On 12/04/2014 09:56 AM, Jacob Appelbaum wrote:
> I'm currently working with a friend on a privilege separated dhcp
> client that does not need raw sockets. It is in the early stages but
> it is able to do the network lease without being root and without
> having a raw socket. It is surprising that absolutely no one has done
> this in the past. I think everyone just looked at the ISC DHCP code
> and cargo culted from that point forward.
>
>>
>> In general it might be better for security to have a derooted DHCP
>> client that does not need CAP_NET_RAW and also has less attack surface
>> than dhclient (C code + shell scripts).
>
> I completely agree. The DHCP client in Tails is a major attack vector.
> I think that we could patch the ISC daemon, for example, to do some
> tricks - if we didn't want an outright replacement. If anyone is
> interested in this and would actually use some patches. I'm wary of
> starting such a process if it will not be used. I'd rather focus on
> writing a totally different dhcp client from scratch. My experience
> with writing tlsdate really influences me on this with regard to
> Tails.
>
>> Maybe use a small replacement
>> client that does only support bare minimum needed to get an IP4/6 and
>> not the whole spec (instead of trying to fix dhclient)? Anyways, some
>> efforts for dhclient are made here [3].
>
> I think a simple DHCP client is quite straightforward - integration
> with Network-Manager is probably more difficult than a simple DHCP
> network client.
I'm not sure I'd characterize a simple DHCP client as "quite
straightforward", but certainly a minimalist one is more straightforward than one
which handles all the possible extensions that have cluttered DHCP over
the years.
I spoke recently with Christian Huitema from Microsoft about having an
anonymity-preserving DHCP client profile -- one that leaks no additional
information about the client beyond the current MAC address of the
requesting device. He offered to spec out exactly what he wants MS to
plan to do for this; if you're working on a minimalist
anonymity-preserving client like this, it would be good to coordinate
with them, so that your client would be indistinguishable from theirs.
The main thrust of the profile would be to nail down things like:
* list exactly which options will be emitted in each message sent by
the client
* for each emitted option, specify its exact contents
* specify a deterministic algorithm for mapping the link layer address
to a value suitable for the client identifier option
* specify the lease renewal behavior algorithm
If you're interested, I'm happy to put you and your friend in touch with
Christian and his team about this. Anonymity loves company!
--dkg
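As an added illustration of the kind of profile sketched in the message above (this is example code written for this page, not code from anyone in the thread, from Tails, or from Microsoft), the Python below builds a DHCPDISCOVER that emits a fixed, ordered set of options with fixed contents, derives the client identifier deterministically from the link-layer address, and includes a conformance check that a defender could run over captured DISCOVERs to see whether a client still looks like a profile client. The concrete choices are assumptions made for the example: the option order (53, 61, 55), the parameter request list (subnet mask, router, DNS), the RFC 2132 section 9.14 client-id form (hardware type byte followed by the MAC), `secs` pinned to 0 and the broadcast flag always set. Lease renewal behaviour is not modelled.

```python
import struct

# DHCP constants from RFC 2131 / RFC 2132
BOOTREQUEST = 1
HTYPE_ETHERNET = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER = 1
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_CLIENT_ID = 53, 55, 61

# Assumed profile choices for this example (not the thread's or Microsoft's spec):
PROFILE_OPTION_ORDER = (OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_PARAM_REQ)
PROFILE_PARAM_REQUEST = bytes([1, 3, 6])  # subnet mask, router, DNS server
PROFILE_FLAGS = 0x8000  # always ask for broadcast replies, regardless of stack
PROFILE_SECS = 0        # never leak elapsed time in the secs field


def client_identifier(mac: bytes) -> bytes:
    """Deterministic client-id: RFC 2132 section 9.14 form, htype byte + MAC."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte Ethernet MAC")
    return bytes([HTYPE_ETHERNET]) + mac


def encode_option(code: int, data: bytes) -> bytes:
    """Type-length-value encoding of one DHCP option."""
    if not 0 < len(data) < 256:
        raise ValueError("option length out of range")
    return bytes([code, len(data)]) + data


def build_discover(mac: bytes, xid: int) -> bytes:
    """Build a DHCPDISCOVER carrying exactly the profile's options, in order."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, HTYPE_ETHERNET, 6, 0, xid, PROFILE_SECS, PROFILE_FLAGS,
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    contents = {
        OPT_MSG_TYPE: bytes([DHCPDISCOVER]),
        OPT_CLIENT_ID: client_identifier(mac),
        OPT_PARAM_REQ: PROFILE_PARAM_REQUEST,
    }
    options = b"".join(encode_option(c, contents[c]) for c in PROFILE_OPTION_ORDER)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(packet: bytes) -> list:
    """Return [(code, data), ...] from the options field, in wire order."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        opts.append((code, data))
        i += 2 + length
    return opts


def option_codes(packet: bytes) -> tuple:
    """Ordered option-code sequence: the part of a client fingerprint the profile pins down."""
    return tuple(code for code, _ in parse_options(packet))


def conforms_to_profile(packet: bytes) -> bool:
    """Check whether a captured DISCOVER is indistinguishable from a profile client."""
    if len(packet) < 240 or packet[0] != BOOTREQUEST:
        return False
    secs, flags = struct.unpack("!HH", packet[8:12])
    if secs != PROFILE_SECS or flags != PROFILE_FLAGS:
        return False
    mac = packet[28:34]
    opts = dict(parse_options(packet))
    return (option_codes(packet) == PROFILE_OPTION_ORDER
            and opts.get(OPT_MSG_TYPE) == bytes([DHCPDISCOVER])
            and opts.get(OPT_CLIENT_ID) == client_identifier(mac)
            and opts.get(OPT_PARAM_REQ) == PROFILE_PARAM_REQUEST)


if __name__ == "__main__":
    # Constructed sample MAC and transaction id, not real values.
    pkt = build_discover(bytes.fromhex("001122334455"), 0x1234ABCD)
    print(len(pkt), option_codes(pkt), conforms_to_profile(pkt))
```

Two clients with different MACs produce the same option-code sequence and differ only in `chaddr`, `xid` and the MAC-derived client-id, which is the point of the profile; a client that adds anything else (a hostname option, a vendor class) fails `conforms_to_profile`, which is how you would notice a build that has drifted from the profile.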