Re: [dns-privacy] DPRIVE over UDP or TCP

Phillip Hallam-Baker <ietf@hallambaker.com> Thu, 23 April 2015 02:25 UTC

In-Reply-To: <CA+9kkMBjJc10h0fDaXaYs4HzMSjM06B_6x=5KvPnEn4iZ7fhsw@mail.gmail.com>
References: <832DC193-6328-42EC-B33A-801FC1731EB0@cisco.com> <CA+9kkMBjJc10h0fDaXaYs4HzMSjM06B_6x=5KvPnEn4iZ7fhsw@mail.gmail.com>
Date: Wed, 22 Apr 2015 22:25:37 -0400
Message-ID: <CAMm+Lwiu+DVgOHp8XenQEr8fbR7uvQCcSoG-U1ShHxGyat2myA@mail.gmail.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
To: Ted Hardie <ted.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/1yDB3yPm2flpB4WsDLPO3CUO-zM>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, 🔓Dan Wing <dwing@cisco.com>
Subject: Re: [dns-privacy] DPRIVE over UDP or TCP

On Wed, Apr 22, 2015 at 6:24 PM, Ted Hardie <ted.ietf@gmail.com> wrote:

> On Wed, Apr 22, 2015 at 10:15 AM, 🔓Dan Wing <dwing@cisco.com>
> wrote:
>
>> During the DPRIVE meeting in Dallas, several questions came up about UDP
>> versus TCP.  We had previously submitted a "DNS over DTLS" document which
>> predated DPRIVE.  We re-submitted the document with a few edits and a
>> filename that makes it easier to find,
>> https://tools.ietf.org/html/draft-wing-dprive-dnsodtls, diffs at
>> https://tools.ietf.org/rfcdiff?url1=draft-wing-dnsop-dnsodtls-01&url2=draft-wing-dprive-dnsodtls-00
>>
>> The working group may want to consider the advantages of DNS over DTLS
>> over UDP compared to using TCP:
>>
>>  * No reliance on operating system support of TCP Fast Open [RFC7413] to
>> achieve same number of round trips.
>>  * Avoidance of TCP's network head of line blocking.
>>
>>
> Just to confirm my understanding, with DTLS plus anycast, you'd have
> similar issues for restart as TCP (state being associated with a single
> endpoint, timeout required for flushing state).  Is that your thinking as
> well?
>
> regards,
>
> Ted
>

I am not an expert on DTLS but that was the concern that made me avoid
using it. I want a completely stateless resolver, not just UDP.

That means using either a very fast ECC scheme for authentication or some
sort of kerberos ticket.

There are TLS features that may be sufficient but I worry about the number
of framing bytes.