave at cridland.net
Thu Mar 29 13:16:49 UTC 2007


On Wed Mar 28 21:50:55 2007, Matthias Wimmer wrote:
> Hi!
> 
> Ralph Meijer schrieb:
> > Actually I think that using DNS-SEC as a source for authentication would
> > be in combination with SASL EXTERNAL, just like how we now use TLS
> > certs. I'm not sure if you need to explicitly mention alternates.
> 
> Could somebody please give me a clue how DNSsec would be used for
> authentication? Due to my knowledge DNSsec can only be used to make
> sure, that DNS responses are not spoofed. So you get a trustable IP
> address from your DNS resolver. But this leaves the door open for any
> attack, that does not require spoofing the IP address.
> 
> 
Hmmm. More explanation needed. I don't promise any of this is correct.

What I actually meant was that, assuming an integrity-protected 
authenticated channel to the remote server, then my assumption was 
that reuse of that channel to send stanzas intended for a different 
domain, but the same server, seemed reasonable off the top of my head 
assuming that the lookup itself was secure, which is where DNS-SEC 
came in.

So, supposing that you looked up jabber.eu, found the XMPP service, 
connected to it, and did some TLS-based mutual auth, proving the 
server's identity. Then later, you get a stanza to forward to 
xmpp.eu. If you looked up xmpp.eu and the lookups were protected by 
DNS-SEC, then you might get an overlap - in this case I believe you 
would. It seems reasonable to me that this would mean that one 
*could* then send the stanza over the existing connection.

That would seem to fit the section 9.1.2 text that Bruce proposed - 
although I'm far from wedded to the idea.

DNS-SEC comes in, of course, because otherwise there's an attack 
where the attacker sets up a legitimate server for domain A, ensures 
a channel is active to it by sending the target server stanzas for A, 
cons it into reusing the channel for some other domain B by spoofing 
DNS, and maintains that channel as well by frequent stanza sending to 
B. Then, the attacker has obtained all the legitimate traffic to the 
domain B from the target server.

Does that clarify things?

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
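The reuse rule sketched in the message above, written out as an added illustration that is not part of Dave's message nor of any XMPP server: a stanza for a second domain may ride on an already authenticated server-to-server channel only when that domain's own SRV lookup was DNSSEC-validated and points at the very host the channel was authenticated against. Unvalidated lookups are refused, which is what closes the spoofed-DNS channel-hijack the message describes. The data classes, the hostname `s2s.shared-host.example`, the domain `b.example` and the lookup results are constructed stand-ins for this example; jabber.eu and xmpp.eu are the domains used in the message.

```python
"""Channel-reuse policy for XMPP server-to-server (s2s) connections.

Simplified model constructed for this example: it is not a resolver and
not an XMPP implementation. A lookup result carries whether the resolver
validated it under DNSSEC; a channel carries the peer host it was
authenticated against and the domains already proven over it.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SrvLookup:
    """Outcome of an SRV lookup for _xmpp-server._tcp.<domain> (constructed)."""
    domain: str
    targets: frozenset          # hostnames the SRV records point at
    dnssec_validated: bool      # True only if the chain of trust verified


@dataclass
class S2SChannel:
    """An open s2s channel after TLS-based mutual authentication."""
    peer_host: str                              # host we connected to
    tls_verified: bool = False                  # peer identity proven by TLS
    integrity_protected: bool = False           # channel is TLS-protected
    authenticated_for: set = field(default_factory=set)  # domains proven


def may_reuse_channel(chan, lookup):
    """Return (allowed, reason) for sending lookup.domain over chan."""
    if not (chan.tls_verified and chan.integrity_protected):
        return False, "channel is not authenticated and integrity-protected"
    if lookup.domain in chan.authenticated_for:
        return True, "domain already authenticated on this channel"
    # Without DNSSEC the lookup could have been spoofed to point at this
    # peer, which is exactly the hijack the thread warns about: refuse.
    if not lookup.dnssec_validated:
        return False, "lookup for %s not DNSSEC-validated" % lookup.domain
    if chan.peer_host not in lookup.targets:
        return False, "validated lookup does not name the authenticated peer"
    return True, "DNSSEC-validated lookup overlaps the authenticated peer"


def route_stanza(channels, lookup):
    """Pick a reusable channel, or None to signal a fresh connection."""
    for chan in channels:
        ok, reason = may_reuse_channel(chan, lookup)
        if ok:
            chan.authenticated_for.add(lookup.domain)
            return chan, reason
    return None, "no reusable channel; open a new authenticated connection"


def run_scenarios():
    """Walk the cases from the message; returns {case: reuse allowed?}."""
    host = "s2s.shared-host.example"            # constructed hostname
    chan = S2SChannel(peer_host=host, tls_verified=True,
                      integrity_protected=True, authenticated_for={"jabber.eu"})
    results = {}
    # Legitimate overlap: xmpp.eu validated under DNSSEC, same host.
    results["overlap_validated"] = may_reuse_channel(
        chan, SrvLookup("xmpp.eu", frozenset({host}), True))[0]
    # Attack: spoofed (unvalidated) DNS for b.example pointing at host.
    results["spoofed_unvalidated"] = may_reuse_channel(
        chan, SrvLookup("b.example", frozenset({host}), False))[0]
    # Validated lookup, but it names a different host: no overlap.
    results["validated_other_host"] = may_reuse_channel(
        chan, SrvLookup("b.example", frozenset({"other.example"}), True))[0]
    # Channel never authenticated at all: never reusable.
    plain = S2SChannel(peer_host=host)
    results["unauthenticated_channel"] = may_reuse_channel(
        plain, SrvLookup("xmpp.eu", frozenset({host}), True))[0]
    # Routing falls back to a new connection when nothing qualifies.
    results["route_fallback"] = route_stanza(
        [plain], SrvLookup("b.example", frozenset({host}), False))[0] is None
    return results


if __name__ == "__main__":
    for case, allowed in run_scenarios().items():
        print("%-24s reuse allowed: %s" % (case, allowed))
```

The policy deliberately treats an unvalidated answer as "unknown" rather than "probably fine": in the hijack described, the attacker's spoofed answer for B does point at the attacker's (legitimately authenticated) server, so host overlap alone is no defence; only the DNSSEC validation status of B's lookup distinguishes the two cases.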