[DNSOP] Introduction section of draft-ietf-dnsop-avoid-fragmentation

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 24 March 2021 04:39 UTC

References: <20210315.131604.152003594194628775.fujiwara@jprs.co.jp>
In-Reply-To: <20210315.131604.152003594194628775.fujiwara@jprs.co.jp>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 23 Mar 2021 21:39:12 -0700
Message-ID: <CAH1iCirvfLysBajqW9g7-YKVSw4p_+_FGcFwO2jsx8zHViNr=g@mail.gmail.com>
To: fujiwara@jprs.co.jp
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Xf4bpI2slVQHFEH4wtOzvvvCdso>
Subject: [DNSOP] Introduction section of draft-ietf-dnsop-avoid-fragmentation

Fujiwara-san,

I have a suggestion on tweaking the wording of Section 1, Introduction.
The intent is to simplify it a bit. Feel free to ignore this if it doesn't
work, or use whatever parts of it you feel are useful.

DNS has the EDNS0 [RFC6891] mechanism. It enables a DNS server to send
large responses using UDP. EDNS0 is now widely deployed, and DNS
(over UDP) is said to be the biggest source of IP fragments.

Fragmented DNS UDP responses have systemic weaknesses, which expose
the requestor to DNS cache poisoning from off-path attackers. (See appendix
for references and details.) The primary weakness is the UDP checksum
itself, and the fact that the UDP header and DNS header will be in the first
fragment only. In addition, the IPv4 fragmentation and reassembly relies
solely on the IPv4 ID, a 16-bit value which is weak enough to permit feasible
brute force attacks.

UDP has no inherent ability to react to ICMP messages that would otherwise
alert the sender to dropped packets with DF=1, due to MTU being exceeded.
Additionally, fragmentation can adversely affect TCP performance, thus the
same logic is applicable to both UDP and TCP. Fragmentation SHOULD be avoided.

This document proposes to set IP_DONTFRAG / IPV6_DONTFRAG in DNS/UDP
messages in order to avoid IP fragmentation, and describes how to
avoid packet losses due to IP_DONTFRAG / IPV6_DONTFRAG.

(Place the rest of the original introduction text and references into an
Appendix.)

Feedback concerning this suggestion is welcome.

Sincerely,
Brian Dickson
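As an added example (not part of this e-mail or of the draft), here is what the proposed IP_DONTFRAG / IPV6_DONTFRAG setting looks like at the socket level for a DNS server, together with one way to avoid the packet loss the proposal mentions: when the kernel refuses a datagram with EMSGSIZE, the server sends a truncated (TC=1) reply so the client retries over TCP. It assumes the Linux option names (IP_MTU_DISCOVER / IP_PMTUDISC_DO) on platforms that do not define IP_DONTFRAG; the TC fallback is an assumption of this example, not the draft's text.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Request DF=1 (IPv4) / no fragmentation (IPv6). Returns 0 or -1 (errno set). */
int set_dont_fragment(int fd, int family)
{
    int one = 1;
    if (family == AF_INET) {
#if defined(IP_DONTFRAG)            /* BSD and macOS name the option directly */
        return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &one, sizeof one);
#elif defined(IP_MTU_DISCOVER)      /* Linux: DF=1 and no in-kernel fragmentation */
        int mode = IP_PMTUDISC_DO;
        return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof mode);
#endif
    }
#if defined(IPV6_DONTFRAG)
    if (family == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_DONTFRAG, &one, sizeof one);
#endif
    errno = ENOPROTOOPT; return -1;
}
/* 1 if the IPv4 socket sends with DF=1, 0 if not, -1 on error or unsupported. */
int ipv4_df_enabled(int fd)
{
    int v = 0; socklen_t len = sizeof v;
#if defined(IP_DONTFRAG)
    return getsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &v, &len) < 0 ? -1 : v != 0;
#elif defined(IP_MTU_DISCOVER)
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, &len) < 0) return -1;
    return v == IP_PMTUDISC_DO;
#else
    return -1;
#endif
}
/* Fallback used after sendto() fails with errno == EMSGSIZE (the datagram would
 * have needed fragmentation): cut the reply down to header + question, set TC=1
 * and zero the RR counts so the client retries over TCP. Assumes an uncompressed
 * QNAME (normal for the question section). Returns the new length, or 0 if the
 * message is malformed. */
size_t truncate_dns_reply(unsigned char *msg, size_t len)
{
    size_t q = 12;                                   /* 12-byte DNS header */
    while (q < len && msg[q] != 0) q += msg[q] + 1;  /* walk QNAME labels */
    q += 5;                                          /* root label, QTYPE, QCLASS */
    if (len < 12 || q > len) return 0;
    msg[2] |= 0x02;                                  /* TC flag */
    memset(msg + 6, 0, 6);                           /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */
    return q;
}
```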