Changeset 1369


Timestamp:
Aug 2, 2011, 5:03:26 AM (8 years ago)
Author:
julian.reschke@…
Message:

rewrite DNS spoofing advice section, taking Henrik's text (see #100)

Location:
draft-ietf-httpbis/latest
Files:
2 edited

  • draft-ietf-httpbis/latest/p1-messaging.html

    r1368 r1369  
    359359  }
    360360  @bottom-center {
    361        content: "Expires February 2, 2012";
     361       content: "Expires February 3, 2012";
    362362  }
    363363  @bottom-right {
     
    410410      <meta name="dct.creator" content="Reschke, J. F.">
    411411      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest">
    412       <meta name="dct.issued" scheme="ISO8601" content="2011-08-01">
     412      <meta name="dct.issued" scheme="ISO8601" content="2011-08-02">
    413413      <meta name="dct.replaces" content="urn:ietf:rfc:2145">
    414414      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
     
    442442            </tr>
    443443            <tr>
    444                <td class="left">Expires: February 2, 2012</td>
     444               <td class="left">Expires: February 3, 2012</td>
    445445               <td class="right">HP</td>
    446446            </tr>
     
    495495            <tr>
    496496               <td class="left"></td>
    497                <td class="right">August 1, 2011</td>
     497               <td class="right">August 2, 2011</td>
    498498            </tr>
    499499         </tbody>
     
    525525         in progress”.
    526526      </p>
    527       <p>This Internet-Draft will expire on February 2, 2012.</p>
     527      <p>This Internet-Draft will expire on February 3, 2012.</p>
    528528      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
    529529      <p>Copyright © 2011 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
     
    675675               <li>11.2&nbsp;&nbsp;&nbsp;<a href="#abuse.of.server.log.information">Abuse of Server Log Information</a></li>
    676676               <li>11.3&nbsp;&nbsp;&nbsp;<a href="#attack.pathname">Attacks Based On File and Path Names</a></li>
    677                <li>11.4&nbsp;&nbsp;&nbsp;<a href="#dns.spoofing">DNS Spoofing</a></li>
     677               <li>11.4&nbsp;&nbsp;&nbsp;<a href="#dns.related.attacks">DNS-related Attacks</a></li>
    678678               <li>11.5&nbsp;&nbsp;&nbsp;<a href="#attack.proxies">Proxies and Caching</a></li>
    679679               <li>11.6&nbsp;&nbsp;&nbsp;<a href="#attack.protocol.element.size.overflows">Protocol Element Size Overflows</a></li>
     
    27332733         bugs in such HTTP server implementations have turned into security risks.
    27342734      </p>
    2735       <h2 id="rfc.section.11.4"><a href="#rfc.section.11.4">11.4</a>&nbsp;<a id="dns.spoofing" href="#dns.spoofing">DNS Spoofing</a></h2>
    2736       <p id="rfc.section.11.4.p.1">Clients using HTTP rely heavily on the Domain Name Service, and are thus generally prone to security attacks based on the
    2737          deliberate mis-association of IP addresses and DNS names. Clients need to be cautious in assuming the continuing validity
    2738          of an IP number/DNS name association.
    2739       </p>
    2740       <p id="rfc.section.11.4.p.2">In particular, HTTP clients <em class="bcp14">SHOULD</em> rely on their name resolver for confirmation of an IP number/DNS name association, rather than caching the result of previous
    2741          host name lookups. Many platforms already can cache host name lookups locally when appropriate, and they <em class="bcp14">SHOULD</em> be configured to do so. It is proper for these lookups to be cached, however, only when the TTL (Time To Live) information
    2742          reported by the name server makes it likely that the cached information will remain useful.
    2743       </p>
    2744       <p id="rfc.section.11.4.p.3">If HTTP clients cache the results of host name lookups in order to achieve a performance improvement, they <em class="bcp14">MUST</em> observe the TTL information reported by DNS.
    2745       </p>
    2746       <p id="rfc.section.11.4.p.4">If HTTP clients do not observe this rule, they could be spoofed when a previously-accessed server's IP address changes. As
    2747          network renumbering is expected to become increasingly common <a href="#RFC1900" id="rfc.xref.RFC1900.1"><cite title="Renumbering Needs Work">[RFC1900]</cite></a>, the possibility of this form of attack will grow. Observing this requirement thus reduces this potential security vulnerability.
    2748       </p>
    2749       <p id="rfc.section.11.4.p.5">This requirement also improves the load-balancing behavior of clients for replicated servers using the same DNS name and reduces
    2750          the likelihood of a user's experiencing failure in accessing sites which use that strategy.
     2735      <h2 id="rfc.section.11.4"><a href="#rfc.section.11.4">11.4</a>&nbsp;<a id="dns.related.attacks" href="#dns.related.attacks">DNS-related Attacks</a></h2>
     2736      <p id="rfc.section.11.4.p.1">HTTP clients rely heavily on the Domain Name Service (DNS), and are thus generally prone to security attacks based on the
     2737         deliberate misassociation of IP addresses and DNS names not protected by DNSSec. Clients need to be cautious in assuming the
     2738         validity of an IP number/DNS name association unless the response is protected by DNSSec (<a href="#RFC4033" id="rfc.xref.RFC4033.1"><cite title="DNS Security Introduction and Requirements">[RFC4033]</cite></a>).
    27512739      </p>
    27522740      <h2 id="rfc.section.11.5"><a href="#rfc.section.11.5">11.5</a>&nbsp;<a id="attack.proxies" href="#attack.proxies">Proxies and Caching</a></h2>
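Review bot: the rendered replacement paragraph spells the protocol name "DNSSec" twice, while RFC 4033, cited in the same sentence, uses "DNSSEC"; since this HTML is generated, the fix belongs in the XML source, but the rendered text should match the cited specification. Note also that paragraphs `rfc.section.11.4.p.2` through `p.5` vanish with this change, so any link to those ids now dangles.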
     
    28532841      <h2 id="rfc.references.2"><a href="#rfc.section.13.2" id="rfc.section.13.2">13.2</a> Informative References
    28542842      </h2>
    2855       <table>                                                   
     2843      <table>                                                     
    28562844         <tr>
    28572845            <td class="reference"><b id="BCP97">[BCP97]</b></td>
     
    29462934         </tr>
    29472935         <tr>
     2936            <td class="reference"><b id="RFC4033">[RFC4033]</b></td>
     2937            <td class="top">Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “<a href="http://tools.ietf.org/html/rfc4033">DNS Security Introduction and Requirements</a>”, RFC&nbsp;4033, March&nbsp;2005.
     2938            </td>
     2939         </tr>
     2940         <tr>
    29482941            <td class="reference"><b id="RFC4288">[RFC4288]</b></td>
    29492942            <td class="top"><a href="mailto:ned.freed@mrochek.com" title="Sun Microsystems">Freed, N.</a> and <a href="mailto:klensin+ietf@jck.com">J. Klensin</a>, “<a href="http://tools.ietf.org/html/rfc4288">Media Type Specifications and Registration Procedures</a>”, BCP&nbsp;13, RFC&nbsp;4288, December&nbsp;2005.
     
    36343627      <p id="rfc.section.D.17.p.1">Closed issues: </p>
    36353628      <ul>
     3629         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/100">http://tools.ietf.org/wg/httpbis/trac/ticket/100</a>&gt;: "DNS Spoofing / DNS Binding advice"
     3630         </li>
    36363631         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/270">http://tools.ietf.org/wg/httpbis/trac/ticket/270</a>&gt;: "\-escaping in quoted strings"
    36373632         </li>
     
    38983893                     </ul>
    38993894                  </li>
    3900                   <li><em>RFC1900</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC1900.1">11.4</a>, <a href="#RFC1900"><b>13.2</b></a></li>
     3895                  <li><em>RFC1900</em>&nbsp;&nbsp;<a href="#RFC1900"><b>13.2</b></a></li>
    39013896                  <li><em>RFC1919</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC1919.1">2.4</a>, <a href="#RFC1919"><b>13.2</b></a></li>
    39023897                  <li><em>RFC1945</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC1945.1">2.6</a>, <a href="#RFC1945"><b>13.2</b></a>, <a href="#rfc.xref.RFC1945.2">B</a></li>
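Review bot: with the 11.4 cross-reference gone, the RFC1900 index entry now lists only its own entry in 13.2, which means [RFC1900] is no longer cited anywhere in the body. Either drop RFC1900 from the informative references or keep a citation; otherwise the draft carries an unused reference.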
     
    39423937                     </ul>
    39433938                  </li>
     3939                  <li><em>RFC4033</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC4033.1">11.4</a>, <a href="#RFC4033"><b>13.2</b></a></li>
    39443940                  <li><em>RFC4288</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC4288.1">10.3</a>, <a href="#RFC4288"><b>13.2</b></a></li>
    39453941                  <li><em>RFC4395</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC4395.1">10.2</a>, <a href="#RFC4395"><b>13.2</b></a></li>
  • draft-ietf-httpbis/latest/p1-messaging.xml

    r1368 r1369  
    40114011</section>
    40124012
    4013 <section title="DNS Spoofing" anchor="dns.spoofing">
    4014 <t>
    4015    Clients using HTTP rely heavily on the Domain Name Service, and are
    4016    thus generally prone to security attacks based on the deliberate
    4017    mis-association of IP addresses and DNS names. Clients need to be
    4018    cautious in assuming the continuing validity of an IP number/DNS name
    4019    association.
    4020 </t>
    4021 <t>
    4022    In particular, HTTP clients &SHOULD; rely on their name resolver for
    4023    confirmation of an IP number/DNS name association, rather than
    4024    caching the result of previous host name lookups. Many platforms
    4025    already can cache host name lookups locally when appropriate, and
    4026    they &SHOULD; be configured to do so. It is proper for these lookups to
    4027    be cached, however, only when the TTL (Time To Live) information
    4028    reported by the name server makes it likely that the cached
    4029    information will remain useful.
    4030 </t>
    4031 <t>
    4032    If HTTP clients cache the results of host name lookups in order to
    4033    achieve a performance improvement, they &MUST; observe the TTL
    4034    information reported by DNS.
    4035 </t>
    4036 <t>
    4037    If HTTP clients do not observe this rule, they could be spoofed when
    4038    a previously-accessed server's IP address changes. As network
    4039    renumbering is expected to become increasingly common <xref target="RFC1900"/>, the
    4040    possibility of this form of attack will grow. Observing this
    4041    requirement thus reduces this potential security vulnerability.
    4042 </t>
    4043 <t>
    4044    This requirement also improves the load-balancing behavior of clients
    4045    for replicated servers using the same DNS name and reduces the
    4046    likelihood of a user's experiencing failure in accessing sites which
    4047    use that strategy.
     4013<section title="DNS-related Attacks" anchor="dns.related.attacks">
     4014<t>
     4015   HTTP clients rely heavily on the Domain Name Service (DNS), and are thus
     4016   generally prone to security attacks based on the deliberate misassociation
     4017   of IP addresses and DNS names not protected by DNSSec. Clients need to be
     4018   cautious in assuming the validity of an IP number/DNS name association unless
     4019   the response is protected by DNSSec (<xref target="RFC4033"/>).
    40484020</t>
    40494021</section>
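Review bot: the section's only normative requirement (clients that cache host name lookups &MUST; observe the TTL reported by DNS) disappears with nothing put in its place; the new text stops at "need to be cautious ... unless the response is protected by DNSSec" and never says what a cautious client should actually do. If dropping the TTL rule is intentional (the commit message says the wording is Henrik's from #100), say so in the message; otherwise keep one sentence such as "clients that cache host name lookups &MUST; observe the TTL information reported by DNS". Also "DNSSec" should read "DNSSEC" to match the name used in RFC 4033.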
     
    47264698</reference>
    47274699
     4700<reference anchor='RFC4033'>
     4701  <front>
     4702    <title>DNS Security Introduction and Requirements</title>
     4703    <author initials='R.' surname='Arends' fullname='R. Arends'/>
     4704    <author initials='R.' surname='Austein' fullname='R. Austein'/>
     4705    <author initials='M.' surname='Larson' fullname='M. Larson'/>
     4706    <author initials='D.' surname='Massey' fullname='D. Massey'/>
     4707    <author initials='S.' surname='Rose' fullname='S. Rose'/>
     4708    <date year='2005' month='March' />
     4709  </front>
     4710  <seriesInfo name='RFC' value='4033' />
     4711</reference>
     4712
    47284713<reference anchor="RFC4288">
    47294714  <front>
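Review bot: the new `<reference anchor='RFC4033'>` entry uses single-quoted attributes throughout, while the neighbouring `<reference anchor="RFC4288">` uses double quotes; switch the new block to double quotes so the references section stays uniform. The author list, date and series info match the RFC 4033 header, so the content of the entry itself looks correct.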
     
    59745959  <list style="symbols">
    59755960    <t>
     5961      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/100"/>:
     5962      "DNS Spoofing / DNS Binding advice"
     5963    </t>
     5964    <t>
    59765965      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/270"/>:
    59775966      "\-escaping in quoted strings"