02/08/11 12:03:26 (10 years ago)

rewrite DNS spoofing advice section, taking Henrik's text (see #100)

1 edited


  • draft-ietf-httpbis/latest/p1-messaging.html

    r1368 r1369  
    359359  }
    360360  @bottom-center {
    361        content: "Expires February 2, 2012";
     361       content: "Expires February 3, 2012";
    362362  }
    363363  @bottom-right {
    410410      <meta name="dct.creator" content="Reschke, J. F.">
    411411      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest">
    412       <meta name="dct.issued" scheme="ISO8601" content="2011-08-01">
     412      <meta name="dct.issued" scheme="ISO8601" content="2011-08-02">
    413413      <meta name="dct.replaces" content="urn:ietf:rfc:2145">
    414414      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    442442            </tr>
    443443            <tr>
    444                <td class="left">Expires: February 2, 2012</td>
     444               <td class="left">Expires: February 3, 2012</td>
    445445               <td class="right">HP</td>
    446446            </tr>
    495495            <tr>
    496496               <td class="left"></td>
    497                <td class="right">August 1, 2011</td>
     497               <td class="right">August 2, 2011</td>
    498498            </tr>
    499499         </tbody>
    525525         in progress”.
    526526      </p>
    527       <p>This Internet-Draft will expire on February 2, 2012.</p>
     527      <p>This Internet-Draft will expire on February 3, 2012.</p>
    528528      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
    529529      <p>Copyright © 2011 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
    675675               <li>11.2&nbsp;&nbsp;&nbsp;<a href="#abuse.of.server.log.information">Abuse of Server Log Information</a></li>
    676676               <li>11.3&nbsp;&nbsp;&nbsp;<a href="#attack.pathname">Attacks Based On File and Path Names</a></li>
    677                <li>11.4&nbsp;&nbsp;&nbsp;<a href="#dns.spoofing">DNS Spoofing</a></li>
     677               <li>11.4&nbsp;&nbsp;&nbsp;<a href="#dns.related.attacks">DNS-related Attacks</a></li>
    678678               <li>11.5&nbsp;&nbsp;&nbsp;<a href="#attack.proxies">Proxies and Caching</a></li>
    679679               <li>11.6&nbsp;&nbsp;&nbsp;<a href="#attack.protocol.element.size.overflows">Protocol Element Size Overflows</a></li>
    27332733         bugs in such HTTP server implementations have turned into security risks.
    27342734      </p>
    2735       <h2 id="rfc.section.11.4"><a href="#rfc.section.11.4">11.4</a>&nbsp;<a id="dns.spoofing" href="#dns.spoofing">DNS Spoofing</a></h2>
    2736       <p id="rfc.section.11.4.p.1">Clients using HTTP rely heavily on the Domain Name Service, and are thus generally prone to security attacks based on the
    2737          deliberate mis-association of IP addresses and DNS names. Clients need to be cautious in assuming the continuing validity
    2738          of an IP number/DNS name association.
    2739       </p>
    2740       <p id="rfc.section.11.4.p.2">In particular, HTTP clients <em class="bcp14">SHOULD</em> rely on their name resolver for confirmation of an IP number/DNS name association, rather than caching the result of previous
    2741          host name lookups. Many platforms already can cache host name lookups locally when appropriate, and they <em class="bcp14">SHOULD</em> be configured to do so. It is proper for these lookups to be cached, however, only when the TTL (Time To Live) information
    2742          reported by the name server makes it likely that the cached information will remain useful.
    2743       </p>
    2744       <p id="rfc.section.11.4.p.3">If HTTP clients cache the results of host name lookups in order to achieve a performance improvement, they <em class="bcp14">MUST</em> observe the TTL information reported by DNS.
    2745       </p>
    2746       <p id="rfc.section.11.4.p.4">If HTTP clients do not observe this rule, they could be spoofed when a previously-accessed server's IP address changes. As
    2747          network renumbering is expected to become increasingly common <a href="#RFC1900" id="rfc.xref.RFC1900.1"><cite title="Renumbering Needs Work">[RFC1900]</cite></a>, the possibility of this form of attack will grow. Observing this requirement thus reduces this potential security vulnerability.
    2748       </p>
    2749       <p id="rfc.section.11.4.p.5">This requirement also improves the load-balancing behavior of clients for replicated servers using the same DNS name and reduces
    2750          the likelihood of a user's experiencing failure in accessing sites which use that strategy.
     2735      <h2 id="rfc.section.11.4"><a href="#rfc.section.11.4">11.4</a>&nbsp;<a id="dns.related.attacks" href="#dns.related.attacks">DNS-related Attacks</a></h2>
     2736      <p id="rfc.section.11.4.p.1">HTTP clients rely heavily on the Domain Name Service (DNS), and are thus generally prone to security attacks based on the
     2737         deliberate misassociation of IP addresses and DNS names not protected by DNSSec. Clients need to be cautious in assuming the
     2738         validity of an IP number/DNS name association unless the response is protected by DNSSec (<a href="#RFC4033" id="rfc.xref.RFC4033.1"><cite title="DNS Security Introduction and Requirements">[RFC4033]</cite></a>).
    27512739      </p>
    27522740      <h2 id="rfc.section.11.5"><a href="#rfc.section.11.5">11.5</a>&nbsp;<a id="attack.proxies" href="#attack.proxies">Proxies and Caching</a></h2>
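Review bot: the rewritten 11.4 drops the old p.3 requirement that clients caching host name lookups MUST observe the TTL reported by DNS, and the new single paragraph puts nothing in its place; if leaving cache lifetime to DNS is the intent of #100, one sentence saying so would stop the section being read as permitting indefinite reuse of a resolved address. Two wording points in the new paragraph: "deliberate misassociation of IP addresses and DNS names not protected by DNSSec" attaches the qualifier to the names rather than to the response, so consider "... IP addresses and DNS names where the response is not protected by DNSSEC"; and RFC 4033 spells the acronym "DNSSEC", so the two occurrences of "DNSSec" should follow it. Note also that the heading anchor changes from "dns.spoofing" to "dns.related.attacks", which breaks any existing external link to #dns.spoofing; if the generator allows it, keep the old id as an alias.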
    28532841      <h2 id="rfc.references.2"><a href="#rfc.section.13.2" id="rfc.section.13.2">13.2</a> Informative References
    28542842      </h2>
    2855       <table>                                                   
     2843      <table>                                                     
    28562844         <tr>
    28572845            <td class="reference"><b id="BCP97">[BCP97]</b></td>
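Review bot: this hunk changes only trailing whitespace after `<table>`; harmless, but it is generator churn that adds noise to the diff and is worth trimming at the source.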
    29462934         </tr>
    29472935         <tr>
     2936            <td class="reference"><b id="RFC4033">[RFC4033]</b></td>
     2937            <td class="top">Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “<a href="http://tools.ietf.org/html/rfc4033">DNS Security Introduction and Requirements</a>”, RFC&nbsp;4033, March&nbsp;2005.
     2938            </td>
     2939         </tr>
     2940         <tr>
    29482941            <td class="reference"><b id="RFC4288">[RFC4288]</b></td>
    29492942            <td class="top"><a href="mailto:ned.freed@mrochek.com" title="Sun Microsystems">Freed, N.</a> and <a href="mailto:klensin+ietf@jck.com">J. Klensin</a>, “<a href="http://tools.ietf.org/html/rfc4288">Media Type Specifications and Registration Procedures</a>”, BCP&nbsp;13, RFC&nbsp;4288, December&nbsp;2005.
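Review bot: the new [RFC4033] entry carries no author mailto or affiliation links, while the neighbouring [RFC4288] entry links Freed and Klensin; if those links are produced from the reference XML, check that the RFC 4033 reference was added in the same form so the generated list stays uniform.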
    36343627      <p id="rfc.section.D.17.p.1">Closed issues: </p>
    36353628      <ul>
     3629         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/100">http://tools.ietf.org/wg/httpbis/trac/ticket/100</a>&gt;: "DNS Spoofing / DNS Binding advice"
     3630         </li>
    36363631         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/270">http://tools.ietf.org/wg/httpbis/trac/ticket/270</a>&gt;: "\-escaping in quoted strings"
    36373632         </li>
    38983893                     </ul>
    38993894                  </li>
    3900                   <li><em>RFC1900</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC1900.1">11.4</a>, <a href="#RFC1900"><b>13.2</b></a></li>
     3895                  <li><em>RFC1900</em>&nbsp;&nbsp;<a href="#RFC1900"><b>13.2</b></a></li>
    39013896                  <li><em>RFC1919</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC1919.1">2.4</a>, <a href="#RFC1919"><b>13.2</b></a></li>
    39023897                  <li><em>RFC1945</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC1945.1">2.6</a>, <a href="#RFC1945"><b>13.2</b></a>, <a href="#rfc.xref.RFC1945.2">B</a></li>
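Review bot: after this change the RFC1900 index entry points only at its 13.2 reference entry, i.e. the body no longer cites [RFC1900] anywhere (the renumbering sentence that cited it was removed from 11.4); either drop [RFC1900] from the informative references or keep a sentence that uses it.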
    39423937                     </ul>
    39433938                  </li>
     3939                  <li><em>RFC4033</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC4033.1">11.4</a>, <a href="#RFC4033"><b>13.2</b></a></li>
    39443940                  <li><em>RFC4288</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC4288.1">10.3</a>, <a href="#RFC4288"><b>13.2</b></a></li>
    39453941                  <li><em>RFC4395</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC4395.1">10.2</a>, <a href="#RFC4395"><b>13.2</b></a></li>