Re: [DNSOP] Artart telechat review of draft-ietf-dnsop-avoid-fragmentation-16
Paul Vixie <paul@redbarn.org> Sat, 30 December 2023 04:49 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD66FC14F61A; Fri, 29 Dec 2023 20:49:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.198
X-Spam-Level:
X-Spam-Status: No, score=-7.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redbarn.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AuHRFUCQ8T7z; Fri, 29 Dec 2023 20:49:21 -0800 (PST)
Received: from util.redbarn.org (util.redbarn.org [24.104.150.222]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C1E9C14F5F4; Fri, 29 Dec 2023 20:49:09 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "*.redbarn.org", Issuer "RapidSSL Global TLS RSA4096 SHA256 2022 CA1" (not verified)) by util.redbarn.org (Postfix) with ESMTPS id 28ECA160BE6; Sat, 30 Dec 2023 04:49:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=redbarn.org; s=util; t=1703911747; bh=GPsqK5Hk19+MuXePFoThvQ/2BajCo1q4k04XEVxl6jc=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=Sgg8Lmy8DuGF9FXJizkBbNdC2wRlM47bxxYj4nea6UtMiAPz7hBG+JXTU8US94bB6 plccR01HPudGtGm4cH4fhhAXWoxFGXuh9IZgqgf28RM2eWKld5wTDrcGDZrBPRnKYR 9xSBoeJPqyKY/H2v675tGmA1bl01iPwj2Bo8RD/4=
Received: from [24.104.150.149] (dhcp-149.access.rits.tisf.net [24.104.150.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 06545FEBEE; Sat, 30 Dec 2023 04:49:07 +0000 (UTC)
To: Barry Leiba <barryleiba@computer.org>
Cc: art@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-avoid-fragmentation.all@ietf.org, last-call@ietf.org
References: <170390765227.35660.13790056130891751625@ietfa.amsl.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <7d4a7b15-c815-dcf3-3e9b-302cc5c4c71e@redbarn.org>
Date: Fri, 29 Dec 2023 20:49:03 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/7.0.60
MIME-Version: 1.0
In-Reply-To: <170390765227.35660.13790056130891751625@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SaRfSMCgpd4wWEST5pkb6hQNpKs>
Subject: Re: [DNSOP] Artart telechat review of draft-ietf-dnsop-avoid-fragmentation-16
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Dec 2023 04:49:28 -0000
Barry Leiba via Datatracker wrote on 2023-12-29 19:40: > Reviewer: Barry Leiba > Review result: Ready with Nits > > Thanks for addressing most comments from my earlier review. One remains, and I > didn’t see an email response about it, so I don’t know whether there was a > reason not to make a change or if it just got overlooked: > > — Section 7.2 — > > If a UDP response packet is dropped (for any reason), it increases > the attack window for poisoning the requestor's cache. > > But Section 3.2 says this: > > R7. UDP requestors MAY drop fragmented DNS/UDP responses without IP > reassembly to avoid cache poisoning attacks. > > …which seems to be contradictory. Can you clarify this apparent contradiction > in one place or both? the requirements are in conflict, and this is a good catch. in 7.2 we should say "dropped in transit, up to and including the network stack of the initiator" since if it's dropped by the initiator (in user mode) the attack window will be closed thereby. in 3.2 we should say "SHOULD" not "MAY", per mr. wouters' earlier comments. in addition we should say "SHOULD detect reassembled DNS/UDP responses in the DNS response processing logic, since the fragments thereof would have been subject to off-path cache poisoning attacks." it's a very subtle point and has been wordsmithed more than once here. we don't want the initiator's window of willingness to receive a response to be any longer than possible, because of off-path (TID guessing) attacks. and we don't want to reassemble, because of off-path (fragment replacement) attacks. so we really do not want fragmentation to occur because it makes both of those attacks easier to launch. TID guessing is made easier if the network drops fragments or drops oversized packets. fragment replacement is made easier if there were in fact ever any fragments. by recommending that the initiator detect when fragments are present (or were present, if the network stack reassembled them first) and drop them, we reduce the chance of bad fragments getting through, because no fragments will get through. we also disincentivize the generation of fragments in the first place, because they'll be silently dropped by (a growing number of) initiators. as you can see i've fought the words and lost. -- P Vixie
- [DNSOP] Artart telechat review of draft-ietf-dnso… Barry Leiba via Datatracker
- Re: [DNSOP] Artart telechat review of draft-ietf-… Paul Vixie