Re: [secdir] Secdir review of draft-ietf-dnsop-dns-tcp-requirements-12
"Wessels, Duane" <dwessels@verisign.com> Tue, 07 September 2021 16:37 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1025B3A1333; Tue, 7 Sep 2021 09:37:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kpp1HtL7F0MQ; Tue, 7 Sep 2021 09:37:11 -0700 (PDT)
Received: from mail5.verisign.com (mail5.verisign.com [69.58.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 468D03A132F; Tue, 7 Sep 2021 09:37:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=10581; q=dns/txt; s=VRSN; t=1631032631; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=KxyAxjTMPrOx6+u9W4Sbh26sUHVaxbLom7n9Q9FJwVw=; b=dk/Wq/wllK09FOvkfqSscV38QA7Wjb0DQ2ANfVBx5cRERbsS1DWSbeLJ yXeFCxkchoWTini/78sgEP0DCMuVBaUHPHB9NKL/Dub+CHBt8931p8cbS q2j/fkrIIMQo3VnZ+W+MgoC6VYqlZlv1aMtZCSJxRlPZzpxuAxFx7BWI1 nLf80TCGNSk9nEYPdJ8HJlX+YAkCGvcV5nj7Ri1VyuWJ45FfaSulD9bqF ZoSBQSkUXJe5+ZvLtNgDwfGTJg/WwdPxuwTs9mbdMHjWIr9bhGjl2fFzg 6NgoIFwF+t0Ku2bmptH31cdhRUT0yUgbihILxVWAZLhaUYbEv3vzO8AMD w==;
IronPort-SDR: 5tcTk5Ij46ppS/PAb1EFQ8VPZFpKGpfFnHCfbpDTqPyd8eZLfPx2f8hF8sxEHP3UpjKtmLuSk6 q+uvDEbyiZl9n6mLArrJeE6Z0gJQyzC64uXaw1ohyRWo1M0DvHNtcyLr0ItUWmIkplYkE4xPqx BlCz5/9UIYrx56ImLuyjrbu4bd+k+qBDVOb2kVA2tEk+YnbY5SWwFEH7hdeJlCKKmXFq9OQuIp o43/MJEVwAs5j30zzHoJVfIZ4qcDORd9NfANk2Y2h935ZSa1bf3VAwzUBZ+2k/EUrY3ujXpZDU DMY=
IronPort-HdrOrdr: A9a23:5WGbJ6l9NYTb7Wwp9jSDbUtfmwjpDfIP3DAbv31ZSRFFG/Fwz/ re+Mjy1XfP5Ar5K0tQ/uxoWZPwO080mqQU3WB8B92ftUzdyQ6VxeJZnPbfKl/bak7DH4dmvM 8KT0E9MqyTMbEQt6nHCXyDcurIt+PozEnHv4rjJjxWPGdXgulbnn5E4pbyKDwPeOBpP+tDKK ah
X-IronPort-AV: E=Sophos; i="5.85,274,1624334400"; d="p7s'?scan'208"; a="9526822"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8; Tue, 7 Sep 2021 12:37:09 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.2308.008; Tue, 7 Sep 2021 12:37:09 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Alan DeKok <aland@freeradius.org>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org>
Thread-Topic: [EXTERNAL] Secdir review of draft-ietf-dnsop-dns-tcp-requirements-12
Thread-Index: AQHXm4IW1D9iX4Pn7k6ITpXUHmZR5auZGT2A
Date: Tue, 07 Sep 2021 16:37:09 +0000
Message-ID: <A0E6D1E5-0226-4AE2-86B3-4C7A1EDF24A8@verisign.com>
References: <0DA9ABEC-E5F0-4479-B3D7-F03E6BEB7DF9@freeradius.org>
In-Reply-To: <0DA9ABEC-E5F0-4479-B3D7-F03E6BEB7DF9@freeradius.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.7)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_A88A1800-5DDF-4A3A-B083-C640063BFEE2"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/IBXTBMqRi9_269U9pz54fM6wKUA>
Subject: Re: [secdir] Secdir review of draft-ietf-dnsop-dns-tcp-requirements-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2021 16:37:16 -0000
> On Aug 27, 2021, at 1:28 PM, Alan DeKok <aland@freeradius.org> wrote: > > Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. > > Reviewer: Alan DeKok > Review result: Has nits > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > Over all, I think this document is clear, useful and well written. > > Section 1 says: > > ... Section 6.1.3.2 to clarify that all DNS resolvers and recursive MUST > support and service both TCP and UDP queries. > > NIT: bare "recursive" should perhaps be "recursive servers", to match similar text elsewhere in the document. Done. > > > It may be good to update Section 3 with notes on "head of line blocking". This text could arguably be in RFC 7766, but having it here is a reasonable alternative: > > When using UDP as a transport for DNS, there is no ordering of > packets. If a packet is lost, that loss has no > effect on subsequent packets sent by that client or server. > > Unlike UDP, TCP is subject to issues related to Head of Line (HoL) > blocking. This occurs when a TCP segment is lost and a subsequent > TCP segment arrives out of order. While the DNS implementation can > process DNS packets out of order, the semantics of TCP makes this > impossible. This limitation can lower the maximum packet processing > rate of DNS over TCP. To fit this in I added a whole new subsection to History of DNS over TCP. It might be more than you were expecting but I thought it would be helpful to have the background on head-of-line blocking issues. 2.6. Reuse, Pipelining, and Out-of-Order Processing The idea that a TCP connection can support multiple transactions goes back as far as [RFC0883], which states: "Multiple messages may be sent over a virtual circuit." Although [RFC1035], which updates the former, omits this particular detail, it has been generally accepted that a TCP connection can be used for more than one query and response. [RFC5966] clarified that servers are not required to preserve the order of queries and responses over any transport. [RFC7766], which updates the former, further encourages query pipelining over TCP to achieve performance on par with UDP. A server that sends out-of- order responses to pipelined queries avoids head-of-line blocking when the response for a later query is ready before the response to an earlier query. However, TCP can potentially suffer from a different head-of-line blocking problem due to packet loss. Since TCP itself enforces ordering, a single lost segment delays delivery of data in any following segments until the lost segment is retransmitted and successfully received. > > Section 6 says: > > Developers SHOULD also keep in mind connection reuse, query > pipelining, and out-of-order responses when building and testing DNS > monitoring applications. > > It would also be good to note that if the monitoring software tracks requests and responses, then clients could potentially attack the monitoring software, too. i.e. by sending large volumes of requests to "black hole" IPs, which will never get a response. So the monitoring software should have both timeouts for request/response tracking, and also limit the total number of request/responses which are monitored. This part of section 6 now says: Applications that capture network packets (e.g., with libpcap [libpcap]) SHOULD implement and perform full TCP segment reassembly. Furthermore, as with real TCP, such applications need to protect themselves from resource exhaustion attacks by limiting the amount of memory allocated to tracking unacknowledged connection state data. FYI we are tracking this in github at https://github.com/jtkristoff/draft-ietf-dnsop-dns-tcp-requirements/pull/6/files if that is helpful. DW
- [secdir] Secdir review of draft-ietf-dnsop-dns-tc… Alan DeKok
- Re: [secdir] Secdir review of draft-ietf-dnsop-dn… Wessels, Duane
- Re: [secdir] Secdir review of draft-ietf-dnsop-dn… Alan DeKok
- Re: [secdir] Secdir review of draft-ietf-dnsop-dn… Wessels, Duane