Re: [dnsext] [spfbis] Sean Turner's No Objection on draft-ietf-spfbis-4408bis-19: (with COMMENT)
Douglas Otis <doug.mtview@gmail.com> Tue, 01 October 2013 07:55 UTC
Return-Path: <doug.mtview@gmail.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36C7721F93BF; Tue, 1 Oct 2013 00:55:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[AWL=0.149, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rVyedfpzSkLW; Tue, 1 Oct 2013 00:55:37 -0700 (PDT)
Received: from mail-pd0-x22a.google.com (mail-pd0-x22a.google.com [IPv6:2607:f8b0:400e:c02::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 7357F21F89FF; Tue, 1 Oct 2013 00:55:37 -0700 (PDT)
Received: by mail-pd0-f170.google.com with SMTP id x10so6864183pdj.15 for <multiple recipients>; Tue, 01 Oct 2013 00:55:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xzGTk/YHvuVICyRNxMld0kiT+f/pUWjAspyQ3Zh0yrw=; b=0WxWXf9gdVkde3OdpzcR2/CB8Miovzllez5zRTfqPa1Xelq6fpVusPdlOkdyuO5JAe iYVCY8F3w2Q7JS6eqGL8jlufhMLKqboF87WCzLdn1960lOfh1kspFvZN6k1xhpJrEU2x zr0PqN+m97b29Bu+j9cBmi2xY+fMSYKaFYdxo/gZtF6X7i1H0fsxq1+bB3ui2ka/5hNt EmwTC9qqpiFfogIfcsOjf44Iq39VOGIe+7Gu49+GmNHz3wBz2TMVeMcJnLNYgMLARrRI qlyncEsyNjBz6ljXqYyXc/ttcfcHRozXvsdIiSJgt3zGE8VPHJX8nP/Zqv809tGkyNlW YaYA==
X-Received: by 10.68.189.163 with SMTP id gj3mr28063389pbc.102.1380614137146; Tue, 01 Oct 2013 00:55:37 -0700 (PDT)
Received: from [192.168.2.201] (c-24-6-103-174.hsd1.ca.comcast.net. [24.6.103.174]) by mx.google.com with ESMTPSA id k4sm5241939pbd.11.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 01 Oct 2013 00:55:34 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <20130912150227.57069.qmail@joyce.lan>
Date: Tue, 01 Oct 2013 00:55:31 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <620FDB21-B8AD-41C4-BA4F-1616D8425B98@gmail.com>
References: <20130912150227.57069.qmail@joyce.lan>
To: John Levine <johnl@taugh.com>
X-Mailer: Apple Mail (2.1510)
Cc: spfbis@ietf.org, "dnsext@ietf.org Group" <dnsext@ietf.org>
Subject: Re: [dnsext] [spfbis] Sean Turner's No Objection on draft-ietf-spfbis-4408bis-19: (with COMMENT)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2013 07:55:38 -0000
Dear John, See comments inline. On Sep 12, 2013, at 8:02 AM, John Levine <johnl@taugh.com> wrote: > I don't see anything about SPF that makes DNS spoofing more of a > problem than any other DNS application, so I don't see why it needs > another plug for DNSSEC. For the record, I would like to strongly disagree with this statement. SPFbis represents a significant change in how DNS and DNSSEC can be abused and network amplifications achieved. SPF introduces predefined "mechanisms" in conjunction with "macros" that operate on message elements rather than just DNS resources. These "mechanisms" combine with "macros" (if actually implemented by large providers) to allow any compromised system to leverage cached Resource Records to induce recipients into making more than 222 uniquely directed DNS transactions derived from check_host() message elements (111 DNS transactions for each of the two SPFbis check_host() message elements). NO MITIGATION of this type of threat is possible without ignoring SPFbis records containing "macros". This mitigation remains practical only by email providers (not DNS operators) since only 0.00053 of the domains publish records with a "macro" feature. When DNSSEC is used, network amplification calculations change dramatically. For example, the "PTR" or "MX" "mechanism" can be invoked 10 times where each instance can resolve addresses for 10 RRs. For the PTR mechanism, each invocation is permitted to return any number of PTR RRs where the upper bound on the response size could be 8x larger. While SPFbis recommends against their publication, there is no recommendation against these "mechanisms" being processed by recipients which is where the threat is realized. The complexity is represented by the target modulation permitted by SPFbis "macros". RFC4033 does not offer any mitigation for this type of threat which becomes significantly worse when the DNS Message constraint changes from 512 octets and each message can then cause 222 massive UDP DNS transactions against two likely unrelated names constructed by macro expansion that SPFbis recommends be resolved. > On the other hand, it's not a big deal, if it'll make the discuss go away, that's fine. I don't think any DNS abuse mitigation strategy would be effective against SPFbis misuse of DNS. SPFbis offers unknown entities significant access to DNS resources that can not be blocked by BCP38, rate limiting, or even be identified by RR Type or naming convention. Sending a 1KB message could result in network amplifications significantly greater than that provided by source address spoofing. The reason this is not likely an issue is that providers are not processing SPF records that contain macros because they may prefetch SPF records as a means of whitelisting which precludes use of "macros". If so, "macros" may introduce significant interchange issues. Too bad no survey was made regarding the publication or the processing of SPFbis "macros". Regards, Douglas Otis >>>> ---------------------------------------------------------------------- >>>> COMMENT: >>>> ---------------------------------------------------------------------- >>>> >>>> Should s11.3 also provide a mitigation via a reference for the spoofed >>>> DNS? Right now it just points to the DNS threats RFC. I guess the >>>> reader can infer they should use DNSSEC if they're worried but adding a >>>> pointer to the right RFC would be better. Something as simple as adding >>>> "... and see [RFCXYZ] for a countermeasure" or something like that. >>> >>> I'll suggest: >>> >>> and see RFC 4033 for a countermeasure. >>> >>> and leave it to the SPFBIS WG to comment on the above. >> >> That would work for me. > _______________________________________________ > spfbis mailing list > spfbis@ietf.org > https://www.ietf.org/mailman/listinfo/spfbis
- Re: [dnsext] [spfbis] Sean Turner's No Objection … Douglas Otis