On 4 Aug 2015, at 10:06, Donald Eastlake wrote:
On Tue, Aug 4, 2015 at 12:39 PM, Ted Lemon <ted.le...@nominum.com>
wrote:
On Aug 4, 2015, at 12:30 PM, Donald Eastlake <d3e...@gmail.com>
wrote:
I think Mark was pointing out that if you are under attack and want to use weak authentication to help resist that attack, there is no particular reason to push cookie supporting clients to TCP to provide that authentication. COOKIEs provide weak authentication roughly equivalent to TCP while continuing to use less burdensome UDP.
I think it’s a fair point that static cookies can be a more effective fallback than TCP, given the way TCP is generally implemented in host operating system stacks. I’m not sure this is the best cure for that problem, however. Essentially, you are fixing a transport layer problem with an app-layer kludge.
No, it is not a "transport layer problem". It is simply an authentication problem. It can be solved in various ways. COOKIEs are an application layer solution against off path attackers. TSIG is an application layer solution against on or off path attackers. TCP is a transport layer solution against off path attackers. TLS/DTLS is a transport layer solution against on or off path attackers. The stronger solutions which also protect against on path attackers are inherently more expensive in requiring cryptography, more configuration, prior agreement, and the like.
+1 to Donald's response, and -1 to Ted Lemon calling cookies a "kludge". The same design has been in IKE and IKEv2 for decades for similar purposes, and it has worked just fine.
--Paul Hoffman
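The policy Donald describes above (a cookie-supporting client stays on UDP once it has proved a prior round trip, while only clients without cookie support are pushed to TCP under attack) as a runnable toy model. This is an added example, not code from this thread or from any resolver; it follows only the general shape of RFC 7873 (an 8-byte client cookie, a server cookie derived from the client's address and cookie under a server secret). The HMAC-SHA256 construction, the `CookieServer`/`CookieClient` names, the constructed secret and addresses, and the "BADCOOKIE while under attack" policy are assumptions for illustration; the interoperable SipHash format of RFC 9018 is not reproduced.

```python
import hmac
import hashlib
import secrets

COOKIE_LEN = 8  # client and server cookie size used in this model (constructed choice)


class CookieServer:
    """Stateless server-side cookie check: no per-client table, only a secret."""

    def __init__(self, secret=None):
        # Assumption: a single long-lived secret; rotation is out of scope here.
        self.secret = secret or secrets.token_bytes(32)
        self.under_attack = False  # operator-controlled flag (e.g. from traffic monitoring)

    def server_cookie(self, client_ip, client_cookie):
        # Bind the server cookie to the source address and the client's cookie, so a
        # query that did not see the client cookie cannot present a matching one.
        msg = client_ip.encode("ascii") + client_cookie
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle_query(self, client_ip, client_cookie, server_cookie=None):
        """Return how the server answers: an rcode, the TC bit, and any server cookie."""
        if client_cookie is None:
            # Client has no cookie support: under attack, TC=1 forces it to retry over TCP.
            return {"rcode": "NOERROR", "tc": self.under_attack, "server_cookie": None}
        if len(client_cookie) != COOKIE_LEN:
            return {"rcode": "FORMERR", "tc": False, "server_cookie": None}
        expected = self.server_cookie(client_ip, client_cookie)
        if server_cookie is not None and hmac.compare_digest(expected, server_cookie):
            # Valid cookie: weak proof of a prior round trip, answer over UDP even under attack.
            return {"rcode": "NOERROR", "tc": False, "server_cookie": expected}
        if self.under_attack:
            # Missing or mismatched server cookie: withhold the answer but hand out a
            # fresh server cookie so a genuine client can retry, still over UDP.
            return {"rcode": "BADCOOKIE", "tc": False, "server_cookie": expected}
        # Not under attack: answer and hand out the server cookie for later queries.
        return {"rcode": "NOERROR", "tc": False, "server_cookie": expected}


class CookieClient:
    """Client side: one client cookie, and a remembered server cookie per server."""

    def __init__(self, ip, client_cookie=None):
        self.ip = ip
        self.client_cookie = client_cookie or secrets.token_bytes(COOKIE_LEN)
        self.server_cookies = {}

    def query(self, server):
        resp = server.handle_query(self.ip, self.client_cookie, self.server_cookies.get(id(server)))
        if resp["server_cookie"] is not None:
            self.server_cookies[id(server)] = resp["server_cookie"]
        return resp


def demo():
    """Walk through the exchange on a server that is under attack; return the outcomes."""
    server = CookieServer(secret=b"constructed-example-secret")
    server.under_attack = True
    client = CookieClient("192.0.2.10", client_cookie=bytes.fromhex("0102030405060708"))

    r1 = client.query(server)  # first contact: BADCOOKIE, but a server cookie comes back
    r2 = client.query(server)  # retry with both cookies: answered over UDP
    r3 = server.handle_query("192.0.2.10", None)  # legacy client: TC=1, i.e. go to TCP
    # Same source address, a different client cookie, and the server cookie issued to
    # the real client: the MAC no longer matches, so it is treated as unauthenticated.
    r4 = server.handle_query("192.0.2.10", bytes(COOKIE_LEN), r2["server_cookie"])
    return [r1["rcode"], r2["rcode"], "TC" if r3["tc"] else r3["rcode"], r4["rcode"]]


if __name__ == "__main__":
    print(demo())  # ['BADCOOKIE', 'NOERROR', 'TC', 'BADCOOKIE']
```

The point the model makes concrete is cost: the server keeps no state and does one keyed hash per query, which is what lets it keep cookie-capable clients on UDP instead of spending a TCP handshake and a socket on each of them.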
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop