Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt
Mukund Sivaraman <muks@isc.org> Sun, 27 September 2015 02:59 UTC
Return-Path: <muks@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 229511A8866 for <dnsop@ietfa.amsl.com>; Sat, 26 Sep 2015 19:59:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.465
X-Spam-Level: *
X-Spam-Status: No, score=1.465 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J1KFk4AdT9_U for <dnsop@ietfa.amsl.com>; Sat, 26 Sep 2015 19:59:22 -0700 (PDT)
Received: from mail.banu.com (mail.banu.com [IPv6:2a01:4f8:140:644b::225]) by ietfa.amsl.com (Postfix) with ESMTP id E2B051A8863 for <dnsop@ietf.org>; Sat, 26 Sep 2015 19:59:21 -0700 (PDT)
Received: from jurassic.l0.malgudi.org (unknown [115.118.154.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id E94E72BA0A7E; Sun, 27 Sep 2015 02:59:18 +0000 (GMT)
Date: Sun, 27 Sep 2015 08:29:14 +0530
From: Mukund Sivaraman <muks@isc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20150927025914.GA31910@jurassic.l0.malgudi.org>
References: <20150926191009.28433.58915.idtracker@ietfa.amsl.com> <20150926191551.GA32562@jurassic.l0.malgudi.org> <6944DF48-2A47-4E75-801F-37BEA19A1CCD@vpnc.org> <20150927000309.GA17973@jurassic.l0.malgudi.org> <F53FA522-E92B-420B-9C12-6D64AC9DD5D4@vpnc.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="C7zPtVaVf+AK4Oqc"
Content-Disposition: inline
In-Reply-To: <F53FA522-E92B-420B-9C12-6D64AC9DD5D4@vpnc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/GZZ6ZIgJorEMUMoUCbrGmQwnV18>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Sep 2015 02:59:23 -0000
Hi Paul I'm CC'ing this reply to the dnsop@ list as it is relevant info for others to read too. So I've not quoted your email. UDP has a header checksum that can notice message modification when in use. Sometimes this may be 0 if the sender host did not generate a checksum. This draft adds one in the application layer alongside a nonce known to the client. Together they are meant to thwart any possibility of different kinds of off-path cache-poisoning attacks. It is a simpler lesser form of DNS cookies that goes a little further from the client's perspective. If some countermeasures such as source port randomization are either turned off (perhaps when DNS cookies are in use; typically source port randomization has a significant performance penalty) or ineffective perhaps due to NAT, there is a remote possibility of poisoning with IP fragmentation. Note that this draft still cannot prevent some kinds of attack such as response and NS blocking and NS pinning as described in Herzberg and Shulman's paper (cited in the draft). There are practical issues with TCP which are still currently prevelant: 1. The 3 way handshake doubles the number of roundtrips necessary before an answer is received. With iteration, it can result in conspicuously increased average turnaround time in applications such as web-browsing as DNS is the starting point. This becomes noticable in a location such as where I live (India) from where the RTT to many of the mediumly-popular websites' DNS nameservers is quite high. There are some efforts to solve this such as TCP fast open, but not widely deployed. Once the records are cached everything is faster, but a delay is still a delay. RTT to almost everywhere significant is high from here. Also, OTOH, use of DNS cookies with UDP itself may require additional roundtrips. 2. There are concerns on whether using TCP is scalable for DNS. The dns-dev-coord list was setup to discuss this topic and try to improve TCP performance across implementations. But I agree, TCP-only is becoming more and more appealing/relevant with the number of issues in using UDP. Mukund
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-mu… Robert Edmonds
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-mu… Robert Edmonds
- Re: [DNSOP] New Version Notification for draft-mu… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-mu… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-mu… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Davey Song
- Re: [DNSOP] New Version Notification for draft-mu… Ólafur Guðmundsson