Re: [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DNS hardening)
Doug Otis <doug.mtview@gmail.com> Sun, 09 August 2009 21:44 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E58343A680B; Sun, 9 Aug 2009 14:44:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.994
X-Spam-Level:
X-Spam-Status: No, score=0.994 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4UVjA5gWX0pv; Sun, 9 Aug 2009 14:44:16 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 47CC73A681C; Sun, 9 Aug 2009 14:43:42 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1MaG60-000H6u-4Q for namedroppers-data0@psg.com; Sun, 09 Aug 2009 21:38:28 +0000
Received: from [209.85.222.200] (helo=mail-pz0-f200.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <doug.mtview@gmail.com>) id 1MaG5v-000H5z-L1 for namedroppers@ops.ietf.org; Sun, 09 Aug 2009 21:38:26 +0000
Received: by pzk38 with SMTP id 38so2906556pzk.33 for <namedroppers@ops.ietf.org>; Sun, 09 Aug 2009 14:38:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=SQUuis2pgw8HqjhZyfwbEMuG7uUEUlW7G950xy9NaeY=; b=oI0+LEHsbjBprLHBvLJmU8Dj+6MAW/fRAHFgCO7i0ZNNGq4UtwQjQ+ctGQzsJAGWxs RIGVQWaeTbg8kiqIYGfCrNo987Q7c77Yx69Bs7w6xzKX3ojj0To1jKyxxVMjPkXsLRLj Y8KGtTrqKb8eXKITkI60mTc1N+M8zblCA7HzM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=QR92GNHU5NN9D9akRJplyVS8Poe3BZ8juOEGtbWyKBUQ46UmbH467OR06J6gEIfAZO TX0LGXP5uvQy+6lLImaEKqmi+botT7dawySQVFjHmuxBmDgTDmwMTwyIEvcVVbA7KgH0 ErV5hixt09LKukWKIejaiIvMeqaaFiADKNdHs=
Received: by 10.115.46.14 with SMTP id y14mr5402224waj.165.1249853902375; Sun, 09 Aug 2009 14:38:22 -0700 (PDT)
Received: from dotis-mac.local (64-142-13-68.dsl.static.sonic.net [64.142.13.68]) by mx.google.com with ESMTPS id n30sm6150808wag.6.2009.08.09.14.38.20 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 09 Aug 2009 14:38:21 -0700 (PDT)
Message-ID: <4A7F41CB.10202@gmail.com>
Date: Sun, 09 Aug 2009 14:38:19 -0700
From: Doug Otis <doug.mtview@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.1) Gecko/20090715 Thunderbird/3.0b3
MIME-Version: 1.0
To: Paul Vixie <vixie@isc.org>
CC: namedroppers@ops.ietf.org
Subject: Re: [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DNS hardening)
References: <20090805164823.43774.qmail@simone.iecc.com> <4A79CB90.708@mail-abuse.org> <90CEC867-A870-4E45-AFC2-898AD655699E@arbor.net> <4A79F8A3.9040302@mail-abuse.org> <75cb24520908051449n29c53491m90fd021022d9816f@mail.gmail.com> <4A7A0D6C.90808@mail-abuse.org> <75cb24520908051853t6c0f05d3l94c404d3227d191c@mail.gmail.com> <g3my6diger.fsf@nsa.vix.com> <20090807224105.62dfb659@cs.columbia.edu> <71652.1249746400@nsa.vix.com>
In-Reply-To: <71652.1249746400@nsa.vix.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
On 8/8/09 8:46 AM, Paul Vixie wrote: >> Am I missing something? The SCTP cookie guards against the equivalent >> of SYN-flooding attacks. The problem with SCTP is normal operations. >> A UDP DNS query today takes a message and a reply, with no (kernel) >> state created on the server end. For SCTP, it takes two round trips to >> set up the connection -- which includes kernel state -- followed by the >> query and reply, and tear-down. There is info within initial exchanges (beyond that exchanged with TCP) that allows SCTP to be robust. TCP transitions from Listen to SYN_RCVD send SYN ACK, ACK recv, Established. From SYN_RVCD, it might also send FIN, transition with recv ACK, and stick on FIN-WAIT2 for recv FIN. >> I confess that I don't remember the >> SCTP state diagram; in TCP, the side that closes first can end up in >> FIN-WAIT2 state, which is stable. That is, suppose the server -- the >> loaded party -- tries to shed kernel state by closing its DNS socket >> first. If the client goes away or is otherwise uncooperative, the >> server will then end up in FIN-WAIT2, in which case kernel memory is >> consumed "forever" by conforming server TCPs. Does SCTP have that >> problem? SCTP state diagram: http://www.csm.ornl.gov/~dunigan/netperf/SCTPstate.png TCP state diagram: http://www.csm.ornl.gov/~dunigan/netperf/TCPstate.gif SCTP goes from Closed, recv Cookie ECHO, Send Cookie ACK to Established. Shutdown sent with Timer. SCTP can transitions from any to state to Closed with Abort for any reason. Minor state adjustments are handled by the Out-of-the-Blue (OOTB) routines. RFC4460 provides SCTP errata and issue review. As part of a long term strategy, the concept of allowing (somewhat) persistent SCTP DNS associations versus single transactions per TCP connection is to retain the low latency obtained with UDP, in that the next query might be bundled in a separate stream or issued within some period of time later. Deciding when an association is to be shutdown should weigh the overhead of retaining associations and heartbeats, against establishing new associations. SCTP DNS handled in this fashion should help eliminate spoofing between ISP recursive resolvers, and provide reliable transactions with authoritative name servers without extra ordinary provisioning. SCTP HTTP should also help make web sites more impervious to DDoS attacks and various types of exploits. Using SCTP with DNS should also ensure teething issues are quickly overcome. Flood protections often put in place for TCP may block without verifying the source's involvement. This means TCP can be globally flooded, or have sources selectively inhibited due to address spoofing. In addition, as a result of DNSSEC response sizes, UDP responses may also imperil the networks reaching the addresses being spoofed. SCTP eliminates these threats while demanding the least amount of additional resources. SCTP multi-home feature work best within an IPv6 environment, however SCTP's use with DNS should also help ensure it works well with IPv4 as well. -Doug -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie
- [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DNS ha… Paul Vixie
- [dnsext] SCTP trials over on NANOG, 2 of 3 (Re: D… Paul Vixie
- Re: [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DN… Doug Otis
- Re: [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DN… Paul Vixie
- Re: [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DN… Douglas Otis