ietf
[Top] [All Lists]

Re: [DNSOP] Re: Last Call: draft-ietf-dnsop-reflectors-are-evil (Preventing Use of Recursive Nameservers in Reflector Attacks) to BCP

2007-09-28 09:43:43

On 28-Sep-2007, at 1136, Paul Hoffman wrote:

> It is not "obvious", at least to some of the people I have spoken
> with. It is also not obvious to VPN vendors; otherwise, they would
> have easy-to-use settings to make it happen.

I'm surprised by that comment.

I'm not. As it happens I've used three different VPN services in the past few
years and I will soon be forced to switch to a fourth. In each case the IT
folks managed to jury-rig things so that DNS queries got redirected, but I've
been told in some cases it required quite a bit of effort. And it is also my
understanding that requiring this significantly limited our our options in
choosing VPN solutions.

I think it's a common use case that organisations who deploy VPNs
have split DNS; that is, namespaces available through internal
network resolvers that do not appear in the global namespace.

Yes, we have this in spades at Sun. Can't say it works all that well, but this
is really a separate issue.

In my experience, it is normal for:

  - VPN client software to use IP addresses rather than names to
establish a secure tunnel with the home network

I'm sure this is done, but I think it is more common to use DNS entries. You
have to validate the server's certificate or whatever anyway, so all direct use
of IP address does is limit certain denial of service attacks but at the cost
of a significant loss in flexibility.

  - Local resolver settings on the VPN client's machine to be re-
written to use internal home network nameservers while the VPN
session is active

Yeah, that's what the client ends up doing. I don't know the specifics of how
this has been implemented in the various clients I've had to use, but it has
tended to be quite fragile - on numerous occasions things have failed in such a
way that my DNS settings were completely trashed and I had to go in and reset
them manually. I eventually wrote a little script I can run to force things
back to where they're supposed to be with a single command.

Perhaps if this the need for this were called out more specifically more
attention would be paid to making this work well.

This is certainly how the cisco VPN client supplied to me by my
employer (and the subsequent versions I've downloaded directly from
cisco) work, for example. I was under the impression that cisco had
fairly significant market share in this area.

Since I don't really know who or what's responsible for the many problems I've
seen with this I'm not going to provide specifics regarding the clients I've
used. However, I will say that I think you've had a fair bit of luck here.

This is not to say that the topic doesn't deserve mention in the
draft at hand. However, your logic in the last sentence above seems
suspect to me.

FWIW, I am in full support of Paul and John's position here.

                                Ned

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf