IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-08.txt

Michael StJohns <msj@nthpermutation.com> Tue, 12 December 2017 22:20 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 496FE1279E5 for <dnsop@ietfa.amsl.com>; Tue, 12 Dec 2017 14:20:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CMLjJO0LsmtZ for <dnsop@ietfa.amsl.com>; Tue, 12 Dec 2017 14:20:55 -0800 (PST)
Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22E4C127444 for <dnsop@ietf.org>; Tue, 12 Dec 2017 14:20:55 -0800 (PST)
Received: by mail-qt0-x235.google.com with SMTP id u10so1149879qtg.2 for <dnsop@ietf.org>; Tue, 12 Dec 2017 14:20:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=wrlbLMj/cSckAaL2W2P12n2/jQTS7lqoPmNLzjR8SAA=; b=G3sbLMR41G1okWtrQZQCaokzMk5jOrAwf8wguGFhPuuc2PeoVO9Hrg1FbpKRxwmtFj qwUk3PhBUuQMopkIgAPwOhAMdTpMAR7XJsEw+0X5uoSRx5RSrfejzd3OfeLYMMOt/J7K mP1fLBUhibFXqtGcMfvzL4ihFszVYTiuck9Wb9f7eywdSVK7w0n3de+E3pUrQk/xFPh/ Y5DmLxirYnuIfsiKRS2zI/iwT+Ep7icEuxFjDOo6kbJKN59mYaqrakx3JsT0+d797Ey3 OzlwsfRfpVT9q/agTj9w+RwSDuQuQN10+YWR5wRVKsEcgt4nnk/mOFij6eMYLNPSlOCR IIsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=wrlbLMj/cSckAaL2W2P12n2/jQTS7lqoPmNLzjR8SAA=; b=Pvn7yDGiEKQOJIRcgDT60ykeOoNb4jpWfUIDfgYxutP3kwLsvw6+Mxkn+rxdbrGYIc UYWgQjeeXHXp8YF7kTjgrcDV4lNcbh6Y3MRLZn0RorLdWNqDtFwhMuvdd3EcV3OmcKjq PL1rME41qF0CptO6kkFQ1T6CP1FUHvzP1W8ycd8CMUsqLjXMn6Koj0xBdEml7mQNE/vy HPDMfU6Ig7+HbG0afpYQzmSd6ltp9uUIkHwOuLGsHFc+GBaPeVLHS68+H1cJuw+QXJrF ikR0+nxiAqX2KhEQll2GXJGulBou66MRCSPdxJSpTraDcLx4atwa5M4Z6UOrATlglUaj wu4w==
X-Gm-Message-State: AKGB3mJ3CYy4JOzUFo/Id0DkjVu8IXoJDO0sXy/A/dyZIk6ZP0StGjSZ SpKds7d3YWcVnprNBluYhkTRGYgq
X-Google-Smtp-Source: ACJfBouBotfc5Zt0b7Jl1a1thwkOjHP8ttZZVisExRbvlqvu7CvcwaPhBiC1jQrvRuQZEnvvLstEWQ==
X-Received: by 10.55.176.66 with SMTP id z63mr7519008qke.149.1513117253691; Tue, 12 Dec 2017 14:20:53 -0800 (PST)
Received: from ?IPv6:2601:152:4400:720f::1009? ([2601:152:4400:720f::1009]) by smtp.gmail.com with ESMTPSA id o24sm144844qkl.22.2017.12.12.14.20.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Dec 2017 14:20:52 -0800 (PST)
To: Wes Hardaker <wjhns1@hardakers.net>
Cc: dnsop@ietf.org
References: <151199364931.4845.3034001091375154653@ietfa.amsl.com> <yblvahshg6z.fsf@wu.hardakers.net> <9c71768d-4807-3d0a-b4b1-0ac8d066fe9f@nthpermutation.com> <yblindiavlm.fsf@w7.hardakers.net> <6d239b9a-fd1e-46a3-c705-6851dd8ffe0a@nthpermutation.com> <ybl8te8kbaq.fsf@wu.hardakers.net> <142cad85-1e0e-b4c9-1561-ad590984739a@nthpermutation.com> <yblshcfhnai.fsf@wu.hardakers.net> <1ca3daed-d521-0fcd-d1e7-eef2b781707b@nthpermutation.com> <ybl8te7fyks.fsf@wu.hardakers.net>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <26d61092-942a-16bc-e939-ed9400a17a29@nthpermutation.com>
Date: Tue, 12 Dec 2017 17:20:51 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <ybl8te7fyks.fsf@wu.hardakers.net>
Content-Type: multipart/alternative; boundary="------------EF8DC5EC144F823F96E10184"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8acgBYFkG6fmFEOzVoTM77SFh04>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-08.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Dec 2017 22:20:57 -0000

On 12/12/2017 4:03 PM, Wes Hardaker wrote:
> Michael StJohns <msj@nthpermutation.com> writes:
>
>> A "perfect" system will behave the way you've described - but adding a
>> safety factor while ignoring the phase shift brought on by retransmits
>> within the addHoldDown interval will not characterize the actual
>> system.
> Ah ha!  So, you do actually agree that my description of the perfect
> case is true, which means we really have been in violent agreement about
> the "perfect" line in the sand.  [as I've said: I absolutely understand
> the point your making about real world issues, such as timing drifts]

This is what you got out of all of that?   What I said was that doing 
any analysis starting from the "perfect" model would not lead you to the 
right place.  Your description of the perfect case is correct in its 
behavior and totally irrelevant to figuring out the final answer.

> And as I said in the last message, I agreed that a delay/phase-shift
> made sense and I'd be happy to produce a new term for it.  Ideally I'd
> like to add that into the safetyMargin because it reflects real-world
> conditions,
No - it doesn't.  Please look at the diagrams I provided and think about 
them for a day before responding.    I think you're still confusing 
system behavior with client behavior.


> and I was trying to contain that to just one particular
> term.  But I understand you don't want it buried in there, so I'll
> create a new term to deal with timing phase shifts and add that before
> the existing safetyMargin.
No - please don't. Please use the math I gave you.  It is correct.

Here's the whole diagram including retransmits in all the possible 
places and assuming a best case start compared against a "perfect" model 
with the same best case start:




The only effect of the retransmissions within the addHoldDown time is to 
shift when the final query happens.  In a pool of 10K clients, you'll 
get a percentage of those clients taking an entire activeRefresh 
interval after THEIR addHoldDown expires.

In no case does any calculation that involves an "activeRefreshOffset" 
provide a worst case analysis.
In no case does a "phaseShift" term provide any value over assuming that 
the addHoldDown expires just after the last query in the 
addHoldDownInterval.

So again:

sigExpiration + activeRefresh + addHoldDown + activeRefresh + 
retransmission slop/aka safetyFactor.





>
>> Can we stop now?
> I think so as I believe I can add words that we'll both agree to.  But
> I've said that before, so...
>
>
> The only remaining questions, just to double double be sure:
>
> 1) "is one activeRefresh period long enough to account for the slop
>     associated with time clock drifts?"
>
>     I'd argue yes, as any clock that drifted longer than an activeRefresh
>     (min = 1hr) is a seriously broken clock.  I think you agree.
I don't know why you think this matters.  Assume that drift + 
retransmissions is enough to get the phase shifted to the worst case 
(e.g. just before the end of the addHoldDown period for at least one 
client) and we're done with this analysis.

>
> 2) "is one activeRefresh period long enough to account for network
>     delays and other elements, aside from 'retries and missing queries'?"
>
>     I think you and I agree on this too, that one should be sufficient to
>     cover network delays too.
>
Again, I don't know why you think this matters.   If this is the safety 
factor, then no - you're asking the wrong question.  If this is just 
about accounting for the actual time to accomplish a query then you only 
have to account for the round trip delays for the query before the 
addHoldDown and the round trip delays for the query after.  Any delays 
during the addHoldDown time only cause the phase to shift.  Those delays 
are more than covered by a single fastQuery interval and can be ignored 
with any reasonable safetyFactor.

For the safetyFactor you want to consider how large the pool of queriers 
and how often the queries fail to figure out how big to make the safety 
factor.  This ends up looking like a cumulative distribution function 
and you're looking to pick a cutoff far enough along the curve that you 
get most (tm) of the clients having completed the installation before 
moving on. 
https://en.wikipedia.org/wiki/Binomial_distribution#/media/File:Binomial_distribution_cdf.svg 
for example.

Later, Mike

v2.23.0 | Report a Bug | By Email