On May 27, 2009, at 9:05 AM, Alessandro Vesely wrote:
Douglas Otis wrote:
The safest method for deploying DNSSEC could be by using SCTP as a
preferred transport for DNS.
Just using TCP would prevent most of the DNS poisoning attacks that
Amir's paper reports.
TCP is prone to DDoS attack. As such, TCP is seldom used with DNS.
TCP is also the first transport dropped when resources are exhausted
on DNS servers. SCTP, by contrast, offers extremely important defenses
against DDoS abuse and should not need abandonment. SCTP returns a
cookie as a place-holder for resources that are not committed until
the cookie is returned. This provides the benefit of being able to
safely exchange data sooner, while also being assured source IP
addresses are not being spoofed. SCTP has its own 32-bit
transactional ID that further extends the 16-bit transactional ID within
the DNS message. SCTP can also sustain virtual connections while
consuming little system overhead. Such connections can offer lower
latency than UDP. SCTP would also eliminate the need for EDNS0.
A single SCTP connection can support thousands of simultaneous
streams, where queries and responses are not exposed to head of queue
blocking or complex buffering, which is often a problem when using
TCP. SCTP also provides a means to support multi-homing, where one
address can identify alternative paths. When one path fails to
respond, an alternative is immediately employed. Such a fail-over
method is likely many times faster than the exponential back-off used
during DNS UDP recovery and the locating of a different authoritative
DNS server.
SCTP provides about the same error detection rate for Jumbo frames as
does the IEEE CRC for 1.5 KB frames. The SCTP error detection
algorithm is now supported in several NICs and has dedicated
instructions within the i7 core processors. There is also OS support
for UDP tunneling of SCTP when supporting legacy NATs and firewalls.
Until there is a significant incentive to make DNS more robust, use
of SCTP is likely to remain just a good and underappreciated option.
-Doug
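As an added illustration of the cookie mechanism described in the post above (this code is not from the post, the list, or any SCTP implementation): a Python model of the RFC 4960 four-way handshake in which the server commits no association state until the cookie it issued comes back from the same source. The cookie layout, the HMAC-SHA256 choice, the 60-second lifetime, the addresses and the verification-tag handling are constructed assumptions for the model; real SCTP stacks define their own cookie contents.

```python
"""Model of SCTP's stateless-cookie handshake (INIT / INIT ACK /
COOKIE ECHO / COOKIE ACK).  Constructed example: cookie format,
MAC algorithm and lifetime are assumptions, not any real stack's."""
import hashlib
import hmac
import os
import struct
import time

COOKIE_LIFETIME = 60               # seconds a cookie stays valid (assumed value)
_HDR = ">IIQH"                     # peer tag, our tag, issue time, address length
_HDR_LEN = struct.calcsize(_HDR)   # 18 bytes
_MAC_LEN = 32                      # HMAC-SHA256 digest length


class SctpServer:
    """Server side of the handshake; association state is created only on a valid echo."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)   # key protecting the cookie
        self.associations = {}                   # populated only after a valid COOKIE ECHO

    def _mac(self, body):
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def handle_init(self, src_addr, peer_tag, now=None):
        """INIT -> INIT ACK.  Returns the state cookie.  Nothing is stored locally,
        so an INIT from a spoofed source costs the server only one MAC computation."""
        ts = int(time.time() if now is None else now)
        my_tag = struct.unpack(">I", os.urandom(4))[0] or 1   # 32-bit verification tag, non-zero
        addr = src_addr.encode()
        body = struct.pack(_HDR, peer_tag, my_tag, ts, len(addr)) + addr
        return body + self._mac(body)

    def handle_cookie_echo(self, src_addr, cookie, now=None):
        """COOKIE ECHO -> COOKIE ACK.  Returns our verification tag on success, or
        None when the cookie is forged, stale, or was issued to another address."""
        if len(cookie) < _HDR_LEN + _MAC_LEN:
            return None
        body, mac = cookie[:-_MAC_LEN], cookie[-_MAC_LEN:]
        if not hmac.compare_digest(self._mac(body), mac):
            return None                                   # forged or tampered cookie
        peer_tag, my_tag, ts, alen = struct.unpack(_HDR, body[:_HDR_LEN])
        if body[_HDR_LEN:_HDR_LEN + alen].decode() != src_addr:
            return None                                   # echoed from a different source
        now = int(time.time() if now is None else now)
        if not 0 <= now - ts <= COOKIE_LIFETIME:
            return None                                   # stale cookie
        # Only here are resources committed: the peer has proven it owns src_addr.
        self.associations[(src_addr, my_tag)] = {"peer_tag": peer_tag}
        return my_tag


def demo():
    """Run the handshake through the cases a server must accept or reject."""
    server = SctpServer()

    # 1. Flood of INITs from spoofed addresses (constructed): the INIT ACKs go to
    #    the spoofed hosts, so no cookie is ever echoed and no state accumulates.
    for i in range(1000):
        server.handle_init(f"203.0.113.{i % 256}", peer_tag=0xDEADBEEF, now=1000)
    state_after_flood = len(server.associations)

    # 2. Legitimate client echoes its cookie from its own address within the lifetime.
    cookie = server.handle_init("192.0.2.10", peer_tag=0x11111111, now=1000)
    legit_tag = server.handle_cookie_echo("192.0.2.10", cookie, now=1001)

    # 3. Rejected echoes: a flipped byte, an expired cookie, a replay from elsewhere.
    tampered = bytearray(cookie)
    tampered[0] ^= 0x01
    return {
        "state_after_flood": state_after_flood,
        "legit_tag": legit_tag,
        "tampered": server.handle_cookie_echo("192.0.2.10", bytes(tampered), now=1001),
        "stale": server.handle_cookie_echo("192.0.2.10", cookie, now=1000 + COOKIE_LIFETIME + 1),
        "wrong_source": server.handle_cookie_echo("198.51.100.7", cookie, now=1001),
        "associations": len(server.associations),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes is the one in the post: a thousand INITs from addresses that never answer leave the server holding zero associations, whereas a TCP listener in the same situation would be holding half-open connection state for each SYN. The MAC also gives the "source IP not spoofed" assurance, since a cookie is only accepted from the address it was issued to.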
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg