* Daisuke HIGASHI:
> draft-fujiwara-dnsop-fragment-attack-01:
>
>> 3. Current status
>>
>> [Brandt2018] showed that Linux version 3.13 and older versions are
>> vulnerable to crafted ICMP fragmentation needed and DF set packet and
>> off-path attackers can set some of authoritative servers'
draft-fujiwara-dnsop-fragment-attack-01:
> 3. Current status
>
> [Brandt2018] showed that Linux version 3.13 and older versions are
> vulnerable to crafted ICMP fragmentation needed and DF set packet and
> off-path attackers can set some of authoritative servers' path MTU
> size to 296.
>
You specify a well known TSIG key (e.g. name=“.”, algorithm=hmac-sha256,
key=<32-zero-bytes>) then you use it when you don’t have a more specific key.
If the server supports the WKK you will get back a TSIG signed response that
can’t have been forged by an off-path attacker if it
matched the resp
At Mon, 04 Mar 2019 20:43:14 +0900 (JST),
fujiw...@jprs.co.jp wrote:
> > - Section 3
> >
> >Linux 2.6.32, Linux 4.18.20
> >and FreeBSD 12.0 accept crafted "ICMPv6 Packet Too Big" packet and
> >path MTU decreased to 1280.
> >
> > I suspect this often doesn't matter much in practice.
> From: Mark Andrews
> Or one can use TSIG with a well known key to get a cryptographic hash of the
> response. Below is how the servers for the Alexa top 1 Million handle
> unexpected TSIG. It’s well under a day to add this to a recursive server
> that supports TSIG already. It’s a couple
> From: 神明達哉
>>https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01
>>
>> It summarized DNS cache poisoning attack using IP fragmentation
>> and countermeasures.
>>
>> If the draft is interested, I will request timeslot at IETF 104.
>
> I've read the draft. I think it's genera
Mark Andrews wrote on 2019-03-01 12:00:
Or one can use TSIG with a well known key to get a cryptograph hash
of the response. ...
i prefer this approach. no matter how bad fragmentation was in V4 and no
matter how much worse it is in V6, we must not lock ourselves into
packets whose size is
At Fri, 01 Mar 2019 21:14:48 +0900 (JST),
fujiw...@jprs.co.jp wrote:
> Dear DNSOP,
>
> I submitted draft-fujiwara-dnsop-fragment-attack-01.
>
>https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01
>
> It summarized DNS cache poisoning attack using IP fragmentation
> and counterme
Or one can use TSIG with a well known key to get a cryptographic hash of the
response. Below is how the servers for the Alexa top 1 Million handle
unexpected TSIG. It’s well under a day to add this to a recursive server
that supports TSIG already. It’s a couple of minutes of configuration
ti
Dear DNSOP,
I submitted draft-fujiwara-dnsop-fragment-attack-01.
https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01
It summarized DNS cache poisoning attack using IP fragmentation
and countermeasures.
If the draft is interested, I will request timeslot at IETF 104.
I think