IETF Logo Mail Archive

Re: [DNSOP] Asking for TCP and/or cookies: a trend? (Was: my lone hum against draft-wkumari-dnsop-multiple-responses

Paul Wouters <paul@nohats.ca> Fri, 22 July 2016 10:45 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2DE512DC77 for <dnsop@ietfa.amsl.com>; Fri, 22 Jul 2016 03:45:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.287
X-Spam-Level:
X-Spam-Status: No, score=-3.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-Seo24YrmYj for <dnsop@ietfa.amsl.com>; Fri, 22 Jul 2016 03:45:22 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB41A12DAA7 for <dnsop@ietf.org>; Fri, 22 Jul 2016 03:45:21 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3rwnNZ69Xgz25X; Fri, 22 Jul 2016 12:45:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1469184318; bh=GchE0eHE/MAXEZXdoD+vFdzAdVEioN08fVsD7+Qa7Uk=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=twJ8xhzWunzNodf1puO04lHRhmlsB3ggII10fIOqw0A4ehHBGXi1E9g385ZpMRHZh A329SCQUBhrrtOwohHVoOEBzpgEvKUVjrwyfFarbqKxWa5Vs+Sr3YQNF5G1zgtpsIj dNal5Wx71Bmqln6VhvbNira3WEW7ikv6JiRwj1VY=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id RnN8vXu2IfKf; Fri, 22 Jul 2016 12:45:18 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 22 Jul 2016 12:45:18 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 21627393D67; Fri, 22 Jul 2016 06:45:17 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 21627393D67
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 192CE40D6F5B; Fri, 22 Jul 2016 06:45:17 -0400 (EDT)
Date: Fri, 22 Jul 2016 06:45:16 -0400
From: Paul Wouters <paul@nohats.ca>
To: Mukund Sivaraman <muks@isc.org>
In-Reply-To: <20160721153845.GA13632@jurassic>
Message-ID: <alpine.LRH.2.20.1607220638520.12891@bofh.nohats.ca>
References: <b00ec4.3833.15606420d47.Coremail.yzw_iplab@163.com> <236F5488-42D4-4A89-ACAB-B55FD2B5782A@fl1ger.de> <20160720051949.8FC154EF155E@rock.dv.isc.org> <36A593C1-1F01-4FE1-BC9A-3279F6460358@rfc1035.com> <D65E8617-107E-4B13-986F-24088D0C57C2@powerdns.com> <20160721133730.GA10324@nic.fr> <alpine.LRH.2.20.1607211101590.17541@bofh.nohats.ca> <20160721153845.GA13632@jurassic>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VWWMfNnTNNDm5b-NKixmSF-h7yw>
Cc: IETF dnsop WG <dnsop@ietf.org>, Peter van Dijk <peter.van.dijk@powerdns.com>
Subject: Re: [DNSOP] Asking for TCP and/or cookies: a trend? (Was: my lone hum against draft-wkumari-dnsop-multiple-responses
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2016 10:45:24 -0000

On Thu, 21 Jul 2016, Mukund Sivaraman wrote:

> On Thu, Jul 21, 2016 at 11:10:10AM -0400, Paul Wouters wrote:
>> And I have been wondering if we should allow for a DNS padding in the
>> query packet to ensure answer packets (over UDP) are going to be
>> smaller then the query packet. And therefore prevents DDOS
>> amplification.
>
> This has been mentioned before. Some thoughts:
>
> For DNS, this can affect some cases such as query packets not making it
> to the server due to size, lack of ability of the client to guess what
> the answer's message size may be, and also EDNS UDP payload size
> behavior.

We only need to make it less attractive, we don't have to guarantee the
question is larger. Just close the gap between question and answer.
So doing a 1200 byte dns query packet could be safe?

> Once a client cookie has been established (associated with a source IP
> address), there's no need to use padding, so perhaps this could be a
> step in the initial handshake when the cookie is established - there
> could be message size limits to these cookie-establishment query and
> reply.

That's very true, but it requires we have a lot more clients supporting
COOKIEs before we can punish those small questions that don't. Which I
guess applies to the padding question too, so yeah I guess my idea is
not enough too late and we should just deploy cookies.

> DJB's curveCP comes to mind about how it prevents amplification for the
> initial handshake.

some googling only finds marketing material, not a specification I can
read :P

Paul

v2.23.0 | Report a Bug | By Email