Re: [DNSOP] Reply: Fwd: I-D Action: draft-song-atr-large-resp-00.txt

2017-09-25 Thread Florian Weimer

On 09/21/2017 06:50 AM, Paul Vixie wrote:

> both ideas are wrong. what we have to do is arrange to fragment, using
> the ipv6 extension header, all ipv6 udp, for a period of not less than
> five years. noone who blocks ipv6 extension headers should be able to
> get reliable ipv6 udp services. we have to make this problem felt where
> it is made. we must NOT work around it to insulate the makers of the
> problem from the costs of their actions.

I disagree with this approach.  Just avoid fragmentation altogether.  We 
know that it's harmful and can be used to bypass existing DNS hardening 
features.  Within five or ten years, packet rates have increased so much 
that the additional protection afforded by the 32-bit reassembly ID in 
IPv6 isn't sufficient anymore, either.


IP fragmentation is dead.  Use something else.

Thanks,
Florian

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] Reply: Fwd: I-D Action: draft-song-atr-large-resp-00.txt

2017-09-23 Thread william manning
there is some evidence to suggest that two factors will drive increasingly
large responses.  first is signing with multiple algorithms and second is
increases in key sizes.  in a worst case model, we have to shift to the
McEliece cryptosystem, post quantum crypto. for a standard selection of
parameters, the public key is 512 kilobits long.  for quantum computing, key
sizes must be increased by a factor of four due to improvements in information
set decoding.  (Attacking and defending the McEliece cryptosystem, Bernstein.)
so, yes, bigger responses should be planned for.
Anyone for DNS over BitTorrent?  :)

/Wm

On Wed, Sep 20, 2017 at 8:22 PM, Davey Song(宋林健)  wrote:

> Thank you.
>
> The large DNS response in IPv6 is a real problem. ATR is one option to be
> adopted in the authoritative server alone. If someone or some party has more
> influence on both resolver and authoritative side (cloud and app provider who
> can choose their own DNS resolution path), Mukund’s proposal to fragment the
> DNS message is a good solution.
> https://tools.ietf.org/html/draft-muks-dns-message-fragments-00
>
> So I do recommend ATR and DNS message fragments should be both considered
> in a tool box for large DNS response issues.
>
> Davey
>
> *From:* DNSOP [mailto:dnsop-boun...@ietf.org] *On Behalf Of* william manning
> *Sent:* 21 September 2017 1:30
> *To:* Davey Song
> *Cc:* dnsop
> *Subject:* Re: [DNSOP] Fwd: I-D Action: draft-song-atr-large-resp-00.txt
>
> i think this is a worthy document for consideration.
>
> /Wm
>
> On Sun, Sep 10, 2017 at 9:29 PM, Davey Song  wrote:
>
> Hi folks,
>
> I just submitted a draft dealing with the issue of large DNS responses,
> especially in IPv6. Comments are welcome.
>
> If chairs think it is in the scope of dnsop wg and encourage us to discuss
> it in this mailing list, I can submit it as a draft listed in dnsop wg.
>
> Davey
>
> -- Forwarded message --
> From: 
> Date: 11 September 2017 at 10:13
> Subject: I-D Action: draft-song-atr-large-resp-00.txt
> To: i-d-annou...@ietf.org
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
> Title   : ATR: Additional Truncated Response for Large DNS Response
> Author  : Linjian Song
> Filename: draft-song-atr-large-resp-00.txt
> Pages   : 8
> Date    : 2017-09-10
>
> Abstract:
>    With the increasing use of DNSSEC and IPv6, there is more public
>    evidence of and concern about IPv6 fragmentation issues due to larger
>    DNS payloads over IPv6.  This memo introduces a simple improvement on
>    the authoritative server by replying with an additional truncated
>    response just after the normal large response.
>
>    REMOVE BEFORE PUBLICATION: The source of the document with test
>    script is currently placed at GitHub [ATR-Github].  Comments and pull
>    requests are welcome.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-song-atr-large-resp/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-song-atr-large-resp-00
> https://datatracker.ietf.org/doc/html/draft-song-atr-large-resp-00
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> ___
> I-D-Announce mailing list
> i-d-annou...@ietf.org
> https://www.ietf.org/mailman/listinfo/i-d-announce
> Internet-Draft directories: http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt



Re: [DNSOP] Reply: Fwd: I-D Action: draft-song-atr-large-resp-00.txt

2017-09-21 Thread Andrew Sullivan
Hi,

On Wed, Sep 20, 2017 at 09:50:24PM -0700, Paul Vixie wrote:
> 
>  what we have to do is arrange to fragment, using the
> ipv6 extension header, all ipv6 udp, for a period of not less than five
> years. noone who blocks ipv6 extension headers should be able to get
> reliable ipv6 udp services. we have to make this problem felt where it is
> made. we must NOT work around it to insulate the makers of the problem from
> the costs of their actions.

I think that the above suggestion needs to define carefully who "we"
is in each sentence.  Because I am very far from convinced that the
"we" in each case is the same people, and also very far from convinced
that we are going to be able to "make" this happen, given our lack of
protocol police.  Operators have one incentive, which is to make their
customers stop calling; if our plan is to make IPv6 even less reliable
than it has been historically, I think the operators are going to point
us to the nearest short pier and tell us to take a long walk.

Best regards,

A

-- 
Andrew Sullivan
a...@anvilwalrusden.com



Re: [DNSOP] Reply: Fwd: I-D Action: draft-song-atr-large-resp-00.txt

2017-09-20 Thread Paul Vixie

Davey Song(宋林健) wrote:

> Thank you.
>
> The large DNS response in IPv6 is a real problem. ATR is one option
> to be adopted in the authoritative server alone. If someone or some party
> has more influence on both resolver and authoritative side (cloud and app
> provider who can choose their own DNS resolution path), Mukund’s
> proposal to fragment the DNS message is a good solution.
> https://tools.ietf.org/html/draft-muks-dns-message-fragments-00

both ideas are wrong. what we have to do is arrange to fragment, using
the ipv6 extension header, all ipv6 udp, for a period of not less than
five years. noone who blocks ipv6 extension headers should be able to
get reliable ipv6 udp services. we have to make this problem felt where
it is made. we must NOT work around it to insulate the makers of the
problem from the costs of their actions.

> So I do recommend ATR and DNS message fragments should be both
> considered in a tool box for large DNS response issues.

can a freebsd kernel hacker please contact me? i need some patches, but
i'm traveling extensively, and i can't do the investigation and software
engineering myself.

--
P Vixie



[DNSOP] Reply: Fwd: I-D Action: draft-song-atr-large-resp-00.txt

2017-09-20 Thread 宋林健
Thank you.

The large DNS response in IPv6 is a real problem. ATR is one option to be
adopted in the authoritative server alone. If someone or some party has more
influence on both resolver and authoritative side (cloud and app provider who
can choose their own DNS resolution path), Mukund’s proposal to fragment the
DNS message is a good solution.
https://tools.ietf.org/html/draft-muks-dns-message-fragments-00

So I do recommend ATR and DNS message fragments should be both considered in a
tool box for large DNS response issues.

Davey

From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of william manning
Sent: 21 September 2017 1:30
To: Davey Song
Cc: dnsop
Subject: Re: [DNSOP] Fwd: I-D Action: draft-song-atr-large-resp-00.txt

i think this is a worthy document for consideration.

/Wm

On Sun, Sep 10, 2017 at 9:29 PM, Davey Song  wrote:

Hi folks,

I just submitted a draft dealing with the issue of large DNS responses,
especially in IPv6. Comments are welcome.

If chairs think it is in the scope of dnsop wg and encourage us to discuss it
in this mailing list, I can submit it as a draft listed in dnsop wg.

Davey

-- Forwarded message --
From: 
Date: 11 September 2017 at 10:13
Subject: I-D Action: draft-song-atr-large-resp-00.txt
To: i-d-annou...@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories.

Title   : ATR: Additional Truncated Response for Large DNS Response
Author  : Linjian Song
Filename: draft-song-atr-large-resp-00.txt
Pages   : 8
Date    : 2017-09-10

Abstract:
   With the increasing use of DNSSEC and IPv6, there is more public
   evidence of and concern about IPv6 fragmentation issues due to larger
   DNS payloads over IPv6.  This memo introduces a simple improvement on
   the authoritative server by replying with an additional truncated
   response just after the normal large response.

   REMOVE BEFORE PUBLICATION: The source of the document with test
   script is currently placed at GitHub [ATR-Github].  Comments and pull
   requests are welcome.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-song-atr-large-resp/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-song-atr-large-resp-00
https://datatracker.ietf.org/doc/html/draft-song-atr-large-resp-00

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


[DNSOP] Reply: Fwd: I-D Action: draft-song-atr-large-resp-00.txt

2017-09-13 Thread 宋林健
Sorry, You are right.

> -----Original Message-----
> From: Davey Song(宋林健) [mailto:ljs...@biigroup.cn]
> Sent: 13 September 2017 17:56
> To: 'Lanlan Pan'; 'Davey Song'
> Cc: 'dnsop'
> Subject: Reply: [DNSOP] Fwd: I-D Action: draft-song-atr-large-resp-00.txt
>
>
> > ATR make Authoritative Servers send normal big response packet before they
> > try to send TC response for large RRsets ?
>
> No. big response packet first, then TC response.
>
> Davey



[DNSOP] Reply: Fwd: I-D Action: draft-song-atr-large-resp-00.txt

2017-09-13 Thread 宋林健

> ATR make Authoritative Servers send normal big response packet before they 
> try to send TC response for large RRsets ? 

No. big response packet first, then TC response.

Davey

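The ATR behaviour the draft abstract and Davey's reply describe (normal large response first, then a truncated copy with TC set) as an added example that is not part of this thread or of the draft's own test script; the wire-building helpers, the 1280-byte size threshold, the sample name and the addresses are assumptions constructed for the example.

```python
import struct

# DNS header flag bits (RFC 1035 layout).
QR = 0x8000   # message is a response
TC = 0x0200   # truncated: tells the resolver to retry the query over TCP

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def question_length(msg):
    """Byte length of the single question section that starts at offset 12."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]          # uncompressed labels only (we built them)
    return pos + 1 + 4 - 12          # terminator + QTYPE + QCLASS

def build_sample_response(ident, name, n_addrs):
    """Constructed oversized reply: n_addrs A records of 27 bytes each."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rrs = b"".join(encode_name(name) +
                   struct.pack("!HHIH4B", 1, 1, 300, 4, 192, 0, 2, i % 256)
                   for i in range(n_addrs))
    return struct.pack("!6H", ident, QR, 1, n_addrs, 0, 0) + question + rrs

def truncated_copy(response):
    """Header + question only, TC set, ID and question unchanged."""
    ident, flags, qdcount = struct.unpack("!3H", response[:6])
    header = struct.pack("!6H", ident, flags | QR | TC, qdcount, 0, 0, 0)
    return header + response[12:12 + question_length(response)]

def atr_responses(response, threshold=1280):
    """Datagrams an ATR server sends: the full reply, then the TC copy if large."""
    if len(response) <= threshold:
        return [response]
    return [response, truncated_copy(response)]

def is_atr_truncated(datagram, expected_id):
    """Resolver-side check: a TC response for our query ID carrying no answers."""
    ident, flags, _, ancount = struct.unpack("!4H", datagram[:8])
    return ident == expected_id and flags & (QR | TC) == (QR | TC) and ancount == 0
```

The second datagram never needs fragmentation, so a resolver behind a path that drops IPv6 fragments still receives it and falls back to TCP instead of timing out.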