IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

Mukund Sivaraman <muks@isc.org> Sun, 27 September 2015 02:59 UTC

Return-Path: <muks@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 229511A8866 for <dnsop@ietfa.amsl.com>; Sat, 26 Sep 2015 19:59:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.465
X-Spam-Level: *
X-Spam-Status: No, score=1.465 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J1KFk4AdT9_U for <dnsop@ietfa.amsl.com>; Sat, 26 Sep 2015 19:59:22 -0700 (PDT)
Received: from mail.banu.com (mail.banu.com [IPv6:2a01:4f8:140:644b::225]) by ietfa.amsl.com (Postfix) with ESMTP id E2B051A8863 for <dnsop@ietf.org>; Sat, 26 Sep 2015 19:59:21 -0700 (PDT)
Received: from jurassic.l0.malgudi.org (unknown [115.118.154.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id E94E72BA0A7E; Sun, 27 Sep 2015 02:59:18 +0000 (GMT)
Date: Sun, 27 Sep 2015 08:29:14 +0530
From: Mukund Sivaraman <muks@isc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20150927025914.GA31910@jurassic.l0.malgudi.org>
References: <20150926191009.28433.58915.idtracker@ietfa.amsl.com> <20150926191551.GA32562@jurassic.l0.malgudi.org> <6944DF48-2A47-4E75-801F-37BEA19A1CCD@vpnc.org> <20150927000309.GA17973@jurassic.l0.malgudi.org> <F53FA522-E92B-420B-9C12-6D64AC9DD5D4@vpnc.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="C7zPtVaVf+AK4Oqc"
Content-Disposition: inline
In-Reply-To: <F53FA522-E92B-420B-9C12-6D64AC9DD5D4@vpnc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/GZZ6ZIgJorEMUMoUCbrGmQwnV18>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Sep 2015 02:59:23 -0000

Hi Paul

I'm CC'ing this reply to the dnsop@ list as it is relevant info for
others to read too. So I've not quoted your email.

UDP has a header checksum that can notice message modification when in
use. Sometimes this may be 0 if the sender host did not generate a
checksum. This draft adds one in the application layer alongside a nonce
known to the client. Together they are meant to thwart any possibility
of different kinds of off-path cache-poisoning attacks. It is a simpler
lesser form of DNS cookies that goes a little further from the client's
perspective.

If some countermeasures such as source port randomization are either
turned off (perhaps when DNS cookies are in use; typically source port
randomization has a significant performance penalty) or ineffective
perhaps due to NAT, there is a remote possibility of poisoning with IP
fragmentation.

Note that this draft still cannot prevent some kinds of attack such as
response and NS blocking and NS pinning as described in Herzberg and
Shulman's paper (cited in the draft).

There are practical issues with TCP which are still currently prevelant:

1. The 3 way handshake doubles the number of roundtrips necessary before
an answer is received. With iteration, it can result in conspicuously
increased average turnaround time in applications such as web-browsing
as DNS is the starting point. This becomes noticable in a location such
as where I live (India) from where the RTT to many of the
mediumly-popular websites' DNS nameservers is quite high. There are some
efforts to solve this such as TCP fast open, but not widely
deployed. Once the records are cached everything is faster, but a delay
is still a delay. RTT to almost everywhere significant is high from
here. Also, OTOH, use of DNS cookies with UDP itself may require
additional roundtrips.

2. There are concerns on whether using TCP is scalable for DNS. The
dns-dev-coord list was setup to discuss this topic and try to improve
TCP performance across implementations.

But I agree, TCP-only is becoming more and more appealing/relevant with
the number of issues in using UDP.

		Mukund

v2.23.0 | Report a Bug | By Email