[Standards] RFC 3920, 10.2/10.3: subdomain routing rules
dave at cridland.net
Thu Mar 29 14:29:18 UTC 2007
On Thu Mar 29 14:13:15 2007, Matthias Wimmer wrote:
> Dave Cridland wrote:
>> DNS-SEC comes in, of course, because otherwise there's an attack
>> where the attacker sets up a legitimate server for domain A,
>> ensures a channel is active to it by sending the target server
>> stanzas for A, cons it into reusing the channel for some other
>> domain B by spoofing DNS, and maintains that channel as well by
>> frequent stanza sending to B. Then, the attacker has obtained all
>> the legitimate traffic to the domain B from the target server.
>> Does that clarify things?
> "Yes ... but"
> We are open to this type of attack at present anyway. XMPP s2s does
> only authenticate the sending server of a connection - NOT the
> receiving server.
Oh. TLS deployment is that bad?
> With dialback we are even not able to authenticate the receiving
> server. With TLS+SASL a server could verify the certificate of the
> receiving server, but AFAIK this is currently not done by our
Well, with TLS+SASL, you can authenticate both ends. It gets quite
amusing to do, because of the certificate authorities, but it is
> To enforce authentication of the receiving server we would have to
> disable dialback and require trusted certificates.
The problem is you have to essentially mandate a list of CAs, as I
understand things. Or, you can use leap-of-faith TLS in combination
with dialback, and at the least heavily reduce the attack's practical
Leap-of-faith TLS is basically where you assume that the certificate
is correct the first time, and you assume that a change - if the new
certificate is still not verifiable - is a spoof. It's not perfect,
but since people rarely want to intercept data from servers which
have never been used before, it's quite practical.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
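The leap-of-faith check Dave sketches, and the channel-reuse attack it is meant to blunt, as an added worked example. This is illustration code written for this page, not code from the thread or from any XMPP server; the certificates are constructed placeholder byte strings rather than real DER, the `ca_verified` flag stands in for a full chain validation, and the names (`LeapOfFaithStore`, `admit_domain`, the `*.example` domains) are assumptions.

```python
"""Leap-of-faith ("trust on first use") TLS peer checking for a server-to-server
link, with the override Dave describes: a certificate change is a suspected
spoof unless the new certificate can be verified against a trusted CA.

Example code added for illustration; not from the jabber standards thread and
not any XMPP server's implementation. Certificates below are constructed
placeholder byte strings, not real DER, and `ca_verified` stands in for a real
chain validation against the configured CA list."""

import hashlib
from dataclasses import dataclass, field

ACCEPT_FIRST = "accept-first-use"        # never seen this domain: pin it
ACCEPT_KNOWN = "accept-known"            # same certificate as pinned
ACCEPT_VERIFIED = "accept-verified"      # chains to a trusted CA: accept and re-pin
REJECT_SPOOF = "reject-suspected-spoof"  # changed and still unverifiable


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the raw certificate bytes, the usual form of a TLS pin."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PeerCert:
    domain: str        # the domain the peer claims to serve on this connection
    cert_der: bytes    # certificate presented in the TLS handshake (constructed here)
    ca_verified: bool  # True if it chains to a trusted CA and names `domain`


@dataclass
class LeapOfFaithStore:
    pins: dict = field(default_factory=dict)  # domain -> fingerprint last accepted

    def evaluate(self, peer: PeerCert) -> str:
        fp = fingerprint(peer.cert_der)
        pinned = self.pins.get(peer.domain)
        # A CA-verified certificate is accepted whether or not it matches the
        # pin, and the pin follows it: this is how a legitimate rotation looks.
        if peer.ca_verified:
            self.pins[peer.domain] = fp
            return ACCEPT_VERIFIED
        if pinned is None:
            self.pins[peer.domain] = fp
            return ACCEPT_FIRST
        if pinned == fp:
            return ACCEPT_KNOWN
        # Different certificate and not verifiable: treat as a spoof, keep the old pin.
        return REJECT_SPOOF


@dataclass
class Channel:
    """An outbound s2s connection and the domains it has been admitted to carry."""
    peer_host: str
    domains: set = field(default_factory=set)


def admit_domain(store: LeapOfFaithStore, channel: Channel, peer: PeerCert) -> bool:
    """Let stanzas for peer.domain ride this channel only if the certificate
    presented on it passes the leap-of-faith check for that domain."""
    ok = store.evaluate(peer) != REJECT_SPOOF
    if ok:
        channel.domains.add(peer.domain)
    return ok


def demo() -> list:
    """Verdict sequence for one domain: first use, repeat, spoof, rotation, stale cert."""
    store = LeapOfFaithStore()
    legit_b = PeerCert("b.example", b"CONSTRUCTED-CERT-B-self-signed", False)
    attacker_b = PeerCert("b.example", b"CONSTRUCTED-CERT-B-attacker", False)
    rotated_b = PeerCert("b.example", b"CONSTRUCTED-CERT-B-ca-signed", True)
    return [
        store.evaluate(legit_b),     # first contact: pinned
        store.evaluate(legit_b),     # same certificate again
        store.evaluate(attacker_b),  # changed, unverifiable: spoof
        store.evaluate(rotated_b),   # CA-verified rotation re-pins
        store.evaluate(legit_b),     # old cert now mismatches the new pin
    ]


def attack_scenario() -> dict:
    """The thread's attack: the attacker legitimately serves A, DNS for B is
    spoofed to the same host, and the target is asked to reuse the A channel for B."""
    store = LeapOfFaithStore()
    legit_b = PeerCert("b.example", b"CONSTRUCTED-CERT-B-legit", False)
    attacker_a = PeerCert("a.example", b"CONSTRUCTED-CERT-ATTACKER", False)
    attacker_b = PeerCert("b.example", b"CONSTRUCTED-CERT-ATTACKER", False)

    store.evaluate(legit_b)  # the target has talked to the real B before, so B is pinned
    chan = Channel(peer_host="attacker.example")
    a_ok = admit_domain(store, chan, attacker_a)  # A really is theirs
    b_ok = admit_domain(store, chan, attacker_b)  # spoofed DNS; cert mismatches B's pin

    # Dave's caveat: a domain the target has never contacted has no pin, so a
    # first-contact spoof of an unseen domain is accepted.
    fresh = LeapOfFaithStore()
    unseen_ok = admit_domain(fresh, Channel(peer_host="attacker.example"), attacker_b)

    return {"a_admitted": a_ok, "b_admitted": b_ok,
            "unseen_b_admitted": unseen_ok, "channel_domains": sorted(chan.domains)}
```

The pin store keyed by domain rather than by host is the important design choice: a channel proven for A gains nothing for B, so the attacker's DNS spoof only wins against a domain the target has never spoken to, which is the residual risk Dave acknowledges.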