draft-ietf-dnsext-mdns-19.txt

bind-3.2.

Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to
configure LLMNR on an interface.  The LLMNR Enable Option, described in
[LLMNREnable], can be used to explicitly enable or disable use of LLMNR
on an interface.  The LLMNR Enable Option does not determine whether or
in which order DNS itself is used for name resolution.  The order in
which various name resolution mechanisms should be used can be specified
using the Name Service Search Option for DHCP [RFC2937].

3.2.1.  Configuration consistency

It is possible that DNS configuration mechanisms will go in and out of
service.  In these circumstances, it is possible for hosts within an
administrative domain to be inconsistent in their DNS configuration.

For example, where DHCP is used for configuring DNS servers, one or more
DHCP servers can go down.  As a result, hosts configured prior to the
outage will be configured with a DNS server, while hosts configured
after the outage will not.  Alternatively, it is possible for the DNS
configuration mechanism to continue functioning while configured DNS
servers fail.





Esibov, Aboba & Thaler       Standards Track                   [Page 11]





INTERNET-DRAFT                    LLMNR                      12 May 2003


Unless unconfigured hosts periodically retry configuration, an outage in
the DNS configuration mechanism will result in hosts continuing to
prefer LLMNR even once the outage is repaired.  Since LLMNR only enables
linklocal name resolution, this represents an unnecessary degradation in
capabilities.  As a result, it is recommended that hosts without a
configured DNS server periodically attempt to obtain DNS configuration.
A default retry interval of two (2) minutes is RECOMMENDED.

4.  Conflict resolution

The sender MUST anticipate receiving multiple replies to the same LLMNR
query, in the event that several LLMNR enabled computers receive the
query and respond with valid answers.  When this occurs, the responses
MAY first be concatenated, and then treated in the same manner that
multiple RRs received from the same DNS server would.

There are some scenarios when multiple responders MAY respond to the
same query.  There are other scenarios when only one responder MAY
respond to a query.  Resource records for which the latter queries are
submitted are referred as UNIQUE throughout this document.  The
uniqueness of a resource record depends on a nature of the name in the
query and type of the query.  For example it is expected that:

   - multiple hosts may respond to a query for an SRV type record
   - multiple hosts may respond to a query for an A or AAAA type
     record for a cluster name (assigned to multiple hosts in
     the cluster)
   - only a single host may respond to a query for an A or AAAA
     type record for a hostname.

Every responder that responds to an LLMNR query AND includes a UNIQUE
record in the response:

   1.  MUST verify that there is no other host within the scope of the
       LLMNR query propagation that can return a resource record
       for the same name, type and class.
   2.  MUST NOT include a UNIQUE resource record in the
       response without having verified its uniqueness.

Where a host is configured to respond to LLMNR queries on more than one
interface, each interface should have its own independent LLMNR cache.
For each UNIQUE resource record in a given interface's configuration,
the host MUST verify resource record uniqueness on that interface.  To
accomplish this, the host MUST send an LLMNR query for each UNIQUE
resource record.

By default, a host SHOULD be configured to behave as though all RRs are
UNIQUE.  Uniqueness verification is carried out when the host:



Esibov, Aboba & Thaler       Standards Track                   [Page 12]





INTERNET-DRAFT                    LLMNR                      12 May 2003


  - starts up or
  - is configured to respond to the LLMNR queries on an interface or
  - is configured to respond to the LLMNR queries using additional
    UNIQUE resource records.

When a host that owns a UNIQUE record receives an LLMNR query for that
record, the host MUST respond.  After the client receives a response, it
MUST check whether the response arrived on another interface.  If this
is the case, then the client can use the UNIQUE resource record in
response to LLMNR queries.  If not, then it MUST NOT use the UNIQUE
resource record in response to LLMNR queries.

The name conflict detection mechanism doesn't prevent name conflicts
when previously partitioned segments are connected by a bridge.  In such
a situation, name conflicts are detected when a sender receives more
than one response to its LLMNR multicast query.  In this case, the
sender sends the first response that it received to all responders that
responded to this query except the first one, using UDP unicast.  A host
that receives a query response containing a UNIQUE resource record that
it owns, even if it didn't send such a query, MUST verify that no other
host within the LLMNR scope is authoritative for the same name, using
the mechanism described above.  Based on the result, the host detects
whether there is a name conflict and acts accordingly.

4.1.  Considerations for Multiple Interfaces

A multi-homed host may elect to configure LLMNR on only one of its
active interfaces.  In many situations this will be adequate.  However,
should a host need to configure LLMNR on more than one of its active
interfaces, there are some additional precautions it MUST take.
Implementers who are not planning to support LLMNR on multiple
interfaces simultaneously may skip this section.

A multi-homed host checks the uniqueness of UNIQUE records as described
in Section 4.  The situation is illustrated in figure 1.

     ----------  ----------
      |      |    |      |
     [A]    [myhost]   [myhost]

   Figure 1.  Link-scope name conflict

In this situation, the multi-homed myhost will probe for, and defend,
its host name on both interfaces.  A conflict will be detected on one
interface, but not the other.  The multi-homed myhost will not be able
to respond with a host RR for "myhost" on the interface on the right
(see Figure 1).  The multi-homed host may, however, be configured to use
the "myhost" name on the interface on the left.



Esibov, Aboba & Thaler       Standards Track                   [Page 13]





INTERNET-DRAFT                    LLMNR                      12 May 2003


Since names are only unique per-link, hosts on different links could be
using the same name.  If an LLMNR client sends requests over multiple
interfaces, and receives replies from more than one, the result returned
to the client is defined by the implementation.  The situation is
illustrated in figure 2.

     ----------  ----------
      |      |    |     |
     [A]    [myhost]   [A]


   Figure 2.  Off-segment name conflict

If host myhost is configured to use LLMNR on both interfaces, it will
send LLMNR queries on both interfaces.  When host myhost sends a query
for the host RR for name "A" it will receive a response from hosts on
both interfaces.

Host myhost will then send the first responder's response to the second
responder, who will attempt to verify the uniqueness of host RR for its
name, but will not discover a conflict, since the conflicting host
resides on a different link.  Therefore it will continue using its name.

Host myhost cannot distinguish between the situation shown in Figure 2,
and that shown in Figure 3 where no conflict exists.

             [A]
            |   |
        -----   -----
            |   |
           [myhost]

   Figure 3.  Multiple paths to same host

This illustrates that the proposed name conflict resolution mechanism
does not support detection or resolution of conflicts between hosts on
different links.  This problem can also occur with unicast DNS when a
multi-homed host is connected to two different networks with separated
name spaces.  It is not the intent of this document to address the issue
of uniqueness of names within DNS.

4.2.  API issues

[RFC2553] provides an API which can partially solve the name ambiguity
problem for applications written to use this API, since the sockaddr_in6
structure exposes the scope within which each scoped address exists, and
this structure can be used for both IPv4 (using v4-mapped IPv6
addresses) and IPv6 addresses.



Esibov, Aboba & Thaler       Standards Track                   [Page 14]





INTERNET-DRAFT                    LLMNR                      12 May 2003


Following the example in Figure 2, an application on 'myhost' issues the
request getaddrinfo("A", ...) with ai_family=AF_INET6 and
ai_flags=AI_ALL|AI_V4MAPPED.  LLMNR requests will be sent from both
interfaces and the resolver library will return a list containing
multiple addrinfo structures, each with an associated sockaddr_in6
structure.  This list will thus contain the IPv4 and IPv6 addresses of
both hosts responding to the name 'A'.  Link-local addresses will have a
sin6_scope_id value that disambiguates which interface is used to reach
the address.  Of course, to the application, Figures 2 and 3 are still
indistinguishable, but this API allows the application to communicate
successfully with any address in the list.

5.  Security Considerations

LLMNR is by nature a peer-to-peer name resolution protocol.  It is
therefore inherently more vulnerable than DNS, since existing DNS
security mechanisms are difficult to apply to LLMNR and an attacker only
needs to be misconfigured to answer an LLMNR query with incorrect
information.

In order to address the security vulnerabilities, the following
mechanisms are contemplated:

[1]  Scope restrictions.

[2]  Usage restrictions.

[3]  Cache and port separation.

[4]  Authentication.

These techniques are described in the following sections.

5.1.  Scope restriction

With LLMNR it is possible that hosts will allocate conflicting names for
a period of time, or that attackers will attempt to deny service to
other hosts by allocating the same name.  Such attacks also allow hosts
to receive packets destined for other hosts.

Since LLMNR is typically deployed in situations where no trust model can
be assumed, it is likely that LLMNR queries and responses will be
unauthenticated.  In the absence of authentication, LLMNR reduces the
exposure to such threats by utilizing queries sent to a link-scope
multicast address, as well as setting the TTL (IPv4) or Hop Limit (IPv6)
fields to one (1) on both queries and responses.





Esibov, Aboba & Thaler       Standards Track                   [Page 15]





INTERNET-DRAFT                    LLMNR                      12 May 2003


While this limits the ability of off-link attackers to spoof LLMNR
queries and responses, it does not eliminate it.   For example, it is
possible for an attacker to spoof a response to a frequent query (such
as an A/AAAA query for a popular Internet host), and using a TTL or Hop
Limit field larger than one (1), for the forged response to reach the
LLMNR sender.  There also are scenarios such as public "hotspots" where
attackers can be present on the same link.

These threats are most serious in wireless networks such as 802.11,
since attackers on a wired network will require physical access to the
home network, while wireless attackers may reside outside the home.
Link-layer security can be of assistance against these threats if it is
available.

5.2.  Usage restriction

As noted in Section 3, LLMNR is intended for usage in a limited set of
scenarios.

If an interface has been configured via any automatic configuration
mechanism which is able to supply DNS configuration information, then
LLMNR SHOULD NOT be used as the primary name resolution mechanism on
that interface, although it MAY be used as a name resolution mechanism
of last resort.

Note: enabling LLMNR for use in situations where a DNS server has been
configured will result in upgraded hosts changing their default behavior
without a simultaneous update to configuration information.  Where this
is considered undesirable, LLMNR SHOULD NOT be enabled by default, so
that hosts will neither listen on the link-scope multicast address, nor
will it send queries to that address.

Use of LLMNR as a name resolution mechanism increases security
vulnerabilities.  For example, if an LLMNR query is sent whenever a DNS
server does not respond in a timely way, then an attacker can execute a
denial of service attack on the DNS server(s) and then poison the LLMNR
cache by responding to the resulting LLMNR queries with incorrect
information.

The vulnerability is more serious if LLMNR is given higher priority than
DNS among the enabled name resolution mechanisms.  In such a
configuration, a denial of service attack on the DNS server would not be