Subject: Re: Host access philosophy (Was: restricting NFS (and associated services) to one IP address)
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 10/09/2006 20:53:44
On Mon, Oct 09, 2006 at 08:37:44PM -0400, Steven M. Bellovin wrote:
> 
> The first is to incorporate access control semantics into rpcbind.  It's
> not a horrible solution, in that it provides some protection against
> attackers who first query rpcbind to find out what port numbers to
> attack.

I've already said something analogous in private email, but I'll share
it, I suppose, with the list.

I do not think that "access control" semantics in particular applications
are quite what is wanted, here, if you mean "access control by address of
requesting party" which is what most people, I think, would assume you
mean.

What you want, as far as I can tell, is access control at the granularity
merely of "reachability from directly-connected network N".  Assuring that
unauthorized parties have no connectivity to N is a problem you're willing
to place out of scope for your present effort.  Firewalls (including
IP-layer filtering on the local host) can give you this, but configuring
them for protocols that use dynamic port addressing can be a real nuisance.

I suggest that the right solution is to make it easier for applications,
themselves, to accept packets delivered only to a specific IP address, and
then to assure that your host does not route.  At present, our stack
allows an application, per-socket, to ask for packets whose destination is
"this address" or "all addresses", but not "this set of addresses".  Worse,
it is quite difficult to even find out which values of "this address" might
be valid on the local host.  The consequence is that most application code
(including the in-kernel NFS server) binds "all addresses".

I think that if we provided sane primitives for discovering the set of
valid destination addresses for a host, and binding a socket so that it
would receive packets on _some addresses_ (not one, and not all) it would
be easy to add the kind of access control you seem to want (and which a
lot of other people would probably like as well) to our applications.

In this case, we would add it to mountd, rpcbind, and the in-kernel NFS
server.  It would be a nice example of the interface, actually.

Thor
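As an added example (not code from the original thread or from NetBSD), here is what the two primitives the message asks about look like with today's sockets API: enumerating the host's valid destination addresses with getifaddrs(3), and binding a UDP socket to exactly one of them rather than INADDR_ANY, so that a service is reachable only on the address attached to the intended network. The helper names list_local_v4(), address_is_local(), bind_udp_to() and bound_address() are this example's own; 203.0.113.7 is a documentation address used here as a constructed non-local input.

```c
/* Added example, not part of the original thread: enumerate the host's
 * valid IPv4 destination addresses with getifaddrs(3) and bind a UDP
 * socket to exactly one of them instead of INADDR_ANY. All helper
 * names are this example's own. */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill out[] with the textual IPv4 addresses configured on this host.
 * Returns the number found (at most max), or -1 on error. */
int list_local_v4(char out[][INET_ADDRSTRLEN], int max)
{
    struct ifaddrs *ifa0, *ifa;
    int n = 0;

    if (getifaddrs(&ifa0) != 0)
        return -1;
    for (ifa = ifa0; ifa != NULL && n < max; ifa = ifa->ifa_next) {
        if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
            continue;
        struct sockaddr_in *sin = (struct sockaddr_in *)ifa->ifa_addr;
        if (inet_ntop(AF_INET, &sin->sin_addr, out[n], INET_ADDRSTRLEN) != NULL)
            n++;
    }
    freeifaddrs(ifa0);
    return n;
}

/* 1 if ip is one of this host's own addresses, 0 if not, -1 on error. */
int address_is_local(const char *ip)
{
    char addrs[64][INET_ADDRSTRLEN];
    int n = list_local_v4(addrs, 64);

    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (strcmp(addrs[i], ip) == 0)
            return 1;
    return 0;
}

/* Bind a UDP socket to one specific local address (port 0: kernel picks).
 * Returns the descriptor, or -1 if the address is not valid here. */
int bind_udp_to(const char *ip)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = 0;
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Report the address a socket is actually bound to; "0.0.0.0" would mean
 * INADDR_ANY, i.e. every address the host has now or acquires later. */
int bound_address(int fd, char *buf, socklen_t len)
{
    struct sockaddr_in sin;
    socklen_t sl = sizeof sin;

    if (getsockname(fd, (struct sockaddr *)&sin, &sl) != 0)
        return -1;
    return inet_ntop(AF_INET, &sin.sin_addr, buf, len) != NULL ? 0 : -1;
}

int main(void)
{
    char addrs[64][INET_ADDRSTRLEN], bound[INET_ADDRSTRLEN];
    int n = list_local_v4(addrs, 64);

    for (int i = 0; i < n; i++)
        printf("local address: %s\n", addrs[i]);
    /* Loopback stands in for "the address on network N". */
    int fd = bind_udp_to("127.0.0.1");
    if (fd >= 0 && bound_address(fd, bound, sizeof bound) == 0)
        printf("socket receives only datagrams addressed to %s\n", bound);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The point of the pairing is the one the message makes: the kernel already refuses bind(2) for an address the host does not own, and getifaddrs(3) tells a daemon which addresses it may legitimately choose, but the application still has to make one socket per address it wants, because there is no "bind this set of addresses" primitive, which is why servers fall back to INADDR_ANY.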