[dnsext] DNS over SCTP and correcting security concerns
Douglas Otis <dotis@mail-abuse.org> Fri, 21 August 2009 01:55 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 515EF3A6B43; Thu, 20 Aug 2009 18:55:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.505
X-Spam-Level:
X-Spam-Status: No, score=-4.505 tagged_above=-999 required=5 tests=[AWL=-0.368, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydhZHeCd5LQK; Thu, 20 Aug 2009 18:55:19 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 51BF13A6885; Thu, 20 Aug 2009 18:55:18 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1MeJF3-000Pji-5H for namedroppers-data0@psg.com; Fri, 21 Aug 2009 01:48:33 +0000
Received: from [168.61.5.27] (helo=harry.mail-abuse.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <dotis@mail-abuse.org>) id 1MeJEz-000Phy-6i for namedroppers@ops.ietf.org; Fri, 21 Aug 2009 01:48:31 +0000
Received: from SJC-Office-NAT-214.mail-abuse.org (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id 97943A9443A; Fri, 21 Aug 2009 01:48:28 +0000 (UTC)
Message-ID: <4A8DFCEC.7090403@mail-abuse.org>
Date: Thu, 20 Aug 2009 18:48:28 -0700
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.1) Gecko/20090715 Thunderbird/3.0b3
MIME-Version: 1.0
To: IETF DNSEXT WG <namedroppers@ops.ietf.org>, Michael Tüx en <Michael.Tuexen@lurchi.franken.de>
Subject: [dnsext] DNS over SCTP and correcting security concerns
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>
Mea copa. A statement made regarding what was thought to have been security concerns related to SCTP tie-tags turned out to be based upon a dated understanding of SCTP. In reading recent drafts, important changes escaped notice. Michael Tüxen clarified how these issues have been resolved, and also mentioned these improvements have been incorporated in current releases of FreeBSD. FreeBSD also supports SCTP tunneling over UDP port 9899. http://tools.ietf.org/id/draft-ietf-sigtran-sctptunnel-00.txt Although Intel offers 1Gb NICs (82576) and 10Gb NICs (X520) that off-load SCTP checksum calculations, and offer i7-core processors that have CRC32c functions contained within the new SSE4 math coprocessor, it seems doubtful SCTP checksum offloading will work with tunneling. Nevertheless, use of the SSE4 math coprocessor should reduce the overhead for handling an SCTP tunneling option. The SCTP_AUTOCLOSE option in the one-to-many Socket mode appears ideal for DNS. When the SCTP_AUTOCLOSE option is set in a one-to-many socket, the application (DNS) is able to reuse assigned association IDs once the associations terminate automatically. The application would receive association change notifications to track unused association IDs. http://tools.ietf.org/html/draft-ietf-tsvwg-sctpsocket-19 Using SCTP_AUTOCLOSE should allow associations to remain persistent until no longer being used. This approach should reduce the overhead related with establishing an association, where repetitive transactions should obtain a significant benefit. In addition, any number of DNS messages can be bundled into a single packet that fits within the PMTU. Such bundling should also improve performance as well. -Doug
- [dnsext] DNS over SCTP and correcting security co… Douglas Otis