Re: [DNSOP] Seeking discussion of draft-ietf-dnsop-cookies-01
神明達哉 <jinmei@wide.ad.jp> Thu, 07 May 2015 16:11 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE0DF1ACCF0 for <dnsop@ietfa.amsl.com>; Thu, 7 May 2015 09:11:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 15V4MDE-YB3P for <dnsop@ietfa.amsl.com>; Thu, 7 May 2015 09:11:54 -0700 (PDT)
Received: from mail-ig0-x22f.google.com (mail-ig0-x22f.google.com [IPv6:2607:f8b0:4001:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EC1E1AC410 for <dnsop@ietf.org>; Thu, 7 May 2015 09:11:54 -0700 (PDT)
Received: by iget9 with SMTP id t9so14417712ige.1 for <dnsop@ietf.org>; Thu, 07 May 2015 09:11:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=yBDf+/I5fpge8erECXwSiXBbsPl0o1qpv/w9Wc0WIgs=; b=w7z8+GOmfbxK6UF7MSVi24x+GCflq1752N5CD0mHTqaj92syFtW6E8EP90EqBqjrDJ lCkCH3/B+0rZ8WyJvKbRUYlVGuMhn8LM1oiB0ATZZIBaLRneojGkg44+ONYKRzrQsdjB 7jAgZhPIOClZRCwk9RiPt1+DqEJqdGtDfeVMUDkcqNiYGigc3Hr4s4cJEAtTL5Lq4oba j6TXPEcC0L049dIMuwBl4XoyxHGIWOJecb1goDsh2loB6aXRHjNv6fqb2EgGBNj3qH+F yBJw94FD3c8QYY061rT4gkQoIqpge76Tkxk82/i0KSHAjysCWapxaEWaYxITwX8J9yD4 nv8A==
MIME-Version: 1.0
X-Received: by 10.107.128.17 with SMTP id b17mr5759796iod.24.1431015113618; Thu, 07 May 2015 09:11:53 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.50.80 with HTTP; Thu, 7 May 2015 09:11:53 -0700 (PDT)
In-Reply-To: <20150506183324.GA67107@isc.org>
References: <20150501232130.GA13049@isc.org> <CAJE_bqe2FhYgCrOzh4ZRZYOO=YoJC3_QOoMwq1KLPbc30Y==mw@mail.gmail.com> <20150506183324.GA67107@isc.org>
Date: Thu, 07 May 2015 09:11:53 -0700
X-Google-Sender-Auth: AmYii6ZK8OUsvTRjyKCWW8_1hWE
Message-ID: <CAJE_bqc0uNC6DTsJLs8oeEka2MEXXPhbgijqAxFn7_awvQ_CPw@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Evan Hunt <each@isc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/uJT-QR1xhdRe3OVXu_D9ZJiMGB8>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Seeking discussion of draft-ietf-dnsop-cookies-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2015 16:11:55 -0000
At Wed, 6 May 2015 18:33:24 +0000, Evan Hunt <each@isc.org> wrote: > > Can someone explain why we'd need the separate error codes based on > > the position of supporting them (i.e, not to persuade others on > > dropping them)? msg13984.html was basically written to argue against > > them, so it could potentially and unintentionally be biased. I'll try > > to find any such explanation myself, but if someone already knows it > > better can do that, it would also help. > > "Next by thread" from msg13984 has Donald explaining his position, > though not in great detail. If I understand him correctly, he wants to > enable a server to include cookie errors even if it's chosen in this > case to return an otherwise normal NOERROR response to the client. Okay, so it seems to be a case where the YAGNI principle can apply. On the other hand, on reading the draft and https://www.ietf.org/mail-archive/web/dnsop/current/msg13984.html more closely, I can see some not-so-trivial difference. Assume DNS cookies are deployed sufficiently and some operators start refusing queries without cookies. Then an attacker that wants to spoof a victim client (probably for an amplification attack) would send queries with an invalid server cookie anyway. According to Section 7.2.4.1 of draft-ietf-dnsop-cookies-01, the server will still return the full size of response, so the attack will still be effective. On the other hand, a server implementation with the separate error code field can choose to send a minimal response with a valid server cookie according to Section 5.2.3 of the draft, thereby minimizing the risk of allowing amplification attacks while still allowing legitimate clients to bootstrap or re-synchronize. In the following part of msg13984.html: >> For (b) retrying should succeed. That said tc=1 would also be just as >> effective at triggering a retry. perhaps Mark tried to say we could achieve the same effect if the server returns a minimal size of response with TC bit on and with the correct server cookie. If it was his intent, it's true to some extent. But these two approaches are not entirely the same since using the TC bit has a side effect of forcing the use of TCP. So the choice does not seem to be a no-brainer to me. But, in the end, I wouldn't be opposed to the idea of removing the separate error code field. The above difference wouldn't be so substantial anyway, and wouldn't justify the introduction of a generic error code field. One last point I'd like to make is that, assuming the above understanding of mine is correct, I'd suggest including the TC bit hack in the initial protocol description. Since it has a side effect it's better to have it sooner so we can update the spec if early deployments suggest the need for it. -- JINMEI, Tatuya
- [DNSOP] Seeking discussion of draft-ietf-dnsop-co… Evan Hunt
- Re: [DNSOP] Seeking discussion of draft-ietf-dnso… Wessels, Duane
- Re: [DNSOP] Seeking discussion of draft-ietf-dnso… Shane Kerr
- Re: [DNSOP] Seeking discussion of draft-ietf-dnso… 神明達哉
- Re: [DNSOP] Seeking discussion of draft-ietf-dnso… Tim Wicinski
- Re: [DNSOP] Seeking discussion of draft-ietf-dnso… Evan Hunt
- Re: [DNSOP] Seeking discussion of draft-ietf-dnso… 神明達哉
- Re: [DNSOP] Seeking discussion of draft-ietf-dnso… Evan Hunt
- Re: [DNSOP] Seeking discussion of draft-ietf-dnso… Mark Andrews