[dnsext] SCTP trials over on NANOG, 2 of 3 (Re: DNS hardening)

Paul Vixie <vixie@isc.org> Sat, 08 August 2009 15:54 UTC

From: Paul Vixie <vixie@isc.org>
To: namedroppers@ops.ietf.org
Subject: [dnsext] SCTP trials over on NANOG, 2 of 3 (Re: DNS hardening)
In-Reply-To: Your message of "Thu, 06 Aug 2009 07:07:32 GMT." <82my6d8lor.fsf@mid.bfk.de>
References: <20090805164823.43774.qmail@simone.iecc.com> <4A79CB90.708@mail-abuse.org> <82my6d8lor.fsf@mid.bfk.de>
Date: Sat, 08 Aug 2009 15:45:26 +0000
Message-ID: <71625.1249746326@nsa.vix.com>
List-ID: <namedroppers.ops.ietf.org>

there's one more after this, from steve bellovin, will be fwd'd in a moment.

> From: Florian Weimer <fweimer@bfk.de>
> Newsgroups: gmane.org.operators.nanog
> Subject: Re: DNS hardening, was Re: Dan Kaminsky
> Date: Thu, 06 Aug 2009 07:07:32 +0000
> Cc: nanog@nanog.org
> To: Douglas Otis <dotis@mail-abuse.org>
> Archived-At: <http://permalink.gmane.org/gmane.org.operators.nanog/66869>
> 
> * Douglas Otis:
> 
> > Establishing SCTP as a preferred DNS transport offers a safe harbor
> > for major ISPs.
> 
> SCTP is not a suitable transport for DNS, for several reasons:
> 
> Existing SCTP stacks are not particularly robust (far less than TCP).
> The number of bugs still found in them is rather large.
> 
> Only very few stacks (if any) implement operation without kernel
> buffers.  The remaining ones are subject to the same state exhaustion
> attacks as TCP stacks are.
> 
> At least some parts of SCTP and the SCTP API were designed for a
> cooperative environment.
> 
> The SCTP API specification is very ambiguous, which is quite strange
> for such a young protocol.  For instance, it is not clear whether, if a
> single socket is used to communicate with multiple peers, head-of-line
> blocking can occur.
> 
> The protocol has insufficient signalling to ensure that
> implementations turn off features which are harmful on a global scale.
> For instance, persistent authoritative <-> resolver connections only
> work if you switch off heartbeat, but the protocol cannot do this, and
> it is likely that many peers won't do it.
> 
> SCTP proposers generally counter these observations by referring to
> extensions and protocols which are not yet standardized, not
> implemented, or both, constantly moving the goalposts.
> 
> -- 
> Florian Weimer                <fweimer@bfk.de>
> BFK edv-consulting GmbH       http://www.bfk.de/
> Kriegsstraße 100              tel: +49-721-96201-1
> D-76133 Karlsruhe             fax: +49-721-96201-99

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>