Re: [DNSOP] Suggestion for "any" - TCP only

Hugo Maxwell Connery <hmco@env.dtu.dk> Tue, 10 March 2015 03:11 UTC

From: Hugo Maxwell Connery <hmco@env.dtu.dk>
To: Paul Vixie <paul@redbarn.org>, Paul Wouters <paul@nohats.ca>
Thread-Topic: [DNSOP] Suggestion for "any" - TCP only
Date: Tue, 10 Mar 2015 03:09:56 +0000
Message-ID: <6CB05D82CE245B4083BBF3B97E2ED47027BD20@ait-pex01mbx01.win.dtu.dk>
References: <CAH1iCir+h+Kfj1q6JSqhGJ9ev0TQwRDSMci3APKCR=gJAW1phQ@mail.gmail.com> <alpine.LFD.2.10.1503082115040.2914@bofh.nohats.ca> <54FD1969.3070405@redbarn.org> <alpine.LFD.2.10.1503082359510.31060@bofh.nohats.ca> <54FD2F2F.7050704@redbarn.org> <alpine.LFD.2.10.1503090936560.13703@bofh.nohats.ca>, <54FE3C36.9090808@redbarn.org>
In-Reply-To: <54FE3C36.9090808@redbarn.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/AcnAQ1T27DRUdB-m9mh-2iGi0HA>
Cc: dnsop <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [DNSOP] Suggestion for "any" - TCP only

+1

(privacy response is with all, and this specific issue is not an amplification one)

Hugo Connery,
Technical University of Denmark
________________________________________
From: DNSOP [dnsop-bounces@ietf.org] on behalf of Paul Vixie [paul@redbarn.org]
Sent: Tuesday, 10 March 2015 01:35
To: Paul Wouters
Cc: dnsop; Brian Dickson
Subject: Re: [DNSOP] Suggestion for "any" - TCP only

On Monday, March 09, 2015 10:02 PM, Paul Wouters <paul@nohats.ca> wrote:
> On Sun, 8 Mar 2015, Paul Vixie wrote:
>
>> So why are we proposing to ACL the ANY queries again?
>
> because people like me with dig-based diagnostic tools want to be able
> to run ANY queries against our own servers, from our NOC/SOC.

Fair enough.

> Cloudflare is not doing this for privacy reasons. So let's not kid
> ourselves.

cloudflare's motives are their own affair. our motives, as a community,
for getting behind the cloudflare proposal, are what should concern us.

> But all the text you want to remove from the -00 points to why people in
> real life will deploy this, and you are stating that is a wrong use of the
> draft. Your suggestion of removing the text won't change what people
> will actually use this draft for, which is to fight amplification
> attacks (and avoid needing to implement "difficult ANY code")

anyone who uses this draft to defend against amplification or reflection is a fool, or else, was misled by some assertion made in the draft or on this mailing list that blocking ANY (or other meta-queries) is an effective defense against reflection/amplification. we have to stick a pitchfork in the neck of that idea. or, if you prefer: that idea is a criminal whose head should be on a pike outside the city wall.

> Another argument I've heard is about the privacy of a cache. If that's
> the goal of the draft, perhaps we should move it to dprive and make
> that explicit?

we don't have to move something to dprive just because it touches on privacy. limiting surveillance opportunities by intermediaries is no one working group's sole charge -- it's something all working groups must do.

> If we specifically want to address the ANY amplification,

we don't. this is not an amplification issue.

> ... If we look at the core issue, amplification based on
> spoofed source IPs,

amplification based on spoofed source IPs is not the core issue.

but we can go back and forth beating that dead meme another few dozen times if you want.

--
Paul Vixie