On 2013-09-04 17:25, Colm MacCárthaigh wrote:
I don't think there's any requirement to fragment exactly at the
MTU/MSS boundary. It's ok to fragment at a lower point, so there's an
opportunity for additional entropy by randomising the point of
fragmentation on a datagram by datagram basis. If the spoofer doesn't
know the point of fragmentation then it's hard for the payload to make
sense.
That's a clever idea on how to mitigate that, but it needs to be implemented
by the IP stack.
Maybe, you can mangle incoming ICMP packets and randomly change their
value in the interval <N-const,N), so it could be implemented even
without native support in the kernel.
It'd be interesting to work out what the total entropy is by
using that along with truly random IP IDs.
It's only 16-bit and it's not much since you can preload the second
fragments even before the query is sent.
It also seems prudent for clients to validate that the IP TTLs of all
fragments in a datagram are the same.
That's also only visible on IP level, not on application level, and the
information is useless because you don't have any information about
network topology at the defragmentation point. Different IP TTLs for
fragments are not likely, but still valid.
Neither of those mitigations are easy for everyone, but they may be
helpful for some. Obviously there's TC=1 too.
On Wed, Sep 4, 2013 at 6:08 AM, Ondřej Surý <ondrej.s...@nic.cz>
wrote:
Hi all,
for all those who haven't been on saag WG at IETF 88...
Amir Herzberg and Haya Shulman have presented a quite interesting
attack on UDP fragmentation that allows Kaminsky-style attacks to be
real again.
The saag presentation is here:
http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf [1]
The paper describing the attack is here:
http://arxiv.org/pdf/1205.4011v1.pdf [2]
More Haya Shulman's publications can be found here:
https://sites.google.com/site/hayashulman/publications [3]
And some papers are also available from Google Scholar:
n&q=Amir+Herzberg%2C+Haya+Shulman+++dnssec&btnG=&as_sdt=1%2C5&as_sdtp=
[4]
We gave it some thought here at CZ.NIC Labs and we think that the
threat is real and we are now trying to write PoC code to prove
the theoretical concept.
So what are the views of other people on this list?
Ondrej
--
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.s...@nic.cz http://nic.cz/ [5]
tel:+420.222745110 [6] fax:+420.222745112 [7]
-------------------------------------------
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs [8]
--
Colm
Links:
------
[1] http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf
[2] http://arxiv.org/pdf/1205.4011v1.pdf
[3] https://sites.google.com/site/hayashulman/publications
[4]
zberg%2C+Haya+Shulman+++dnssec&btnG=&as_sdt=1%2C5&as_sdtp=
[5] http://nic.cz/
[6] tel:%2B420.222745110
[7] tel:%2B420.222745112
[8] https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
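Two of the defensive points raised in the thread, checking that all fragments of a datagram carry the same TTL and estimating the entropy gained from random IP IDs plus a randomised fragmentation point, as an added Python example that is not part of this thread or of any of the posters' work. The fragments, addresses (RFC 5737 documentation range) and the 512-byte randomisation window are constructed for the demo; the parser assumes plain IPv4 headers.

```python
import math
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags+offset, TTL, proto, csum, src, dst

def parse_ipv4_fragment(pkt: bytes) -> dict:
    """Extract the header fields needed to group fragments and compare their TTLs."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),       # reassembly identity per RFC 791
        "ttl": ttl,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,    # fragment offset is in 8-byte units
        "payload": pkt[ihl:total_len],
    }

def find_ttl_inconsistent_datagrams(packets):
    """Return reassembly keys whose fragments do not all carry the same TTL.
    A defragmenter can drop or quarantine these instead of splicing them together."""
    ttls = defaultdict(set)
    for pkt in packets:
        frag = parse_ipv4_fragment(pkt)
        ttls[frag["key"]].add(frag["ttl"])
    return sorted(key for key, seen in ttls.items() if len(seen) > 1)

def fragmentation_entropy_bits(window_bytes: int, ipid_bits: int = 16) -> float:
    """Rough upper bound on the bits a spoofer must guess: a random IP ID plus a
    fragmentation point chosen uniformly among 8-byte-aligned cuts in a window below the MTU."""
    return ipid_bits + math.log2(max(window_bytes // 8, 1))

def build_fragment(ident, offset, more, ttl, payload, src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Constructed IPv4 fragment carrying UDP (proto 17); checksum left zero for the demo."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, ttl, 17, 0, src, dst)
    return hdr + payload

# Constructed sample: a genuine two-fragment response (TTL 57) plus a second fragment
# with the same ID that arrived from a different path (TTL 64), and a clean datagram.
SAMPLE_FRAGMENTS = [
    build_fragment(0x1234, 0, True, 57, b"A" * 1480),
    build_fragment(0x1234, 1480, False, 57, b"B" * 200),
    build_fragment(0x1234, 1480, False, 64, b"X" * 200),
    build_fragment(0x5678, 0, True, 57, b"C" * 1480),
    build_fragment(0x5678, 1480, False, 57, b"D" * 200),
]
```

Running `find_ttl_inconsistent_datagrams(SAMPLE_FRAGMENTS)` flags only datagram 0x1234; `fragmentation_entropy_bits(512)` gives 22 bits, the 16-bit IP ID plus 6 bits from 64 possible cut points.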