Re: LDAP Root for dc style naming

[David J N Begley <david@avarice.nepean.uws.edu.au>]

On Fri, 14 Jan 2000, Kurt D. Zeilenga wrote:

> At 11:15 PM 1/14/00 +1100, David J N Begley wrote:
> >Further, I'd be wary of allowing the "well known aliases" approach as it could
> >lead to the same problem that happened when Squid used to (by default,
> >regardless what the config said) automatically "announce" every proxy to a
> >central source (lots of proxies were being used as peers without their
> >permission, before the respective admins worked their way up the learning
> >curve to apply ACLs).
> 
> Did Squid modify DNS records automatically?  I think this be a different
> issue.

No it didn't, but the end result was the same.  First, let me make clear that
I'm voicing a valid security concern, but have not yet convinced myself one
way or t'other as to whether or not the concern is worth the bother.

In the Squid case, a configuration option indicated that by default Squid did
not announce the presence of the proxy to the outside world;  a bug, however,
meant that the opposite was true.  Anyone looking for another proxy from which
to obtain faster/cheaper Web data could simply check the central list and help
themselves.  The onus was on the admin setting up Squid to ACL it so as to
deny unauthorised or anonymous access to the proxy.  Given that many people
setting up Squid had not yet learnt sufficient to configure ACLs restricting
access, this meant a lot of proxies were used without their owner's
permission.

This situation was considered "bad", so the Squid bug was fixed and more
effort put into explaining to admins how to ACL their proxies;  the problem
was fought on two fronts - make it harder to find proxies (don't auto-announce
their presence) and make ACL'g out unauthorised access easier for first-time
Squid admins.

It could be argued that anyone wanting to use someone's proxy wouldn't need
the central registry list, they could just scan the DNS looking for well-known
aliases or even port-scan for Squid's 3128, 8080 or other ports;  but this
problem didn't become as widespread as it was until the bug in Squid made it
"easier" for more people to "exploit".

That's why I raise the issue here (as caution, more than anything
else).  Anyone setting up an unprotected LDAP directory has already opened
that service up to the Internet;  however, few people scan the DNS or
port-scan IP networks looking for LDAP servers specifically - but a referral
backend such as suggested would make it sufficiently "easy" for more people to
do this.  Whether or not that's a good thing is subject to debate, obviously.

> >In this case, anyone firing up an LDAP server without ACLs would, unwittingly,
> >be opening up their directory to the entire world (yes, I know they've done it
> >already - but this would seem to make it easier).
> 
> Just firing up a server is not enough to be found.  DNS zone
> changes must be made.

Ack - but how many people go 'round scanning DNS zones specifically for the
"ldap.<domain>" host?  As with the Squid problem, it can be done anyway but
"the problem" wasn't a problem as such until something made it easier for more
people to exploit it.

> A root would provide referrals to any and all which have SRV or well known
> aliases established in their DNS zones.

The assumption you've made is that the presence of these records is an
automatic invitation to the entire Internet;  this is the point that I think I
can't quite get 'round just yet.

> Well, if directory intend to have SRV or well known aliases established
> then they should adhere to established practices.  Both practices are in
> use and are in the process of being documented.  Those operating
> directories on the Internet are presumed to be aware of these practices.  
> If not, well, they'll get some curious log messages...

Are you suggesting that the referral would include URLs to both naming styles?

Cheers..


dave