Re: [Tsv-art] [Doh] Tsvart last call review of draft-ietf-doh-dns-over-https-13

Mark Andrews <marka@isc.org> Sun, 12 August 2018 23:42 UTC

Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <BYAPR19MB224886BB1EA7595B8D93581B943B0@BYAPR19MB2248.namprd19.prod.outlook.com>
Date: Mon, 13 Aug 2018 09:42:42 +1000
Cc: Fernando Gont <fgont@si6networks.com>, "tsv-art@ietf.org" <tsv-art@ietf.org>, "draft-ietf-doh-dns-over-https.all@ietf.org" <draft-ietf-doh-dns-over-https.all@ietf.org>, "doh@ietf.org" <doh@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4436035B-89D4-437D-AB24-17E352379F88@isc.org>
References: <153397442482.20828.13036371457377811227@ietfa.amsl.com> <BYAPR19MB2248B13FC643D6B7321169BE943B0@BYAPR19MB2248.namprd19.prod.outlook.com> <BYAPR19MB224886BB1EA7595B8D93581B943B0@BYAPR19MB2248.namprd19.prod.outlook.com>
To: Star Brilliant <m13253@hotmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/U5kw-Awifqi-LSkc3_WvO6TsAw4>
Subject: Re: [Tsv-art] [Doh] Tsvart last call review of draft-ietf-doh-dns-over-https-13


> On 12 Aug 2018, at 9:35 am, Star Brilliant <m13253@hotmail.com> wrote:
> 
> Hello Fernando and the mailing list,
> 
> I just found that I forgot to address one question in my previous mail. Here is the addition.
> 
> On Sat, Aug 11, 2018 at 6:00 PM Fernando Gont <fgont@si6networks.com> wrote:
>> * Page 15 (Security Considerations):
>> 
>> DoH essentially switches from a connection-less transport (UDP) to a
>> connection-oriented one (TCP). This means that now the server should take care
>> of all state-exhaustion attacks against TCP (e.g., take a look at:
>> https://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf). Defending
>> against such attacks may be non-trivial. This should at least be mentioned in
>> the security considerations.
> 
> 
> In contrast, by switching from UDP to TCP, the server is now able to defend against attacks more *easily*.
> 
> 1) TCP requires a 3-way handshake before establishing the connection. This prevents simple DoS attacks with a spoofed source address, since the attacker will not receive the 2nd packet.

Which also exists for DNS over UDP using DNS COOKIE.

> 2) In the past, the server started to allocate resources upon receiving the first SYN packet, making it vulnerable to SYN flood attacks. Now we use SYN cookies [RFC 4987], so the server does not allocate resources until the 3-way handshake has finished, which mitigates the attack as long as the server's Internet pipe is not full.

DNS COOKIE doesn’t have any server state.

> 3) UDP is vulnerable to UDP amplification attacks, that is, sending a very small request that requires kilobytes of response. Combined with a spoofed source address (1), the attacker can make request and response packets bounce between 2 servers, producing a 2^n amount of junk traffic and preventing the server from operating. Typical amplification victims include DNS and NTP, and they are all UDP.

Not with DNS COOKIE.

> 4) Nowadays, the majority of DDoS attacks send TB/s or PB/s of arbitrary garbage to fill the server's 100Mbps Internet pipe and take your server offline. Generally you need a powerful hardware firewall to wash out the garbage, and as many BGP peers with other ISPs as possible so legitimate users can reach your server directly through a clean pipe. For this type of attack, UDP and TCP have no difference.
> 
> 5) We already have many articles talking about TCP/IP security [RFC 4953, 4987, 5961, 6528, etc]. I disagree that we need to talk about everything from TCP to IP to Ethernet in this DoH document.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org