Re: how many angels can dance on the head of a pin?

Alex Bligh <alex@alex.org.uk> Sun, 10 August 2008 09:33 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4E7E83A68A0; Sun, 10 Aug 2008 02:33:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.271
X-Spam-Level: *
X-Spam-Status: No, score=1.271 tagged_above=-999 required=5 tests=[AWL=-0.093, BAYES_20=-0.74, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JfZqGmTy6i7W; Sun, 10 Aug 2008 02:33:43 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 75E1C3A67F9; Sun, 10 Aug 2008 02:33:43 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KS7DY-000Pf7-6c for namedroppers-data@psg.com; Sun, 10 Aug 2008 09:28:04 +0000
Received: from [217.147.82.63] (helo=mail.avalus.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <alex@alex.org.uk>) id 1KS7DU-000Pdz-J1 for namedroppers@ops.ietf.org; Sun, 10 Aug 2008 09:28:02 +0000
Received: from [192.168.100.3] (localhost [127.0.0.1]) by mail.avalus.com (Postfix) with ESMTP id 814F6C2DB3; Sun, 10 Aug 2008 10:27:56 +0100 (BST)
Date: Sun, 10 Aug 2008 10:31:41 +0100
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: Alex Bligh <alex@alex.org.uk>, Duane at e164 dot org <duane@e164.org>
cc: bmanning@vacation.karoshi.com, Namedroppers <namedroppers@ops.ietf.org>, Alex Bligh <alex@alex.org.uk>
Subject: Re: how many angels can dance on the head of a pin?
Message-ID: <70CC931622BD9710F13283EA@nimrod.local>
In-Reply-To: <6751CAB7406138E7F72B474E@nimrod.local>
References: <200808080237.m782bBqk005628@drugs.dv.isc.org> <489BBA1C.1040107@e164.org> <489E4D44.1080306@links.org> <20080810042136.GA18568@vacation.karoshi.com.> <489E89B6.6090208@e164.org> <01B9CF1DF0A4A4443A6E73A4@nimrod.local> <489EAFCD.2090204@e164.org> <6751CAB7406138E7F72B474E@nimrod.local>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>


--On 10 August 2008 10:22:27 +0100 Alex Bligh <alex@alex.org.uk> wrote:

> Some NATs (e.g.) have the behaviour of using a constant source port by
> DNS, or a source port incrementing by 1 for each query (which is just
> as bad).

I should have added that whilst non-broken NATs don't make things worse
(*), they also don't make things better.

* = though arguably anything that compresses the

> If the attacker can't send requests and replies they would need to be in
> the path to alter things.

The data path being directly attacked is that from the caching server
(via the NAT) to the authoritative server (which is partly outside the NAT)
not between the stub resolver and the caching server (which is entirely
inside the NAT).

Alex

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
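The point of the exchange above is that the source ports an off-path forger has to guess are the ones seen on the outside of the NAT, on the path from the caching resolver to the authoritative server, so that is where a defender should measure them. The following is an added illustration, not code from Alex Bligh or from the namedroppers list: it parses the UDP source ports out of a few constructed tcpdump-style capture lines (the resolver address 192.0.2.10, the authoritative address 198.51.100.1 and the port values are all made up), labels the pattern as constant, sequential or randomized, and gives a coarse estimate of the search space a forger faces once the 16-bit transaction ID is combined with whatever the port contributes. The log-line format, the regular expression and the spread-based entropy estimate are assumptions of this example; the estimate is meant for comparing a resolver before and after the NAT, not as a precise entropy measurement.

```python
import math
import re

# Constructed tcpdump-style capture of a resolver's outbound queries as they
# would appear on the outside of the NAT (not real traffic). The UDP source
# port is the number after the resolver's address, 192.0.2.10.<port>.
SAMPLE_CAPTURE = """\
10:31:41.100 IP 192.0.2.10.40000 > 198.51.100.1.53: 1001+ A? a.example. (27)
10:31:41.120 IP 192.0.2.10.40001 > 198.51.100.1.53: 1002+ A? b.example. (27)
10:31:41.140 IP 192.0.2.10.40002 > 198.51.100.1.53: 1003+ A? c.example. (27)
10:31:41.160 IP 192.0.2.10.40003 > 198.51.100.1.53: 1004+ A? d.example. (27)
10:31:41.180 IP 192.0.2.10.40004 > 198.51.100.1.53: 1005+ A? e.example. (27)
"""

# Constructed sample of what a resolver with proper port randomization emits.
RANDOMIZED_PORTS = [51023, 33791, 60412, 1025, 45801, 27734, 58002, 38190]

# Matches "IP <src-addr>.<src-port> > <dst-addr>.53:" and captures the source
# port; assumes tcpdump's default "addr.port" notation.
QUERY_RE = re.compile(r"IP \S+?\.(\d+) > \S+\.53: ")


def parse_source_ports(capture_text):
    """Return the UDP source port of every query-to-port-53 line, in order."""
    ports = []
    for line in capture_text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            ports.append(int(match.group(1)))
    return ports


def classify_ports(ports):
    """Label the port pattern: constant, sequential, near-sequential or randomized."""
    if len(ports) < 2:
        return "insufficient"
    if len(set(ports)) == 1:
        return "constant"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(s == 1 for s in steps):
        return "sequential"
    # Small positive steps are still predictable from a single observed query,
    # which is why the message calls incrementing ports "just as bad".
    if all(0 < s <= 4 for s in steps):
        return "near-sequential"
    return "randomized"


def spoof_work_bits(ports, txid_bits=16):
    """Coarse size, in bits, of the space an off-path forger must cover.

    The transaction ID always contributes txid_bits. A constant or stepping
    source port contributes nothing once one query has been observed; a
    randomized port contributes roughly log2 of the spread seen in the sample.
    """
    label = classify_ports(ports)
    if label in ("constant", "sequential", "near-sequential"):
        return float(txid_bits)
    spread = max(ports) - min(ports) + 1
    return txid_bits + math.log2(spread)


if __name__ == "__main__":
    observed = parse_source_ports(SAMPLE_CAPTURE)
    print("observed ports:", observed)
    print("pattern:", classify_ports(observed))
    print("forger search space (bits):", round(spoof_work_bits(observed), 2))
    print("randomized sample (bits):", round(spoof_work_bits(RANDOMIZED_PORTS), 2))
```

Run the same parser against a capture taken inside the NAT and one taken outside it: a resolver that randomizes ports internally but sits behind a NAT that rewrites them to a constant or incrementing value will show "randomized" on the inside and "sequential" or "constant" on the outside, which is exactly the case where the NAT has undone the resolver's mitigation.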