Re: increasing DNS message entropy, a solution for NATs

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Mon, 21 July 2008 23:18 UTC

Message-ID: <488517CE.6060404@necom830.hpcl.titech.ac.jp>
Date: Tue, 22 Jul 2008 08:12:14 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
To: Roy Arends <roy@nominet.org.uk>
CC: namedroppers@ops.ietf.org, Alessandro.Linari@nominet.org.uk
Subject: Re: increasing DNS message entropy, a solution for NATs
References: <OF6B63EC19.5E0A6D58-ON8025748D.003A54A9-C125748D.003E1133@nominet.org.uk>
In-Reply-To: <OF6B63EC19.5E0A6D58-ON8025748D.003A54A9-C125748D.003E1133@nominet.org.uk>

Roy Arends wrote:

> The proposed solution to solve the problem highlighted by Dan Kaminsky is

The proper reference is section 2.2 of RFC3833 published in 2004.
 
> randomizing source ports. As some have mentioned, NAT/PAT scenarios do not 
> benefit from this solution. 

> No, this discussion is about resolvers talking to authoritative servers.

What? Resolvers behind NAT/PAT are directly talking to authoritative
servers?

You should first document all the possible scenarios to combine DNS
and NAT/PAT.

> This does 
> require a change to the resolver, but not to the authoritative server.

Given possible caching on NAT/PAT and everywhere, you must update
entire resolver chains between stub resolvers and authoritative
servers, which is practically impossible.

						Masataka Ohta
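To make the point under discussion concrete (a resolver that randomizes its source port gains nothing if a NAT/PAT in front of it rewrites ports sequentially), here is a small model plus the consecutive-port check an operator can run on a capture of the resolver's queries taken outside the NAT. This is an added example, not code from the thread or from any NAT implementation; the sequential port pool, the 16-port window and the "more than half" rule of thumb are assumptions.

```python
import random

# Constructed model, not code from the thread. The resolver randomizes both
# the 16-bit transaction ID and the UDP source port, as RFC 3833 section 2.2
# recommends against off-path forgery.
def resolver_queries(n, rng):
    """Return n (txid, source_port) tuples as the resolver emits them."""
    return [(rng.randrange(1 << 16), rng.randrange(1024, 1 << 16))
            for _ in range(n)]

# Assumed NAT/PAT behaviour (one common implementation, not the only one):
# each new outbound UDP flow is mapped to the next port of a sequential pool,
# so the randomization chosen by the resolver is gone on the outside.
def sequential_pat(queries, first_port=30000):
    """Rewrite the source port of every query; transaction IDs pass through."""
    return [(txid, first_port + i) for i, (txid, _) in enumerate(queries)]

def predictable_fraction(queries, window=16):
    """Fraction of consecutive queries whose source ports differ by at most
    `window`. Close to 0 for random ports, exactly 1.0 for a sequential pool."""
    ports = [port for _, port in queries]
    close = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) <= window)
    return close / (len(ports) - 1)

def assess(queries):
    """Summarize what the authoritative server (or a capture taken outside
    the NAT) actually sees. Rule of thumb (assumed): if more than half of the
    consecutive ports are neighbours, the port adds almost no entropy and only
    the 16-bit transaction ID is left as protection."""
    frac = predictable_fraction(queries)
    return {
        "distinct_ports": len({port for _, port in queries}),
        "predictable_fraction": frac,
        "port_randomization_effective": frac < 0.5,
    }

if __name__ == "__main__":
    rng = random.Random(2008)            # fixed seed so the run is reproducible
    inside = resolver_queries(200, rng)  # what the resolver sends
    outside = sequential_pat(inside)     # what leaves the NAT
    print("inside NAT :", assess(inside))
    print("outside NAT:", assess(outside))
```

Running the same check against queries observed on the far side of a port-rewriting NAT is how an operator confirms whether the resolver's randomization actually reaches the authoritative server.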



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>