IETF Logo Mail Archive

[DNSOP]Re: draft-ietf-dnsop-avoid-fragmentation-17.txt - implementer notes

Petr Špaček <pspacek@isc.org> Tue, 07 May 2024 08:28 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2016C14F5EB; Tue, 7 May 2024 01:28:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="HZyxwm+7"; dkim=pass (1024-bit key) header.d=isc.org header.b="IvcZS04h"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NqrGNBCFyOkP; Tue, 7 May 2024 01:28:09 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1E31C14F5E6; Tue, 7 May 2024 01:28:08 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 37AA73AB231; Tue, 07 May 2024 08:28:08 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 37AA73AB231
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1715070488; cv=none; b=LB5u5EDTj8jqBw9fgesAiD49yhvoFIFir8nF5UArhO4I4IsNDzS0lGjFacZiClTaZ3h+vebOkM71XNeWTkAa3N8NckLjgEs1xsUioScZJAGrasa1+j1d3OUo4aSFLvePGtLsifMg26ApoH7mcmAyTq5sO5ptifnJEPYxxkBgbuM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1715070488; c=relaxed/relaxed; bh=8rR9IBuCsbLX+PGtozFtwcn3gR9gBzkOzBDfX6hKYrk=; h=DKIM-Signature:DKIM-Signature:Message-ID:Date:MIME-Version: Subject:To:From; b=FgR4vC+tDoJM5t/cC7biSNR9MpmEYn7cibGyu5FQQ4IMFZmlKEFQ9S/l676KJpHEszsVS7tjLKVOvRRF8RBeFiX1FfK7XeD/mBvMdtzYZcIh9BD0dATGQZHpIi18GrIoYtOflQnSwsAsA79sBhCbQDcIPZh2oenHMmnJwUGty/U=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 37AA73AB231
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1715070488; bh=KaKlnE9zWbde7dqjtTKAlMT8ppUVAZLLDpFmvKBPcbU=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=HZyxwm+7q7CQqHcR/CbZO1bEh1qNw0eA4Wk7sO2JyYGZ91dnNa89hrO+opVsf7TGq LsmrBqcOiMhUvf4ndhSdmNewsXzniutcBfVOdVm0RmJZNKLhxf4PjMExPcZub8cyc2 LTyCHET+U64jkeGg6bmC74nBi4L1AAaCfmiP/4Jk=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 32FA6116353E; Tue, 7 May 2024 08:28:08 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 121901163550; Tue, 7 May 2024 08:28:08 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 121901163550
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1715070488; bh=8rR9IBuCsbLX+PGtozFtwcn3gR9gBzkOzBDfX6hKYrk=; h=Message-ID:Date:MIME-Version:To:From; b=IvcZS04hRw0RUzrZ9r6wqD49NCAPVyFFuLWuqvooXdL9DJOlv3I/vtnNj2Qvpxij1 KF6RBtG+A63jJLqX970lZL7dGsP6eKUJ4mF/lBdFrg83IZFNSh7Rz2z/dLo/1nrLcO v6N4C0UQ8qaGmknIivKbpYBJOffI7jOut6YTOpJU=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id brsTRkxI72dS; Tue, 7 May 2024 08:28:08 +0000 (UTC)
Received: from [192.168.0.157] (ip-86-49-236-123.bb.vodafone.cz [86.49.236.123]) by zimbrang.isc.org (Postfix) with ESMTPSA id 4D1D9116353E; Tue, 7 May 2024 08:28:07 +0000 (UTC)
Message-ID: <e18d32ea-1da6-46c3-8c2b-b33ad4ad5ebb@isc.org>
Date: Tue, 07 May 2024 10:28:04 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: "C. M. Heard" <heard@pobox.com>
References: <170926168476.21652.3145041523766661930@ietfa.amsl.com> <c998f646-bc1c-4671-9ad9-d0b1d3558d86@isc.org> <CACL_3VHg=oZDMS5U+tDjMLDpxtLRD9Bxnvnnh9PbUaq4FqX6rA@mail.gmail.com>
From: Petr Špaček <pspacek@isc.org>
Content-Language: en-US
Autocrypt: addr=pspacek@isc.org; keydata= xsFNBF/OJ/4BEAC0jP/EShRZtcI9KmzVK4IoD/GEDtcaNEEQzPt05G8xtC0P4uteXUwW8jaB CdcKIKR4eUJw3wdXXScLNlyh0i+gm5mIvKPrBYNAMOGGnkbAmMQOt9Q+TyGeTSSGiAjfvd/N nYg7L/KjVbG0sp6pAWVORMpR0oChHflzKSjvJITCGdpwagxSffU2HeWrLN7ePES6gPbtZ8HY KHUqjWZQsXLkMFw4yj8ZXuGarLwdBMB7V/9YHVkatJPjTsP8ZE723rV18iLiMvBqh4XtReEP 0vGQgiHnLnKs+reDiFy0cSOG0lpUWVGI50znu/gBuZRtTAE0LfMa0oAYaq997Y4k+na6JvHK hhaZMy82cD4YUa/xNnUPMXJjkJOBV4ghz/58GiT32lj4rdccjQO4zlvtjltjp9MTOFbRNI+I FCf9bykANotR+2BzttYKuCcred+Q7+wSDp9FQDdpUOiGnzT8oQukOuqiEh3J8hinHPGhtovH V22D0cU6T/u9mzvYoULhExPvXZglCLEuM0dACtjVsoyDkFVnTTupaPVuORgoW7nyNl0wDrII ILBqUBwzCdhQpYnyARSjx0gWSG1AQBKkk5SHQBqi1RAYC38M59SkpH0IKj+SaZbUJnuqshXh UIbY1GMHbW/GDhz7pNQFFYm2S4OPUBcmh/0O0Osma151/HjF7wARAQABzR9QZXRyIMWgcGHE jWVrIDxwc3BhY2VrQGlzYy5vcmc+wsGXBBMBCABBAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B AheAAhkBFiEEEVO2++xeDVoSYmDzq9WHzfBlga4FAmWT+REFCQelsxMACgkQq9WHzfBlga7y 2Q//Ug58UI9mlnD/guf9mHqpJIMrBs/vX8HlzylsDcZUBTp2TJpzNh/CygPWrHY+IvA9I9+t Ygp0sB+Z9OtVZgW3bpWJ0iWe6N89Q0kwOuhJ75LsfR1V73L5C826M6bLQjYTj6HiwS9Nf+N0 jADhEV/p1KtCuZfwBkYJ4ZM+Na0zWerGPkGw9T9O0gfs0ePehzJ5V0OK0nCqMuC1h8o/rhCb vRCmxdAbNjrOrgKa7HN5DadP/tKstJMM09aXlT5q96fRIyCQyqXQoCrijCWvgAxgjABdh1TB /XsYvBC8+4wy5ZBtTcnxXGrMhrSxU2/vIK6RjDju7OIRClMNepEzvt0gNzxwwxIXVOzl5ioC i/Okovk1rZneFFxbVvaMyIJgY/hShJV7Ei+5S9UZUv6UUmRQ6zukeiSVZrtXs6fWLVlUnBDl Cv/fXi25hrymqNfPSBSB0tyc6YepR1Rq9omTni6DYmEHQuhPMHJ2fuiNNyBaH+9EI7go5e0J LvXVLJGXkMdTcmYHja1pDjmQ1K71gewfPWGFmn0JTa92GuZJaR/4MVePvoV0NTpCP0HiKIg5 0+AOdpvkJReFKTQOX08SwkUkgvy9h9WjBMpD5ymMs4gjJwXtcT1+aVtj9Xcw6tQde9Yyjxde a6UZ3TUfys8qZ8ZKmMKTaCUFukKzWDJMZ91V1b/OwU0EX84n/gEQANARNXihDNc1fLNFZK5s O14Yg2TouK9eo9gGh4yLSrmZ3pjtnuJSpTWmGD4g0EYzhwWA/T+CqjUnrhsvzLQ1ECYVqLpM VqK2OJ9PhLRbx1ITd4SKO/0xvXFkUqDTIF6a5mUCXH5DzTQGSmJwcjoRv3ye+Z1lDzOKJ+Qr gDHM2WLGlSZAVGcUeD1S2Mp/FroNOjGzrFXsUhOBNMo8PSC4ap0ZgYeVBq5aiMaQex0r+uM4 45S1z5N2nkNRYlUARkfKirqQxJ4mtj5XPC/jtdaUiMzvnwcMmLAwPlDNYiU0kO5IqJFBdzmJ yjzomVk1zK9AYS/woeIxETs+s6o7qXtMGGIoMWr6pirpHk4Wgp4TS02BSTSmNzParrFxLpEU dFKq3M0IsBCVGvfNgWL2pKKQVq34fwuBhJFQAigR9B3O9mfaeejrqt73Crp0ng0+Q74+Llzj EIJLOHYTMISTJyxYzhMCQlgPkKoj+TSVkRzBZoYFkUt4OXvlFj73wkeqeF8Z1YWoOCIjwXH9 0u2lPEq0cRHHyK+KSeH1zQJ4xgj0QDGPmkvi81D13sRaaNu3uSfXEDrdYYc+TSZd2bVh2VCr xrcfzQ1uz9fsdC9NPdNd7/mHvcAaNc5e9IhNh67L54aMBkzlJi18d0sWXOOHkyLSvbHnC/OP wv7qCf69PUJmtoeHABEBAAHCwXwEGAEIACYCGwwWIQQRU7b77F4NWhJiYPOr1YfN8GWBrgUC ZZP5UgUJB6WzVAAKCRCr1YfN8GWBrgxpD/949Tz7EtrE9e2yJ4np+y7uW8EDusVM3QsBdkYk yaQTupITew8WWQtNF/QK/MKRi+e/382t78nBq+T7G9PrRi7E4WS9dXdgJiFz25h3mC4TABJZ b6MLcEreLWTaqnR/D6F3AnNXh7GJFY4E6PAwC60W0R9G6R0E+2XeZX011NEGiBMvgZnqzzjU L9h8Gz7a/EsQync4cvLbruPt/UaOV0khKTefsOFj3q3wLY6qN2qw7HfgFRBCh6ME2XRvnwAd iv0pF4HRbXoFalkAsNEYkWQ6mkJjdYCHOWm3TWqXhalgGKqIOrQyMpH2mJpZllKBQiBiQMUz qz0cO9OqBk3xvNLplI3VNcC0WeQ8LEqyYKth2T78hVaIw8K0IcVmZQwXVxL03gojaJ5bK2O+ 2FfqKMcIiU+bqaTXntx+FYRQKblsUBYD77uU9sPVyKWIiHvukLTx7GY1ttn6gZDSIek/tTR7 oaei+xLh5JUgZpMZ4JHnirDWHbrJzYN95e8HWA/+qAOTsa+igZGsc6yA1oJIAnCwkclcLAgc x3GVVeEL+/b9CugZ+1OfbxlRK7gAeu0kyKiEXrUvCQPnPByIIfj4I4IvZO4552cmmnbn31f9 X/9nw+M4qAqOK7bRg65ucv71TayUehNJrfJSYx6P1tXIwzu19tIgtdWTcsszNWALfaUFtg==
In-Reply-To: <CACL_3VHg=oZDMS5U+tDjMLDpxtLRD9Bxnvnnh9PbUaq4FqX6rA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: TEJ7KLIQ3LHLZHSYY7ZDX6DCTBJNOFJJ
X-Message-ID-Hash: TEJ7KLIQ3LHLZHSYY7ZDX6DCTBJNOFJJ
X-MailFrom: pspacek@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org, "draft-ietf-dnsop-avoid-fragmentation.authors" <draft-ietf-dnsop-avoid-fragmentation.authors@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP]Re: draft-ietf-dnsop-avoid-fragmentation-17.txt - implementer notes
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/exsQm7zmzGxCIP47OuKpNAIQ6e8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On 07. 05. 24 2:54, C. M. Heard wrote:
> On Mon, May 6, 2024 at 6:59 AM Petr Špaček wrote:
>> Warren asked implementers to provide feedback on the current text, so
>> I'm doing just that.
> 
> [ ... ]
> 
>>>   3.1. Recommendations for UDP responders
>>>
>>> R1. UDP responders SHOULD NOT use IPv6 fragmentation [RFC8200].
>>
>> Operational impact of this recommendation is unclear.
>>
>> Why? Because clients belong to several sets:
>> - One set clients cannot receive fragmented answers,
>> - another set of clients cannot use TCP to overcome unfragmented UDP
>> size limitations,
>> - yet another set of clients actually depend on large answers to
>> function (say because they DNSSEC validate, or need to follow huge NS
>> sets generated by MS AD, or they need large RRs to deliver e-mail, or ...).
>>
>> It's unclear what proportion of clients belong to intersection of these
>> three sets. Banning fragmentation on the **outgoing** side might break
>> these clients, and it's extremely hard to measure and debug from the
>> server side.
> 
> This complaint is really unclear. The recommendation is specifically
> for responders, i.e., servers. It's not a priori whether the term
> "outgoing" means the requestor to responder direction or the responder
> to requestor direction. I presume the latter, but it would be better
> if this was made obvious by using the same terminology as the draft.
> 
> What I think you are saying is that clients that cannot re-send
> truncated queries using TCP will be hurt by the recommendation. Aren't
> such clients non-conformant with current DNS standards? If so, are they
> sufficiently prevalent that it is necessary to continue using
> workarounds to accommodate them?

I said:
"Operational impact of this recommendation is unclear."

That means that answer to your question is unknown.

This recommendation is not backed with data. If the data exist they are 
not linked. To the best of my knowledge there is no significant 
operational experience with it. If the experience exists I have not seen 
it published.


On paper the recommendation does not sound bad. Maybe it's good enough 
as aspirational, forward-looking recommendation...

But that's not what the document does. Version 17 currently says it's:
- Best
- Current
- Practice

As I implementer I claim these three words are either not supported by 
data or outright incorrect:
- Best - impact is unknown, experience is lacking
- Current - not deployed at scale
- Practice - well, not even implementable with current OS APIs!


 > Wasn't the whole point of DNS Flag Day
> to break what was broken and get it fixed?

There was not a flag day for TCP support (yet?).

If you are up for organizing one I'm happy to share first-hand 
experience from organizing previous two DNS Flag Days!


> [ ... ]
> 
>>> R6. UDP requestors SHOULD drop fragmented DNS/UDP responses without IP reassembly to avoid cache poisoning attacks.
>>
>> AFAIK this is impossible to do using normal socket API. The application
>> has no access to information about UDP reassembly.
>>
>> Having said that, even if it was implementable it's IMHO not the best
>> advice for requestor.
>>
>> IF the requestor is able to detect that a fragment was received then it
>> would be MUCH better to trigger retry using different protocol right
>> away. Just dropping the packet:
>> a] causes timeouts
>> b] leaves a time window open for another attack attempt
> 
> I wondered about this after I read the draft (which was after WG last
> call, or I would have commented). I'm not aware of any stack that
> allows the application to disable IP reassembly, nor any that indicates
> whether a received UDP datagram was received in a single IP datagram or
> in multiple IP fragments. If that is indeed the case, this
> recommendation should be removed, since it is not actionable.
> 
> Additionally, my understanding of the motivation for this is to prevent
> off-path cache poisoning attacks. If I correctly understand what I
> have read, these are a problem for IPv4 (which has only a 16-bit
> datagram ID) or for IPv6 stacks that emit predictable datagram IDs.
> It seems to me that the advice to avoid reassembly would need to be
> more nuanced, even if it were actionable.

Generally I agree. Having said that, paradoxically I think R6 advice is 
much better than R1... **if** it were practically implementable. Again, 
this can be aspirational forward-looking recommendation.

If we can get API to detect fragmented (even partial) datagrams we can 
harden the client side and most of other recommendations will be moot.

Example: The requestor could treat any fragmented answer as equivalent 
to TC=1 answer with no data inside. That should take care of all known 
fragmentation-based attacks (I think) and it does not depend on 
responder side at all.

-- 
Petr Špaček
Internet Systems Consortium

v2.31.3 | Report a Bug | By Email | System Status