ietf-asrg

Re: DNS over SCTP (was: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review)

2009-05-29 09:31:38
 In your previous mail you wrote:

   I thought TCP was the default when the UDP message size is not enough. 

=> with EDNS0 this is a bit more complex but IMHO this is the idea.
Note the recommended "connection management" (RFC 1025 4.2.2) suggests
multiple queries/responses too.

   That's, AFAIK, the only advantage of TCP over SCTP: it's already in 
   place and ready. (Yes, one needs to run firewalls and all that stuff.)
   
=> this is not a new idea but today no server or resolver implementation
supports DNS over SCTP.
I have a lot of sympathy for SCTP but for DNS we need a transaction
oriented transport, i.e., something more secure than simple stateless
query/response over UDP but without the overhead of opening and closing
TCP connections. This is a very old idea, cf. RFC 955, but as far as
I know this is still an open problem. If I am wrong (I'd like to be :-)
please request a BoF in the transport area ASAP!

   > A single SCTP connection can support thousands of simultaneous streams,
   
   I agree SCTP is better, and it's been around for nearly a decade now. 

=> IMHO it is far less than 10 years but arguing about this point is
off topic.

   Yet, for those who miss it, good old TCP allows, say, a client to hold 
   a couple of connections to its favorite resolver in order to avoid 
   many of the threats illustrated by Kaminsky...
   
=> TCP is very expensive in terms of resources for the server and
TCP is still vulnerable to in-the-path attacks.

   > There is also OS support for UDP 
   > tunneling of SCTP when supporting legacy NATs and firewalls.  Until 
   > there is a significant incentive to make DNS more robust, use of SCTP 
   > is likely to remain just a good and under appreciated option.
   
   It seems that DNS over SCTP would solve 90% of the problems with 10% 
   of the efforts and resources required to implement DNSSEC. However, I 
   hear more often about the latter than the former. How come?
   
=> DNSSEC is the only available solution which solves the problems.
Others are not available (no specification published in a standard
track RFC or simply unfeasible) or don't address the problems
(hop-by-hop security for instance, when end-to-end is needed).
Both TCP and SCTP are in the others today...

Regards

Francis.Dupont@fdupont.fr
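The UDP-size/TCP-fallback mechanics discussed at the top of this message (the TC bit, the EDNS0 OPT record that advertises a larger UDP payload size, and the two-byte length prefix that lets several queries share one TCP connection) are easy to get wrong in a resolver. The following is an added example, not code from the mailing-list thread or from any DNS implementation; it builds a query with an EDNS0 OPT record, inspects a response for truncation, and shows the length-prefixed framing used over TCP. The transaction ID, name and flag values are constructed for illustration.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 2671)
PRE_EDNS0_UDP_LIMIT = 512


def encode_name(qname):
    """Encode a dotted name in uncompressed wire form: length-prefixed labels, root as a zero byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a wire-format name, handling RFC 1035 compression pointers."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        if n == 0:                    # root label ends the name
            return off + 1
        off += 1 + n


def build_query(qname, qtype=1, txid=0x1234, udp_payload_size=4096):
    """Build a recursive query with one question and an OPT record advertising udp_payload_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, QDCOUNT=1, ARCOUNT=1 (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size, TTL carries ext-RCODE/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields needed for transport decisions."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_udp_size(msg):
    """Return the UDP payload size from an OPT record, or 512 (the pre-EDNS0 limit) when there is none."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4                      # skip QTYPE and QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return PRE_EDNS0_UDP_LIMIT


def needs_tcp_fallback(response, expected_id):
    """A response that matches our ID, is a reply, and has TC set must be re-sent over TCP."""
    h = parse_header(response)
    return h["id"] == expected_id and h["qr"] and h["tc"]


def frame_for_tcp(msg):
    """Prefix the message with its two-byte length (RFC 1035 4.2.2 TCP framing)."""
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(data):
    """Split a TCP byte stream into complete DNS messages; return (messages, unconsumed_tail)."""
    msgs, off = [], 0
    while off + 2 <= len(data):
        n = struct.unpack("!H", data[off:off + 2])[0]
        if off + 2 + n > len(data):   # partial message still arriving
            break
        msgs.append(data[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, data[off:]


# Constructed sample messages (not captured traffic): a query and two possible replies to it.
QUERY = build_query("example.com", udp_payload_size=4096)
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
# flags 0x8380: QR=1, TC=1, RD=1, RA=1 -> truncated; 0x8180 is the same without TC
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION
COMPLETE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("advertised UDP size in query:", advertised_udp_size(QUERY))
    print("truncated reply -> retry over TCP:", needs_tcp_fallback(TRUNCATED_RESPONSE, 0x1234))
    print("complete reply  -> retry over TCP:", needs_tcp_fallback(COMPLETE_RESPONSE, 0x1234))
    stream = frame_for_tcp(QUERY) + frame_for_tcp(COMPLETE_RESPONSE)
    print("messages recovered from one TCP stream:", len(split_tcp_stream(stream)[0]))
```

The fallback check deliberately requires the transaction ID to match before honouring TC, and `split_tcp_stream` keeps any partial tail so that several queries pipelined on one connection are reassembled correctly rather than dropped.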
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
