Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 19 July 2017 07:22 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9B1B131BF7 for <dns-privacy@ietfa.amsl.com>; Wed, 19 Jul 2017 00:22:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O0RP-HBmj-E0 for <dns-privacy@ietfa.amsl.com>; Wed, 19 Jul 2017 00:22:15 -0700 (PDT)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fece:1902]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F57813178D for <dns-privacy@ietf.org>; Wed, 19 Jul 2017 00:22:09 -0700 (PDT)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id 3751431C83; Wed, 19 Jul 2017 09:22:08 +0200 (CEST)
Received: by godin (Postfix, from userid 1000) id EBAAFEC0B1C; Wed, 19 Jul 2017 09:16:24 +0200 (CEST)
Date: Wed, 19 Jul 2017 09:16:24 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Shane Kerr <shane@time-travellers.org>
Cc: Hugo Connery <hmco@env.dtu.dk>, dns-privacy@ietf.org
Message-ID: <20170719071624.GA15004@laperouse.bortzmeyer.org>
References: <149911712731.22782.2792826496381014188@ietfa.amsl.com> <CAHXf=0pDy9+vp-gfEAfMwb27w8fc8WqSfBL4eC4LZZzLG+XLOw@mail.gmail.com> <1499157602.2629.1.camel@env.dtu.dk> <20170707095819.233ef89c@earth.zonnestelsel.tk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20170707095819.233ef89c@earth.zonnestelsel.tk>
X-Transport: UUCP rules
X-Operating-System: Ubuntu 16.04 (xenial)
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/jklFeY4FqT89oKyFYQ0aWmaYGTw>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 07:22:17 -0000
On Fri, Jul 07, 2017 at 09:58:19AM +0000, Shane Kerr <shane@time-travellers.org> wrote a message of 193 lines which said: > Do you really mean to propose an option to pad every query and > response message to 65K bytes? I guess I don't object it for the > sake of completion, but it seems a bit crazy. Note that there are already "crazy" policies mentioned in draft-ietf-dprive-padding-policy-01 :-) ("No Padding" and "Fixed Length Padding"). This proposal (improved by suggestions to pad queries at the maximum size a query can be, and responses to the MTU or the EDNS buffer size) is just a variant of the "Block Length Padding" policy, with a length so large that in practice the padding will be always be the block length and not a multiple of it. Suggested text for the "Block Length Padding" section: In Block Length Padding, a sender pads each message so that its padded length is a multiple of a chosen block length. This creates a greatly reduced variety of message lengths. An implementor needs to consider that even the zero-length EDNS0 Padding Option increases the length of the packet by 4 octets. Options: Block Length - values between 16 and 128 octets for the queries seem reasonable, they have to be larger for the responses (see [dkg-padding-ndss] and section 5 for a discussion). It is also possible to have a very large block length, meaning that in practice the padding length will always be the block length. In that case, reasonable values may be 288 bytes for the query (the maximum size of a one-question query over TCP) and the EDNS buffer size of the server for the responses. Advantages: This policy is reasonably easy to implement, reduces the variety of message ("fingerprint") sizes significantly, and does not require a source of (pseudo) random numbers, since the amount of padding can be derived from the actual (unpadded) message. Disadvantage: Given an unpadded message and the block size of the padding (which is assumed to be public knowledge once a server is reachable), the size of a message can be predicted. Therefore, the minimum and maximum length of the unpadded message is known. (Unless you use the variant with a very large block length but, in that case, the disadvantage is that you send a lot of "useless" bytes.) This is currently the recommended policy (see section 5).
- [dns-privacy] I-D Action: draft-ietf-dprive-paddi… internet-drafts
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Alexander Mayrhofer
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Hugo Connery
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Paul Hoffman
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Shane Kerr
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Shane Kerr
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Tony Finch
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Ilari Liusvaara
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Stephane Bortzmeyer
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Stephane Bortzmeyer