IETF Logo Mail Archive

Re: [DNSOP] Seeking discussion of draft-ietf-dnsop-cookies-01

Mark Andrews <marka@isc.org> Fri, 08 May 2015 02:24 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 485211A873C for <dnsop@ietfa.amsl.com>; Thu, 7 May 2015 19:24:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.611
X-Spam-Level:
X-Spam-Status: No, score=-1.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hpgJiQHirOQf for <dnsop@ietfa.amsl.com>; Thu, 7 May 2015 19:24:16 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D81C1A8737 for <dnsop@ietf.org>; Thu, 7 May 2015 19:24:16 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.ams1.isc.org (Postfix) with ESMTPS id 8B5BB1FCADC; Fri, 8 May 2015 02:24:12 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id D6021160083; Fri, 8 May 2015 02:24:26 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A68FC160082; Fri, 8 May 2015 02:24:26 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id wauuIaPZ27Vf; Fri, 8 May 2015 02:24:26 +0000 (UTC)
Received: from rock.dv.isc.org (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id E7D7D160033; Fri, 8 May 2015 02:24:25 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 4147D2DEB525; Fri, 8 May 2015 12:24:08 +1000 (EST)
To: 神明達哉 <jinmei@wide.ad.jp>
From: Mark Andrews <marka@isc.org>
References: <20150501232130.GA13049@isc.org> <CAJE_bqe2FhYgCrOzh4ZRZYOO=YoJC3_QOoMwq1KLPbc30Y==mw@mail.gmail.com> <20150506183324.GA67107@isc.org> <CAJE_bqc0uNC6DTsJLs8oeEka2MEXXPhbgijqAxFn7_awvQ_CPw@mail.gmail.com>
In-reply-to: Your message of "Thu, 07 May 2015 09:11:53 -0700." <CAJE_bqc0uNC6DTsJLs8oeEka2MEXXPhbgijqAxFn7_awvQ_CPw@mail.gmail.com>
Date: Fri, 08 May 2015 12:24:07 +1000
Message-Id: <20150508022408.4147D2DEB525@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/y1uM0jbmc5r6JNcd8YpKv3pYC98>
Cc: Evan Hunt <each@isc.org>, IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Seeking discussion of draft-ietf-dnsop-cookies-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2015 02:24:18 -0000

In message <CAJE_bqc0uNC6DTsJLs8oeEka2MEXXPhbgijqAxFn7_awvQ_CPw@mail.gmail.com>
, =?UTF-8?B?56We5piO6YGU5ZOJ?= writes:
> At Wed, 6 May 2015 18:33:24 +0000,
> Evan Hunt <each@isc.org> wrote:
> 
> > > Can someone explain why we'd need the separate error codes based on
> > > the position of supporting them (i.e, not to persuade others on
> > > dropping them)?  msg13984.html was basically written to argue against
> > > them, so it could potentially and unintentionally be biased.  I'll try
> > > to find any such explanation myself, but if someone already knows it
> > > better can do that, it would also help.
> >
> > "Next by thread" from msg13984 has Donald explaining his position,
> > though not in great detail. If I understand him correctly, he wants to
> > enable a server to include cookie errors even if it's chosen in this
> > case to return an otherwise normal NOERROR response to the client.
> 
> Okay, so it seems to be a case where the YAGNI principle can apply.
> 
> On the other hand, on reading the draft and
> https://www.ietf.org/mail-archive/web/dnsop/current/msg13984.html
> more closely, I can see some not-so-trivial difference.  Assume DNS
> cookies are deployed sufficiently and some operators start refusing
> queries without cookies.  Then an attacker that wants to spoof a
> victim client (probably for an amplification attack) would send
> queries with an invalid server cookie anyway.  According to Section
> 7.2.4.1 of draft-ietf-dnsop-cookies-01, the server will still return
> the full size of response, so the attack will still be effective.  On
> the other hand, a server implementation with the separate error code
> field can choose to send a minimal response with a valid server cookie
> according to Section 5.2.3 of the draft, thereby minimizing the risk
> of allowing amplification attacks while still allowing legitimate
> clients to bootstrap or re-synchronize.
> 
> In the following part of msg13984.html:
> 
> >> For (b) retrying should succeed.  That said tc=1 would also be just as
> >> effective at triggering a retry.
> 
> perhaps Mark tried to say we could achieve the same effect if the
> server returns a minimal size of response with TC bit on and with the
> correct server cookie.  If it was his intent, it's true to some
> extent.  But these two approaches are not entirely the same since
> using the TC bit has a side effect of forcing the use of TCP.

Which gets the client/server what is needed for this and future
transaction.  It avoids the two denial of service senarios below.

Just sending back BADCOOKIE leads to a potential denial of service
with misconfigured anycast servers with differing shared secrets /
server cookie algorithms.

Just sending back NEEDCOOKIE leads to a potential denial of service
when DNS COOKIE is not understood.

Additionally a server can choose to send a minimal response rather
than a full response or TC=1.  In both cases it is a unverified
query source and should be handled like all unverified query sources.

I also have a hard time envisioning a client that supports DNS
COOKIES not sending a DNS COOKIE by the time one could reliably
send back NEEDCOOKIE and have it reliably acted on.  The only reason
for not sending a DNS COOKIE in the first place would be to handle
broken EDNS servers and that is a solvable problem if everyone that
depend on the DNS for their pay cheque does their bit to fix it.

At the moment sending back NEEDCOOKIE would be equivalent to REFUSED
and I don't see the equivalence changing.

> So the choice does not seem to be a no-brainer to me.  But, in the
> end, I wouldn't be opposed to the idea of removing the separate error
> code field.  The above difference wouldn't be so substantial anyway,
> and wouldn't justify the introduction of a generic error code field.
> 
> One last point I'd like to make is that, assuming the above
> understanding of mine is correct, I'd suggest including the TC bit
> hack in the initial protocol description.  Since it has a side effect
> it's better to have it sooner so we can update the spec if early
> deployments suggest the need for it.
>
> --
> JINMEI, Tatuya
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email