Re: [Asrg] DNS over SCTP (was: Re: DNS-based Email Sender Authentication Mechanisms: a Critical Review
Francis Dupont <Francis.Dupont@fdupont.fr> Fri, 29 May 2009 13:29 UTC
Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DB71A28C18A for <asrg@core3.amsl.com>; Fri, 29 May 2009 06:29:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.278
X-Spam-Level:
X-Spam-Status: No, score=-2.278 tagged_above=-999 required=5 tests=[AWL=-0.029, BAYES_00=-2.599, HELO_EQ_FR=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fvge521f-uO7 for <asrg@core3.amsl.com>; Fri, 29 May 2009 06:29:33 -0700 (PDT)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) by core3.amsl.com (Postfix) with ESMTP id 80BBB28C186 for <asrg@irtf.org>; Fri, 29 May 2009 06:29:33 -0700 (PDT)
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.13.8/8.13.8) with ESMTP id n4TDTwKm040932; Fri, 29 May 2009 15:29:59 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <200905291329.n4TDTwKm040932@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Alessandro Vesely <vesely@tana.it>
In-reply-to: Your message of Thu, 28 May 2009 15:04:19 +0200. <4A1E8BD3.8000103@tana.it>
Date: Fri, 29 May 2009 15:29:58 +0200
Sender: Francis.Dupont@fdupont.fr
X-Mailman-Approved-At: Sat, 30 May 2009 16:32:53 -0700
Cc: Anti-Spam Research Group - IRTF <asrg@irtf.org>, ietf@ietf.org
Subject: Re: [Asrg] DNS over SCTP (was: Re: DNS-based Email Sender Authentication Mechanisms: a Critical Review
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2009 13:29:33 -0000
In your previous mail you wrote: I thought TCP was the default when the UDP message size is not enough. => with EDNS0 this is a bit more complex but IMHO this is the idea. Note the recommended "connection management" (RFC 1025 4.2.2) suggests multiple queries/responses too. That's, AFAIK, the only advantage of TCP over SCTP: it's already in place and ready. (Yes, one needs to run firewalls and all that stuff.) => this is not a new idea but today no server or resolver implementation supports DNS over SCTP. I have a lot of sympathy for SCTP but for DNS we need a transaction oriented transport, i.e., something more secure than simple stateless query/response over UDP but without the overhead of opening and closing TCP connections. This is a very old idea, cf. RFC 955, but as far as I know this is still an open problem. If I am wrong (I'd like to be :-) please request a BoF in the transport area ASAP! > A single SCTP connection can support thousands of simultaneous streams, I agree SCTP is better, and it's been around for nearly a decade now. => IMHO it is far less than 10 years but arguing about this point is out of topic. Yet, for those who miss it, good old TCP allows, say, a client to hold a couple of connections to its favorite resolver in order to avoid many of the threats illustrated by Kaminsky... => TCP is very expensive in terms of resources for the server and TCP is still vulnerable to in-the-path attacks. > There is also OS support for UDP > tunneling of SCTP when supporting legacy NATs and firewalls. Until > there is an significant incentive to make DNS more robust, use of SCTP > is likely to remain just a good and under appreciated option. It seems that DNS over SCTP would solve 90% of the problems with 10% of the efforts and resources required to implement DNSSEC. However, I hear more often about the latter than the former. How come? => DNSSEC is the only available solution which solves the problems. Others are not available (no specification published in a standard track RFC or simply unfeasible) or don't address the problems (hop-by-hop security for instance, when end-to-end is needed). Both TCP and SCTP are in the others today... Regards Francis.Dupont@fdupont.fr
- [Asrg] DNS-based Email Sender Authentication Mech… Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Dave CROCKER
- Re: [Asrg] DNS-based Email Sender Authentication … Steve Atkins
- [Asrg] 答复: DNS-based Email Sender Authentication … Sean Shen
- Re: [Asrg] ´ð¸´: DNS-based Email Sender Authentic… grenville armitage
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] ´ð¸´: DNS-based Email Sender Authentic… Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … John Leslie
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] DNS-based Email Sender Authentication … Alessandro Vesely
- Re: [Asrg] DNS-based Email Sender Authentication … Dave CROCKER
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] DNS-based Email Sender Authentication … Alessandro Vesely
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … der Mouse
- Re: [Asrg] rDNS Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … John Levine
- [Asrg] DNS over SCTP (was: Re: DNS-based Email Se… Alessandro Vesely
- Re: [Asrg] rDNS Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… SM
- Re: [Asrg] DNS over SCTP Douglas Otis
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] rDNS Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … Florian Weimer
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS over SCTP Douglas Otis
- Re: [Asrg] rDNS discrimination Alessandro Vesely
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… Stephane Bortzmeyer
- Re: [Asrg] DNS over SCTP Stephane Bortzmeyer
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Thierry Moreau
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Masataka Ohta
- Re: [Asrg] DNS over SCTP Michael Tüxen
- Re: [Asrg] DNS over SCTP Paul Wouters
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… Francis Dupont
- Re: [Asrg] DNS over SCTP Francis Dupont
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Francis Dupont
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Bill Manning
- Re: [Asrg] DNS-based Email Sender Authentication … Florian Weimer
- Re: [Asrg] DNSSEC is NOT secure end to end Francis Dupont
- Re: [Asrg] DNSSEC is NOT secure end to end Christian Huitema
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Richard Barnes
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Richard Barnes
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Thierry Moreau
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Thierry Moreau
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Mark Andrews
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Christian Huitema
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Doug Otis
- Re: [Asrg] DNSSEC is NOT secure end to end Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Doug Otis
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- [Asrg] RISC is end to end (was Re: DNSSEC is NOT … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end der Mouse
- Re: [Asrg] DNS over SCTP Alessandro Vesely