[dnsext] SCTP trials on NANOG, 3 of 3 (Re: DNS hardening)
Paul Vixie <vixie@isc.org> Sat, 08 August 2009 15:54 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6D1C828C227; Sat, 8 Aug 2009 08:54:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.808
X-Spam-Level:
X-Spam-Status: No, score=-1.808 tagged_above=-999 required=5 tests=[AWL=-0.724, BAYES_00=-2.599, J_CHICKENPOX_31=0.6, J_CHICKENPOX_33=0.6, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RIWm6j+UhyjQ; Sat, 8 Aug 2009 08:54:28 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 0C5573A6C76; Sat, 8 Aug 2009 08:53:50 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1MZo87-000P3n-4T for namedroppers-data0@psg.com; Sat, 08 Aug 2009 15:46:47 +0000
Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <vixie@vix.com>) id 1MZo80-000P2q-8q for namedroppers@ops.ietf.org; Sat, 08 Aug 2009 15:46:43 +0000
Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id 04925AC090 for <namedroppers@ops.ietf.org>; Sat, 8 Aug 2009 15:46:40 +0000 (UTC) (envelope-from vixie@nsa.vix.com)
From: Paul Vixie <vixie@isc.org>
To: namedroppers@ops.ietf.org
Subject: [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DNS hardening)
In-Reply-To: Your message of "Fri, 07 Aug 2009 22:41:05 -0400." <20090807224105.62dfb659@cs.columbia.edu>
References: <20090805164823.43774.qmail@simone.iecc.com> <4A79CB90.708@mail-abuse.org> <90CEC867-A870-4E45-AFC2-898AD655699E@arbor.net> <4A79F8A3.9040302@mail-abuse.org> <75cb24520908051449n29c53491m90fd021022d9816f@mail.gmail.com> <4A7A0D6C.90808@mail-abuse.org> <75cb24520908051853t6c0f05d3l94c404d3227d191c@mail.gmail.com> <g3my6diger.fsf@nsa.vix.com> <20090807224105.62dfb659@cs.columbia.edu>
X-Mailer: MH-E 8.1; nil; GNU Emacs 22.2.1
Date: Sat, 08 Aug 2009 15:46:40 +0000
Message-ID: <71652.1249746400@nsa.vix.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
i'm fwd'ing these here to be sure that protocol people and not just ops people have a chance to see and hear what's being said and asked re: SCTP. > Date: Fri, 7 Aug 2009 22:41:05 -0400 > From: "Steven M. Bellovin" <smb@cs.columbia.edu> > To: Paul Vixie <vixie@isc.org> > Cc: nanog@merit.edu > Subject: Re: DNS hardening, was Re: Dan Kaminsky > Organization: Columbia University > X-Mailer: Claws Mail 3.7.0 (GTK+ 2.16.0; x86_64--netbsd) > > On Thu, 06 Aug 2009 06:51:24 +0000 > Paul Vixie <vixie@isc.org> wrote: > > > Christopher Morrow <morrowc.lists@gmail.com> writes: > > > > > how does SCTP ensure against spoofed or reflected attacks? > > > > there is no server side protocol control block required in SCTP. > > someone sends you a "create association" request, you send back a > > "ok, here's your cookie" and you're done until/unless they come back > > and say "ok, here's my cookie, and here's my DNS request." so a > > spoofer doesn't get a cookie and a reflector doesn't burden a server > > any more than a ddos would do. > > > > because of the extra round trips nec'y to create an SCTP > > "association" (for which you can think, lightweight TCP-like > > session-like), it's going to be nec'y to leave associations in place > > between iterative caches and authority servers, and in place between > > stubs and iterative caches. however, because the state is mostly on > > the client side, a server with associations open to millions of > > clients at the same time is actually no big deal. > > Am I missing something? The SCTP cookie guards against the equivalent > of SYN-flooding attacks. The problem with SCTP is normal operations. > A UDP DNS query today takes a message and a reply, with no (kernel) > state created on the server end. For SCTP, it takes two round trips to > set up the connection -- which includes kernel state -- followed by the > query and reply, and tear-down. I confess that I don't remember the > SCTP state diagram; in TCP, the side that closes first can end up in > FIN-WAIT2 state, which is stable. That is, suppose the server -- the > loaded party -- tries to shed kernel state by closing its DNS socket > first. If the client goes away or is otherwise uncooperative, the > server will then end up in FIN-WAIT2, in which case kernel memory is > consumed "forever" by conforming server TCPs. Does SCTP have that > problem? > > > --Steve Bellovin, http://www.cs.columbia.edu/~smb -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie
- [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DNS ha… Paul Vixie
- [dnsext] SCTP trials over on NANOG, 2 of 3 (Re: D… Paul Vixie
- Re: [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DN… Doug Otis
- Re: [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DN… Paul Vixie
- Re: [dnsext] SCTP trials on NANOG, 3 of 3 (Re: DN… Douglas Otis