IETF Logo Mail Archive

Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)

"Wessels, Duane" <dwessels@verisign.com> Wed, 29 December 2021 21:25 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2B3F3A08FE; Wed, 29 Dec 2021 13:25:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oNgC9jecgq2U; Wed, 29 Dec 2021 13:25:44 -0800 (PST)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF9853A08FA; Wed, 29 Dec 2021 13:25:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=3105; q=dns/txt; s=VRSN; t=1640813144; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=7AoSN3z5s/XvqIJKmZBkyB4NzHeD4UZpEpLBthan8Cg=; b=Kg7SKxO4mEbucAMMsWr0vhBiTubUuksZQOzcfIu04tCzTWJXgg31saw1 KzD8rI9CtRy764sfFQzBIn6c2Lu2EDdX8oXuAaeJEh20xeCqoVo5M62Sb YinNoCdfIfdpT0Q3ApZNtqaoh+9fKD8600CworsJzttUPJ3JMmZXlfetL Q1xE0D1jnJkc+8TtvoKG2f3ANq5TaLBEfqZlgEUi+B8CqNxw589CyPPbi pUJLcmKxzv2Afy0juaqZnlpeKrlublC25uPuDqnuaHaMEegrnMdvgfi/a 4kHjf3cjMgbqmLlcy0r49GjKkXAIp3pBmGqSvUdzTk58EaX/6pVIGdagR A==;
IronPort-Data: A9a23:kM+W6KBT7VkFBhVW/wDiw5YqxClBgxIJ4kV8jS/XYbTApDJ0hDZTn 2VNWD/Sbq2LNGLyfNElaInlp0oF65GByNdmTANkpHpgcSlH+JHPbTi7wuccHM8zwunrFh8PA xA2M4GYRCwMo/u1Si6FatANl1ElvU2zbue6WL6s1hxZH1c+EX5700M7wIbVv6Yz6TSHK1LV0 T/Ni5CHULOV82Yc3rU8sv/rRLtH5ZweiRtA1rAMTakjUGz2zhH5OKkiyZSZdBMUdGX08tmSH I4vxJnhlo/Q10l1VoP9yt4XeGVSKlLZFVDmZna7x8FOK/WNz8A/+v9TCRYSVatYozS4x4p/5 NJUj4XuZQIqBpD0msc6UBYNRkmSPYUekFPGCVKFl5Ws6WD2KyGq3f5pFllwNIFe5PxsBydF8 vlwxDIlN0jF3r3thuvmEa8w16zPL+GyVG8bkn1/wCrCAPI9aY7OWaTR5NBemjw3g6iiGN6HP JJDMmMzM3wsZTUIOng2MLNvhdy53DqnLSdSjX7J/Kk4tj27IAtZleKF3MDuUt+DSdhWtkOZu iTL83mRKhUTLse3xDWK/2iwwOjVkkvTVJgbGqH99/N2jhifwHcUEFgaU0D+vfKhz1SzQs9eM UER9ywytoAz+VClCN7nUHWQrHifuQY0WtdMHas98g7l4rHJ8RmeHGwIUT9NZfQpscY3QXoh0 Vrht9/vHjt39baVQHOH7Z+VoC+8fy8PIgcqZCIfQiME7sXt5oYpgXryos1LGrSz18LzFCGom XWRsjJ4grQIyMQMka+h+wmBnSi3oN7CSQtdChjrY19JJzhRPOaND7FEI3CChRqcBO51lmW8g UU=
IronPort-HdrOrdr: A9a23:puyqK6NOHVKUEsBcThyjsMiBIKoaSvp037BN7TEVdfU1SL37qy nAppQmPHPP5gr5O0tOpTnoAsDpfZq2z+8X3WB+B9afdTijlmeuIJpr8IfuhxbxcheTysdtkY NtabJ3BtG1L1Rr5PyR3CCIV/It2sOO/qztv/rZ1HsFd2xXQrtt9Bh0ETyWFUBKRA1LbKBTKK ah
X-IronPort-AV: E=Sophos;i="5.88,246,1635206400"; d="scan'208";a="13023147"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.12; Wed, 29 Dec 2021 16:25:40 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.2375.012; Wed, 29 Dec 2021 16:25:40 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Lars Eggert <lars@eggert.org>, "draft-ietf-dnsop-dns-tcp-requirements@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Suzanne Woolf <suzworldwide@gmail.com>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: [EXTERNAL] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
Thread-Index: AQHX/PqhJ3ZGA5x/5kaRQI65wSoJbw==
Date: Wed, 29 Dec 2021 21:25:40 +0000
Message-ID: <0649F619-045E-44A4-8FD9-5CF28E38CAB3@verisign.com>
References: <163524814397.6773.7925615506385048342@ietfa.amsl.com> <AB8A981D-4923-4D58-8035-3708E4C991A1@verisign.com> <20211223182848.GU11486@mit.edu>
In-Reply-To: <20211223182848.GU11486@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.120.0.1.13)
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <4677F50E9ACAA2488F1CD90526DFE74D@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aHObPMpvfM6Tbd7WmsxsQoMNCoI>
Subject: Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Dec 2021 21:25:50 -0000


> On Dec 23, 2021, at 10:28 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> 
> Hi Duane,
> 
> On Mon, Nov 29, 2021 at 11:53:48PM +0000, Wessels, Duane wrote:
>> 
>> 
>>> On Oct 26, 2021, at 4:35 AM, Lars Eggert via Datatracker <noreply@ietf.org> wrote:
> [...]
>>> Section 4.2. , paragraph 3, comment:
>>>>  DNS server software MAY provide a configurable limit on the number of
>>>>  transactions per TCP connection.
>>> 
>>> What does that limit protect against?
>> 
>> proposed new text:
>> 
>>   DNS server software MAY provide a configurable limit on the number of
>>   transactions per TCP connection.  This can help protect against
>>   unfair connection use (e.g., not releasing connection slots to other
>>   clients) and network evasion attacks.
>> 
>> 
>>> 
>>> Section 4.2. , paragraph 2, comment:
>>>>  Similarly, DNS server software MAY provide a configurable limit on
>>>>  the total duration of a TCP connection.
>>> 
>>> What does that limit protect against?
>> 
>> Proposed new text:
>> 
>>   Similarly, DNS server software MAY provide a configurable limit on
>>   the total duration of a TCP connection.  This can help protect
>>   against unfair connection use, slow read attacks, and network evasion
>>   attacks.
> 
> Maybe I'm just being dense today, or lost too much state in the intervening
> weeks, but how do these limits protect against network evasion attacks?
> What are "network evasion attacks" in this context, anyway?  The draft
> references [phrack] in a different location surrounding use of that term,
> in the context of applications doing TCP stream reassembly from packet
> captures.  In that location it seems that the TCP segmentation could cause
> the reassembling application to miss actual DNS protocol messages, but I'm
> not sure how transaction or time limits on a connection would protect
> against a similar loss of processing of DNS protocol messages by the
> reassembling application.
> 
> Thanks,
> 
> Ben
> 

Hi Ben,


Yes, network evasion attack has the same meaning here: An application that
does packet capture can miss some DNS messages if it doesnt implement TCP
stream reassembly, or implements it imperfectly.

I will say that I'm not adamant about including evasion attacks here.  It
may be a bit of a stretch.  I guess I tend to think of packet stream
reassembly somewhat probabilistically, in that unless the implementation
and conditions are perfect, the longer that a TCP session lasts then the
more likely it is to miss data.

If the DNS operator knows that their capture-based monitoring is not
perfect, then they may want to limit TCP sessions either by transaction
count or by time.  Similarly, they might know that packet capture drops/loss
in the system could affect stream reassembly.

Maybe this isn't really a network evasion attack, but rather just a workaround
for a poor implementation, and really argues against capture based monitoring.
I'm happy to remove it if it doesnt make sense.

DW

v2.14.0 | Report a Bug | By Email