Re: [DNSOP] draft-ietf-dnsop-reflectors-are-evil-05.txt

Dean Anderson <dean@av8.com> Mon, 10 December 2007 14:15 UTC

Return-path: <dnsop-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1J1jPz-0006yN-0I; Mon, 10 Dec 2007 09:15:35 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J1jPx-0006yH-9x for dnsop@ietf.org; Mon, 10 Dec 2007 09:15:33 -0500
Received: from cirrus.av8.net ([130.105.36.66]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1J1jPw-0004r4-OM for dnsop@ietf.org; Mon, 10 Dec 2007 09:15:33 -0500
Received: from [130.105.12.10] ([130.105.12.10]) (authenticated bits=0) by cirrus.av8.net (8.12.11/8.12.11) with ESMTP id lBAEFRGI028021 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Mon, 10 Dec 2007 09:15:32 -0500
Date: Mon, 10 Dec 2007 09:15:26 -0500
From: Dean Anderson <dean@av8.com>
X-X-Sender: dean@citation2.av8.net
To: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: Re: [DNSOP] draft-ietf-dnsop-reflectors-are-evil-05.txt
In-Reply-To: <a0624080fc37ba787c4f6@[130.129.67.81]>
Message-ID: <Pine.LNX.4.44.0712100857150.18281-100000@citation2.av8.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 32b73d73e8047ed17386f9799119ce43
Cc: dnsop@ietf.org
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Errors-To: dnsop-bounces@ietf.org

On Tue, 4 Dec 2007, Edward Lewis wrote:

> http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-05.txt
> 
> 1) (Somewhat jokingly) I would strike the first word ("Recently") as 
> the attacks were almost two years ago now.  

Yes. And those attacks seemed to be contrived at the time. Perhaps the
attack described isn't (as I previously argued) a genuine concern.

"generation of massive amounts of traffic" is also a misnomer. None of
the attacks generated very large amounts of traffic in comparison with
other types of DOS attacks.  Perhaps 'generation of a significant amount
of traffic'

The draft still asserts incorrectly that 

   DNS authoritative servers which do not provide recursion to clients
   can also be used as amplifiers; however, the amplification potential
   is greatly reduced when authoritative servers are used. 

The exact same traffic can be generated with authority servers.
Authority abuse traffic is much more difficult to mitigate, and so is a
much worse problem than recursor traffic. The draft should state the
facts, otherwise it is misleading.

> In the spirit of "sending text" it might be more appropriate to start
> with "Once upon a time...".

I disagree. IETF Documents should have a serious subject, and a serious
tone.

> 2) I guess I should get over the fact that "are-evil" is part of the 
> file name and that will go away when this document gets out of 
> the RFC Editor.  I think the tone of the document is right as is, 
> recommending ways to have name servers not offer free and unchecked 
> services unless the owner is aware.

I'm not sure this should be ignored. Anyone who looks up the document
history will find that name.  It doesn't ever really go away.  While
there are no official requirements on document names, I think they
should avoid religious and unprofessional terms. If nothing else, it
reflects both on the author, and on the IETF because the IETF accepted
to work on the document with the offensive name.  I think this is a good
reason to oppose this document.

> 3) I was a bit troubled by the discussion in the room on Monday. 
> Parts of the discussion were hard to hear (the acoustics plus my 
> aging ears) and my laptop was off (no jabber for me).  It sounded 
> like someone (not present) claimed that they required open resolvers 
> for roaming.  The discussion seemed to criticize that comment because 
> it is not generalizable, but I think that wasn't the intent.  I 
> thought the comment was offered as a reason why a blanket prohibition 
> against open resolvers was a bad idea.
> 
> I would be against a campaign to cajole people into closing open 
> resolvers.  One reason is that I don't believe that the problem is 
> the open resolvers but the inherent nature of UDP involved.  Two is 
> that it is up to operators to decide how to responsibly operate their 
> network (and it is up to the IETF to give them the educational 
> materials they need).
> 
> I think the document is a good balance.  It recommends closing access 
> to resolvers but does not berate those that leave them open.  (Unless 
> I missed something.)  It lists approaches to selective openness.  I 
> apologize if I lost the train of thought of the mic discussion.

I think the document needs to include discussion of the more serious
attack vectors using authority servers. Even though this has been
discussed, and is more difficult to mitigate, and a more serious problem
that administrators may need guidance on how to handle, this is
completely ignored.

This document is just an 'open relays are bad' document, couched in DNS 
terms.  

I am strongly opposed to this document, so long as it contains incorrect
and misleading claims.


		--Dean




-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
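The thread argues about whether recursive or authoritative servers make the worse reflector, and the draft under discussion recommends checking that a server does not offer recursion to arbitrary clients. The following is an added example, not code from the message or from the draft: it builds a minimal DNS query, decodes the fixed 12-byte header of a reply to read the RA (recursion available) flag, and computes the amplification factor as reply bytes divided by query bytes. All messages are constructed offline with `struct`; the helper and function names (`build_query`, `build_reply`, `parse_header`, `classify`) and the sample addresses in 192.0.2.0/24 are assumptions for the example. The size ratio is computed the same way whatever kind of server produced the reply, which is the quantity the two sides of the thread are disagreeing about.

```python
import struct

# Added example (not from the thread or the draft). Wire format per RFC 1035:
# header = ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six 16-bit fields).
# FLAGS bits: QR=15, Opcode=14..11, AA=10, TC=9, RD=8, RA=7, Z=6..4, RCODE=3..0.


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, rd=1):
    """Build a DNS query; rd=1 sets the RD bit, asking the server to recurse."""
    flags = (rd & 1) << 8
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the fixed 12-byte DNS header into flags and section counts."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,  # RA=1: the server advertises recursion
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_reply(query, answers, ra=1):
    """Construct a reply to `query` carrying one A record per IPv4 address in
    `answers`. Each answer's name is a compression pointer (0xC00C) back to the
    question name at offset 12, as real servers do."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (flags & 0x0100) | ((ra & 1) << 7)  # QR=1, copy RD, set RA
    header = struct.pack("!HHHHHH", txid, flags, qd, len(answers), 0, 0)
    body = query[12:]  # echo the question section
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # NAME(ptr) TYPE=A CLASS=IN TTL RDLENGTH=4, then 4 bytes of address
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + body


def amplification_factor(query, reply):
    """Bytes a responder emits per byte it received."""
    return len(reply) / len(query)


def classify(query, reply):
    """Defender's reading of a reply to a recursion-desired query: does the
    server advertise recursion to this client, and how much bigger than the
    query is the answer it sent?"""
    h = parse_header(reply)
    return {
        "open_recursion": parse_header(query)["rd"] == 1 and h["ra"] == 1,
        "amplification": round(amplification_factor(query, reply), 2),
    }


# Constructed sample messages (no network traffic is sent).
SAMPLE_QUERY = build_query("example.com")                      # 29 bytes
SAMPLE_REPLY = build_reply(SAMPLE_QUERY,
                           ["192.0.2.%d" % i for i in range(1, 11)])  # 189 bytes
REFUSED_REPLY = build_reply(SAMPLE_QUERY, [], ra=0)            # 29 bytes, RA=0

if __name__ == "__main__":
    print(classify(SAMPLE_QUERY, SAMPLE_REPLY))   # RA set, ~6.5x amplification
    print(classify(SAMPLE_QUERY, REFUSED_REPLY))  # RA clear, 1.0x
```

Run against a reply captured from your own server (for example with `tcpdump` or `dig +norecurse` versus `dig`), `classify` tells you whether that server advertises recursion to the vantage point you tested from; the draft's recommendation is that it should not do so for clients outside the networks it serves. The amplification figure is a property of the reply's size alone, which is why the ratio does not distinguish a recursive server from an authoritative one.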


