Dear DNSOP,

I submitted draft-fujiwara-dnsop-fragment-attack-01.
https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01

It summarized DNS cache poisoning attacks using IP fragmentation and countermeasures.

If there is interest in the draft, I will request a timeslot at IETF 104.

I think it is time to consider avoiding IP fragmentation in DNS. It is possible to avoid IP fragmentation as much as possible. It is not good that DNS is the biggest user of IP fragmentation.

Regards,

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

A new version of I-D, draft-fujiwara-dnsop-fragment-attack-01.txt
has been successfully submitted by Kazunori Fujiwara and posted to the
IETF repository.

Name:           draft-fujiwara-dnsop-fragment-attack
Revision:       01
Title:          Measures against cache poisoning attacks using IP fragmentation in DNS
Document date:  2019-03-01
Group:          Individual Submission
Pages:          13
URL:            https://www.ietf.org/internet-drafts/draft-fujiwara-dnsop-fragment-attack-01.txt
Status:         https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-fragment-attack/
Htmlized:       https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-fujiwara-dnsop-fragment-attack
Diff:           https://www.ietf.org/rfcdiff?url2=draft-fujiwara-dnsop-fragment-attack-01

Abstract:
   Researchers proposed practical DNS cache poisoning attacks using IP
   fragmentation. This document shows feasible and adequate measures at
   full-service resolvers and authoritative servers against these
   attacks. To protect resolvers from these attacks, avoid fragmentation
   (limit requestor's UDP payload size to 1220/1232), drop fragmented
   UDP DNS responses and use TCP at resolver side. To make a domain name
   robust against these attacks, limit EDNS0 Responder's maximum payload
   size to 1220, set DONTFRAG option to DNS response packets and use
   good random fragmentation ID at authoritative server side.
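The payload-size limit described in the abstract, as an added example that is not part of the draft or of this mail: a small Python helper that builds an EDNS0 query, reads the requestor's advertised UDP payload size out of a query's OPT pseudo-RR, and clamps it to 1232 the way a responder following the draft would before deciding whether a UDP answer fits or must be truncated. The constant MAX_UDP_PAYLOAD, the function names and the sample query are constructed for this illustration.

```python
import struct
from typing import Optional

# Ceiling the draft recommends so UDP answers stay under the IPv6 minimum MTU
# and are never fragmented; 1220 is the more conservative alternative it names.
MAX_UDP_PAYLOAD = 1232
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR; its CLASS field carries the UDP payload size


def build_query(qname: str, qtype: int = 1, bufsize: int = 4096, qid: int = 0x1234) -> bytes:
    """Build a DNS query with an OPT record advertising `bufsize` (constructed sample input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, QD=1, AR=1
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)
    # OPT: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (compression pointers are 2 bytes)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def advertised_bufsize(msg: bytes) -> Optional[int]:
    """Return the UDP payload size the requestor advertised, or None without EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, rclass = struct.unpack("!HH", msg[off:off + 4])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    return None


def effective_limit(msg: bytes) -> int:
    """Largest UDP answer a responder following the draft would send for this query."""
    adv = advertised_bufsize(msg)
    return 512 if adv is None else min(adv, MAX_UDP_PAYLOAD)
```

A responder compares its assembled answer against effective_limit() and sets TC (forcing the client to retry over TCP) instead of ever emitting a datagram that the IP layer would have to fragment.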