[DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt

fujiwara@jprs.co.jp Fri, 01 March 2019 12:14 UTC

Date: Fri, 01 Mar 2019 21:14:48 +0900
Message-Id: <20190301.211448.2262229485785576167.fujiwara@jprs.co.jp>
To: dnsop@ietf.org
From: fujiwara@jprs.co.jp
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RJd63OStfI3o0I8tcsFZCsYU620>
Subject: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt

Dear DNSOP,

I submitted draft-fujiwara-dnsop-fragment-attack-01.

   https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01

It summarizes DNS cache poisoning attacks using IP fragmentation
and countermeasures.

If there is interest in the draft, I will request a timeslot at IETF 104.

I think it is time to consider avoiding IP fragmentation in DNS.
It is possible to avoid IP fragmentation as much as possible.

It is not good that DNS is the biggest user of IP fragmentation.

Regards,

--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>

A new version of I-D, draft-fujiwara-dnsop-fragment-attack-01.txt
has been successfully submitted by Kazunori Fujiwara and posted to the
IETF repository.

Name:		draft-fujiwara-dnsop-fragment-attack
Revision:	01
Title:		Measures against cache poisoning attacks using IP fragmentation in DNS
Document date:	2019-03-01
Group:		Individual Submission
Pages:		13
URL:            https://www.ietf.org/internet-drafts/draft-fujiwara-dnsop-fragment-attack-01.txt
Status:         https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-fragment-attack/
Htmlized:       https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-fujiwara-dnsop-fragment-attack
Diff:           https://www.ietf.org/rfcdiff?url2=draft-fujiwara-dnsop-fragment-attack-01

Abstract:
   Researchers proposed practical DNS cache poisoning attacks using IP
   fragmentation.  This document shows feasible and adequate measures at
   full-service resolvers and authoritative servers against these
   attacks.  To protect resolvers from these attacks, avoid
   fragmentation (limit requestor's UDP payload size to 1220/1232), drop
   fragmented UDP DNS responses and use TCP at resolver side.  To make a
   domain name robust against these attacks, limit EDNS0 Responder's
   maximum payload size to 1220, set DONTFRAG option to DNS response
   packets and use good random fragmentation ID at authoritative server
   side.
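As an added example (not code from the draft or the mail), the following Python routine shows the wire-level form of the payload-size measures in the abstract: the EDNS0 OPT pseudo-RR carries the requestor's UDP payload size in its CLASS field (RFC 6891), so a resolver can cap what it advertises at 1232 and an authoritative server can cap what it honours at 1220 by rewriting that one field. The query builder and the name example.com are constructed for the illustration.

```python
import struct

IPV6_SAFE_PAYLOAD = 1232   # resolver-side limit named in the abstract
DNSSEC_MIN_PAYLOAD = 1220  # authoritative-side responder limit named in the abstract
OPT_TYPE = 41              # EDNS0 OPT pseudo-RR type (RFC 6891)

def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype, udp_payload_size=None, txid=0x1234):
    """Constructed query: one question, plus one OPT RR whose CLASS field
    carries the requestor's UDP payload size when a size is given."""
    has_opt = udp_payload_size is not None
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if has_opt else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if not has_opt:
        return header + question
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt

def skip_name(pkt, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def clamp_edns_payload(pkt, limit):
    """Locate the OPT RR and lower its advertised UDP payload size to at most
    `limit`. Returns (patched_packet, advertised_size, effective_size)."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            effective = min(rclass, limit)
            patched = pkt[:off + 2] + struct.pack("!H", effective) + pkt[off + 4:]
            return patched, rclass, effective
        off += 10 + rdlen
    return pkt, None, 512                      # no EDNS0: classic 512-byte limit
```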