Re: [DNSOP] fragmentation itself (Re: FYI: draft-andrews-dnsop-defeat-frag-attack)

Paul Vixie <paul@redbarn.org> Mon, 15 July 2019 14:49 UTC

From: Paul Vixie <paul@redbarn.org>
To: dnsop@ietf.org
Cc: Tim Wicinski <tjw.ietf@gmail.com>
Date: Mon, 15 Jul 2019 14:49:20 +0000
Message-ID: <10784891.sH38upkJ4Y@linux-9daj>
Organization: none
In-Reply-To: <CADyWQ+G8O_UOUxeu5CKbu6AoN-Q680BOn3NfOmB9R+9=0-6Ypw@mail.gmail.com>
References: <01BAC484-5E62-4573-A162-F3BD4F0DCF34@isc.org> <7E608829-535A-4540-A30F-607434F0E28D@isc.org> <CADyWQ+G8O_UOUxeu5CKbu6AoN-Q680BOn3NfOmB9R+9=0-6Ypw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZyOuxOpLhHVaDPjqmdH2311IxiY>
Subject: Re: [DNSOP] fragmentation itself (Re: FYI: draft-andrews-dnsop-defeat-frag-attack)

On Monday, 15 July 2019 13:35:33 UTC Tim Wicinski wrote:
> The chairs felt that Fujiwara-san's draft was one that needed in-person
> discussion in Montreal.

Hopefully Kazunori will suggest a bar BoF for Monday night. I leave Tuesday
morning and so will miss the WG meeting. My own concern is more for packet
size than for fragmentation itself. I'd like to explain my concerns to
$somebody.

> Also, if folks did not see his presentation at OARC, here are the slides:
> 
> https://indico.dns-oarc.net/event/31/contributions/692/attachments/660/1115/fujiwara-5.pdf

Possibly to be argued, but not to be dismissed. As I wrote up-thread, the
state mass of fragmentation, harshest on receivers but also present on
transmitters, means the original EDNS0 spec ought to have said "SHOULD be of a
size that allows the full packet with all headers to fit the local interface
MTU and next-hop MTU" and possibly also "MAY set the DF bit if capable of
hearing and interpreting ICMP messages".

-- 
Paul