Re: [Asrg] DNS over SCTP
Douglas Otis <dotis@mail-abuse.org> Fri, 29 May 2009 00:36 UTC
Return-Path: <dotis@mail-abuse.org>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0FF8C3A68F0 for <asrg@core3.amsl.com>; Thu, 28 May 2009 17:36:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.331
X-Spam-Level:
X-Spam-Status: No, score=-6.331 tagged_above=-999 required=5 tests=[AWL=0.268, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wo4LyLQxshU7 for <asrg@core3.amsl.com>; Thu, 28 May 2009 17:36:19 -0700 (PDT)
Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by core3.amsl.com (Postfix) with ESMTP id 51CD73A69D6 for <asrg@irtf.org>; Thu, 28 May 2009 17:36:14 -0700 (PDT)
Received: from [IPv6:::1] (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id 8B77FA9443A; Fri, 29 May 2009 00:36:31 +0000 (UTC)
Message-Id: <85FC4673-7256-4372-B4DD-260A3F8AEDA9@mail-abuse.org>
From: Douglas Otis <dotis@mail-abuse.org>
To: David Conrad <drc@virtualized.org>
In-Reply-To: <1E0EDA86-CFF5-40AC-AEE8-E943317E1E3C@virtualized.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Thu, 28 May 2009 17:36:30 -0700
References: <4A1A45BA.5030704@swin.edu.au> <3be421270905250718y5d62f6d5odb6f2bebecf418d0@mail.gmail.com> <6684E747-55CB-4BB3-B838-9F4FE906AFE7@mail-abuse.org> <200905251603.MAA16221@Sparkle.Rodents-Montreal.ORG> <CCE0A3E1-4BCB-460C-AEA0-6548BB4AE8FE@mail-abuse.org> <4A1D64C9.5060505@tana.it> <47BC2197-472E-4615-97D2-F7E42B8F3B7D@mail-abuse.org> <4A1E8BD3.8000103@tana.it> <20090528131509.GA13521@nic.fr> <4A1E9CBF.4010703@tana.it> <20090528142325.GA22943@nic.fr> <4A1EB214.6090507@tana.it> <1E0EDA86-CFF5-40AC-AEE8-E943317E1E3C@virtualized.org>
X-Mailer: Apple Mail (2.935.3)
Cc: ietf@ietf.org, Anti-Spam Research Group - IRTF <asrg@irtf.org>
Subject: Re: [Asrg] DNS over SCTP
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2009 00:36:20 -0000
On May 28, 2009, at 9:45 AM, David Conrad wrote: > On May 28, 2009, at 5:47 AM, Alessandro Vesely wrote: >> I don't trust the data because it is signed, I trust it because the >> signature proves that it originated from the authoritative server. > > Not quite. The signature over the data proves that the holder of > the private key has signed the data. The origin of that data then > becomes irrelevant. This discussion started by describing how an authorization protocol might utilize macros embedded within a DNS cache to stage relatively free DDoS attacks, all of which would be made worse by DNSSEC. Preventing DNS poisoning was also a concern expressed, which is likely to go hand in hand with the DNS enabled attack. Since DNS is normally connectionless, security solutions like SSL have been dismissed. While DNSSEC may protect against data corruption, such protection depends upon the thorny problem of verifying a key will be solved in a practical and politically acceptable manner. This protection also requires authoritative servers to rapidly adopt DNSSEC without also confronting other insurmountable deployment issues. Fool me once, shame on you. Fool me twice... >> Therefore, if I'm connected with the authoritative server over a >> trusted channel, I can trust the data even if it isn't signed. > > Not really. You are relying on the fact that the authoritative > server and (potentially) the channels it uses to communicate to the > originator of the data have not been compromised. Assume SCTP becomes generally available as a preferred transport for DNS. If so, an ability to corrupt DNS information would be greatly reduced, whether data is signed or not. In addition, SCTP can safely carry larger signed results without the DDoS concerns that will exist for either TCP or EDNS0 over UDP. Deploying DNS on SCTP should be possible in parallel with the DNSSEC effort. >> By induction, if a resolver only uses either signed data or trusted >> channels, I can trust it. > > A trusted channel is superfluous when the data is signed. Receiving signed data represents just a fraction of the challenges facing DNSSEC. :^( >> The limitations in TCP or SCTP security stem from an attacker's >> ability to compromise one or more routers, so as to either tamper >> with the packets on the fly, or redirect them to some other host. >> That's much more difficult than forging the source address of an >> UDP packet, though. > > True, but object security removes even the residual risk of channel > compromise (e.g., a compromised router). > > However, pragmatically speaking, I suspect it is going to be much, > much easier to get DNSSEC deployed than it would be to get every > router/firewall/NAT manufacturer and network operator to support/ > deploy SCTP, not to mention getting every DNSSEC server to support > DNS over SCTP. While TCP represents a possible fall-back method whenever UDP overflows, TCP is not assured. Instead of seldom, low prevalence might better describe TCP use in DNS. In addition, DNS servers prefer UDP over TCP when resources become scarce. TCP produces greater latency, requires more back and forth exchanges, and strands resources whenever confronting spoofed connection attempts. While EDNS0 allows UDP to carry larger signed packets, this also increases UDP's exposure to increased reflected attacks that leverage the brute strength of DNS. On the other hand, SCTP reserves resources until a request is confirmed by a returned cookie, which also allows data to be exchanged sooner than would be possible with TCP. Unlike TCP, SCTP carries chunks over multiple streams rather than non-delineated bytes over a single stream. SCTP connections consume minimal resources and can sustain longer sparse associations. SCTP also tunnels over UDP to provide compatibility with legacy NATs and firewalls. SCTP might soon become popular with browsers due to its inherent improvements on security and performance over TCP. A solid SCTP stack is now available in FreeBSD that has corporate friendly source licenses. :^) If there is one lesson that should have been learned from the DNSSEC effort, resolving DNS problems will require dedicated long term planning. Within the same timeframe as DNSSEC, SCTP has been able to provide reliable and safe transport. You might be using SCTP whenever you make a phone call or watch your TV. It seems that the telephone, more than the Internet, is what people expect to just work. -Doug
- [Asrg] DNS-based Email Sender Authentication Mech… Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Dave CROCKER
- Re: [Asrg] DNS-based Email Sender Authentication … Steve Atkins
- [Asrg] 答复: DNS-based Email Sender Authentication … Sean Shen
- Re: [Asrg] ´ð¸´: DNS-based Email Sender Authentic… grenville armitage
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] ´ð¸´: DNS-based Email Sender Authentic… Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … John Leslie
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] DNS-based Email Sender Authentication … Alessandro Vesely
- Re: [Asrg] DNS-based Email Sender Authentication … Dave CROCKER
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] DNS-based Email Sender Authentication … Alessandro Vesely
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … der Mouse
- Re: [Asrg] rDNS Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … John Levine
- [Asrg] DNS over SCTP (was: Re: DNS-based Email Se… Alessandro Vesely
- Re: [Asrg] rDNS Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… SM
- Re: [Asrg] DNS over SCTP Douglas Otis
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] rDNS Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … Florian Weimer
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS over SCTP Douglas Otis
- Re: [Asrg] rDNS discrimination Alessandro Vesely
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… Stephane Bortzmeyer
- Re: [Asrg] DNS over SCTP Stephane Bortzmeyer
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Thierry Moreau
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Masataka Ohta
- Re: [Asrg] DNS over SCTP Michael Tüxen
- Re: [Asrg] DNS over SCTP Paul Wouters
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… Francis Dupont
- Re: [Asrg] DNS over SCTP Francis Dupont
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Francis Dupont
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Bill Manning
- Re: [Asrg] DNS-based Email Sender Authentication … Florian Weimer
- Re: [Asrg] DNSSEC is NOT secure end to end Francis Dupont
- Re: [Asrg] DNSSEC is NOT secure end to end Christian Huitema
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Richard Barnes
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Richard Barnes
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Thierry Moreau
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Thierry Moreau
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Mark Andrews
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Christian Huitema
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Doug Otis
- Re: [Asrg] DNSSEC is NOT secure end to end Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Doug Otis
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- [Asrg] RISC is end to end (was Re: DNSSEC is NOT … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end der Mouse
- Re: [Asrg] DNS over SCTP Alessandro Vesely