Re: [dns-privacy] Joel Jaeggli's Discuss on draft-ietf-dprive-edns0-padding-02: (with DISCUSS)

Warren Kumari <warren@kumari.net> Mon, 29 February 2016 23:15 UTC

References: <20160229195527.11806.46599.idtracker@ietfa.amsl.com> <20160229223447.78935641@pallas.home.time-travellers.org> <31a8330c-b14a-bd75-5432-380758f95a2c@bogus.com>
In-Reply-To: <31a8330c-b14a-bd75-5432-380758f95a2c@bogus.com>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 29 Feb 2016 23:14:55 +0000
Message-ID: <CAHw9_i+3Gu+Uoe+k3pgCtUUU_dj9N9VbBgiVhYPe4e73XVGdOA@mail.gmail.com>
To: joel jaeggli <joelja@bogus.com>, Shane Kerr <shane@time-travellers.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/uYsTVRcOpAIGNgaAUTzYzbFYCyU>
Cc: tjw.ietf@gmail.com, draft-ietf-dprive-edns0-padding@ietf.org, dns-privacy@ietf.org, The IESG <iesg@ietf.org>, dprive-chairs@ietf.org
Subject: Re: [dns-privacy] Joel Jaeggli's Discuss on draft-ietf-dprive-edns0-padding-02: (with DISCUSS)

On Mon, Feb 29, 2016 at 4:40 PM joel jaeggli <joelja@bogus.com> wrote:

> On 2/29/16 1:34 PM, Shane Kerr wrote:
> > Joel,
> >
> > At 2016-02-29 11:55:27 -0800
> > "Joel Jaeggli" <joelja@bogus.com> wrote:
> >>
> >> This is just something I want to discuss, it's not an objection...
> >>
> >> At this point we say:
> >>
> >>    Implementations therefore
> >>    SHOULD avoid using this option if the DNS transport is not encrypted.
> >>
> >> If you did allow this on unencrypted dns transport this seems like it
> >> serves as a utility function for DNS amplification.
> >>
> >> Wouldn't it be better to say MUST NOT?
> >>
> >> e.g. this is exclusively for use with TLS / DTLS supporting sessions?
> >
> > If the concern is amplification, then this is independent of
> > encryption. Unencrypted TCP or even DNS cookies should address the
> > concern, the same as they do for any large response.
> >
> > In the interests of simplicity I think your suggestion of making it a
> > MUST NOT makes sense though. Perhaps a sentence explaining the
> > motivation for such a strong recommendation is beneficial in that case.
> >
> > Something like:
> >
> >    The use of the EDNS(0) Padding provides only a benefit when DNS
> >    packets are not transported in clear text. Further, it is possible
> >    EDNS(0) Padding may make DNS amplification attacks easier.
> >    Implementations therefore MUST NOT use this option if the DNS
> >    transport is not encrypted.
> >
> > Personally I would be happy if the definition of "DNS transport"
> > remains vague in the hopes of covering everything. ;)
>
> I like this proposal just fine, if we're not violating the assumptions
> of any of the participants...
>

<nh>
  <aol>
      Me too!
   </aol>
</nh>

W
P.S: yes, that *was* fun!


>
> thanks
> joel
>
> > Cheers,
> >
> > --
> > Shane
> >
>
>
>
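As an added illustration of the two points argued above (padding only pays off on an encrypted transport, and a padded response is simply a larger response as far as reflection is concerned), here is a small stdlib-only Python example. It is not code from the draft, from this thread, or from any of its participants. It builds DNS wire-format messages carrying the EDNS(0) Padding option (option code 12, as assigned by RFC 7830), refuses to add the option unless the caller says the transport is TLS or DTLS, and reports the response-to-query size ratio. The transport names, the 128-byte and 468-byte padding blocks (the sizes RFC 8467 later recommended for queries and responses), and the sample name and address are assumptions of the example.

```python
"""Constructed example: EDNS(0) Padding (RFC 7830, option code 12) with a
transport policy that never pads on a plaintext transport."""
import struct

OPT_TYPE = 41                                        # OPT pseudo-RR type (RFC 6891)
EDNS_OPTION_PADDING = 12                             # Padding option code (RFC 7830)
ENCRYPTED_TRANSPORTS = frozenset({"tls", "dtls"})    # assumption: what counts as encrypted


def _encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, root terminator."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def _skip_name(msg, off):
    """Return the offset just past a name (handles a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def padding_needed(unpadded_len, block):
    """Padding bytes so that message + 4-byte option header is a multiple of block."""
    return (-(unpadded_len + 4)) % block


def build_message(qname, qtype=1, *, response=False, rdata=b"", udp_payload=4096,
                  padding=None, msg_id=0x1234):
    """Query (or one-answer response) with an OPT RR; padding=None omits the option."""
    flags = 0x8180 if response else 0x0100           # QR|RD|RA, or just RD
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, 1 if response else 0, 0, 1)
    wire_name = _encode_name(qname)
    question = wire_name + struct.pack("!HH", qtype, 1)
    answer = b""
    if response:
        answer = wire_name + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    options = b""
    if padding is not None:
        options = struct.pack("!HH", EDNS_OPTION_PADDING, padding) + b"\x00" * padding
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, len(options)) + options
    return hdr + question + answer + opt


def parse_padding(msg):
    """Length of the Padding option in a message, or None if it carries none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        o = 0
        while o + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            if code == EDNS_OPTION_PADDING:
                return olen
            o += 4 + olen
    return None


def build_for_transport(transport, block, **kw):
    """Pad to `block` only on an encrypted transport; plaintext gets no option at all
    (the MUST NOT discussed in the thread). kw is passed to build_message."""
    base = build_message(**kw)
    if transport.lower() not in ENCRYPTED_TRANSPORTS:
        return base
    return build_message(padding=padding_needed(len(base), block), **kw)


def amplification(query, response):
    """Bytes sent back per byte received: what a reflector cares about."""
    return len(response) / len(query)


if __name__ == "__main__":
    addr = bytes([192, 0, 2, 1])                      # constructed sample answer (TEST-NET-1)
    for transport in ("udp", "tls"):
        q = build_for_transport(transport, 128, qname="example.com")
        r = build_for_transport(transport, 468, qname="example.com", response=True, rdata=addr)
        print(transport, len(q), len(r), parse_padding(q), parse_padding(r),
              round(amplification(q, r), 2))
```

Over plaintext UDP the builder leaves both messages unpadded (40-byte query, 67-byte response), while over TLS the same pair comes out as 128 and 468 bytes; the ratio a reflector would see from a padded 468-byte response to a 40-byte unpadded query is 11.7, which is the reason the option is confined to encrypted, connection-oriented transports.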