[DNSOP] Fwd: Comments on draft-ietf-dnsop-cookies
Brian Dickson <brian.peter.dickson@gmail.com> Mon, 29 December 2014 22:21 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 504F01A923A for <dnsop@ietfa.amsl.com>; Mon, 29 Dec 2014 14:21:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SDh1S0t-Zqtj for <dnsop@ietfa.amsl.com>; Mon, 29 Dec 2014 14:21:42 -0800 (PST)
Received: from mail-ie0-x235.google.com (mail-ie0-x235.google.com [IPv6:2607:f8b0:4001:c03::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFACC1A9172 for <dnsop@ietf.org>; Mon, 29 Dec 2014 14:21:41 -0800 (PST)
Received: by mail-ie0-f181.google.com with SMTP id rl12so11060056iec.40 for <dnsop@ietf.org>; Mon, 29 Dec 2014 14:21:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=iie9w0HNBfm+BX/xZ5NbjIKJq6g2lCVKC9enXhBhDyY=; b=hOo0Z3+XB4uYolh3ny6dYATsi/jWJV+xuK4dP/sc1UrMsn2vUAXNfWSvaMfeRyYNm9 IytgDQqNnpbk5mLfC9Xb0JnmvtooNXqvnRLcEAHCqbkMr+VLijg6lz7YOIXvOIIbNgQb l7cs/s9ic9ehhaSpTjJ49J0MOyDLq07/cT3VBmyxVxJRPi3RTPc9rFEz4ds5QG5gGDd0 y/0nTJCHVeyi3EpCeSrfNWy0YuUBmPbhLEVgeYUxqEzW+Ur4iuZYglNROJaQvUx5X7yU TqctvQwHwCsTweNPAhJMCfgnRWMVcNayqxJ1YMqA+OGSjSFKcUl2Q1j0WH059ASHHtmN 57Ng==
MIME-Version: 1.0
X-Received: by 10.43.120.69 with SMTP id fx5mr44166642icc.45.1419891701100; Mon, 29 Dec 2014 14:21:41 -0800 (PST)
Received: by 10.64.69.167 with HTTP; Mon, 29 Dec 2014 14:21:41 -0800 (PST)
In-Reply-To: <CAH1iCipA2T9DZ_WAQOcHqhJyRCwf9FK+rYs6jhPB3LJrBNiobA@mail.gmail.com>
References: <CAH1iCipA2T9DZ_WAQOcHqhJyRCwf9FK+rYs6jhPB3LJrBNiobA@mail.gmail.com>
Date: Mon, 29 Dec 2014 14:21:41 -0800
Message-ID: <CAH1iCir6L4r2GUnYiDJd7yMhXbFi+CpzVF+d8y9+Jozh-RxH1Q@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="bcaec5186d5c76b67c050b624c2f"
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/ew4tF8oFPboSfL7YOl_Q-ghp5O0
Subject: [DNSOP] Fwd: Comments on draft-ietf-dnsop-cookies
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 22:21:44 -0000
I'm a big fan of these cookies, and have been waiting eagerly for the draft to finally get picked up. These comments are meant to be constructive, and with the goal of improving the draft quality and/or quality of the underlying protocol. And, of course, I speak only for myself. In no particular order: - Attacks/weaknesses of DNS protocol: I think it would be very helpful to add a subsection to either Section 2 or Section 3, concerning UDP fragmentation, and how currently all anti-spoofing protections (vs off-path attackers) are found in only the UDP header, DNS message header, and question section. Adding extra text concerning the EDSN(0) flexibility of OPT RR placement inside the Additional section, means it is probably also RECOMMENDED that the OPT RR (containing the DNS cookies) be placed at the end of the Additional section. This provides a much stronger defense against spoofing, by requiring the attacker to have the correct DNS cookies to poison a cache which implements cookies. - It may be worth including an analysis of the overhead of cookies in various states, and the comparative costs of cookies vs TCP. For instance, once the client and server have established mutual cookies, the cost of validating cookies becomes the cost of looking up a cookie via a hash table, and a cmp() operation. Keeping one old server cookie in addition to the current server cookie, would further reduce the overhead in cases where secret rollover has occurred. (If any value of BADCOOKIE other than the most recent server cookie is seen, IMHO it would be fair to discard the query silently, or do a minimum response WITHOUT a valid server cookie.) - It may also be worth pointing out that there is an additional benefit to clients in protecting themselves against arbitrary DDOS spoofing of authority server(s), by being able to white-list cookie-enabled authority servers, and to enforce the presence of cookies from those servers, and even to also statically add cookie values to the server white-lists (with fall-through logic for cookie mismatches, of course). Specifically, this attack vector appears to the victim as if it is an amplification attack, but in actuality bypasses the authority-as-amplifier, with packets sent directly from a bot-net to the victim, spoofing the authority servers' source address(es). - It may be worth explicitly making the distinction between black-listing IP addresses and filtering based on cookies. Both are effective at blocking DDOS traffic, but only cookies facilitate valid traffic flowing while attack traffic is blocked. Maybe something in an Appendix? Hope this is helpful. Brian Dickson
- [DNSOP] Fwd: Comments on draft-ietf-dnsop-cookies Brian Dickson