Hi Duane, On Mon, Nov 29, 2021 at 11:53:48PM +0000, Wessels, Duane wrote: > > > > On Oct 26, 2021, at 4:35 AM, Lars Eggert via Datatracker <nore...@ietf.org> > > wrote: [...] > > Section 4.2. , paragraph 3, comment: > >> DNS server software MAY provide a configurable limit on the number of > >> transactions per TCP connection. > > > > What does that limit protect against? > > proposed new text: > > DNS server software MAY provide a configurable limit on the number of > transactions per TCP connection. This can help protect against > unfair connection use (e.g., not releasing connection slots to other > clients) and network evasion attacks. > > > > > > Section 4.2. , paragraph 2, comment: > >> Similarly, DNS server software MAY provide a configurable limit on > >> the total duration of a TCP connection. > > > > What does that limit protect against? > > Proposed new text: > > Similarly, DNS server software MAY provide a configurable limit on > the total duration of a TCP connection. This can help protect > against unfair connection use, slow read attacks, and network evasion > attacks.
Maybe I'm just being dense today, or lost too much state in the intervening weeks, but how do these limits protect against network evasion attacks? What are "network evasion attacks" in this context, anyway? The draft references [phrack] in a different location surrounding use of that term, in the context of applications doing TCP stream reassembly from packet captures. In that location it seems that the TCP segmentation could cause the reassembling application to miss actual DNS protocol messages, but I'm not sure how transaction or time limits on a connection would protect against a similar loss of processing of DNS protocol messages by the reassembling application. Thanks, Ben _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
