On Dec 1, 2013, at 1:20 PM, Ted Lemon <ted.le...@nominum.com> wrote:

> On Dec 1, 2013, at 4:06 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>> Here's a start: "Padding the DNS query stream will have a negative effect on
>> the DNS systems as a whole, but will only thwart passive surveillance for
>> those attackers who cannot store and process the larger stream. There is no
>> current evidence that the bad actors in question have such limitations."
>
> I thought the point of padding was to prevent the attacker from using the
> length of the encrypted query or response to make correlations and guess the
> plaintext.
That's not how Stephane has it defined in the draft in question:

    padding (sending random queries from time to time)

    For instance, padding, sending gratuitous queries from time to time
    (queries where you're not interested in the replies, just to disturb the
    analysis), is useful against all sorts of observers. It is a costly
    technique, because it increases the traffic on the network but it
    seriously blurs the picture for the observer.

Maybe a different word would be useful, but I still think that the proposal is
silly unless we believe that the attacker cannot determine which are real
queries and which are not.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
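The thread turns on two different meanings of "padding": the draft's gratuitous-query sense, and the length-padding sense Ted Lemon describes, where the observer uses the size of an encrypted query to guess the name inside it. The following example, added here and not taken from the thread or from any draft, shows that second sense concretely: it computes the wire length of a one-question DNS query for a constructed list of candidate names, groups the names by the length a passive observer would see, and then repeats the grouping with each query padded up to a 32-byte multiple. The candidate names, the 32-byte padding granularity and the assumption that the transport adds only a constant overhead (so plaintext length differences survive encryption) are all assumptions made for the demonstration.

```python
"""
Length-based inference on encrypted DNS queries, and what length padding
does to it. Added example, not code from the DNSOP thread or any draft.

Assumptions (not stated on the page):
  * the observer sees only the size of each encrypted query, and the transport
    adds a constant per-message overhead, so plaintext-length differences
    survive encryption;
  * the candidate names below are constructed for the demonstration;
  * the 32-byte padding granularity is an arbitrary choice for illustration.
"""
from collections import defaultdict

DNS_HEADER_LEN = 12    # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QUESTION_TAIL_LEN = 4  # QTYPE + QCLASS following the QNAME

# Constructed candidate list: names the observer believes the client might ask for.
CANDIDATES = [
    "ietf.org",
    "vpnc.org",
    "example.com",
    "example.org",
    "nominum.com",
    "wikipedia.org",
    "dnsop.ietf.org",
]


def qname_wire_len(name: str) -> int:
    """Length of a QNAME in wire format: one length byte per label plus the
    label bytes, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def query_len(name: str, pad_to: int = 0) -> int:
    """Wire length of a one-question DNS query for `name`, optionally rounded
    up to the next multiple of `pad_to` bytes (0 = no padding)."""
    n = DNS_HEADER_LEN + qname_wire_len(name) + QUESTION_TAIL_LEN
    if pad_to > 0:
        n = -(-n // pad_to) * pad_to  # ceiling to a multiple of pad_to
    return n


def anonymity_sets(names, pad_to: int = 0):
    """Group candidate names by the length a passive observer would see.
    A bucket of size one means the length alone identifies the name."""
    buckets = defaultdict(list)
    for name in names:
        buckets[query_len(name, pad_to)].append(name)
    return dict(buckets)


def candidates_for(observed_len: int, names, pad_to: int = 0):
    """Names consistent with a single observed (possibly padded) length."""
    return [n for n in names if query_len(n, pad_to) == observed_len]


if __name__ == "__main__":
    for pad in (0, 32):
        label = "no padding" if pad == 0 else f"padded to {pad}-byte multiples"
        print(f"--- {label} ---")
        for size, names in sorted(anonymity_sets(CANDIDATES, pad).items()):
            print(f"{size:3d} bytes -> {len(names)} candidate(s): {', '.join(names)}")
```

Unpadded, a 31-byte query can only be `wikipedia.org` in this candidate set, while the 29-byte bucket still holds three names; padded to 32-byte multiples every candidate lands in the same bucket, so the length reveals nothing. This models only query size; it says nothing about the draft's gratuitous-query technique, nor about an observer who correlates timing, query counts or responses rather than lengths.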