IETF Logo Mail Archive

Re: how many angels can dance on the head of a pin?

Alex Bligh <alex@alex.org.uk> Sun, 10 August 2008 08:53 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5C2B43A683B; Sun, 10 Aug 2008 01:53:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.805
X-Spam-Level:
X-Spam-Status: No, score=0.805 tagged_above=-999 required=5 tests=[AWL=-1.300, BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EEWKnc0YvuyK; Sun, 10 Aug 2008 01:53:03 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 62F8C3A6811; Sun, 10 Aug 2008 01:53:03 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KS6Zu-0005eH-27 for namedroppers-data@psg.com; Sun, 10 Aug 2008 08:47:06 +0000
Received: from [217.147.82.63] (helo=mail.avalus.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <alex@alex.org.uk>) id 1KS6Zq-0005dH-1K for namedroppers@ops.ietf.org; Sun, 10 Aug 2008 08:47:04 +0000
Received: from [192.168.100.3] (localhost [127.0.0.1]) by mail.avalus.com (Postfix) with ESMTP id 800DFC2DB3; Sun, 10 Aug 2008 09:46:52 +0100 (BST)
Date: Sun, 10 Aug 2008 09:50:35 +0100
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: Duane at e164 dot org <duane@e164.org>, bmanning@vacation.karoshi.com, Namedroppers <namedroppers@ops.ietf.org>
cc: Alex Bligh <alex@alex.org.uk>
Subject: Re: how many angels can dance on the head of a pin?
Message-ID: <01B9CF1DF0A4A4443A6E73A4@nimrod.local>
In-Reply-To: <489E89B6.6090208@e164.org>
References: <200808080237.m782bBqk005628@drugs.dv.isc.org> <489BBA1C.1040107@e164.org> <489E4D44.1080306@links.org> <20080810042136.GA18568@vacation.karoshi.com.> <489E89B6.6090208@e164.org>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>


--On 10 August 2008 16:24:54 +1000 Duane at e164 dot org <duane@e164.org> 
wrote:

> If shared caching at the ISP level is abandoned in favour of moving them
> closer to the end user, either on their computer or on the LAN but isn't
> accessible usually from beyond the LAN, would that not solve the
> majority of concerns currently being expressed?

I think ISP-level caching has only been targeted here because it's the most
obvious way to obtain maximum impact for a cache poisoning attack. However,
unfortunately, it's not the only way to use cache poisoning techniques.
Not using ISP-level caching means (aside from the increased load):

  1. Lookups would more often take place from behind a NAT. This can reduce
     entropy and make any given attack easier. Thus remember unlike many
     attack profiles, sticking a shared cache behind a NAT only serves
     to make things worse.

  2. For specifically targeted attacks (e.g. where what Mallory really
     wants to do is poison the DNS for a particular mail smarthost), it
     gets no more difficult.

Let's also remember that no intermediate caching at all means lots
of additional load and complexity on the end user device (as full caching
and recursion needs to be implemented there) and/or greater latency,
as the recursive element requires lookups from "." upwards go over
an end user link. Consider how, for instance, internet browsing on a mobile
phone would be affected by a total absence of intermediate caching servers.

To return to the original angels and pins discussion, when this group
was first busying itself designing just how the lipstick might be applied
to the DNSSEC pig, one of the original design criteria was that the security
worked in such a way that it was transparent to dumb caches between
authoritative server and end resolver. Solving integrity problems without
dumb caches being the ones providing the data (i.e. assuming resolver
could always talk directly to the authoritative server) would have been
far easier, and would no doubt have resulted in a far less ugly beast
of a protocol. If we were wrong to include caching as a design criterion
at all (i.e. if we can ditch it now), then yes, that is seems consistent
with your view of DNSSEC. I don't, however, think dropping caching is
a realistic option, either for vanilla DNS or for DNSSEC or any substitute
thereof.

Alex

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email