Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt

Paul Vixie <paul@redbarn.org> Sat, 02 March 2019 02:33 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA91212D4EA for <dnsop@ietfa.amsl.com>; Fri, 1 Mar 2019 18:33:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T1r2-1uYYZWz for <dnsop@ietfa.amsl.com>; Fri, 1 Mar 2019 18:33:24 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4036E129284 for <dnsop@ietf.org>; Fri, 1 Mar 2019 18:33:24 -0800 (PST)
Received: from [IPv6:2001:df0:eb:2f00:560:293b:9a4f:1cf2] (unknown [IPv6:2001:df0:eb:2f00:560:293b:9a4f:1cf2]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id E27E8892C8; Sat, 2 Mar 2019 02:33:22 +0000 (UTC)
To: Mark Andrews <marka@isc.org>
Cc: fujiwara@jprs.co.jp, dnsop@ietf.org
References: <20190301.211448.2262229485785576167.fujiwara@jprs.co.jp> <8E7BCFB9-4578-4EAB-8CE7-B1C3BEF5B0C4@isc.org>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <56fa471b-f6aa-77e8-61ec-420dc6ebb781@redbarn.org>
Date: Fri, 1 Mar 2019 18:33:20 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <8E7BCFB9-4578-4EAB-8CE7-B1C3BEF5B0C4@isc.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AL6jRMCWRoRQpMOKbf7I2xeENmc>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2019 02:33:26 -0000


Mark Andrews wrote on 2019-03-01 12:00:
> Or one can use TSIG with a well known key to get a cryptograph hash
> of the response. ...

i prefer this approach. no matter how bad fragmentation was in V4 and no 
matter how much worse it is in V6, we must not lock ourselves into 
packets whose size is computed from the analog properties of 10Mbit 
ethernet (1500) minus a whole bunch of witch-craft fudge factors. i 
expect to live until around 2050, and by that time i'd like to use a LAN 
max packet size that's only 1/15000th of capacity (as 10Mbit ethernet 
had), and to either use smaller packets when forwarding through a WAN 
gateway, or make fragmentation possible, which V6 has unintentionally 
made presently impossible.

-- 
P Vixie