Re: [BEHAVE] DNS vs port overloading

Mark Andrews <marka@isc.org> Thu, 27 June 2013 22:11 UTC

To: Simon Perreault <simon.perreault@viagenie.ca>
From: Mark Andrews <marka@isc.org>
Date: Fri, 28 Jun 2013 08:11:33 +1000
Cc: behave@ietf.org, ivan@cacaoweb.org

In message <51CC50AE.2080909@viagenie.ca>, Simon Perreault writes:
> Le 2013-06-27 16:36, Mark Andrews a écrit :
> >>> And overloading DNS could potentially defeat the port randomisation
> >>> done by the server even though nameservers do port overloading
> >>> themselves to send traffic out a large set of ports chosen at
> >>> random and reselected from at random.
> >>
> >> Good point.
> >>
> >> Could that be solved with operational advice? In the case of CGN, we
> >> could advise the ISP to make sure that its recursive nameserver
> >> sits on the border between the internal and external realm such that no
> >> DNS traffic is handled by the CGN.
> >>
> >> Would that fully address your concern?
> >
> > No.  Many ISPs have a history of mucking with DNS results when you
> > use their servers.  Most ISPs don't muck with DNS queries not directed
> > to their servers.  For those that do you can usually see that they
> > are mucking with results.
> >
> > You can't just redirect queries at a normal recursive server and
> > think that will provide a "transparent DNS caching server".
> 
> Right, but port overloading is not what kills the randomization done by 
> the DNS client. Non-port-preserving NAT is what kills it.

Deterministic (e.g. sequential) port assignment kills it.  Port
overloading kills it if not done sensibly.

> Non-port preserving NATs are already required to implement port 
> randomization according to:
> 
> https://tools.ietf.org/html/rfc6056#section-4
> 
> Port overloading is not incompatible with port randomization. Maybe we 
> should explicitly write this and add a reference to RFC 6056?
> 
> Simon
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org