Re: [dnsext] Source Port and QID selection for re-transmits?

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Thu, 23 October 2008 13:40 UTC

Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, Ray.Bellis@nominet.org.uk, namedroppers@ops.ietf.org
Message-Id: <F39B9304-E8E2-4CDF-9B94-B1490C1EE205@icsi.berkeley.edu>
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
To: Wouter Wijngaards <wouter@NLnetLabs.nl>
In-Reply-To: <490058F2.5020508@nlnetlabs.nl>
Subject: Re: [dnsext] Source Port and QID selection for re-transmits?
Date: Thu, 23 Oct 2008 06:34:22 -0700
References: <OFC76E0B00.F35C649D-ON802574EB.00341AB2-802574EB.00354F1B@nominet.org.uk> <490058F2.5020508@nlnetlabs.nl>

On Oct 23, 2008, at 3:58 AM, Wouter Wijngaards wrote:

> Ray.Bellis@nominet.org.uk wrote:
>> On researching a draft I'm writing I've been unable to find any guidance
>> on whether the QID and Source Port of a re-transmit should be the same as
>> for the original request.
>> What are the WG's thoughts?
>
> Leave to implementation.  Lengthening the time the packet is accepted is
> one choice.  Choosing new ID, port (and no longer accepting the old one)
> is another choice.  You could caution against birthday attacks, but
> please do not prescribe implementation.

I don't think it matters much:

Case 1:  Retry uses the same entropy.

Case 2:  Retry uses a new entropy set.

For BOTH cases, there is an additional window of time outstanding where a
spoofed packet could be received.  There is a trivially slight attacker
advantage on case 1, as the attacker can continue to send from a randomly
selected subset of the entropy space instead of starting over, but if you
have 32b+ of entropy, this advantage is going to be trivially small, and if
you have only 16b of entropy, you are sunk anyway.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
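As an added worked example, not part of the thread, the two cases above compared numerically. It assumes a blind spoofer who sends k distinct guesses per acceptance window, w windows in total (the original query plus its retries), and an entropy space of 2^bits values for the QID/port pair; these parameters are assumptions, not figures from the thread.

```python
from fractions import Fraction


def p_same_entropy(entropy_bits: int, guesses_per_window: int, windows: int) -> Fraction:
    """Case 1: the retry keeps the original QID/port, so the target value is
    fixed across all windows and the attacker never has to repeat a guess.
    Covering w*k distinct values of a space of size S wins with
    probability w*k/S (capped at 1)."""
    space = 2 ** entropy_bits
    covered = min(space, guesses_per_window * windows)
    return Fraction(covered, space)


def p_fresh_entropy(entropy_bits: int, guesses_per_window: int, windows: int) -> Fraction:
    """Case 2: each retry draws a new QID/port and the old one is no longer
    accepted, so every window is an independent trial with k distinct
    guesses: P(success) = 1 - (1 - k/S)^w."""
    space = 2 ** entropy_bits
    per_window_miss = 1 - Fraction(min(space, guesses_per_window), space)
    return 1 - per_window_miss ** windows


def attacker_advantage(entropy_bits: int, guesses_per_window: int, windows: int) -> Fraction:
    """How much case 1 helps the attacker over case 2.  For w = 2 this is
    exactly (k/S)^2, which is why it vanishes with 32+ bits of entropy."""
    return (p_same_entropy(entropy_bits, guesses_per_window, windows)
            - p_fresh_entropy(entropy_bits, guesses_per_window, windows))


def compare(guesses_per_window: int = 1000, windows: int = 2) -> dict:
    """Table of (case 1, case 2, advantage) for 16-bit and 32-bit entropy.
    The assumed attacker rate (1000 distinct guesses per window) is a
    constructed value, not a measurement."""
    rows = {}
    for bits in (16, 32):
        rows[bits] = (float(p_same_entropy(bits, guesses_per_window, windows)),
                      float(p_fresh_entropy(bits, guesses_per_window, windows)),
                      float(attacker_advantage(bits, guesses_per_window, windows)))
    return rows


if __name__ == "__main__":
    for bits, (same, fresh, adv) in compare().items():
        print(f"{bits:2d} bits: same={same:.3e}  fresh={fresh:.3e}  advantage={adv:.3e}")
```

With 16 bits the absolute advantage is on the order of 2e-4 while both success probabilities are already around 3%, and with 32 bits it drops below 1e-13; the defender's lever is the entropy width, not the retry policy.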