IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

Robert Edmonds <edmonds@mycre.ws> Mon, 28 September 2015 18:20 UTC

Return-Path: <edmonds@mycre.ws>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E7AB1B2AB4 for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 11:20:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R7y8NZnRkCTn for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 11:20:07 -0700 (PDT)
Received: from chase.mycre.ws (chase.mycre.ws [70.89.251.89]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C25521B2AA6 for <dnsop@ietf.org>; Mon, 28 Sep 2015 11:20:04 -0700 (PDT)
Received: by chase.mycre.ws (Postfix, from userid 1000) id 28BFE1C40232; Mon, 28 Sep 2015 14:20:04 -0400 (EDT)
Date: Mon, 28 Sep 2015 14:20:04 -0400
From: Robert Edmonds <edmonds@mycre.ws>
To: dnsop@ietf.org
Message-ID: <20150928182004.GA3197@mycre.ws>
References: <20150926191009.28433.58915.idtracker@ietfa.amsl.com> <20150926191551.GA32562@jurassic.l0.malgudi.org> <20150928173028.GA2328@mycre.ws> <20150928173255.GA23429@jurassic.l0.malgudi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150928173255.GA23429@jurassic.l0.malgudi.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/VpY_IVIW__wdVTGua4y7-PibLxg>
Subject: Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2015 18:20:12 -0000

Mukund Sivaraman wrote:
> Hi Robert
> 
> On Mon, Sep 28, 2015 at 01:30:28PM -0400, Robert Edmonds wrote:
> > 16 bits is an awful lot of space for the ALGORITHM field.  Compare to
> > the DNSSEC algorithm number field, which is only 8 bits.
> 
> Do you suggest changing it to 8 bits too?

If you keep an algorithm field, yes, I suggest changing it to 8 bits.
It seems unlikely more than one or two algorithms would ever be
implemented.  Is algorithm agility really needed, though, given that
there are ~65000 unused EDNS0 option codes?

I am also curious why a cryptographic hash function (SHA-1) is needed
for this.  Is a fast non-cryptographic checksum not suitable (e.g.,
CRC-32C, which can be computed in hardware on x86 CPUs)?

Also, there is a long deployment tail for new EDNS options.  If it's
urgent to deploy a countermeasure against off-path fragment spoofing,
why not something like Unbound's "referral path hardening", or
advertising a smaller EDNS buffer size which is much less likely to
result in fragmentation?  (E.g., I believe OpenDNS advertises a ~1.4
Kbyte EDNS buffer size.)  Those countermeasures can be deployed
unilaterally by the resolver, and on a shorter time scale than a new
EDNS option.

-- 
Robert Edmonds

v2.23.0 | Report a Bug | By Email