
Re: Assorted arm-buster problems - network configuration



On Mon 08 Jul 2019 at 13:37:26 -0400, Lee wrote:

> On 7/7/19, andreimpopescu@gmail.com <andreimpopescu@gmail.com> wrote:
> > On Sb, 06 iul 19, 15:36:37, Lee wrote:
> >>
> >> "an accident waiting to happen" was from me and I also gave the rfc
> >> for mdns, so that's hardly "nothing of substance to support that
> >> view."  If you're having trouble finding the rfc, it's here
> >>   https://tools.ietf.org/html/rfc6762
> >
> > Care to elaborate though?
> 
> While reading about a security issue I came across the line "An
> insecure protocol will eventually be exploited." - which sounds right
> to me.  And the standard q&a for most security issues involving an
> insecure protocol seems to be
> q: how do i prevent <bad thing> from happening?
> a: by not allowing it in the first place.
> 
> Hopefully we're clear about my bias now :)

Indeed we are. Everyone has a bias of one sort or another. It is often
what makes things interesting.
> 
> > The dangers are not at all obvious to me, possibly because I haven't
> > used it much (if at all).
> 
> Read the first three paragraphs of the "Security Considerations" section
>   https://tools.ietf.org/html/rfc6762#section-21
> 
> Assuming everything on the network is a trusted host is a dangerous
> assumption, so paragraph 1 is N/A
> 
> Assuming a trusted host won't get hacked is a dangerous assumption, so
> paragraph 3 is N/A.
> 
> All that's left is paragraph 2 -- and uninstalling whatever software
> uses mDNS :)

I am unsure your analysis necessarily leads to the conclusion you
make. Perhaps it does for you, but the section is, after all, dealing
only with considerations. You have assessed them and come to a decision
which fits your situation. 

Anyway, thank you for this diligent response. It differs somewhat
from

 > I'd also consider exterminating avahi with extreme prejudice,
 > i.e. 'apt purge avahi-daemon'. Really simplifies things. Not
 > installing this software in the first place works even better.

This led only to bolstering the OP's innate prejudices against software
he lacks understanding of and that does not fit into his world view.

-- 
Brian.

