Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1369

Timestamp:

02/08/11 12:03:26 (10 years ago)

Author:

julian.reschke@…

Message:

rewrite DNS spoofing advice section, taking Henrik's text (see #100)

Location:

draft-ietf-httpbis/latest

Files:

: 2 edited

p1-messaging.html (modified) (12 diffs)
p1-messaging.xml (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

draft-ietf-httpbis/latest/p1-messaging.html

-                      r1368
+                      r1369
+  }
   @bottom-center {
        content: "Expires February 2, 2012";
+       content: "Expires February 3, 2012";
+  }
   @bottom-right {
 …
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest">
       <meta name="dct.issued" scheme="ISO8601" content="2011-08-01">
+      <meta name="dct.issued" scheme="ISO8601" content="2011-08-02">
       <meta name="dct.replaces" content="urn:ietf:rfc:2145">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
 …
             </tr>
             <tr>
                <td class="left">Expires: February 2, 2012</td>
+               <td class="left">Expires: February 3, 2012</td>
                <td class="right">HP</td>
             </tr>
 …
             <tr>
                <td class="left"></td>
                <td class="right">August 1, 2011</td>
+               <td class="right">August 2, 2011</td>
             </tr>
          </tbody>
 …
          in progress”.
       </p>
       <p>This Internet-Draft will expire on February 2, 2012.</p>
+      <p>This Internet-Draft will expire on February 3, 2012.</p>
       <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
       <p>Copyright © 2011 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
 …
                <li>11.2&nbsp;&nbsp;&nbsp;<a href="#abuse.of.server.log.information">Abuse of Server Log Information</a></li>
                <li>11.3&nbsp;&nbsp;&nbsp;<a href="#attack.pathname">Attacks Based On File and Path Names</a></li>
                <li>11.4&nbsp;&nbsp;&nbsp;<a href="#dns.spoofing">DNS Spoofing</a></li>
+               <li>11.4&nbsp;&nbsp;&nbsp;<a href="#dns.related.attacks">DNS-related Attacks</a></li>
                <li>11.5&nbsp;&nbsp;&nbsp;<a href="#attack.proxies">Proxies and Caching</a></li>
                <li>11.6&nbsp;&nbsp;&nbsp;<a href="#attack.protocol.element.size.overflows">Protocol Element Size Overflows</a></li>
 …
          bugs in such HTTP server implementations have turned into security risks.
       </p>
+      <h2 id="rfc.section.11.4"><a href="#rfc.section.11.4">11.4</a>&nbsp;<a id="dns.spoofing" href="#dns.spoofing">DNS Spoofing</a></h2>
+      <p id="rfc.section.11.4.p.1">Clients using HTTP rely heavily on the Domain Name Service, and are thus generally prone to security attacks based on the
+         deliberate mis-association of IP addresses and DNS names. Clients need to be cautious in assuming the continuing validity
+         of an IP number/DNS name association.
+      </p>
+      <p id="rfc.section.11.4.p.2">In particular, HTTP clients <em class="bcp14">SHOULD</em> rely on their name resolver for confirmation of an IP number/DNS name association, rather than caching the result of previous
+         host name lookups. Many platforms already can cache host name lookups locally when appropriate, and they <em class="bcp14">SHOULD</em> be configured to do so. It is proper for these lookups to be cached, however, only when the TTL (Time To Live) information
+         reported by the name server makes it likely that the cached information will remain useful.
+      </p>
+      <p id="rfc.section.11.4.p.3">If HTTP clients cache the results of host name lookups in order to achieve a performance improvement, they <em class="bcp14">MUST</em> observe the TTL information reported by DNS.
+      </p>
+      <p id="rfc.section.11.4.p.4">If HTTP clients do not observe this rule, they could be spoofed when a previously-accessed server's IP address changes. As
+         network renumbering is expected to become increasingly common <a href="#RFC1900" id="rfc.xref.RFC1900.1"><cite title="Renumbering Needs Work">[RFC1900]</cite></a>, the possibility of this form of attack will grow. Observing this requirement thus reduces this potential security vulnerability.
+      </p>
+      <p id="rfc.section.11.4.p.5">This requirement also improves the load-balancing behavior of clients for replicated servers using the same DNS name and reduces
+         the likelihood of a user's experiencing failure in accessing sites which use that strategy.
+      <h2 id="rfc.section.11.4"><a href="#rfc.section.11.4">11.4</a>&nbsp;<a id="dns.related.attacks" href="#dns.related.attacks">DNS-related Attacks</a></h2>
+      <p id="rfc.section.11.4.p.1">HTTP clients rely heavily on the Domain Name Service (DNS), and are thus generally prone to security attacks based on the
+         deliberate misassociation of IP addresses and DNS names not protected by DNSSec. Clients need to be cautious in assuming the
+         validity of an IP number/DNS name association unless the response is protected by DNSSec (<a href="#RFC4033" id="rfc.xref.RFC4033.1"><cite title="DNS Security Introduction and Requirements">[RFC4033]</cite></a>).
       </p>
       <h2 id="rfc.section.11.5"><a href="#rfc.section.11.5">11.5</a>&nbsp;<a id="attack.proxies" href="#attack.proxies">Proxies and Caching</a></h2>
 …
       <h2 id="rfc.references.2"><a href="#rfc.section.13.2" id="rfc.section.13.2">13.2</a> Informative References
       </h2>
       <table>
+      <table>
          <tr>
             <td class="reference"><b id="BCP97">[BCP97]</b></td>
 …
          </tr>
          <tr>
+            <td class="reference"><b id="RFC4033">[RFC4033]</b></td>
+            <td class="top">Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “<a href="http://tools.ietf.org/html/rfc4033">DNS Security Introduction and Requirements</a>”, RFC&nbsp;4033, March&nbsp;2005.
+            </td>
+         </tr>
+         <tr>
             <td class="reference"><b id="RFC4288">[RFC4288]</b></td>
             <td class="top"><a href="mailto:ned.freed@mrochek.com" title="Sun Microsystems">Freed, N.</a> and <a href="mailto:klensin+ietf@jck.com">J. Klensin</a>, “<a href="http://tools.ietf.org/html/rfc4288">Media Type Specifications and Registration Procedures</a>”, BCP&nbsp;13, RFC&nbsp;4288, December&nbsp;2005.
 …
       <p id="rfc.section.D.17.p.1">Closed issues: </p>
       <ul>
+         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/100">http://tools.ietf.org/wg/httpbis/trac/ticket/100</a>&gt;: "DNS Spoofing / DNS Binding advice"
+         </li>
          <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/270">http://tools.ietf.org/wg/httpbis/trac/ticket/270</a>&gt;: "\-escaping in quoted strings"
          </li>
 …
                      </ul>
                   </li>
                   <li><em>RFC1900</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC1900.1">11.4</a>, <a href="#RFC1900"><b>13.2</b></a></li>
+                  <li><em>RFC1900</em>&nbsp;&nbsp;<a href="#RFC1900"><b>13.2</b></a></li>
                   <li><em>RFC1919</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC1919.1">2.4</a>, <a href="#RFC1919"><b>13.2</b></a></li>
                   <li><em>RFC1945</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC1945.1">2.6</a>, <a href="#RFC1945"><b>13.2</b></a>, <a href="#rfc.xref.RFC1945.2">B</a></li>
 …
                      </ul>
                   </li>
+                  <li><em>RFC4033</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC4033.1">11.4</a>, <a href="#RFC4033"><b>13.2</b></a></li>
                   <li><em>RFC4288</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC4288.1">10.3</a>, <a href="#RFC4288"><b>13.2</b></a></li>
                   <li><em>RFC4395</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC4395.1">10.2</a>, <a href="#RFC4395"><b>13.2</b></a></li>

draft-ietf-httpbis/latest/p1-messaging.xml

-                      r1368
+                      r1369
 </section>
+<section title="DNS Spoofing" anchor="dns.spoofing">
+<t>
+   Clients using HTTP rely heavily on the Domain Name Service, and are
+   thus generally prone to security attacks based on the deliberate
+   mis-association of IP addresses and DNS names. Clients need to be
+   cautious in assuming the continuing validity of an IP number/DNS name
+   association.
+</t>
+<t>
+   In particular, HTTP clients &SHOULD; rely on their name resolver for
+   confirmation of an IP number/DNS name association, rather than
+   caching the result of previous host name lookups. Many platforms
+   already can cache host name lookups locally when appropriate, and
+   they &SHOULD; be configured to do so. It is proper for these lookups to
+   be cached, however, only when the TTL (Time To Live) information
+   reported by the name server makes it likely that the cached
+   information will remain useful.
+</t>
+<t>
+   If HTTP clients cache the results of host name lookups in order to
+   achieve a performance improvement, they &MUST; observe the TTL
+   information reported by DNS.
+</t>
+<t>
+   If HTTP clients do not observe this rule, they could be spoofed when
+   a previously-accessed server's IP address changes. As network
+   renumbering is expected to become increasingly common <xref target="RFC1900"/>, the
+   possibility of this form of attack will grow. Observing this
+   requirement thus reduces this potential security vulnerability.
+</t>
+<t>
+   This requirement also improves the load-balancing behavior of clients
+   for replicated servers using the same DNS name and reduces the
+   likelihood of a user's experiencing failure in accessing sites which
+   use that strategy.
+<section title="DNS-related Attacks" anchor="dns.related.attacks">
+<t>
+   HTTP clients rely heavily on the Domain Name Service (DNS), and are thus
+   generally prone to security attacks based on the deliberate misassociation
+   of IP addresses and DNS names not protected by DNSSec. Clients need to be
+   cautious in assuming the validity of an IP number/DNS name association unless
+   the response is protected by DNSSec (<xref target="RFC4033"/>).
 </t>
 </section>
 …
 </reference>
+<reference anchor='RFC4033'>
+  <front>
+    <title>DNS Security Introduction and Requirements</title>
+    <author initials='R.' surname='Arends' fullname='R. Arends'/>
+    <author initials='R.' surname='Austein' fullname='R. Austein'/>
+    <author initials='M.' surname='Larson' fullname='M. Larson'/>
+    <author initials='D.' surname='Massey' fullname='D. Massey'/>
+    <author initials='S.' surname='Rose' fullname='S. Rose'/>
+    <date year='2005' month='March' />
+  </front>
+  <seriesInfo name='RFC' value='4033' />
+</reference>
 <reference anchor="RFC4288">
   <front>
 …
   <list style="symbols">
     <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/100"/>:
+      "DNS Spoofing / DNS Binding advice"
+    </t>
+    <t>
       <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/270"/>:
       "\-escaping in quoted strings"

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 1369

Legend:

draft-ietf-httpbis/latest/p1-messaging.html

draft-ietf-httpbis/latest/p1-messaging.xml

Download in other formats: