Re: resolver side mitigation
JINMEI Tatuya / 神明達哉 <Jinmei_Tatuya@isc.org> Thu, 28 August 2008 17:37 UTC
Date: Thu, 28 Aug 2008 10:29:46 -0700
Message-ID: <m2vdxljbed.wl%Jinmei_Tatuya@isc.org>
From: JINMEI Tatuya / 神明達哉 <Jinmei_Tatuya@isc.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>, Namedroppers <namedroppers@ops.ietf.org>
Subject: Re: resolver side mitigation
In-Reply-To: <20080828150415.GA18080@nic.fr>
References: <48B29A74.8020205@nlnetlabs.nl> <20080828150415.GA18080@nic.fr>
At Thu, 28 Aug 2008 17:04:15 +0200,
Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:

> > http://www.ietf.org/internet-drafts/draft-wijngaards-dnsext-resolver-side-mitigation-00.txt
> >
> > o source address randomisation
> >
> > If the resolver has multiple public IP addresses these can be used
> > to randomise with.
>
> With IPv4, this would add only one or two bits of entropy.
>
> But, with IPv6, there is a huge potential for randomisation, maybe 64
> bits of entropy if the resolver has a full /64.
>
> However, it has implications for the router's Neighbor Discovery
> cache. Did anyone try aggressive source address randomisation with
> IPv6 to see how far the router and/or server OS can go?

I've not played with this idea yet, but if I were to do it, I would
reserve a separate /64 for the server machine, assign any addresses
under that prefix on some "loopback" interface (with DAD disabled),
and let the server announce the prefix for neighboring routers (and
have them accept the route).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
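An added example, not part of either message above, that quantifies the entropy comparison in the quoted text (one or two bits from a small IPv4 address pool versus 64 bits from a full IPv6 /64) and draws a query's (source address, source port, transaction ID) tuple the way a resolver doing source address randomisation would. The /64 and the IPv4 pool are constructed documentation values, and the ephemeral port range is an assumption; binding the whole /64 locally so the kernel will emit from any address under it is the "loopback interface" setup Jinmei describes, and this code only models the address choice, not that configuration.

```python
import ipaddress
import math
import secrets

# Constructed example values (RFC 5737 / RFC 3849 documentation space), not from the thread.
IPV6_PREFIX = ipaddress.ip_network("2001:db8:53::/64")
IPV4_POOL = [ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("192.0.2.2")]
PORT_RANGE = (1024, 65535)  # assumed inclusive ephemeral range for the query source port


def random_address(prefix_or_pool):
    """Pick a query source address uniformly from an IPv6 /64 or from a list of IPv4 addresses."""
    if isinstance(prefix_or_pool, ipaddress.IPv6Network):
        # With the entire /64 bound locally, every interface-identifier value is usable,
        # so the choice is uniform over all 2**64 addresses under the prefix.
        return prefix_or_pool[secrets.randbelow(prefix_or_pool.num_addresses)]
    return secrets.choice(prefix_or_pool)


def random_port(port_range=PORT_RANGE):
    """Uniform source port from the ephemeral range (inclusive bounds)."""
    low, high = port_range
    return low + secrets.randbelow(high - low + 1)


def random_txid():
    """Uniform 16-bit DNS transaction ID."""
    return secrets.randbelow(1 << 16)


def make_query_tuple(prefix_or_pool, port_range=PORT_RANGE):
    """The three values an off-path attacker must guess to forge an acceptable answer."""
    return random_address(prefix_or_pool), random_port(port_range), random_txid()


def address_entropy_bits(prefix_or_pool):
    """Bits of entropy contributed by the source address alone."""
    if isinstance(prefix_or_pool, ipaddress.IPv6Network):
        return math.log2(prefix_or_pool.num_addresses)  # 64.0 for a /64
    return math.log2(len(prefix_or_pool))  # 1.0 for two IPv4 addresses


def total_entropy_bits(prefix_or_pool, port_range=PORT_RANGE):
    """Address entropy plus source-port entropy plus the 16-bit transaction ID."""
    low, high = port_range
    return address_entropy_bits(prefix_or_pool) + math.log2(high - low + 1) + 16
```

The ND cache concern in the quoted message is what the loopback-plus-route approach avoids: when the upstream router has a route for the whole /64 to the server, it needs one neighbour entry for the server rather than one per source address used.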