cpj@ENG.SUN.COM (Chuck Jerian) (07/05/89)
The use of broadcast binding in YP makes it no more or less secure than IP in general. IP uses the ARP protocol over Ethernet, and similar protocols on broadcast/multicast capable media, to locate the machine with a given IP address. In this regard the holder of any IP address is as suspect as a putative YP server. To authenticate any server of a given service to a client, encryption is required. The server must possess some secret key. Either a mutual authentication algorithm can be used, such as Diffie-Hellman, where the client also requires a secret key, and a session can be created by using a conversation key based on the combination of the Pa Sb == Sa Pb, or a certificate can be used from RSA which only requires a public key for the server, or some private key scheme can be used with a Needham-Schroeder authentication server (e.g. Kerberos). Whatever scheme is used, the client can know that he is talking to the server who possesses the appropriate secret key. Schemes based on unencrypted addresses provide only the illusion of security.
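The Diffie-Hellman session described above, as an added example that is not part of the original post: both parties hold a secret key (Sa, Sb) and publish Pa = g^Sa, Pb = g^Sb; each computes the same value Pa^Sb == Pb^Sa and hashes it into a conversation key. Using that key in a nonce challenge-response to prove possession is one way to turn the agreed key into mutual authentication, assumed here for illustration; the group parameters are a constructed toy, and the identities "ypserv" and "client" are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example only: 1019 is a safe prime (509 is prime)
# and 2 generates the whole group. Far too small for real use.
P = 1019
G = 2

def keypair(p=P, g=G):
    """Secret key S and public key P = g^S mod p for one party."""
    s = secrets.randbelow(p - 2) + 1                 # S in [1, p-2]
    return s, pow(g, s, p)

def conversation_key(my_secret, peer_public, p=P):
    """Pa^Sb == Pb^Sa mod p: both sides reach the same value, hashed into a key."""
    shared = pow(peer_public, my_secret, p)
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def prove(key, nonce, identity):
    """Answer a challenge; only a holder of the conversation key can compute this."""
    return hmac.new(key, nonce + identity, hashlib.sha256).digest()

def verify(key, nonce, identity, proof):
    return hmac.compare_digest(prove(key, nonce, identity), proof)

def session(sa, sb, si):
    """Client (secret Sa), genuine server (secret Sb) and an impostor who guessed Si.

    Returns (keys_agree, server_ok, client_ok, impostor_ok)."""
    pa, pb = pow(G, sa, P), pow(G, sb, P)            # public keys; known to everyone
    ka = conversation_key(sa, pb)                    # client side
    kb = conversation_key(sb, pa)                    # server side
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    server_ok = verify(ka, na, b"ypserv", prove(kb, na, b"ypserv"))   # server proves Sb
    client_ok = verify(kb, nb, b"client", prove(ka, nb, b"client"))   # client proves Sa
    # The impostor knows Pa and Pb (they are public) but not Sb; any guess Si != Sb
    # yields a different key, so its answer to the client's challenge fails.
    ki = conversation_key(si, pa)
    impostor_ok = verify(ka, na, b"ypserv", prove(ki, na, b"ypserv"))
    return ka == kb, server_ok, client_ok, impostor_ok

if __name__ == "__main__":
    sa, _ = keypair()
    sb, _ = keypair()
    si, _ = keypair()
    print(session(sa, sb, si))
```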
vjs@rhyolite.wpd.sgi.com (Vernon Schryver) (07/06/89)
In article <8907050408.AA20722@sparky.Eng.Sun.COM>, cpj@ENG.SUN.COM (Chuck Jerian) writes:

> The use of broadcast binding in YP makes it no more or less secure than
> IP in general....
> Schemes based on unencrypted addresses provide only the illusion of security.

Agreed, but...

An unknowing person can make a machine a YP server for the local domain. If the machine started with reasonable databases, it can be weeks or months before neighbors who happen to bind to the impostor start having problems, and then they tend to seem weird and impossible. I've heard that you guys on the other side of the dump have often had the same problem.

A similar problem occurs if two machines come up with the same IP address. However, in standard 4.xBSD, at least one of them will complain. We have found that having the complainer defend its address not only makes the other machine also complain, but can keep links up enough to fix the problem. It would be nice if ypserv could do something similar.

Both of these are not security issues, except in the same very weak sense that memory protection makes an operating system "secure." It's more a matter of detecting and making difficult errors than of putting bad guys out of business.

BTW, I miswrote about YP or DNS being incomplete solutions. I meant that either and/or both are incomplete and that ULTRIX and others have the right idea about letting you configure which of the 3 databases to consult in which order. I think that the issue should be decided not just by a file, but also be overridable with an environment variable, but that's a nit.

Vernon Schryver
Silicon Graphics
vjs@sgi.com

I hope mentioning ARP screaming makes this sufficiently relevant.