On Mon, Mar 25, 2019 at 9:37 AM Brian Dickson <brian.peter.dick...@gmail.com>
wrote:

>> Other than blocking all-but-a-few (or all, or a few) DoT servers, I do
>> not believe anyone has proposed explicit downgrade triggers.

That's the downgrade I am referring to.



> Or do you mean, when a DoT connection is blocked by e.g. a firewall (or
> other network enforcement device), that an RST is generated? I believe the
> RST requires sequence number validation before it can be processed by the
> TCP stack, which means the entity doing the RST generally needs to be in
> the data path. Other than "lucky guess" or "high volume attempts", I don't
> believe RST to be a serious threat.
>

Path manipulation attacks are real: ARP attacks, BOOTP attacks, rogue
access points, Stingray, all kinds of things. Unauthenticated network
packets are just that: unauthenticated. RST (or blackhole) is a good
indication that a path isn't going to work; it's not a good indication of
who is expressing that policy (or whether it is a policy at all).

Anyhow - I'm really not trying to amp up this thread.. I just felt that
there were a few relevant points to the discussion that had not been
introduced.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop