Hi Duane,

On Mon, Nov 29, 2021 at 11:53:48PM +0000, Wessels, Duane wrote:
> 
> 
> > On Oct 26, 2021, at 4:35 AM, Lars Eggert via Datatracker <nore...@ietf.org> 
> > wrote:
[...]
> > Section 4.2. , paragraph 3, comment:
> >>   DNS server software MAY provide a configurable limit on the number of
> >>   transactions per TCP connection.
> > 
> > What does that limit protect against?
> 
> proposed new text:
> 
>    DNS server software MAY provide a configurable limit on the number of
>    transactions per TCP connection.  This can help protect against
>    unfair connection use (e.g., not releasing connection slots to other
>    clients) and network evasion attacks.
> 
> 
> > 
> > Section 4.2. , paragraph 2, comment:
> >>   Similarly, DNS server software MAY provide a configurable limit on
> >>   the total duration of a TCP connection.
> > 
> > What does that limit protect against?
> 
> Proposed new text:
> 
>    Similarly, DNS server software MAY provide a configurable limit on
>    the total duration of a TCP connection.  This can help protect
>    against unfair connection use, slow read attacks, and network evasion
>    attacks.

Maybe I'm just being dense today, or lost too much state in the intervening
weeks, but how do these limits protect against network evasion attacks?
What are "network evasion attacks" in this context, anyway?  The draft
references [phrack] in a different location surrounding use of that term,
in the context of applications doing TCP stream reassembly from packet
captures.  In that location it seems that the TCP segmentation could cause
the reassembling application to miss actual DNS protocol messages, but I'm
not sure how transaction or time limits on a connection would protect
against a similar loss of processing of DNS protocol messages by the
reassembling application.

Thanks,

Ben

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
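The two limits quoted above (transactions per connection, total connection duration) are easiest to reason about as a server-side connection table with a fixed number of slots. The following Python sketch is an added example for this thread, not text from the draft and not code from any DNS implementation; the class names, the event format and the sample client trace are constructed here. It shows how a client that holds a slot while sending few or no queries keeps a third client from connecting until the duration limit frees the slot, and how the transaction limit recycles a busy connection.

```python
"""Server-side connection policy for a DNS-over-TCP listener (added example).

Two configurable limits from the thread are enforced:
  * max_transactions: queries answered over one TCP connection before the
    server closes it (after answering the last one);
  * max_duration: wall-clock seconds a connection may stay open.
Constructed names and trace; no real DNS parsing is performed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ConnPolicy:
    max_transactions: int   # per-connection transaction limit
    max_duration: float     # per-connection lifetime limit, in seconds


@dataclass
class ConnState:
    peer: str               # client address (RFC 5737 documentation range below)
    opened_at: float        # time the connection was accepted
    transactions: int = 0   # queries answered so far on this connection


class DnsTcpConnTable:
    """Tracks open TCP connections against a fixed slot budget."""

    def __init__(self, policy: ConnPolicy, max_slots: int) -> None:
        self.policy = policy
        self.max_slots = max_slots
        self.conns: dict[str, ConnState] = {}
        self.closed: list[tuple[str, str]] = []   # (conn_id, reason)
        self.refused: list[str] = []              # conn_ids turned away

    def open(self, conn_id: str, peer: str, now: float) -> bool:
        """Accept a new connection if a slot is free, else refuse it."""
        if len(self.conns) >= self.max_slots:
            self.refused.append(conn_id)
            return False
        self.conns[conn_id] = ConnState(peer, now)
        return True

    def query(self, conn_id: str, now: float) -> bool:
        """Account for one completed transaction; close when the limit is hit."""
        st = self.conns.get(conn_id)
        if st is None:
            return False  # query on a connection that is not open
        st.transactions += 1
        if st.transactions >= self.policy.max_transactions:
            # The response to this query is still sent; the server then closes.
            self._close(conn_id, "max_transactions")
        return True

    def tick(self, now: float) -> None:
        """Periodic sweep: close connections that have outlived max_duration."""
        for cid, st in list(self.conns.items()):
            if now - st.opened_at > self.policy.max_duration:
                self._close(cid, "max_duration")

    def _close(self, cid: str, reason: str) -> None:
        del self.conns[cid]
        self.closed.append((cid, reason))


# Constructed trace: c1 is a busy client, c2 opens and then goes quiet,
# c3 is a third client that wants a slot while both are occupied.
SAMPLE_EVENTS = [
    ("open", "c1", "192.0.2.10", 0.0),
    ("open", "c2", "192.0.2.20", 0.0),
    ("open", "c3", "192.0.2.30", 0.5),   # both slots taken
    ("query", "c1", 1.0), ("query", "c1", 2.0), ("query", "c1", 3.0),
    ("query", "c1", 4.0), ("query", "c1", 5.0),
    ("query", "c2", 1.0),                 # c2 sends one query, then nothing
    ("open", "c3", "192.0.2.30", 6.0),    # retries once c1's slot is recycled
    ("query", "c3", 10.0), ("query", "c3", 14.0), ("query", "c3", 18.0),
    ("tick", 21.0),
    ("tick", 27.0),
]


def run_trace(events, policy: ConnPolicy, max_slots: int) -> DnsTcpConnTable:
    """Replay an event list against the policy and return the final table."""
    table = DnsTcpConnTable(policy, max_slots)
    for ev in events:
        if ev[0] == "open":
            table.open(ev[1], ev[2], ev[3])
        elif ev[0] == "query":
            table.query(ev[1], ev[2])
        elif ev[0] == "tick":
            table.tick(ev[1])
    return table


if __name__ == "__main__":
    limited = run_trace(SAMPLE_EVENTS, ConnPolicy(5, 20.0), max_slots=2)
    print("with limits   refused:", limited.refused, "closed:", limited.closed)
    unlimited = run_trace(SAMPLE_EVENTS, ConnPolicy(10**9, float("inf")), max_slots=2)
    print("without limits refused:", unlimited.refused, "closed:", unlimited.closed)
```

With the limits in place, c1 is recycled after its fifth transaction, c3 gets the freed slot on its retry, and the quiet c2 is eventually closed by the duration limit. With both limits effectively disabled, c2 holds its slot indefinitely and c3 is refused on both attempts, which is the "not releasing connection slots to other clients" case in Duane's proposed text.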
