Re: [DNSOP] Review of draft-ietf-dnsop-cookies

2015-07-06 Thread Mark Andrews
In message <55daa47d-bc41-4416-a7f1-bd21c9dc7...@vpnc.org>, Paul Hoffman writes : > On Jul 6, 2015, at 8:02 AM, Mark Andrews wrote: > >> It really doesn't matter if they are "already broken" in your view: > what matters is creating a protocol that doesn't unnecessarily cause damage to > the

Re: [DNSOP] Review of draft-ietf-dnsop-cookies

2015-07-06 Thread Paul Hoffman
On Jul 6, 2015, at 8:00 AM, Donald Eastlake wrote: >> Substantial: >> >> In Sections 4.1 and 4.2, it says that the cookies MUST NOT be the same for >> all recipients. This should be SHOULD NOT, to match the SHOULDs above. If an >> implementation does a stupid and uses the same cookies everywher

Re: [DNSOP] Review of draft-ietf-dnsop-cookies

2015-07-06 Thread Ray Bellis
On 06/07/2015 16:42, Paul Hoffman wrote: > Because there are lots of other systems that watch either end. A > logger that expects a query is the one I am most concerned about, but > there are probably others as well. I understand that you feel "they > are broken and we shouldn't care about them"

Re: [DNSOP] Review of draft-ietf-dnsop-cookies

2015-07-06 Thread Paul Hoffman
On Jul 6, 2015, at 8:02 AM, Mark Andrews wrote: >> It really doesn't matter if they are "already broken" in your view: what matters is creating a protocol that doesn't unnecessarily cause damage to the DNS. > > How can an intrinsically hop-by-hop "extension" "damage" the protocol? Because

Re: [DNSOP] Review of draft-ietf-dnsop-cookies

2015-07-06 Thread Mark Andrews
In message <23a55564-aaf1-4786-9663-c38a019c9...@vpnc.org>, Paul Hoffman writes : > On Jul 5, 2015, at 6:16 PM, Mark Andrews wrote: > > > > > > In message , Paul Hoffman writes > > : > >> Greetings. This is a WG LC review of draft-ietf-dnsop-cookies, which I had not looked at carefu

Re: [DNSOP] Review of draft-ietf-dnsop-cookies

2015-07-06 Thread Donald Eastlake
Hi, I'll just reply where Mark did not: On Sun, Jul 5, 2015 at 7:48 PM, Paul Hoffman wrote: > Greetings. This is a WG LC review of draft-ietf-dnsop-cookies, which I had > not looked at carefully in some time. In short: it looks great, the document > is complete and easy-to-read, and we probabl

Re: [DNSOP] Review of draft-ietf-dnsop-cookies

2015-07-06 Thread Paul Hoffman
On Jul 5, 2015, at 6:16 PM, Mark Andrews wrote: > > > In message , Paul Hoffman writes > : >> Greetings. This is a WG LC review of draft-ietf-dnsop-cookies, which I had not looked at carefully in some time. In short: it looks great, the document is >> complete and easy-to-read, and we pro

Re: [DNSOP] Review of draft-ietf-dnsop-cookies

2015-07-05 Thread Mark Andrews
In message , Paul Hoffman writes : > Greetings. This is a WG LC review of draft-ietf-dnsop-cookies, which I had not looked at carefully in some time. In short: it looks great, the document is > complete and easy-to-read, and we probably should have done this nearly a decade ago when Donald

[DNSOP] Review of draft-ietf-dnsop-cookies

2015-07-05 Thread Paul Hoffman
Greetings. This is a WG LC review of draft-ietf-dnsop-cookies, which I had not looked at carefully in some time. In short: it looks great, the document is complete and easy-to-read, and we probably should have done this nearly a decade ago when Donald started the work. Substantial: In Sections

Re: [DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Mukund Sivaraman
Hi Paul On Tue, Dec 16, 2014 at 10:32:08AM -0800, P Vixie wrote: > >It's 2 round trips to get at the data, answer the question. FIN is > >later. > > The total transaction time includes all time during which state is > held. That third round trip is in your departmental budget and will > show up a

Re: [DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread P Vixie
On December 16, 2014 9:47:34 AM PST, Mukund Sivaraman wrote: >Hi Paul > >On Tue, Dec 16, 2014 at 09:20:12AM -0800, Paul Vixie wrote: >> 3 round trips, 7 packets, for an isolated tcp/53 query. >> >> s -> >> <- s+a >> a -> >> q -> >> <- r+a >> f+a -> >> <- f+a > >It's 2 round tr

Re: [DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Mukund Sivaraman
Hi Paul On Tue, Dec 16, 2014 at 09:20:12AM -0800, Paul Vixie wrote: > 3 round trips, 7 packets, for an isolated tcp/53 query. > > s -> > <- s+a > a -> > q -> > <- r+a > f+a -> > <- f+a It's 2 round trips to get at the data, answer the question. FIN is later. Mu

Re: [DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Paul Vixie
> Mukund Sivaraman > Tuesday, December 16, 2014 9:13 AM > > Sorry, TCP also takes 2 RTT similar to UDP with DNS cookies. I had > included the initial UDP query by mistake, but this won't be involved if > TCP is directly tried. 3 round trips, 7 packets, for an isolated tcp/5

Re: [DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Mukund Sivaraman
On Tue, Dec 16, 2014 at 08:55:12PM +0530, Mukund Sivaraman wrote: > Given the risk of EDNS payload size related drops from an unknown server > and extra roundtrips, what are the reasons why this option should be > used in preference to TCP (that is just 1 RTT longer to get an answer > from) and has

[DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Mukund Sivaraman
Hi all As a part of DNS fragments drafting (which requires protection against UDP amplification attacks), I reviewed draft-ietf-dnsop-cookies-00. Its use in fragments would be narrow and I mainly read the draft from that point-of-view. The draft describes different types of attacks and the COOKIE