[dnsext] Re: DNS hardening, was Re: Dan Kaminsky
Paul Vixie <vixie@isc.org> Thu, 06 August 2009 15:29 UTC
From: Paul Vixie <vixie@isc.org>
To: namedroppers@ops.ietf.org
Subject: [dnsext] Re: DNS hardening, was Re: Dan Kaminsky
In-Reply-To: Your message of "Thu\, 06 Aug 2009 07\:22\:14 GMT." <82eirp8l09.fsf@mid.bfk.de>
References: <20090805164823.43774.qmail@simone.iecc.com> <4A79CB90.708@mail-abuse.org> <90CEC867-A870-4E45-AFC2-898AD655699E@arbor.net> <4A79F8A3.9040302@mail-abuse.org> <75cb24520908051449n29c53491m90fd021022d9816f@mail.gmail.com> <4A7A0D6C.90808@mail-abuse.org> <75cb24520908051853t6c0f05d3l94c404d3227d191c@mail.gmail.com> <g3my6diger.fsf@nsa.vix.com> <82eirp8l09.fsf@mid.bfk.de>
Date: Thu, 06 Aug 2009 15:26:14 +0000
Message-ID: <18671.1249572374@nsa.vix.com>
doug otis, paul vixie, and florian weimer splashed some SCTP over on nanog@ in
the last 24 hours.  here's the interesting part, as i measure such things:

> Subject: Re: DNS hardening, was Re: Dan Kaminsky
> From: Florian Weimer <fweimer@bfk.de>
> Date: Thu, 06 Aug 2009 07:22:14 +0000
>
> * Paul Vixie:
>
> > there is no server side protocol control block required in SCTP.
>
> SCTP needs per-peer state for congestion control and retransmission.
>
> > someone sends you a "create association" request, you send back a
> > "ok, here's your cookie" and you're done until/unless they come back
> > and say "ok, here's my cookie, and here's my DNS request."  so a
> > spoofer doesn't get a cookie and a reflector doesn't burden a server
> > any more than a ddos would do.
>
> This is a red herring.  The TCP state issues are deeper and haven't
> got much to do with source address validation.  The issues are mostly
> caused by how the BSD sockets API is designed.  SCTP uses the same API
> model, and suffers from similar problems.
>
> > because of the extra round trips nec'y to create an SCTP "association"
> > (for which you can think, lightweight TCP-like session-like), it's
> > going to be nec'y to leave associations in place between iterative
> > caches and authority servers, and in place between stubs and iterative
> > caches.
>
> This doesn't seem possible with current SCTP because the heartbeat
> rate quickly adds up and overloads servers further upstream.  It also
> does not work on UNIX-like systems where processes are short-lived and
> get a fresh stub resolver each time they are restarted.
>
> --
> Florian Weimer <fweimer@bfk.de>
> BFK edv-consulting GmbH       http://www.bfk.de/
> Kriegsstraße 100              tel: +49-721-96201-1
> D-76133 Karlsruhe             fax: +49-721-96201-99
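The two positions quoted above can be seen side by side in a small model of the cookie handshake: Vixie's point that an INIT from a spoofed source costs the server nothing stored, and Weimer's point that per-peer state (congestion window, retransmission queue) does appear as soon as the association is actually established. This is an added example written for this archive page, not code from the thread, from NANOG, or from any SCTP implementation; the message shapes, the HMAC-SHA256 cookie layout, the 60-second cookie lifetime and all addresses are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed cookie lifetime; real stacks pick their own value.
COOKIE_LIFETIME = 60  # seconds


class CookieServer:
    """Stateless INIT / INIT-ACK, stateful only after a verified COOKIE-ECHO.

    The cookie is HMAC(secret, source ip | source port | peer tag | timestamp),
    so it is bound to the address the INIT-ACK was sent to.  A sender that
    spoofed someone else's address never sees the cookie and cannot forge it.
    """

    def __init__(self, secret=None, now=time.time):
        self.secret = secret or os.urandom(32)
        self.now = now
        # Per-peer state lives here and is only created after COOKIE-ECHO verifies.
        self.associations = {}
        self.inits_answered = 0

    def _mac(self, peer, peer_tag, ts):
        msg = f"{peer[0]}|{peer[1]}|{peer_tag}|{ts}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def on_init(self, peer, peer_tag):
        """Answer an INIT from (ip, port) with an INIT-ACK carrying a cookie.

        Nothing about this peer is remembered: a flood of spoofed INITs only
        costs the CPU for one HMAC each plus the reflected INIT-ACK.
        """
        self.inits_answered += 1
        ts = int(self.now())
        cookie = struct.pack("!Q", ts) + self._mac(peer, peer_tag, ts)
        return {"type": "INIT-ACK", "cookie": cookie}

    def on_cookie_echo(self, peer, peer_tag, cookie):
        """Verify a returned cookie against the *observed* source, then allocate state."""
        if len(cookie) != 8 + 32:
            return {"type": "ABORT", "reason": "malformed cookie"}
        ts = struct.unpack("!Q", cookie[:8])[0]
        if int(self.now()) - ts > COOKIE_LIFETIME:
            return {"type": "ABORT", "reason": "stale cookie"}
        if not hmac.compare_digest(cookie[8:], self._mac(peer, peer_tag, ts)):
            # A real stack would silently discard; an explicit ABORT keeps the model readable.
            return {"type": "ABORT", "reason": "cookie not bound to this source"}
        # Weimer's point: from here on the server holds per-peer state for
        # congestion control and retransmission, exactly like a TCP connection.
        self.associations[peer] = {
            "peer_tag": peer_tag,
            "cwnd": 4380,       # constructed initial congestion window
            "rto": 3.0,         # constructed initial retransmission timeout
            "unacked": [],      # retransmission queue
        }
        return {"type": "COOKIE-ACK"}

    def state_count(self):
        return len(self.associations)


def demo():
    """Walk a spoofing flood, a forged cookie, a legitimate handshake and a replay."""
    srv = CookieServer(secret=b"k" * 32)
    victim = ("192.0.2.10", 53000)        # constructed, documentation range
    other_host = ("198.51.100.7", 40000)  # constructed, documentation range

    # 1. A flood of INITs claiming the victim's address: answered, nothing stored.
    for _ in range(1000):
        srv.on_init(victim, peer_tag=1)
    flood_left_no_state = srv.state_count() == 0

    # 2. A cookie that was never issued fails the MAC check.
    forged = struct.pack("!Q", int(time.time())) + b"\x00" * 32
    forged_result = srv.on_cookie_echo(other_host, 1, forged)["type"]

    # 3. The real owner of the address completes the handshake and gets state.
    ack = srv.on_init(victim, peer_tag=7)
    legit_result = srv.on_cookie_echo(victim, 7, ack["cookie"])["type"]

    # 4. The same valid cookie echoed from a different source is rejected.
    replay_result = srv.on_cookie_echo(other_host, 7, ack["cookie"])["type"]

    return flood_left_no_state, forged_result, legit_result, replay_result, srv.state_count()


if __name__ == "__main__":
    print(demo())
```

The model deliberately stops where the thread's disagreement starts: it shows the INIT path costing no memory, and it shows that the moment an association is accepted the server is carrying per-peer state that something (heartbeats, idle timers, process exit) has to retire.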