On Tue, Aug 4, 2015 at 12:39 PM, Ted Lemon <ted.le...@nominum.com> wrote:
> On Aug 4, 2015, at 12:30 PM, Donald Eastlake <d3e...@gmail.com> wrote:
>>  I think Mark was pointing out that if you
>> are under attack and want to use weak authentication to help resist
>> that attack, there is no particular reason to push cookie supporting
>> clients to TCP to provide that authentication. COOKIEs provide weak
>> authentication roughly equivalent to TCP while continuing to use less
>> burdensome UDP.
>
> I think it’s a fair point that static cookies can be a more effective
> fallback than TCP, given the way TCP is generally implemented in host
> operating system stacks.   I’m not sure this is the best cure for that
> problem, however.   Essentially, you are fixing a transport layer problem
> with an app-layer kludge.

No, it is not a "transport layer problem". It is simply an
authentication problem. It can be solved in various ways.

COOKIEs are an application layer solution against off path attackers.
TSIG is an application layer solution against on or off path
attackers. TCP is a transport layer solution against off path
attackers. TLS/DTLS is a transport layer solution against on or off
path attackers. The stronger solutions which also protect against on
path attackers are inherently more expensive in requiring
cryptography, more configuration, prior agreement, and the like.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e...@gmail.com
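To make the "weak authentication against off-path attackers" point above concrete, here is a small added illustration (example code, not from the thread or any DNS implementation): a stateless server cookie derived from a server secret, the client cookie and the source address, so that a legitimate client that saw the first response can echo it over UDP, while an off-path spoofer who never sees responses cannot produce it. The HMAC-SHA256-truncated derivation and the 8-byte lengths are assumptions made for this example, not a normative construction.

```python
import hashlib
import hmac
import secrets
from ipaddress import ip_address

COOKIE_LEN = 8  # assumed cookie size for this illustration


def client_cookie(client_secret: bytes, client_ip: str, server_ip: str) -> bytes:
    """Client cookie: bound to this client/server pair by the client's own secret."""
    msg = ip_address(client_ip).packed + ip_address(server_ip).packed
    return hmac.new(client_secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def server_cookie(server_secret: bytes, ccookie: bytes, client_ip: str) -> bytes:
    """Server cookie: stateless, recomputable from the client cookie + source IP."""
    msg = ccookie + ip_address(client_ip).packed
    return hmac.new(server_secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def server_handle(server_secret: bytes, src_ip: str, ccookie: bytes, scookie):
    """Classify a UDP query by its cookies; returns (status, cookie to send back).

    "new_client"    : no server cookie yet, answer conservatively (rate-limit/small reply)
    "authenticated" : echoed server cookie matches, the sender is on the return path
    "bad_cookie"    : wrong server cookie, treat like an unauthenticated sender
    """
    expected = server_cookie(server_secret, ccookie, src_ip)
    if scookie is None:
        return "new_client", expected
    if hmac.compare_digest(scookie, expected):
        return "authenticated", expected
    return "bad_cookie", expected


def simulate():
    """Legitimate client vs. off-path spoofer against the same server."""
    server_secret = secrets.token_bytes(16)  # constructed; a real server rotates this
    client_secret = secrets.token_bytes(16)  # constructed
    victim, server = "192.0.2.10", "198.51.100.53"  # documentation addresses
    cc = client_cookie(client_secret, victim, server)
    # 1st exchange: the real client learns the server cookie from the reply.
    status1, sc = server_handle(server_secret, victim, cc, None)
    # 2nd query: echoing it is accepted over UDP, no TCP fallback needed.
    status2, _ = server_handle(server_secret, victim, cc, sc)
    # Off-path spoofer forges the victim's source IP but never saw the reply,
    # so it can only guess both cookies.
    status3, _ = server_handle(server_secret, victim, secrets.token_bytes(8),
                               secrets.token_bytes(8))
    return status1, status2, status3
```

An on-path attacker who can read the first reply simply copies the server cookie, which is why the message above puts TSIG and TLS/DTLS, not cookies, in the on-path column.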

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
