Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

Paul Wouters <paul@nohats.ca> Mon, 28 September 2015 14:39 UTC

Date: Mon, 28 Sep 2015 10:39:04 -0400
From: Paul Wouters <paul@nohats.ca>
To: Mukund Sivaraman <muks@isc.org>
In-Reply-To: <20150927025914.GA31910@jurassic.l0.malgudi.org>
Message-ID: <alpine.LFD.2.20.1509281034040.25357@bofh.nohats.ca>
References: <20150926191009.28433.58915.idtracker@ietfa.amsl.com> <20150926191551.GA32562@jurassic.l0.malgudi.org> <6944DF48-2A47-4E75-801F-37BEA19A1CCD@vpnc.org> <20150927000309.GA17973@jurassic.l0.malgudi.org> <F53FA522-E92B-420B-9C12-6D64AC9DD5D4@vpnc.org> <20150927025914.GA31910@jurassic.l0.malgudi.org>
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/vG_ju5mY-CqxP8l-YhHGhIbl-go>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

On Sun, 27 Sep 2015, Mukund Sivaraman wrote:

> UDP has a header checksum that can notice message modification when in
> use. Sometimes this may be 0 if the sender host did not generate a
> checksum. This draft adds one in the application layer alongside a nonce
> known to the client. Together they are meant to thwart any possibility
> of different kinds of off-path cache-poisoning attacks.

There is other work happening that accomplishes the same. The DPRIVE
work to add TLS and long-lived TCP, the DNS cookies, and of course
DNSSEC itself. I don't really see the need to add another mechanism to
help against non-DNSSEC spoofing attacks.

> There are practical issues with TCP which are still currently prevalent:
>
> 1. The 3 way handshake doubles the number of roundtrips necessary before
> an answer is received.

But with clarifications like edns-tcp-keepalive, we are hoping that
clients can keep TCP connections to resolvers open for much longer,
so that TCP does not really have more overhead than UDP.

This draft also does nothing for on-path attackers.

Paul
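The two integrity checks the thread contrasts, modelled as an added example that is not code from the draft, from ISC or from anyone on the list: the RFC 768 UDP checksum over an IPv4 pseudo-header (including the "0 means the sender did not compute one" case the quoted text mentions), and a toy nonce-bound application-layer digest. The second part is a sketch of the idea only; the SHA-256 construction, the 16-byte nonce, the function names and the constructed DNS-looking payload are assumptions of this example, not the wire format of draft-muks-dns-message-checksums.

```python
"""Integrity checks from the thread, in pure Python (example, not the draft's format).

Part 1: RFC 768 UDP checksum with the IPv4 pseudo-header. Over IPv4 the
checksum is optional; a zero field means "not computed".
Part 2: a toy digest binding a response to a client-chosen nonce. This is
an illustration of the idea, not the draft's actual encoding.
"""
import hashlib
import hmac
import ipaddress
import secrets
import struct

UDP_PROTOCOL = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd length with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _udp_pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, UDP length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length))


def udp_checksum(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> int:
    """Checksum a sender places in the UDP header; never 0, since 0 means absent."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    data = _udp_pseudo_header(src_ip, dst_ip, length) + header + payload
    csum = ~ones_complement_sum(data) & 0xFFFF
    return csum or 0xFFFF                     # RFC 768: a computed 0 is sent as 0xFFFF


def udp_checksum_status(src_ip, dst_ip, src_port, dst_port, payload, received: int):
    """Receiver check: None if the sender sent no checksum, else True/False."""
    if received == 0:
        return None                           # IPv4 lets the sender omit it entirely
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, received)
    data = _udp_pseudo_header(src_ip, dst_ip, length) + header + payload
    return ones_complement_sum(data) == 0xFFFF


# --- Part 2: nonce-bound application-layer digest (toy model, assumed design) ---

def new_nonce() -> bytes:
    """Client-side nonce; 16 bytes is this example's choice."""
    return secrets.token_bytes(16)


def bind(nonce: bytes, message: bytes) -> bytes:
    """Digest over the client's nonce followed by the message it covers."""
    return hashlib.sha256(nonce + message).digest()


def verify_bound(nonce: bytes, message: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the expected and received digests."""
    return hmac.compare_digest(bind(nonce, message), digest)


# Constructed sample: a minimal DNS-looking query for example.com, not a capture.
SAMPLE_PAYLOAD = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                  + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
SRC, DST, SPORT, DPORT = "192.0.2.1", "192.0.2.53", 40000, 53

if __name__ == "__main__":
    csum = udp_checksum(SRC, DST, SPORT, DPORT, SAMPLE_PAYLOAD)
    print("udp checksum 0x%04x verifies:" % csum,
          udp_checksum_status(SRC, DST, SPORT, DPORT, SAMPLE_PAYLOAD, csum))
    print("sender omitted checksum ->",
          udp_checksum_status(SRC, DST, SPORT, DPORT, SAMPLE_PAYLOAD, 0))
    nonce = new_nonce()
    digest = bind(nonce, SAMPLE_PAYLOAD)
    print("digest with matching nonce:", verify_bound(nonce, SAMPLE_PAYLOAD, digest))
    print("digest with another nonce:", verify_bound(new_nonce(), SAMPLE_PAYLOAD, digest))
```

The UDP part shows why the quoted text treats the transport checksum as unreliable: a receiver seeing 0 has nothing to verify. The digest part shows what a nonce buys and what it does not: a response whose digest was computed under a different nonce, or whose body changed in transit, fails verification, but the digest carries no secret, so it detects corruption and blind forgery only; anyone who sees both the nonce and the message can recompute it, which is the on-path limitation the reply points out.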