📄 openslp_security_whitepaper.html
字号:
utilities, which lead us to start questioning why we were trying to authenticateservices via SLP anyway? Why not just let services authenticate themselves?</tt><p><tt>An analogy from real life... I need to call an associate and relaysome confidential information. I write down his number as it was left onmy voice mail and place the phone call. BEFORE I exchange sensitive informationthe individual on the other line, I authenticate their identity (recognizetheir voice, etc). Trusting the information available on my voice mailis not required (as the number may have be to an airport pay phone). Implicitlytrusting a phone number from the white pages or any other source is notrequired (or expected) as long as the callers can authenticate themselves.</tt><p><tt>Likewise, SLP delivered information need not be trusted to be useful.As long as the entity providing a service and the entity using the servicecan authenticate each other -- separate from the mechanism used to discoveror locate one another. One problem is that many services do not have authenticationcapabilities -- which is not too much of a problem because most servicesdon't have SLP capabilities either. In the end, the only problem is thatdevelopers are just beginning to write secure software. If secure serviceand client software were indeed available, there would not be any needfor SLP authentication.</tt><p><tt>Having not heard additional comment from other experts, it is myopinion the SLP need not bear the burden of authenticating services. Theburden of authentication should be placed on the services and their clientsrather than on a protocol valued for simplicity and ease of use, administration,and deployment.</tt><p><tt>Please comment. Do you agree or disagree? Why?</tt><br> </blockquote>Response from ebi@cup.hp.com:<blockquote><tt>My take on this would be that it needs to be implementedand the people deploying it should have the option of enabling/disablingit.</tt><p><tt>Because if this is not implemented, I can see a potential denialof service attack, where a rogue SA/DA, keeps on responding to all thediscovers sent by the UA. Even though the authentication might fail whenthe application tries to authenticate using other means. It can stop theUA from finding the correct SA/DA, there by creating a denial of serviceattack.</tt><p><tt>On the other hand managing keys does make the protocol heavy weight.The problem of effective key management issue, needs to be solved for mostother protocols (like DHCP) as well. Until then, we need</tt><br><tt>to be doing the key management manually or use what openSSL uses,and when there is an optimum key management solution, we can integrateinto that.</tt></blockquote><p><br>Rebuttal from mpeterson@caldera.com:<blockquote><tt>I do not believe that the "denial of service" attack scenariodescribed above is much of an issue.</tt><p><tt>I think that it is worth clarifying that receiving incorrect information(service URLs of rogue services from rogue DA/SAs) is not a problem thatinvolves the "SLP UA portion" of a client application. The problem youdescribe above involves the portions of the client application that *use*information delivered by SLP -- the "UA portion" is only in charge of *getting*the information not using it. In other words, the problem you describeabove is an SLP usage problem not an SLP problem.</tt><p><tt>Regardless of whether or not SLPv2 authentication is implementedand configured, client applications must not expect that SLP guaranteesavailability. SLP could not possibly be expected to guarantee the stateof the network or the persistent state of the registered service. Supposethat a service registers with SLP just before a WAN outage. At least fora certain amount of time clients would experience the same "denial of service"symptoms you describe above. The real solution is to encourage developersto use the entire list of service URLs. If usage (connection to or authenticationto) one service fails, the client application should try the next.</tt><p><tt>Denial of service scenarios like the one you describe are impossibleto prevent. The only protection against denial of service attacks is fear.Yes, security by fear. Remember, "SLP is intended to function within networksunder cooperative administrative control." The above mentioned attackwould be easy to detect, track and resolve; which means that it would notprobably not be much of a problem in the environments SLP is written torun in (how many rogue DHCP servers do you see on your network).</tt><p><tt>In private network environments, the security problems that youneed to worry about are those that allow confidential data to be compromised(especially if it can be done in ways can not be detected.) Denial of serviceattacks to not compromise data.</tt><p><tt>The argument from my original post is that even if SLP authenticationwas implemented and configured correctly with (magically) delivered certificates,there would still be significant service specific security risks that wouldbe dangerous even in private networks. Upon close inspection SLP authenticationappears to solve only those security problems that are not overly relevantto private networks in the first place. (Please, if I'm wrong here, giveme some examples...)</tt><p><tt>I agree fully that SLP without authentication is in the same realm(security wise) as DHCP. My question remains -- Is this really a problemin private networks? If so, why? DHCP continues to be a widely deployedand extremely useful technology. One of the most useful aspects of DHCP(and SLP) is that there is no need for extensive configuration. Add requirementsfor establishing trust (certificates, keys, etc.) and the "plug and play"features of DHCP and SLP are gone. As this is a "theoretical discussion"I might mention that security is not free. There is always a usabilityvs. security trade off. I might also mention that sometimes *lack of* securityis a feature if the goal is usability.</tt></blockquote><p><br>Response from ebi@cup.hp.com:<blockquote><tt>Let me give you another example. If I have a workstationon the shared lan where my manager's PC is also there. Some companies restrictroot access to people on the main network. So I cannot sniff around tofind password. If there is no security in SLP, then I can registerone of the test machines, which would be in a different network (for whichI have the root access to) as the pop server. Then I get the user nameand password of my manager's pop account (The same thing can be done fora print spooler or a file server).</tt></blockquote>Rebuttal from mpeterson@caldera.com:<blockquote><tt>Again, Don't you think this is more an illustration ofthe weakness of POP3 protocol and mail server/client software than it isof SLP? I would argue that its is that POP3 needs the security boost --after all it is in the business of securing an end to end communication.SLP is not designed to solve the end-to-end authentication problem ...or is it?</tt><p><tt>On the other hand, you do allude to a very valid point -- that mosttraditional and widely deployed "end-to-end" service specific protocolsand software are not capable of secure service authentication. (It is usuallypossible authenticate the user, but client software can rarely authenticatethe server which means that there is no establishment of trust before sendingclient side user credentials.)</tt><p><tt>Should SLP be tasked with solving this problem? The answer is definitelyYES if it can be done without completely squashing major SLP usabilityfeatures ("plug and play" features). I guess I just don't see how thiscan be done.</tt></blockquote><p><br>The discussion eventually involves several engineers from a numberof organizations and becomes quite lengthy. At least, the exchangeincluded above should give a taste of the arguments involved. Forthose that are interested in reading the entire thread, it can be foundat <a href="http://www.srvloc.org/hypermail/0826.html">http://www.srvloc.org/hypermail/0826.html</a><br> <h3>Conclusions</h3>For those that are not willing to endure the tedium of reading the entiremailing list discussion, the conclusion was eventually made (at leastby the author) that though SLP authentication may be appropriatein some specialized SLP deployments, it is probably not beneficial in normalnetwork computer environments. This conclusion is basedon the following premises:<ul><li>Implementation of SLP authentication in the absence of public key infrastructurestandards would require enough manual configuration to invalidate all claimsSLP has to increased usability.</li><li>Common helper protocols DNS, DHCP, IP, even ARP are currently insecurefor usability reasons. SLP fits into this category of protocolswhere lack of security may be considered a feature when it allows for maximalusability.</li><li>Given the lack of security in the above mentioned (and other) protocolsself-established authentication of end to end communication is requiredanyway for secure communication of network software entities.</li><li>In the presence of appropriate end to end security mechanisms, SLPrelated security attacks are limited to the realm of "denial of service"or "disruptions" -- even when <i>no</i> authentication is implemented inSLP. In other words there is not a risk of compromise of confidentialinformation that can be attributed to SLP as long as appropriate end toend security is established.</li></ul>So, for the OpenSLP project, there are not any plans to implement SLPv2security. (This may change in the future depending on the successof ongoing PKI standardization efforts.) There are, however,many things that could be done to reduce opportunities for "denial of serviceattacks" or other malicious SLP related disruptions. Thesewill be addressed in future versions of OpenSLP. Also, in order to inform developers about the importance of writing secureapplications, plans have been made to include an SLP Security HOWTOas part of the OpenSLP Documentation.</body></html>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -