On Aug 5, 2015, at 9:39 PM, Mark Andrews wrote:
> If the attacker has a good cookie then you have a high degree of
> confidence that the IP address is correct even if it is a UDP request
> and you can take steps like contacting the operators of the network
> / server.
After some pretty intense crit
Hi,
On Wed, Aug 5, 2015 at 4:58 AM, Ralf Weber wrote:
> ...
>
> But let's focus on the way the server handles cookies. I think I
> discussed that with you or Donald in Prague. There are two ways to
> do this so that each client gets a different cookie, which is what
> the draft suggests:
> - provid
At Wed, 05 Aug 2015 10:58:56 +0200,
"Ralf Weber" wrote:
> But let's focus on the way the server handles cookies. I think I
> discussed that with you or Donald in Prague. There are two ways to
> do this so that each client gets a different cookie, which is what
> the draft suggests:
[...]
> - provid
In message , "Ralf Weber" writes:
> Moin!
>
> On 5 Aug 2015, at 17:05, Paul Hoffman wrote:
>
> > On 5 Aug 2015, at 1:58, Ralf Weber wrote:
> >
> >> On 5 Aug 2015, at 5:36, Mark Andrews wrote:
> >>> The analysis above is lacking.
> >>>
> >>> "has cookie" is not the determining factor. "has good
On Aug 5, 2015, at 4:32 PM, Stephane Bortzmeyer wrote:
> The vast majority of open resolvers are broken CPE, with a poor and
> limited implementation of DNS, or very old BIND not maintained for
> years. I think it's unlikely they will be upgraded to support cookies.
Right, but it wouldn’t surpris
Moin!
On 5 Aug 2015, at 22:32, Stephane Bortzmeyer wrote:
> On Tue, Aug 04, 2015 at 06:15:43PM -0400,
> Ted Lemon wrote
> a message of 312 lines which said:
>
>> because the client may be an open resolver that implements cookies,
>> and indeed open resolvers that implement cookies will now be
>>
On Tue, Aug 04, 2015 at 06:15:43PM -0400,
Ted Lemon wrote
a message of 312 lines which said:
> because the client may be an open resolver that implements cookies,
> and indeed open resolvers that implement cookies will now be
> specially favored as attack vectors.
The vast majority of open re
On Aug 5, 2015, at 2:05 PM, Ted Lemon wrote:
>> Actually there are good reasons for clients to implement cookies.
>> They reduce the amount of port randomisation that needs to happen
>> in a recursive server (if the server supports cookies you don't
>> need to randomise the source port) and client
Moin!
On 5 Aug 2015, at 17:05, Paul Hoffman wrote:
On 5 Aug 2015, at 1:58, Ralf Weber wrote:
On 5 Aug 2015, at 5:36, Mark Andrews wrote:
The analysis above is lacking.
"has cookie" is not the determining factor. "has good server
cookie"
is the determining factor.
For the attack that Ted
On Aug 5, 2015, at 12:42 PM, Paul Vixie wrote:
> t-shirt idea!
Want.
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
On Aug 5, 2015, at 11:05 AM, Paul Hoffman wrote:
> If an attacker is causing a system that does cookies to be an attack vector,
> then this proposal does no harm or good.
Can you explain why this is the case?
Moin!
On 5 Aug 2015, at 12:50, Mark Andrews wrote:
In message <44d34c00-2ada-443e-9387-ef79171b4...@fl1ger.de>, "Ralf
Weber" writes:
- provide a deterministic function that takes the client IP and a
secret to generate the cookie. That way you can generate the same
cookie on every request.
Re
On Aug 4, 2015, at 11:36 PM, Mark Andrews wrote:
>> Actually we can make a lot of predictions. First, if there is no
>> incentive to implement it, vendors won’t implement it, so we can safely
>> assume that adoption on stub resolvers will be very slow.
>
> Well there are multiple vendors who ha
Mark Andrews wrote:
> ...
>
> Read the draft. It does not say that.
t-shirt idea!
--
Paul Vixie
On 5 Aug 2015, at 1:58, Ralf Weber wrote:
On 5 Aug 2015, at 5:36, Mark Andrews wrote:
The analysis above is lacking.
"has cookie" is not the determining factor. "has good server cookie"
is the determining factor.
For the attack that Ted describes later these attackers will have a
good server
In message <44d34c00-2ada-443e-9387-ef79171b4...@fl1ger.de>, "Ralf Weber"
writes:
> Moin!
>
> On 5 Aug 2015, at 5:36, Mark Andrews wrote:
> > The analysis above is lacking.
> >
> > "has cookie" is not the determining factor. "has good server cookie"
> > is the determining factor.
> For the attac
Moin!
On 5 Aug 2015, at 5:36, Mark Andrews wrote:
> The analysis above is lacking.
>
> "has cookie" is not the determining factor. "has good server cookie"
> is the determining factor.
For the attack that Ted describes later these attackers will have a
good server cookie as they are behind open
In message <63d21888-478d-42f8-8576-e89131cfe...@nominum.com>, Ted Lemon writes:
> On Aug 4, 2015, at 5:39 PM, Donald Eastlake wrote:
> > From that it does not follow that it
> > "wouldn't make sense" to use COOKIEs in connection with TSIG. The
> > non-cryptographic calculations you do for COOKIE
On Aug 4, 2015, at 5:39 PM, Donald Eastlake wrote:
> From that it does not follow that it
> "wouldn't make sense" to use COOKIEs in connection with TSIG. The
> non-cryptographic calculations you do for COOKIE verification are
> going to be at least two orders of magnitude cheaper than the
> crypto
On Tue, Aug 4, 2015 at 4:21 PM, Ted Lemon wrote:
> On Aug 4, 2015, at 3:01 PM, Paul Hoffman wrote:
>> +1 to Donald's response, and -1 to Ted Lemon calling cookies a "kludge".
>
> Sigh. The actual proposal, particularly the key rollover bit, is quite
> elegant, if a bit underspecified, so you’re
On Aug 4, 2015, at 3:01 PM, Paul Hoffman wrote:
> +1 to Donald's response, and -1 to Ted Lemon calling cookies a "kludge".
Sigh. The actual proposal, particularly the key rollover bit, is quite
elegant, if a bit underspecified, so you’re right to call me out for this
choice of terminology.
On 4 Aug 2015, at 10:06, Donald Eastlake wrote:
On Tue, Aug 4, 2015 at 12:39 PM, Ted Lemon
wrote:
On Aug 4, 2015, at 12:30 PM, Donald Eastlake
wrote:
I think Mark was pointing out that if you
are under attack and want to use weak authentication to help resist
that attack, there is no particu
On Tue, Aug 4, 2015 at 12:39 PM, Ted Lemon wrote:
> On Aug 4, 2015, at 12:30 PM, Donald Eastlake wrote:
>> I think Mark was pointing out that if you
>> are under attack and want to use weak authentication to help resist
>> that attack, there is no particular reason to push cookie supporting
>> c
On Aug 4, 2015, at 12:30 PM, Donald Eastlake wrote:
> I think Mark was pointing out that if you
> are under attack and want to use weak authentication to help resist
> that attack, there is no particular reason to push cookie supporting
> clients to TCP to provide that authentication. COOKIEs pro
Hi Ted,
On Tue, Aug 4, 2015 at 11:50 AM, Ted Lemon wrote:
> On Aug 4, 2015, at 4:20 AM, Mark Andrews wrote:
>> If you are under attack the current method is drop or send back TC=1. TC=1
>> means managing many more TCP session on both the server and client side.
>> With cookies it is drop or BADCOO
On Aug 4, 2015, at 4:20 AM, Mark Andrews wrote:
> If you are under attack the current method is drop or send back TC=1. TC=1
> means managing many more TCP session on both the server and client side.
> With cookies it is drop or BADCOOKIE which keeps the traffic on UDP if there
> isn't a good server
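The two mechanics discussed in this thread, Ralf Weber's "deterministic function that takes the client IP and a secret" for server cookies and Mark Andrews' point that an attacked server can answer cookie-capable clients with BADCOOKIE over UDP instead of pushing everyone to TCP, as an added example. This is not the draft's algorithm and not code from any of the posters: the HMAC-SHA256 derivation truncated to 16 bytes, the two-secret rollover, and the `handle()` decision function are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Client cookie is a fixed 8 bytes; the server cookie length here (16 bytes)
# and the derivation (HMAC-SHA256 over client IP + client cookie, keyed with
# the server secret, truncated) are assumptions for this example.
CLIENT_COOKIE_LEN = 8
SERVER_COOKIE_LEN = 16


@dataclass
class CookieServer:
    # Current secret plus the previous one, so a secret rollover does not
    # invalidate every outstanding server cookie at the same instant.
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    previous_secret: Optional[bytes] = None

    def _derive(self, secret: bytes, client_ip: str, client_cookie: bytes) -> bytes:
        # Deterministic: same client IP + client cookie + secret -> same server
        # cookie, so nothing per-client has to be stored on the server.
        ip_bytes = ipaddress.ip_address(client_ip).packed
        mac = hmac.new(secret, ip_bytes + client_cookie, hashlib.sha256).digest()
        return mac[:SERVER_COOKIE_LEN]

    def server_cookie(self, client_ip: str, client_cookie: bytes) -> bytes:
        return self._derive(self.secret, client_ip, client_cookie)

    def is_good(self, client_ip: str, client_cookie: bytes,
                server_cookie: Optional[bytes]) -> bool:
        """A 'good server cookie' is one we computed for this source address
        under the current or previous secret. A spoofed source fails here
        because the attacker never received a cookie bound to that address."""
        if len(client_cookie) != CLIENT_COOKIE_LEN or server_cookie is None:
            return False
        for s in (self.secret, self.previous_secret):
            if s is None:
                continue
            if hmac.compare_digest(self._derive(s, client_ip, client_cookie), server_cookie):
                return True
        return False

    def rollover(self) -> None:
        self.previous_secret = self.secret
        self.secret = secrets.token_bytes(32)

    def handle(self, client_ip: str, client_cookie: Optional[bytes],
               server_cookie: Optional[bytes],
               under_attack: bool) -> Tuple[str, Optional[bytes]]:
        """Decide how to treat one UDP query. Returns (action, cookie_to_send).

        ANSWER    - respond normally (with a fresh server cookie if the client
                    sent a COOKIE option)
        TC        - answer truncated, forcing a legacy client to retry over TCP
        BADCOOKIE - refuse over UDP but hand back a valid server cookie so the
                    client can retry over UDP without a TCP session
        """
        if client_cookie is None:
            # No COOKIE option at all: only the TCP fallback is available.
            return ("TC" if under_attack else "ANSWER", None)
        fresh = self.server_cookie(client_ip, client_cookie)
        if self.is_good(client_ip, client_cookie, server_cookie):
            return ("ANSWER", fresh)
        if under_attack:
            # Client speaks cookies but has no good one yet: stay on UDP.
            return ("BADCOOKIE", fresh)
        return ("ANSWER", fresh)


if __name__ == "__main__":
    srv = CookieServer()
    cc = secrets.token_bytes(CLIENT_COOKIE_LEN)          # constructed client cookie
    first = srv.handle("192.0.2.1", cc, None, under_attack=True)
    retry = srv.handle("192.0.2.1", cc, first[1], under_attack=True)
    spoof = srv.handle("198.51.100.7", cc, first[1], under_attack=True)
    print(first[0], retry[0], spoof[0])
```

Only the `is_good` check decides anything: a query carrying a good server cookie is treated as coming from the address it claims, which is exactly why an open resolver that implements cookies is attractive as a reflector and why a spoofed source, which never held the cookie, is rejected.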
In message <86be15f2-2a2e-42e7-8d0d-51c2dbbd7...@nominum.com>, Ted Lemon writes:
>
> On Aug 2, 2015, at 9:46 PM, Zhiwei Yan wrote:
> > -DDOS: the current situation is that it is very very easy to construct
> > a DNS packet and then the bandwidth requirement to defend DDOS continually
> > increases
On Aug 2, 2015, at 9:46 PM, Zhiwei Yan wrote:
> -DDOS: the current situation is that it is very very easy to construct a DNS
> packet and then the bandwidth requirement to defend DDOS continually
> increases. the additional cost will be introduced in the "cookies" scheme,
> but it will be more f
On , Zhiwei Yan wrote:
-DDOS: the current situation is that it is very very easy to construct
a DNS packet and then the bandwidth requirement to defend DDOS
continually increases. the additional cost will be introduced in the
"cookies" scheme, but it will be more flexible in this case because
".
2015-08-03
Zhiwei Yan
From: Ted Lemon
Sent: 2015-08-01 22:36:03
To: Paul Hoffman
Cc:
Subject: Re: [DNSOP] Seeking more WG Last Call review for draft-ietf-dnsop-cookies
I sent this out on July 20, but unfortunately just to Paul Hoffman. I was
puzzled as to why it didn’t get an