Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-30 Thread Ólafur Guðmundsson
On Mon, Sep 28, 2015 at 9:53 PM, Mukund Sivaraman wrote: > Hi Paul > > On Mon, Sep 28, 2015 at 02:36:25PM -0400, Paul Wouters wrote: > > On Mon, 28 Sep 2015, Paul Vixie wrote: > > > > >those things should also be done in the short term. > > > > > >but it's the internet. it'll

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Mukund Sivaraman
Hi Paul On Mon, Sep 28, 2015 at 02:36:25PM -0400, Paul Wouters wrote: > On Mon, 28 Sep 2015, Paul Vixie wrote: > > >those things should also be done in the short term. > > > >but it's the internet. it'll outlive us all. we ought to have a long > >term plan as well. > > It's called DNSSEC. Zone

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Mukund Sivaraman
Hi Robert On Mon, Sep 28, 2015 at 02:20:04PM -0400, Robert Edmonds wrote: > Mukund Sivaraman wrote: > > Hi Robert > > > > On Mon, Sep 28, 2015 at 01:30:28PM -0400, Robert Edmonds wrote: > > > 16 bits is an awful lot of space for the ALGORITHM field. Compare to > > > the DNSSEC algorithm number

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Paul Wouters
On Tue, 29 Sep 2015, Mukund Sivaraman wrote: On the other hand, DNSSEC requires signatures for each RRset bloating messages Just like TLS is bloating HTTP? :) Anyway, I'll explain with an example why DNSSEC is not sufficient to protect against DNS message modifications. Assume a company

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Mukund Sivaraman
Hi Paul On Tue, Sep 29, 2015 at 01:33:57AM -0400, Paul Wouters wrote: > On Tue, 29 Sep 2015, Mukund Sivaraman wrote: > > >On the other hand, DNSSEC requires signatures for each RRset bloating > >messages > > Just like TLS is bloating HTTP? :) TLS and HTTP are irrelevant here, no? The bloat by

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Paul Vixie
Mukund Sivaraman wrote: > Hi Paul > > On Mon, Sep 28, 2015 at 10:39:04AM -0400, Paul Wouters wrote: >> On Sun, 27 Sep 2015, Mukund Sivaraman wrote: >> >>> UDP has a header checksum that can notice message modification when in >>> use. Sometimes this may be 0 if the sender host did not generate a

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Evan Hunt
On Mon, Sep 28, 2015 at 09:56:38AM -0700, Paul Vixie wrote: > so i think there's good cause to add a DNS-level checksum even as we add > DNS-level cookies. +1 I would prefer to use checksum and cookies in parallel rather than have the checksum option recapitulate cookie functionality, though.

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Paul Vixie
Robert Edmonds wrote: > ... > > I am also curious why a cryptographic hash function (SHA-1) is needed > for this. Is a fast non-cryptographic checksum not suitable (e.g., > CRC-32C, which can be computed in hardware on x86 CPUs)? in currently theorized attacks, the udp checksum is fooled by

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Mukund Sivaraman
Hi Robert On Mon, Sep 28, 2015 at 01:30:28PM -0400, Robert Edmonds wrote: > 16 bits is an awful lot of space for the ALGORITHM field. Compare to > the DNSSEC algorithm number field, which is only 8 bits. Do you suggest changing it to 8 bits too? Mukund pgpB1vCaaZvZT.pgp

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Paul Hoffman
On 28 Sep 2015, at 11:25, Paul Vixie wrote: Robert Edmonds wrote: ... I am also curious why a cryptographic hash function (SHA-1) is needed for this. Is a fast non-cryptographic checksum not suitable (e.g., CRC-32C, which can be computed in hardware on x86 CPUs)? in currently theorized

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Paul Wouters
On Mon, 28 Sep 2015, Paul Vixie wrote: those things should also be done in the short term. but it's the internet. it'll outlive us all. we ought to have a long term plan as well. It's called DNSSEC. Paul ___ DNSOP mailing list DNSOP@ietf.org

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Robert Edmonds
Mukund Sivaraman wrote: > This is a new draft on DNS message checksums. I look forward to hearing > review comments. Hi, Mukund: 16 bits is an awful lot of space for the ALGORITHM field. Compare to the DNSSEC algorithm number field, which is only 8 bits. -- Robert Edmonds

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Robert Edmonds
Mukund Sivaraman wrote: > Hi Robert > > On Mon, Sep 28, 2015 at 01:30:28PM -0400, Robert Edmonds wrote: > > 16 bits is an awful lot of space for the ALGORITHM field. Compare to > > the DNSSEC algorithm number field, which is only 8 bits. > > Do you suggest changing it to 8 bits too? If you

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Paul Wouters
On Sun, 27 Sep 2015, Mukund Sivaraman wrote: UDP has a header checksum that can notice message modification when in use. Sometimes this may be 0 if the sender host did not generate a checksum. This draft adds one in the application layer alongside a nonce known to the client. Together they are

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-28 Thread Mukund Sivaraman
Hi Paul On Mon, Sep 28, 2015 at 10:39:04AM -0400, Paul Wouters wrote: > On Sun, 27 Sep 2015, Mukund Sivaraman wrote: > > >UDP has a header checksum that can notice message modification when in > >use. Sometimes this may be 0 if the sender host did not generate a > >checksum. This draft adds one

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-26 Thread Mukund Sivaraman
On Sun, Sep 27, 2015 at 12:45:52AM +0530, Mukund Sivaraman wrote: > > Abstract: > >This document describes a method for a client to be able to verify > >that IP-layer PDU fragments of a UDP DNS message have not been > >spoofed by an off-path attacker. The NONCE-COPY field seems

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-26 Thread Mukund Sivaraman
Hi Paul I'm CC'ing this reply to the dnsop@ list as it is relevant info for others to read too. So I've not quoted your email. UDP has a header checksum that can notice message modification when in use. Sometimes this may be 0 if the sender host did not generate a checksum. This draft adds one

Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

2015-09-26 Thread Mukund Sivaraman
Hi everybody On Sat, Sep 26, 2015 at 12:10:09PM -0700, internet-dra...@ietf.org wrote: > > A new version of I-D, draft-muks-dns-message-checksums-00.txt > has been successfully submitted by Mukund Sivaraman and posted to the > IETF repository. > > Name: draft-muks-dns-message-checksums