In message <[email protected]>, Fernando Gont writes:
> Hi, Mark,
>
> On 12/15/2011 10:19 PM, Mark Andrews wrote:
> > When thinking about this draft please consider the following:
> >
> > http://tools.ietf.org/html/draft-andrews-6man-force-fragmentation-00
> > http://tools.ietf.org/html/draft-andrews-dnsext-udp-fragmentation-00
>
> I've just read both of them. The relationship I've found with these two
> and the two I've authored is that your I-Ds will lead to an increase of
> IPv6 "atomic fragments". This means that:
>
> *
> <http://tools.ietf.org/id/draft-gont-6man-ipv6-atomic-fragments-00.txt>
> is even more desirable, as it would completely mitigate
> fragmentation-related attacks against DNS traffic that is not really
> split into several packets (but still contains a Fragment Header).
>
> * Implementation of
> <http://tools.ietf.org/id/draft-gont-6man-predictable-fragment-id-00.txt> at
> the sending node would help mitigate some fragmentation-related attacks
> against receivers that do not yet implement the "atomic packets"
> behaviour described above, or in scenarios in which DNS traffic is
> really fragmented (i.e., packets are split into multiple pieces).
>
> Does this agree with your assessment? Am I missing something?
>
> P.S.: I'll be sending feedback about your I-Ds in separate e-mails.
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: [email protected]
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

The real worry is the amount of state that busy authoritative servers
will be maintaining. At 13K+ mostly unique clients a second to answer
that's a lot of state.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
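
As an added illustration (not part of either message or of the drafts), a Python sketch of a receiver that treats a packet whose Fragment Header has Fragment Offset 0 and M flag 0 as an atomic fragment and delivers it without consulting the reassembly queue. The `Receiver` class, the `build` helper, the addresses and the payloads are constructed for this example, and only a Fragment Header directly after the fixed IPv6 header is handled.

```python
import ipaddress
import struct

IPV6_HDR_LEN, FRAG_HDR_LEN = 40, 8
NH_FRAGMENT, NH_UDP = 44, 17          # IPv6 Next Header values
SRC = ipaddress.IPv6Address("2001:db8::1").packed   # constructed addresses
DST = ipaddress.IPv6Address("2001:db8::53").packed

def build(ident, offset, more, payload):
    """Build a constructed IPv6 packet: fixed header + Fragment Header + payload."""
    frag = struct.pack("!BBHI", NH_UDP, 0, (offset << 3) | int(more), ident)
    fixed = struct.pack("!IHBB", 6 << 28, len(frag) + len(payload), NH_FRAGMENT, 64)
    return fixed + SRC + DST + frag + payload

def parse_fragment_header(packet):
    """Return (src, dst, ident, offset, more), or None when no Fragment Header
    directly follows the fixed header (other extension headers are not walked)."""
    if len(packet) < IPV6_HDR_LEN + FRAG_HDR_LEN or packet[0] >> 4 != 6:
        return None
    if packet[6] != NH_FRAGMENT:
        return None
    _nh, _res, off_flags, ident = struct.unpack_from("!BBHI", packet, IPV6_HDR_LEN)
    # Upper 13 bits: Fragment Offset (8-octet units); lowest bit: M flag.
    return packet[8:24], packet[24:40], ident, off_flags >> 3, bool(off_flags & 1)

class Receiver:
    def __init__(self):
        self.reassembly = {}   # (src, dst, ident) -> [(offset, payload)]
        self.delivered = []

    def receive(self, packet):
        parsed = parse_fragment_header(packet)
        if parsed is None:
            self.delivered.append(packet[IPV6_HDR_LEN:])
            return "unfragmented"
        src, dst, ident, offset, more = parsed
        payload = packet[IPV6_HDR_LEN + FRAG_HDR_LEN:]
        if offset == 0 and not more:
            # Atomic fragment: complete on its own, so it is handled in
            # isolation and never matched against queued fragments.
            self.delivered.append(payload)
            return "atomic"
        self.reassembly.setdefault((src, dst, ident), []).append((offset, payload))
        return "queued"

def demo():
    r = Receiver()
    results = [r.receive(build(0x1234, 0, True, b"forged-first-fragment")),
               r.receive(build(0x1234, 0, False, b"dns-reply"))]
    return results, r.delivered, len(r.reassembly)
```

In `demo()`, a queued fragment that reuses the same Identification value does not affect delivery of the atomic fragment; it simply remains in the reassembly queue.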
