Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt
fujiwara@jprs.co.jp Mon, 04 March 2019 11:43 UTC
Return-Path: <fujiwara@jprs.co.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5E3712D4F0 for <dnsop@ietfa.amsl.com>; Mon, 4 Mar 2019 03:43:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ANeous1acC-7 for <dnsop@ietfa.amsl.com>; Mon, 4 Mar 2019 03:43:18 -0800 (PST)
Received: from off-send01.osa.jprs.co.jp (off-send01.osa.jprs.co.jp [IPv6:2001:218:3001:17::10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AD09128701 for <dnsop@ietf.org>; Mon, 4 Mar 2019 03:43:17 -0800 (PST)
Received: from off-sendsmg01.osa.jprs.co.jp (off-sendsmg01.osa.jprs.co.jp [172.23.8.61]) by off-send01.osa.jprs.co.jp (8.14.4/8.14.4) with ESMTP id x24BhFpF022487; Mon, 4 Mar 2019 20:43:15 +0900
Received: from off-sendsmg01.osa.jprs.co.jp (localhost [127.0.0.1]) by postfix.imss71 (Postfix) with ESMTP id A996C1800B6; Mon, 4 Mar 2019 20:43:14 +0900 (JST)
Received: from localhost (off-cpu05.osa.jprs.co.jp [172.23.4.15]) by off-sendsmg01.osa.jprs.co.jp (Postfix) with ESMTP id 9E3411800B2; Mon, 4 Mar 2019 20:43:14 +0900 (JST)
Date: Mon, 04 Mar 2019 20:43:14 +0900
Message-Id: <20190304.204314.379212645659552827.fujiwara@jprs.co.jp>
To: jinmei@wide.ad.jp
Cc: dnsop@ietf.org
From: fujiwara@jprs.co.jp
In-Reply-To: <CAJE_bqeMMiqpnPfVZiWGWS3OgjUqjpLQzYpYAb=utfn8cc9NVg@mail.gmail.com>
References: <20190301.211448.2262229485785576167.fujiwara@jprs.co.jp> <CAJE_bqeMMiqpnPfVZiWGWS3OgjUqjpLQzYpYAb=utfn8cc9NVg@mail.gmail.com>
X-Mailer: Mew version 6.6 on Emacs 24.4 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1690-8.2.0.1013-24468.007
X-TM-AS-Result: No--14.185-5.0-31-10
X-imss-scan-details: No--14.185-5.0-31-10
X-TMASE-MatchedRID: pQ19oJpqo0JCXIGdsOwlUu5i6weAmSDKYawhvkuLgj6qvcIF1TcLYJUa O6918oTXROwS2FMrZ3AIxqETeiFLxY9fIGBGUrQ7ypeMiaCPnxsS12tj9Zvd89vpj5+dNlQv1Xa SwLj62i0rdAMnhrJg+GZHQLkpqu/3hK+jf0W+OEqM29hkek7Xd0vE+2pLwGbnsp5O052MzLrKBc 2ctUsoWmX3XXIEyqcLAsFvXH2XLBglPCAsfAiuNOG5dRZCgxC3cOU2OeTiRIua5P4PsuDqT+TUu EDszCu7UT8soflkgc4vnh8ihWv+/+2a5h7qBTRXZwmQqXe/8sMVATEbq/G3PPgnJH5vm2+gBB2y rv+tAVJjtC+Ij5SqgR5K3CGh7bCD3yrJOsLaRnkpa6LJktEjgIPAtNs5CO8OmHy7uaiMrL7CjLJ m4KdS/mCVTinXAnJf3s883kUtqmIJ6wzMnv4Oz32vdGJjFKc9udcAdgVI8xnI9EDAP/dptrYVCx +TiDpczUhNS1C/nraaiesM0ASpe3U02ifyev4YfuyIS1ZjfruL/KYnYVWDlDnZfxjBVQRbYU3L3 ZLgEn6N/ziTW5bneKc3Rxh/HtJoLJiQLRvk9Ypc/msUC5wFQX0tCKdnhB58vqq8s2MNhPC5kdju glC8DZYzX80HJ4XXsvUPdmSpWNrOFywbGAXrgiq2rl3dzGQ1tsl1cesvX39cCwfYZHrjmxVAH3i stKjgEEKYXNBKw+9BrPSU4LyP0Q==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CVWd76AlXqGnOOAjtgxPM2XvnU8>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2019 11:43:22 -0000
> From: 神明達哉 <jinmei@wide.ad.jp> >> https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01 >> >> It summarized DNS cache poisoning attack using IP fragmentation >> and countermeasures. >> >> If the draft is interested, I will request timeslot at IETF 104. > > I've read the draft. I think it's generally well written and contains > useful information. Thanks very much. > Some specific comments follow: > > - general: I wonder whether the effect of this problem can be > substantially different between IPv6 and IPv4. As the draft itself > discusses, IPv6 has a much larger ID space for fragmentation (the > existence of implementations that generate predictable IDs is an > implementation issue; in the case of IPv4 it's a protocol issue). > IPv6 also has a much larger minimum MTU. In practice, I suspect > most (unsigned) important responses can fit in the minimum MTU, > substantially affecting the practical severity of the attack. I'm > not saying that we don't have to take any measure for the IPv6 case, > but I think this difference is worth noting in the draft explicitly. I agree and need to consider how to update. > - general: the draft the term "full-service resolver" in Abstract and > throughout the document. It may be only me, but I always feel this > term is confusing and misleading, even after the publication of > RFC8499. It's not very clear to me whether "full-service" excludes > "forwarding only" resolvers. RFC8499 refers to RFC1123, and its > definition is also unclear to me in this sense. If this confusion > is not only mine, I think the use of the term is rather harmful, > since the issue discussed in this draft shouldn't exclude forwarding > only resolvers. What matters here is a resolver with a cache, and > in that sense I'd rather suggest just saying "(recursive) resolver"; > it should be obvious that it's about a resolver with the cache from > the context. I will consider the comment. > - general: on a related point, I suspect the discussion about > authoritative servers is not actually specific to authoritative > servers; consider the case of a recursive server that takes queries > from forwarding only resolvers. It should be generally applicable > to any DNS "responder", and I'd suggest revising the draft > accordingly. DNS forwarders and stub resolvers may be target of cache poisoning attacks. Then, path MTU attack targets are DNS responders (auth/resolver servers). > - general: since this is about off-path cache poisoning attacks, you > may also want to refer to DNS cookies (RFC7873) as a possible measure. I agree. > - Section 3 > > Linux 2.6.32, Linux 4.18.20 > and FreeBSD 12.0 accept crafted "ICMPv6 Packet Too Big" packet and > path MTU decreased to 1280. > > I suspect this often doesn't matter much in practice. Since IPv6 > doesn't allow fragmentation and PMTU discovery isn't very effective for ^^^^^^^^^^^^^ on-path fragmentation ? > DNS responders, the server implementation should set > IPV6_USE_MIN_MTU and expect that MTU anyway (several implementations > actually set this option; some others don't, but they are just lucky > to not encounter the problem or receive complaints about it). If setting IPV6_USE_MIN_MTU, does the server use 1280 as all path MTU value ? Without IPV6_DONTFRAG option, are responses larger than 1280 fragmented ? I observed many fragmented IPv6 DNS responses whose packet size are 1496 or 1500. # What I was interested in was that many implementations accept # crafted "ICMPv6 Packet Too Big". > - Section 4.2 > > Limiting EDNS0 requestor's UDP payload size [RFC6891] to 1220/1232 on > IPv6 is a measure of path MTU attacks on IPv6 because minimal MTU > size of IPv6 is 1280 and most of implementations ignore ICMPv6 packet > too big packets whose MTU size is smaller than 1280. > > I suggest removing "and most of implementations..." since even if an > implementation accepts ICMPv6 PMTU with MTU < 1280, it doesn't mean > they fragment packets at that size. > > - Section 4.8 > > Some operators that support [RFC8078] said that they use TCP only for > transport to avoid cache poisoning attacks. > > It's not clear (to me at least) how RFC8078 is related to a TCP-only > operation. Some more explanation may help. > > - Section 5 > > o Full-service resolvers may retry name resolution by TCP. > > I don't get exactly what this means...in which case does it suggest > the retry with TCP? I will add texts. -- Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
- [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.t… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… Mark Andrews
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… 神明達哉
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… Paul Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… 神明達哉
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… Mark Andrews
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… Daisuke HIGASHI
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… Florian Weimer