Re: [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-01.txt

Peter van Dijk <peter.van.dijk@powerdns.com> Fri, 31 July 2020 21:35 UTC

Message-ID: <a9c3d241cd80cce3ea02afcc05b79c5a91af9fef.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Fri, 31 Jul 2020 23:35:14 +0200
In-Reply-To: <alpine.DEB.2.20.2007302346290.16320@grey.csi.cam.ac.uk>
References: <159590342976.31577.14549446943084723826@ietfa.amsl.com> <1894748.tN5slbBgEf@linux-9daj> <alpine.DEB.2.20.2007302346290.16320@grey.csi.cam.ac.uk>
Organization: PowerDNS.COM B.V.
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LmeEoEZHuHhTc1lFnG0RswwA7iU>

On Fri, 2020-07-31 at 00:23 +0100, Tony Finch wrote:
> * should set the DONTFRAG option on responses
> 
> * should listen for ICMP frag needed packets, and react by re-sending the
>   response (which is embedded in the ICMP packet) with a TC bit set

Only part of the response is embedded in the ICMP packet. With some luck, enough of the query is embedded in the ICMP packet (I'm unsure about EDNS). I'm unsure it's even easy for a user space process to get that ICMP packet.

That all said, this sounds like a splendid way to allow 'request spoofing' even if everybody does BCP38 (ingress filtering). The ICMP packet could come from any IP (so no spoofing protection), but the ICMP *payload* which you then treat as believable IP headers is not subject to BCP38 checking, as far as I understand. I know we have a state problem in DNS servers forgetting about a query the moment they responded to it, but I don't think scavenging that query from incoming ICMP packets is the solution.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
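
As an added illustration of the two points made in the message above (how little of a response an ICMP "Fragmentation Needed" message actually quotes, and that the quoted inner header is not something BCP38 can vouch for), the following Python model is an example written for this page; it is not code from the original post nor from PowerDNS. It builds a constructed DNS response, wraps it in IPv4/UDP with DF set, and quotes it into ICMPv4 type 3 code 4 messages at two quote sizes: the RFC 792 minimum (IP header plus 8 bytes of data) and the RFC 1812 recommendation (as much of the datagram as fits in 576 bytes). All addresses come from documentation prefixes, every packet byte is constructed inline, checksums are left at zero because nothing is transmitted, and the function names are this example's own.

```python
"""Constructed model (example code, not PowerDNS's) of what a DNS server can
recover from an ICMPv4 'Fragmentation Needed' (type 3, code 4) message that
quotes one of its own UDP responses, and why the quoted header is unverifiable.
Nothing touches the network; checksums are left zero."""
import socket
import struct

IP_HDR, UDP_HDR, ICMP_HDR = 20, 8, 8
RFC792_QUOTE = IP_HDR + 8                  # "Internet Header + 64 bits of Original Data Datagram"
RFC1812_QUOTE = 576 - IP_HDR - ICMP_HDR    # as much as fits in a 576-byte ICMP datagram


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_dns_response(qname, txt_count, txid=0x1234):
    """Constructed response: one question, txt_count bulky TXT answers, OPT RR last."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, txt_count, 0, 1)
    msg += encode_name(qname) + struct.pack("!HH", 16, 1)            # QTYPE TXT, QCLASS IN
    rdata = bytes([200]) + b"A" * 200                                # one 200-char TXT string
    for _ in range(txt_count):
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)            # EDNS OPT, UDP size 4096
    return msg


def build_udp_datagram(src, dst, sport, dport, payload):
    """IPv4 + UDP with the DF flag set (the DONTFRAG behaviour under discussion)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + UDP_HDR + len(payload), 0, 0x4000,
                     64, socket.IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0)
    return ip + udp + payload


def build_frag_needed(icmp_src, icmp_dst, next_hop_mtu, quoted):
    """ICMP type 3 code 4 carrying `quoted` bytes of the offending datagram.
    A router quotes a prefix of what it forwarded; a spoofer writes whatever it likes."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(icmp), 0, 0, 64,
                     socket.IPPROTO_ICMP, 0, socket.inet_aton(icmp_src), socket.inet_aton(icmp_dst))
    return ip + icmp


def skip_name(buf, off):
    """Offset just past a (possibly compressed) name, or None if the name is cut off."""
    while off < len(buf):
        length = buf[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:                                  # compression pointer
            return off + 2 if off + 2 <= len(buf) else None
        off += 1 + length
    return None


def find_opt(dns):
    """True only if an OPT RR in the additional section is reachable in the bytes we have."""
    if len(dns) < 12:
        return False
    qd, an, ns, ar = struct.unpack("!HHHH", dns[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(dns, off)
        if off is None or off + 4 > len(dns):
            return False
        off += 4
    for i in range(an + ns + ar):
        off = skip_name(dns, off)
        if off is None or off + 10 > len(dns):
            return False
        rtype, _, _, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        if i >= an + ns and rtype == 41:
            return True
        off += 10 + rdlen
    return False


def recover_from_frag_needed(packet):
    """Everything a user-space DNS server could learn from the ICMP message."""
    icmp = packet[IP_HDR:]
    if packet[9] != socket.IPPROTO_ICMP or icmp[0] != 3 or icmp[1] != 4:
        raise ValueError("not an ICMP Fragmentation Needed packet")
    quoted = icmp[ICMP_HDR:]
    if len(quoted) < IP_HDR + UDP_HDR:
        raise ValueError("quoted datagram shorter than IP + UDP headers")
    sport, dport, udp_len = struct.unpack("!HHH", quoted[IP_HDR:IP_HDR + 6])
    dns = quoted[IP_HDR + UDP_HDR:]
    q_end = skip_name(dns, 12) if len(dns) >= 12 else None
    return {
        "icmp_src": socket.inet_ntoa(packet[12:16]),       # the only address BCP38 filtered
        "claimed_server": socket.inet_ntoa(quoted[12:16]), # inner header: sender-chosen
        "claimed_client": socket.inet_ntoa(quoted[16:20]), # inner header: sender-chosen
        "claimed_client_port": dport,
        "original_dns_len": udp_len - UDP_HDR,             # from the quoted UDP length field
        "quoted_dns_len": len(dns),
        "dns_header": len(dns) >= 12,
        "question": q_end is not None and q_end + 4 <= len(dns),
        "edns_opt": find_opt(dns),
    }
```

Run through the two quote sizes on a 1318-byte TXT response: the RFC 792 minimum yields the UDP header and not one byte of DNS, while the RFC 1812 quote yields the DNS header and the question but never reaches the OPT RR at the tail, which is the "unsure about EDNS" case. A third message built with an arbitrary outer source and an inner header naming some other host as the client comes back from `recover_from_frag_needed` with that host as `claimed_client`; nothing in the returned fields lets a server that kept no query state tell it apart from a router's genuine report.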