[Gen-art] RE: Last Call: 'IPv6 Router Advertisement Option for DNS Configuration' to Experimental RFC (draft-jeong-dnsop-ipv6-dns-discovery)
"Jaehoon Jeong" <jeong015@umn.edu> Tue, 11 July 2006 15:59 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G0Ke9-0007Un-ID; Tue, 11 Jul 2006 11:59:37 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G0KM5-0005BJ-P7 for gen-art@ietf.org; Tue, 11 Jul 2006 11:40:57 -0400
Received: from mtaout-a.tc.umn.edu ([134.84.119.206]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G0KDT-0008Km-Jw for gen-art@ietf.org; Tue, 11 Jul 2006 11:32:04 -0400
Received: from JAEHOON (x84-5-115.vpn.umn.edu [134.84.5.115]) by mtaout-a.tc.umn.edu with ESMTP; Tue, 11 Jul 2006 10:32:02 -0500 (CDT)
X-Umn-Remote-Mta: [N] x84-5-115.vpn.umn.edu [134.84.5.115] #+LO+TS+AU+HN
From: Jaehoon Jeong <jeong015@umn.edu>
To: "'Gray, Eric'" <Eric.Gray@marconi.com>
Date: Tue, 11 Jul 2006 10:32:01 -0500
Message-ID: <001201c6a4ff$280c0550$48055486@JAEHOON>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <0BF76B30C100624BA997C9CED19D81250A5F75@uspitsmsgusr08.win.marconi.com>
Thread-Index: AcacaC/aePEkkkl3QWCemT3p3cKYvwIlneqA
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
X-Spam-Score: 0.5 (/)
X-Scan-Signature: 6907f330301e69261fa73bed91449a20
Cc: jjeong@cs.umn.edu, 'Mark Townsley' <townsley@cisco.com>, gen-art@ietf.org, bob.hinden@nokia.com
Subject: [Gen-art] RE: Last Call: 'IPv6 Router Advertisement Option for DNS Configuration' to Experimental RFC (draft-jeong-dnsop-ipv6-dns-discovery)
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
Hi Eric, I tried to qualify my claim in section 7 (security considerations). You can see the following revised draft reflecting all the comments from you and others during this last call: http://www-users.cs.umn.edu/~jjeong/publications/ietf-internet-draft/draft-j eong-dnsop-ipv6-dns-discovery-09.txt Thanks. Paul > -----Original Message----- > From: Gray, Eric [mailto:Eric.Gray@marconi.com] > Sent: Friday, June 30, 2006 11:54 AM > To: jjeong@cs.umn.edu > Cc: gen-art@ietf.org; Mark Townsley > Subject: RE: Last Call: 'IPv6 Router Advertisement Option for DNS Configuration' to > Experimental RFC (draft-jeong-dnsop-ipv6-dns-discovery) > > Paul, > > This change would also satisfy my concerns with section 7 > (with the exception that you should also qualify the statements > that currently imply that the proposal does not introduce new > security risks). > > I omitted the IPv6 mailing list as they have not seen my > comments... > > -- > Eric > > --> -----Original Message----- > --> From: jjeong@cs.umn.edu [mailto:jjeong@cs.umn.edu] > --> Sent: Friday, June 30, 2006 10:37 AM > --> To: pekkas@netcore.fi; jinmei@wide.ad.jp > --> Cc: ipv6@ietf.org; iesg@ietf.org > --> Subject: RE: Last Call: 'IPv6 Router Advertisement Option > --> for DNS Configuration' to Experimental RFC > --> (draft-jeong-dnsop-ipv6-dns-discovery) > --> > --> Hi Pekka and Jinmei, > --> > --> I agree with you at the security issue related to "S flag" > --> for the open > --> RDNSS service. So I would like to add the following text to > --> the next > --> version of my draft: > --> > --> ------------------------------------------------------------ > --> --------------- > --> In page 6, > --> OLD: > --> S 1-bit "Service open" flag. When set, > --> it indicates > --> that RDNSS(es) in the option can be > --> available for > --> IPv6 hosts when they are detached > --> from the origin > --> subnet where they obtained the > --> RDNSSes. This flag > --> SHOULD be set only if the routers or > --> firewalls in > --> the network allow DNS Query messages > --> to be routed > --> to the destination RDNSS without > --> being filtered > --> out, and the RDNSS is configured to perform > --> recursive queries for all hosts regardless of > --> their addresses. > --> > --> NEW: > --> S 1-bit "Service open" flag. When set, > --> it indicates > --> that RDNSS(es) in the option can be > --> available for > --> IPv6 hosts when they are detached > --> from the origin > --> subnet where they obtained the > --> RDNSSes. This flag > --> SHOULD be set only if the routers or > --> firewalls in > --> the network allow DNS Query messages > --> to be routed > --> to the destination RDNSS without > --> being filtered > --> out, and the RDNSS is configured to perform > --> recursive queries for all hosts regardless of > --> their addresses. Refer to Section 7 (Security > --> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > --> Considerations) for the security > --> issue related to > --> > --> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > --> S flag. > --> ^^^^^^^ > --> > --> In page 10, > --> NEW: > --> 7. Security Considerations > --> ... > --> > --> When the RDNSSes are open to any hosts with "S flag", > --> they might be > --> used as reflectors on DOS attacks [14]. In order to > --> prevent such DoS > --> attacks from the hosts using spoofed source addresses, > --> the ingress > --> filtering can be applied for the source IP addresses of DNS Query > --> messages [15]. The locally roaming hosts can be > --> provided with the > --> recursive DNS resolution service within an > --> administratively managed > --> network, such as company network and campus network, > --> with the ingress > --> filtering based on the source IP addresses of DNS Query > --> messages. To > --> provide the globally roaming hosts with the recursive > --> DNS resolution > --> service, the TSIG-based authentication can be used for > --> authenticating > --> the hosts [14][16]. > --> > --> ... > --> > --> [14] Damas, J. and F. Neves, "Preventing Use of Nameservers in > --> Reflector Attacks", > --> draft-ietf-dnsop-reflectors-are-evil-01.txt (Work > --> in Progress), > --> June 2006. > --> > --> [15] Ferguson, P. and D. Senie, "Network Ingress Filtering: > --> Defeating Denial of Service Attacks which employ IP Source > --> Address Spoofing", BCP 38, RFC 2827, May 2000. > --> > --> [16] Vixie, P., Gudmundsson, O., Eastlake, D., and B. > --> Wellington, > --> "Secret Key Transaction Authentication for DNS (TSIG)", > --> RFC 2845, May 2000. > --> ------------------------------------------------------------ > --> --------------- > --> > --> Thanks. > --> > --> Paul > --> > --> > -----Original Message----- From: Pekka Savola > --> [mailto:pekkas@netcore.fi] > --> > Sent: Friday, June 30, 2006 2:01 AM To: JINMEI Tatuya Cc: > --> ipv6@ietf.org; > --> > iesg@ietf.org Subject: Re: Last Call: 'IPv6 Router > --> Advertisement Option > --> > for DNS Configuration' to Experimental RFC > --> > (draft-jeong-dnsop-ipv6-dns-discovery) > --> > > --> > On Fri, 30 Jun 2006, JINMEI Tatuya wrote: > --> > > This time I'm also copying the ipv6 list. In fact, > --> ipv6@ietf would be > --> > > more suitable place for discussions on this proposal, > --> since it's an > --> > > extension to ND. > --> > ... > --> > > --> > Disclaimer: router-side support for this has been added (as it was > --> > contributed by others) to radvd which I maintain. > --> However, I do not > --> > have a strong opinion on this topic one way or the other. > --> > > --> > If this goes forward, as an implementor I'd like to get > --> IANA codepoint > --> > assigned quickly so that experiments would interoperate (and > --> > implementors wouldn't need to steal the next unused value > --> or wait for > --> > draft-fenner-iana-exp-2780-05.txt to get published). > --> > > --> > [whether IPv6 ND was designed for applictions above layer-3] > --> > > So, > --> > > + I'd first like to confirm whether my understanding about the > --> > > 'design principle' is correct. If it's wrong, then > --> I'm fine and > --> > > this concern will be resolved. > --> > > + if my understanding is correct, I'd like this > --> document to discuss > --> > > why this particular option is so special and needs > --> to be defined > --> > > despite the violation of the principle, and to add > --> an explicit > --> > > note that configuration information around this > --> layer should not > --> > > be provided via RA unless there is a very strong reason. > --> > > --> > The IETF doesn't do a very good job of documenting (and gaining > --> > consensus on) its design principles, so for any opinions > --> you might get > --> > on this, you would also have opposite opinions, and hence > --> I'm not sure > --> > how useful pursuing this line of argument is. > --> > > --> > I guess this underlines that to avoid fuss like this in > --> the future, > --> > better documentation of design principles might avoid ratholes. > --> > > --> > >> This flag > --> > >> SHOULD be set only if the routers > --> or firewalls in > --> > >> the network allow DNS Query > --> messages to be routed > --> > >> to the destination RDNSS without > --> being filtered > --> > >> out, and the RDNSS is configured to perform > --> > >> recursive queries for all hosts > --> regardless of > --> > >> their addresses. > --> > > > --> > >My understanding is that current operational trend is generally > --> > >against such "open recursive servers" as documented in > --> > >draft-ietf-dnsop-reflectors-are-evil-00.txt. So I'm > --> skeptical about > --> > >the usefulness of this flag. Standardizing such a > --> practice may even > --> > >be regarded as a conflict with the operational trend. > --> > > > --> > >I don't have a strong opinion by pointing it out, but I might > --> > >consider removing this flag. > --> > > --> > This is a good point and at the very least should be > --> pointed out in > --> > the security considerations. However, the text as > --> written does not > --> > preclude DNS server requiring other form of identification (e.g., > --> > TSIG) instead of addresses. In practice, I doubt such > --> authentication > --> > would be used very often. > --> > > --> > -- > --> > Pekka Savola "You each name yourselves > --> king, yet the > --> > Netcore Oy kingdom bleeds." > --> > Systems. Networks. Security. -- George R.R. Martin: A > --> Clash of Kings > --> > --> > --> -------------------------------------------------------------------- > --> IETF IPv6 working group mailing list > --> ipv6@ietf.org > --> Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 > --> -------------------------------------------------------------------- > --> _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] RE: Last Call: 'IPv6 Router Advertiseme… Gray, Eric
- [Gen-art] RE: Last Call: 'IPv6 Router Advertiseme… Jaehoon Jeong