Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Thu, 23 December 2021 18:29 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DA673A0899; Thu, 23 Dec 2021 10:29:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.496
X-Spam-Level:
X-Spam-Status: No, score=-1.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pf6oxalwQ-Fd; Thu, 23 Dec 2021 10:29:04 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6658A3A0894; Thu, 23 Dec 2021 10:29:04 -0800 (PST)
Received: from mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1BNISm8g001069 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 23 Dec 2021 13:28:55 -0500
Date: Thu, 23 Dec 2021 10:28:48 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
Cc: Lars Eggert <lars@eggert.org>, "draft-ietf-dnsop-dns-tcp-requirements@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Suzanne Woolf <suzworldwide@gmail.com>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, The IESG <iesg@ietf.org>
Message-ID: <20211223182848.GU11486@mit.edu>
References: <163524814397.6773.7925615506385048342@ietfa.amsl.com> <AB8A981D-4923-4D58-8035-3708E4C991A1@verisign.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AB8A981D-4923-4D58-8035-3708E4C991A1@verisign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/X-HL5DsNOyUhRE02XGwGfveM8QE>
Subject: Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Dec 2021 18:29:08 -0000
Hi Duane, On Mon, Nov 29, 2021 at 11:53:48PM +0000, Wessels, Duane wrote: > > > > On Oct 26, 2021, at 4:35 AM, Lars Eggert via Datatracker <noreply@ietf.org> wrote: [...] > > Section 4.2. , paragraph 3, comment: > >> DNS server software MAY provide a configurable limit on the number of > >> transactions per TCP connection. > > > > What does that limit protect against? > > proposed new text: > > DNS server software MAY provide a configurable limit on the number of > transactions per TCP connection. This can help protect against > unfair connection use (e.g., not releasing connection slots to other > clients) and network evasion attacks. > > > > > > Section 4.2. , paragraph 2, comment: > >> Similarly, DNS server software MAY provide a configurable limit on > >> the total duration of a TCP connection. > > > > What does that limit protect against? > > Proposed new text: > > Similarly, DNS server software MAY provide a configurable limit on > the total duration of a TCP connection. This can help protect > against unfair connection use, slow read attacks, and network evasion > attacks. Maybe I'm just being dense today, or lost too much state in the intervening weeks, but how do these limits protect against network evasion attacks? What are "network evasion attacks" in this context, anyway? The draft references [phrack] in a different location surrounding use of that term, in the context of applications doing TCP stream reassembly from packet captures. In that location it seems that the TCP segmentation could cause the reassembling application to miss actual DNS protocol messages, but I'm not sure how transaction or time limits on a connection would protect against a similar loss of processing of DNS protocol messages by the reassembling application. Thanks, Ben
- [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop… Lars Eggert via Datatracker
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Lars Eggert
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Benjamin Kaduk
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Benjamin Kaduk
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane