[DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt
fujiwara@jprs.co.jp Fri, 01 March 2019 12:14 UTC
Dear DNSOP,

I submitted draft-fujiwara-dnsop-fragment-attack-01.

https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01

It summarizes DNS cache poisoning attacks using IP fragmentation and countermeasures.

If there is interest in the draft, I will request a timeslot at IETF 104.

I think it is time to consider avoiding IP fragmentation in DNS. It is possible to avoid IP fragmentation as much as possible. It is not good that DNS is the biggest user of IP fragmentation.

Regards,

--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>

A new version of I-D, draft-fujiwara-dnsop-fragment-attack-01.txt
has been successfully submitted by Kazunori Fujiwara and posted to the
IETF repository.

Name: draft-fujiwara-dnsop-fragment-attack
Revision: 01
Title: Measures against cache poisoning attacks using IP fragmentation in DNS
Document date: 2019-03-01
Group: Individual Submission
Pages: 13
URL: https://www.ietf.org/internet-drafts/draft-fujiwara-dnsop-fragment-attack-01.txt
Status: https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-fragment-attack/
Htmlized: https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01
Htmlized: https://datatracker.ietf.org/doc/html/draft-fujiwara-dnsop-fragment-attack
Diff: https://www.ietf.org/rfcdiff?url2=draft-fujiwara-dnsop-fragment-attack-01

Abstract:
Researchers proposed practical DNS cache poisoning attacks using IP fragmentation. This document shows feasible and adequate measures at full-service resolvers and authoritative servers against these attacks. To protect resolvers from these attacks, avoid fragmentation (limit the requestor's UDP payload size to 1220/1232), drop fragmented UDP DNS responses, and use TCP at the resolver side. To make a domain name robust against these attacks, limit the EDNS0 responder's maximum payload size to 1220, set the DONTFRAG option on DNS response packets, and use a good random fragmentation ID at the authoritative server side.
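The resolver-side measures from the abstract (advertise a 1232-octet EDNS0 requestor payload size, re-query over TCP when the response is truncated), as an added example that is not part of the original message or of the draft. The wire-format helpers follow RFC 1035/6891; the sample message bytes and the "response larger than the advertised limit" heuristic in udp_response_action are constructed assumptions.

```python
import struct
# Added example, not code from the draft: the resolver-side measures in
# draft-fujiwara-dnsop-fragment-attack-01 (advertise a 1232-octet EDNS0
# payload size, re-query over TCP when the response is truncated).
EDNS0_PAYLOAD_LIMIT = 1232   # limit named in the draft abstract (1220/1232)
TYPE_OPT = 41
FLAG_TC = 0x0200

def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero octet."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, txid, payload_size=EDNS0_PAYLOAD_LIMIT):
    """Query with RD set and one OPT RR advertising payload_size (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/flags, RDLEN 0
    return header + question + b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload_size, 0, 0)

def skip_name(msg, off):
    """Advance past a name; a compression pointer (RFC 1035 4.1.4) ends it in two octets."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def advertised_payload_size(msg):
    """UDP payload size from the message's OPT RR, or None if it carries no EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                     # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None

def udp_response_action(msg, limit=EDNS0_PAYLOAD_LIMIT):
    """Policy for a response received over UDP: accept, retry over TCP, or reject."""
    if len(msg) > limit:
        # Fragmentation is invisible here; exceeding the advertised limit is the proxy (assumption).
        return "reject"
    if struct.unpack("!H", msg[2:4])[0] & FLAG_TC:        # TC set: re-query over TCP
        return "retry_tcp"
    return "accept"
```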