IETF Logo Mail Archive

Re: increasing DNS message entropy, a solution for NATs

bmanning@vacation.karoshi.com Thu, 31 July 2008 09:58 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9771B3A6B11; Thu, 31 Jul 2008 02:58:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.485
X-Spam-Level:
X-Spam-Status: No, score=-102.485 tagged_above=-999 required=5 tests=[AWL=0.114, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uf3udkhZHMJ9; Thu, 31 Jul 2008 02:58:15 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 882833A6885; Thu, 31 Jul 2008 02:58:15 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KOUm2-000O0Z-5L for namedroppers-data@psg.com; Thu, 31 Jul 2008 09:48:42 +0000
Received: from [2001:478:6:0:230:48ff:fe11:220a] (helo=vacation.karoshi.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <bmanning@karoshi.com>) id 1KOUlx-000Nmf-LA for namedroppers@ops.ietf.org; Thu, 31 Jul 2008 09:48:40 +0000
Received: from karoshi.com (localhost.localdomain [127.0.0.1]) by vacation.karoshi.com (8.12.8/8.12.8) with ESMTP id m6V9l9up023378; Thu, 31 Jul 2008 09:47:10 GMT
Received: (from bmanning@localhost) by karoshi.com (8.12.8/8.12.8/Submit) id m6V9l9Yw023377; Thu, 31 Jul 2008 09:47:09 GMT
Date: Thu, 31 Jul 2008 09:47:09 +0000
From: bmanning@vacation.karoshi.com
To: Ray.Bellis@nominet.org.uk
Cc: Duane <duane@e164.org>, namedroppers@ops.ietf.org
Subject: Re: increasing DNS message entropy, a solution for NATs
Message-ID: <20080731094709.GA23362@vacation.karoshi.com.>
References: <48917DC8.7070004@e164.org> <OFCCB95657.08BB98E3-ON80257497.0032B72A-80257497.00337032@nominet.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <OFCCB95657.08BB98E3-ON80257497.0032B72A-80257497.00337032@nominet.org.uk>
User-Agent: Mutt/1.4.1i
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

On Thu, Jul 31, 2008 at 10:21:50AM +0100, Ray.Bellis@nominet.org.uk wrote:
> > Ok, so problem solved as far as I can see, someone just needs to tell
> > hardware companies to fix NAT + DNS and that's that.
> 
> Actually there's stacks of other stuff that the router manufacturers need 
> to fix relating to DNS, particularly w.r.t the DNS proxies contained in 
> most CPE:
> 
> -  tcp/53 support - currently almost non-existent
> -  DNSSEC support - some mfrs block DNSSEC queries
> -  EDNS0 - many DNS proxies can't do UDP fragment reassembly
> -  open udp/53 ports on the WAN interface
> -  probable "poor" PRNGs for port and QID selection (c.f. Ben's blog 
> article)
> 
> There's going to be a report published fairly soon containing the results 
> of a joint study between myself and a US-based researcher detailing which 
> routers have various deficiencies.
> 
> Ray
> 

	as long as your going to point fingers, jumbograms in general
	get the short shrift.  4k UDP... 9k large frame...  don't fit
	nicely in a SoHo device.

	Make sure you use/refer to David Piscatellos excellent study of
	firewalls.


--bill
	

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.45.0 | Report a Bug | By Email | System Status