[DNSOP] Introduction section of draft-ietf-dnsop-avoid-fragmentation
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 24 March 2021 04:39 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Xf4bpI2slVQHFEH4wtOzvvvCdso>
Fujiwara-san,

I have a suggestion on tweaking the wording of Section 1, Introduction. The intent is to simplify it a bit. Feel free to ignore this if it doesn't work, or use whatever parts of it you feel are useful.

DNS has the EDNS0 [RFC6891] mechanism. It enables a DNS server to send large responses using UDP. EDNS0 is now widely deployed, and DNS (over UDP) is said to be the biggest source of IP fragments.

Fragmented DNS UDP responses have systemic weaknesses, which expose the requestor to DNS cache poisoning from off-path attackers. (See appendix for references and details.) The primary weakness is the UDP checksum itself, and the fact that the UDP header and DNS header will be in the first fragment only. In addition, IPv4 fragmentation and reassembly relies solely on the IPv4 ID, a 16-bit value which is weak enough to permit feasible brute force attacks.

UDP has no inherent ability to react to ICMP messages that would otherwise alert the sender to dropped packets with DF=1, due to the MTU being exceeded.

Additionally, fragmentation can adversely affect TCP performance, thus the same logic is applicable to both UDP and TCP.

Fragmentation SHOULD be avoided.

This document proposes to set IP_DONTFRAG / IPV6_DONTFRAG in DNS/UDP messages in order to avoid IP fragmentation, and describes how to avoid packet losses due to IP_DONTFRAG / IPV6_DONTFRAG.

(Place the rest of the original introduction text and references into an Appendix.)

Feedback concerning this suggestion is welcome.

Sincerely,
Brian Dickson
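The two halves of the proposal in the message above, set the don't-fragment bit on the DNS/UDP socket and then keep responses small enough that DF never causes a silent loss, as an added responder-side example in C. This is not code from the draft or from the poster; it assumes Linux and BSD socket option spellings (Linux expresses IP_DONTFRAG as IP_MTU_DISCOVER with IP_PMTUDISC_DO; IPV6_DONTFRAG comes from RFC 3542), and the 1232-byte UDP limit is an illustrative value chosen here, not a number taken from the message. When a datagram would exceed the limit, or the kernel reports EMSGSIZE because the path MTU is smaller and it now refuses to fragment, the reply is cut down to header plus question with TC=1 so the client retries over TCP.

```c
/* Added example: DF on a DNS/UDP socket plus TC=1 fallback (not the draft's code). */
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define DNS_UDP_LIMIT 1232  /* assumed responder-side maximum UDP payload, illustrative only */

/* Set "don't fragment" on a UDP socket for the given address family.
 * Returns 0 on success, -1 with errno set otherwise. */
int set_dont_fragment(int fd, int family)
{
    int rc = -1;
    if (family == AF_INET) {
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
        int v = IP_PMTUDISC_DO;        /* Linux: DF=1, never fragment locally */
        rc = setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, sizeof v);
#elif defined(IP_DONTFRAG)
        int v = 1;                     /* BSD / macOS */
        rc = setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &v, sizeof v);
#else
        errno = ENOPROTOOPT;
#endif
    } else if (family == AF_INET6) {
#if defined(IPV6_DONTFRAG)
        int v = 1;                     /* RFC 3542 */
        rc = setsockopt(fd, IPPROTO_IPV6, IPV6_DONTFRAG, &v, sizeof v);
#elif defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO)
        int v = IPV6_PMTUDISC_DO;
        rc = setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &v, sizeof v);
#else
        errno = ENOPROTOOPT;
#endif
    } else {
        errno = EAFNOSUPPORT;
    }
    return rc;
}

/* Offset just past the question section of a DNS message, or 0 if it is
 * malformed. Compression pointers in QNAME are rejected: a responder
 * building its own reply never needs them there. */
size_t dns_question_end(const uint8_t *msg, size_t len)
{
    if (len < 12) return 0;
    uint16_t qdcount = (uint16_t)((msg[4] << 8) | msg[5]);
    size_t off = 12;
    for (uint16_t q = 0; q < qdcount; q++) {
        for (;;) {                     /* labels up to the zero-length root label */
            if (off >= len) return 0;
            uint8_t l = msg[off++];
            if (l == 0) break;
            if (l & 0xC0) return 0;    /* compression pointer: refuse */
            if (l > len - off) return 0;
            off += l;
        }
        if (len - off < 4) return 0;   /* QTYPE + QCLASS */
        off += 4;
    }
    return off;
}

/* Cut the reply to header + question, set TC=1, zero ANCOUNT/NSCOUNT/ARCOUNT.
 * A production server would keep its OPT RR; this example drops it for brevity.
 * Returns the new length, or 0 if the message cannot be parsed. */
size_t dns_truncate_to_question(uint8_t *msg, size_t len)
{
    size_t qend = dns_question_end(msg, len);
    if (qend == 0) return 0;
    msg[2] |= 0x02;                    /* TC is bit 0x02 of the third header byte */
    memset(msg + 6, 0, 6);
    return qend;
}

/* Enforce the responder's UDP size limit: unchanged if it fits, else truncated. */
size_t dns_fit_udp(uint8_t *msg, size_t len, size_t limit)
{
    return len <= limit ? len : dns_truncate_to_question(msg, len);
}

/* Send with DF set. With DF the kernel returns EMSGSIZE instead of fragmenting
 * when the datagram exceeds the path MTU; answer with TC=1 rather than lose it. */
ssize_t dns_send_response(int fd, uint8_t *msg, size_t len,
                          const struct sockaddr *to, socklen_t tolen)
{
    size_t n = dns_fit_udp(msg, len, DNS_UDP_LIMIT);
    if (n == 0) { errno = EINVAL; return -1; }
    ssize_t rc = sendto(fd, msg, n, 0, to, tolen);
    if (rc < 0 && errno == EMSGSIZE) {
        n = dns_truncate_to_question(msg, n);
        if (n == 0) { errno = EINVAL; return -1; }
        rc = sendto(fd, msg, n, 0, to, tolen);
    }
    return rc;
}
```

Call set_dont_fragment() once per listening socket right after socket() and before the first sendto(); on Linux, getsockopt(IP_MTU_DISCOVER) returning IP_PMTUDISC_DO confirms it took. The EMSGSIZE branch is the part that matters operationally: without it, turning on DF converts a fragmented-but-delivered response into a response the kernel simply refuses to send.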