Re: [secdir] SecDir Review of draft-ietf-dnsop-cookies-07

Yoav Nir <> Thu, 21 January 2016 13:12 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0C4C81B30F8; Thu, 21 Jan 2016 05:12:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ew9T6zqimzpl; Thu, 21 Jan 2016 05:12:43 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 338DE1B30F6; Thu, 21 Jan 2016 05:12:43 -0800 (PST)
Received: by with SMTP id r129so171638081wmr.0; Thu, 21 Jan 2016 05:12:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=K4omoXovJEzeGfzZZ5YLcw9cEy19X5ID8l3xwZaT/3M=; b=ojhNzojVMFWYyVs3WdTaV4BjNLFD3efpMsJuQMsiaz1Jp7FVZRxeiJfn9+ZSaKaPoL TL9KddSVClObCuIqLNtb/Fv/e2c8N2A5uoU6PsF94MVH5gYxaI+zLbm6Hl/GRUFwO2uw 3fgVL4KnTwpHZ0/xHojXDWOS4KzgejsDmG2mzKvJfQT0TKkBJgb7KOY1IKhJHmtIhzfq zzihv0Z/TnGwwb5TUc2etudwcaqOMhO8ype0kKSGxMO2oN3Vn9YP54qlBQZmOD04Sv3f U/8ICAZgiTps1HudIm2FjAAf9PE+rGJyyF8xbg86LQHPpKzl48vCNkPpTVm9TAN0MLmc MxfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:content-transfer-encoding:message-id:references:to; bh=K4omoXovJEzeGfzZZ5YLcw9cEy19X5ID8l3xwZaT/3M=; b=D9vgJ62w5AYM/PlsheG6NqaSPtCfJwtv8K8MnE18dhxT6/KvpKpfRWpvnJp1RWzYwy 36iBq+uXlSOgDDp7isVHPVqKCumsDWhlL9MPe79PZiac6HIymW8DUBKKP5cmvCb78EaA 1yLux6nqTeDxDuJDVUj9wKoAMzznKfOFD9iqBdcnaGnnH/tCzlZdLMOEZH36MLXydvgP IfoCnLfbvD5wv/R51CA9OXxEC8iiSTc0Sj2Kdn98ddQG6C1KSegP1YM7bCmnEevN8U4k m53vxl3LGqPOrBn+j5HhQLK1b9EF6srkqVXzPRzOs2roBofleVOazhkaG27XELCL2zEz Sa3A==
X-Gm-Message-State: AG10YOSGE+g+9OqkChpCdBwsrTYudVEl2O9VejRfQLzjHWoMXpOnM1qSLtY3FIWmeGRn0w==
X-Received: by with SMTP id 132mr9555707wmo.25.1453381961735; Thu, 21 Jan 2016 05:12:41 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id l67sm29812637wmf.11.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 21 Jan 2016 05:12:40 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Yoav Nir <>
In-Reply-To: <>
Date: Thu, 21 Jan 2016 15:12:38 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: secdir <>, The IESG <>,
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Subject: Re: [secdir] SecDir Review of draft-ietf-dnsop-cookies-07
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Jan 2016 13:12:45 -0000

Version -09 looks good to me. 

I still think they’re over-emphasizing how much this mechanism is weak, but this is style, not substance.


> On 8 Dec 2015, at 8:52 AM, Yoav Nir <> wrote:
> Hi.
> I have reviewed this document as part of the Security Directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the Security Area Directors.  Document authors, document editors, and WG chairs should treat these comments just as they would any other IETF Last Call comments.
> Version reviewed: draft-ietf-dnsop-cookies-07
> Summary: has issues.
> The draft describes a cookie mechanism (a little more complex than SYN cookies or IKEv2 cookies) to prevent DoS, specifically amplification attacks on the DNS, where an off-path attacker sends requests with spoofed source to a DNS server, causing a lot of DNS traffic towards the spoofed source.
> Section 5.5 describes what happens when a server rolls over its secret. If the server receives a server cookie fitting the previous server secret, it MUST reply with the new, correct, server cookie. This is implied, but IMO should be stated explicitly, because it is temptingly efficient to just copy the server cookie if it's valid (and a cookie matching the previous secret is considered valid for a while) into the response rather than re-calculating the server cookie before sending.
> An attacker could bypass the whole mechanism by not including the OPT, and the way to deal with this is rate limiting on the server for clients without valid cookies. I think this should be said explicitly in the Security Considerations section.
> Section 9.1 suggests as a cookie algorithm "HMAC-SHA256-64 [RFC6234]", which I take to be SHA-256 truncated to 64 bits. There is no such function (not any other truncation) in RFC 6234. Even shortened hashes that do exist in other documents, such as SHA512-256 are not simple truncations but also change the initialization vectors for the original hash function, although shortened HMACs such as those used in IPSec *are* simple truncations.
> Same section, it is not clear what the criteria are for selecting an algorithm. Specifically, I don't know what makes FNV strong enough whereas something else (CRC?) is not. I don't think there's a practical issue with FNV, but it would be better to state the goals.
> "To bypass the weak protection provided by using TCP requires, among other things, that an off-path attacker guessing the 32-bit TCP sequence number in use."
> s/guessing/guess/  or s/that an off-path attacker guessing/an off-path attacker to guess/
> The word "weak" is mentioned 18 times, in addition to related terms such as "limited protection". The mechanism does what it does. Sure it does not include 521-bit elliptic curve cryptography, but I don't think this needs to be mentioned so often.
> I think it should be mentioned that the cookie mechanism is stateless. Of course all of DNS is stateless, but it should be mentioned that the mechanism requires no per-client state on the *server*, but does require per-server state on the *client*.
> Section A.1: As mentioned above, I don't know the requirements for an algorithm. But just looking at the following example, I don't like the construction. So I set the secret to 0x3132333435363738, and considered two IP addresses: and Running both through FNV, I get the following:
>     FNV64("12345678abcd") = 0xb7fd1aee15822b05
>     FNV64("12345678abce") = 0xb7fd1aee15822b04
> On the other hand, if we reverse the order of secret and IP address, we get:
> 	FNV64("abcd12345678") = 0x6c1e749e200cc845
> 	FNV64("abce12345678") = 0x5d17f5e450f9a52c
> It seems like the FNV function is more sensitive to changes in earlier bytes than to changes in later bytes. So placing the IP address first makes this look more like a hash function. This is not a cryptographic argument, but I believe it should be better to put the IP address first.