On Mon, Mar 25, 2019 at 10:31 AM Patrick McManus <mcma...@ducksong.com> wrote:
> > > On Mon, Mar 25, 2019 at 9:37 AM Brian Dickson < > brian.peter.dick...@gmail.com> wrote: > >> >> >>> >>> \Other than blocking all-but-a-few (or all, or a few) DoT servers, I do >> not believe anyone has proposed explicit downgrade triggers. >> > > that's the downgrade I am referring to > > > >> Or do you mean, when a DoT connection is blocked by e.g. a firewall (or >> other network enforcement device), that an RST is generated? I believe the >> RST requires sequence number validation before it can be processed by the >> TCP stack, which means the entity doing the RST generally needs to be in >> the data path. Other than "lucky guess" or "high volume attempts", I don't >> believe RST to be a serious threat. >> > > path manipulation attacks are real. arp attacks.. bootp attacks.. rouge > access points. stingray. all kinds of things. unauthenticated network > packets are just that: unauthenticated. RST (or blackhole) is a good > indication that a path isn't going to work - its not a good indication of > who is expressing that policy (or whether it is a policy at all). > > Anyhow - I'm really not trying to amp up this thread.. I just felt that > there were a few relevant points to the discussion that had not been > introduced. > Okay, that's good to know, and I think we are in agreement (i.e. that inference is a poor substitute for declarations.) I think that this is an area that needs thought and mechanism development, possibly aligned with DoT/DoH operation, possibly not (or orthogonal to them). Brian
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
