IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

Paul Vixie <paul@redbarn.org> Mon, 28 September 2015 18:25 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9741B1B2AD5 for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 11:25:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Px472POGEA0K for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 11:25:57 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 979751B2AD4 for <dnsop@ietf.org>; Mon, 28 Sep 2015 11:25:57 -0700 (PDT)
Received: from [IPv6:2001:559:8000:cb:854c:3e7c:bb76:5a15] (unknown [IPv6:2001:559:8000:cb:854c:3e7c:bb76:5a15]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 802B313B51; Mon, 28 Sep 2015 18:25:57 +0000 (UTC)
Message-ID: <56098631.4060607@redbarn.org>
Date: Mon, 28 Sep 2015 11:25:53 -0700
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 4.0.5 (Windows/20150923)
MIME-Version: 1.0
To: Robert Edmonds <edmonds@mycre.ws>
References: <20150926191009.28433.58915.idtracker@ietfa.amsl.com> <20150926191551.GA32562@jurassic.l0.malgudi.org> <20150928173028.GA2328@mycre.ws> <20150928173255.GA23429@jurassic.l0.malgudi.org> <20150928182004.GA3197@mycre.ws>
In-Reply-To: <20150928182004.GA3197@mycre.ws>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/KS9j-to5xbWl0dKHG5kgtGLrqMw>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2015 18:25:58 -0000


Robert Edmonds wrote:
> ...
>
> I am also curious why a cryptographic hash function (SHA-1) is needed
> for this.  Is a fast non-cryptographic checksum not suitable (e.g.,
> CRC-32C, which can be computed in hardware on x86 CPUs)?

in currently theorized attacks, the udp checksum is fooled by altering
two parts of a fragment:

first, alter the part you want to use to inject poison into a cache.

second, alter something else to fix up the checksum based on the first
alteration.

if CRC-32C is immune to that attack, i havn't heard, but i'd believe.

> Also, there is a long deployment tail for new EDNS options.  If it's
> urgent to deploy a countermeasure against off-path fragment spoofing,
> why not something like Unbound's "referral path hardening", or
> advertising a smaller EDNS buffer size which is much less likely to
> result in fragmentation?  (E.g., I believe OpenDNS advertises a ~1.4
> Kbyte EDNS buffer size.)  Those countermeasures can be deployed
> unilaterally by the resolver, and on a shorter time scale than a new
> EDNS option.
>

those things should also be done in the short term.

but it's the internet. it'll outlive us all. we ought to have a long
term plan as well.

-- 
Paul Vixie

v2.23.0 | Report a Bug | By Email