On Tue, Aug 4, 2015 at 12:39 PM, Ted Lemon <ted.le...@nominum.com> wrote: > On Aug 4, 2015, at 12:30 PM, Donald Eastlake <d3e...@gmail.com> wrote: >> I think Mark was pointing out that if you >> are under attack and want to use weak authentication to help resist >> that attack, there is no particular reason to push cookie supporting >> clients to TCP to provide that authentication. COOKIEs provide weak >> authentication roughly equivalent to TCP while continue to use less >> burdensome UDP. > > I think it’s a fair point that static cookies can be a more effective > fallback than TCP, given the way TCP is generally implemented in host > operating system stacks. I’m not sure this is the best cure for that > problem, however. Essentially, you are fixing a transport layer problem > with an app-layer kludge.
No, it is not a "transport layer problem". It is simply an authentication problem. It can be solved in various ways. COOKIEs are an application layer solution against off path attackers. TSIG is an application layer solution against on or off path attackers. TCP is a transport layer solution against off path attackers. TLS/DTLS is a transport layer solution agains on or off path attackers. The stronger solutions which also protect against on path attackers are inherently more expensive in requiring cryptography, more configuration, prior agreement, and the like. Thanks, Donald ============================= Donald E. Eastlake 3rd +1-508-333-2270 (cell) 155 Beaver Street, Milford, MA 01757 USA d3e...@gmail.com _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
