On Tue, 12 Aug 2008, Mark Andrews wrote:

> TCP, port randomisation, 0x20, EDNS PING etc. all leave gaping holes
> in the security model which are being exploited today.
I don't know of any TCP exploits today. Though TCP is not secure against anyone in the path of the packets, it's pretty invulnerable to spoofing attacks conducted if the attacker can't see the packets. TCP is vulnerable to other kinds of DoS attacks such as synflood or connection reset. Synfloods are handled by existing mitigation techniques. The shorter the transaction, the harder it is to effect connection reset, but connection caching improves efficiency. TCP is pretty robust in most situations.

TCP:    Get truth or nothing, unless liar in the path
UDP:    Get something, even a lie from anywhere
DNSSEC: Everybody might get nothing, but the TLD and root operators are entrenched. No alternate roots.

Pick your poison (pun intended ;-)

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000