secdir review of draft-ietf-dnsop-reflectors-are-evil-04.txt
"Stephen Hanna" <shanna@juniper.net> Mon, 24 September 2007 19:51 UTC
Return-path: <ietf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IZtyE-0005fM-6q; Mon, 24 Sep 2007 15:51:54 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IZtyC-0005aU-8J; Mon, 24 Sep 2007 15:51:52 -0400
Received: from exprod7og50.obsmtp.com ([64.18.2.155]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IZtyB-0005bC-AO; Mon, 24 Sep 2007 15:51:51 -0400
Received: from source ([66.129.224.36]) by exprod7ob50.obsmtp.com ([64.18.6.12]) with SMTP; Mon, 24 Sep 2007 12:51:41 PDT
Received: from proton.jnpr.net ([10.10.2.37]) by emailsmtp55.jnpr.net with Microsoft SMTPSVC(6.0.3790.1830); Mon, 24 Sep 2007 12:51:40 -0700
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 24 Sep 2007 15:51:38 -0400
Message-ID: <A6398B0DB62A474C82F61554EE93728703DF7D9D@proton.jnpr.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: secdir review of draft-ietf-dnsop-reflectors-are-evil-04.txt
Thread-Index: Acf+2UOtT2DLETsATceZ3pArOSN4vg==
From: Stephen Hanna <shanna@juniper.net>
To: ietf@ietf.org, dnsop-chairs@ietf.org, iesg@ietf.org, secdir@mit.edu, Joao_Damas@isc.org, fneves@registro.br
X-OriginalArrivalTime: 24 Sep 2007 19:51:40.0533 (UTC) FILETIME=[53350250:01C7FEE4]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Cc:
Subject: secdir review of draft-ietf-dnsop-reflectors-are-evil-04.txt
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. DNS is not my area of expertise but the document clearly explains the nature of the problem to be solved (DOS attacks that employ DNS servers as amplifiers) and the recommendations for solving the problem (employing ingress filtering to prevent IP address spoofing and changing nameservers to provide recursive name lookup service only to the intended clients). I have no issue with the main content of the document. It does seem like a worthwhile recommendation. However, I have a few comments. The Introduction seems a bit defensive in stating that the DOS attacks are not due to any flaw in the design of DNS or its implementations. While the blame for the attacks lies with the attackers, some aspects of nameserver configuration, behavior, and even protocol design make the systems vulnerable to these attacks. I suggest that the defensive language be removed. Although I agree that ingress filtering is a good solution to this problem and provides many other benefits since it addresses many different attacks that involve spoofed IP addresses, the document states repeatedly that ingress filtering is the only solution to the problem. Ingress filtering may be the best solution but it is NOT the only solution, as evidenced by the other measures described in the document. None of these measures (including increased use of ingress filtering) will provide complete and absolute protection against DOS attacks that use nameservers as attack amplifiers. Employing all of the measures as appropriate while emphasizing the huge benefits of ingress filtering seems like the best approach. So I suggest that the wording in the document be toned down to take a more balanced approach to the problem. Finally, I wonder whether other more fundamental techniques for addressing the problem have been explored. For instance, if DNS clients were required to perform a simple handshake before a DNS server sent a long response, fake requests would provide little amplification. For example, requests that elicit long responses could prompt a shift to TCP. Of course, this would have other unpleasant side effects such as slowing down the processing of DNS requests with long responses and troubles getting DNS requests through firewalls. I'm not suggesting that this approach be discussed in this document, simply that it be considered (which probably has already been done). Thanks, Steve _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
- secdir review of draft-ietf-dnsop-reflectors-are-… Stephen Hanna
- Re: secdir review of draft-ietf-dnsop-reflectors-… Mark Andrews
- Re: secdir review of draft-ietf-dnsop-reflectors-… Edward Lewis
- RE: [secdir] secdir review ofdraft-ietf-dnsop-ref… michael.dillon
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Danny McPherson
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Mark Andrews
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Mark Andrews
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Mark Andrews
- RE: [secdir] secdir review ofdraft-ietf-dnsop-ref… Eastlake III Donald-LDE008
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Danny McPherson
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Danny McPherson
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Mark Andrews
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Danny McPherson
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Mark Andrews
- Re: [secdir] secdir review of draft-ietf-dnsop-re… John Kristoff
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Noel Chiappa
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Noel Chiappa
- Re: [secdir] secdir review of draft-ietf-dnsop-re… Simon Leinen