TCP for DNS security considerations

Slides:



Advertisements
Similar presentations
73rd IETF meeting, November 16-21, 2008
Advertisements

Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.
Security Assessment of the Internet Protocol version 4 (IPv4) draft-ietf-opsec-ip-security Fernando Gont project carried out on behalf of UK CPNI 76th.
Some insights about the recent TCP DoS (Denial of Service) vulnerabilities Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference.
Transmission Control Protocol (TCP)
On the implementation of TCP urgent data (draft-gont-tcpm-urgent-data) Fernando Gont & A. Yourtchenko 73rd IETF meeting, November 16-21, 2008 Minneapolis,
Network Security of Labnet ******. Introduction Test the network security of the servers on our Labnet domain Find Potential Weaknesses Find Security.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
Chapter 7 – Transport Layer Protocols
Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, Beijing, China.
Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.
Results of a security assessment of the TCP and IP protocols and common implementation strategies Fernando Gont project carried out on behalf of UK CPNI.
Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, Luxembourg.
Port randomization (draft-ietf-tsvwg-port-randomization) Michael Larsen & Fernando Gont 73rd IETF Meeting, November 16-21, 2008 Minneapolis, MN, USA.
Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, Luxembourg.
July 18th, th IETF Yokohama A Protocol for Anycast Address Resolving Shingo Ata, Osaka City University Hiroshi Kitamura,
Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.
ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006.
TCP/IP Essentials A Lab-Based Approach Shivendra Panwar, Shiwen Mao Jeong-dong Ryoo, and Yihan Li Chapter 5 UDP and Its Applications.
1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and i IKEv2 EAP authentication.
Security Assessment of the Transmission Control Protocol (TCP) (draft-ietf-tcpm-tcp-security-02.txt) Fernando Gont project carried out on behalf of UK.
Sockets process sends/receives messages to/from its socket
RTCWEB Considerations for NATs, Firewalls and HTTP proxies draft-hutton-rtcweb-nat-firewall- considerations A. Hutton, T. Stach, J. Uberti.
Session Traversal Utilities for NAT (STUN) IETF-92 Dallas, March 26, 2015 draft-ietf-tram-stunbis Marc Petit-Huguenin, Gonzalo Salgueiro.
EAP Applicability IETF-86 Joe Salowey. Open Issues Open Issues with Retransmission and re- authentication Remove text about lack of differentiation in.
Chapter 7: Transport Layer
UDP Socket Programming
Executive Director and Endowed Chair
Chapter 9: Transport Layer
Port Scanning James Tate II
Introduction to TCP/IP networking
Instructor Materials Chapter 9: Transport Layer
Transport Protocols Relates to Lab 5. An overview of the transport protocols of the TCP/IP protocol suite. Also, a short discussion of UDP.
Carles Gomez Universitat Politècnica de Catalunya (UPC)/Fundació i2cat
draft-ietf-simple-message-sessions-00 Ben Campbell
IP Router-Alert Considerations and usage
Cryptography and Network Security Chapter 16
PART 5 Transport Layer Computer Networks.
76th IETF meeting, November 8-13, 2009
TCP Transport layer Er. Vikram Dhiman LPU.
Magda El Zarki Professor, ICS UC, Irvine
Working at a Small-to-Medium Business or ISP – Chapter 7
draft-bagnulo-tcpm-generalized-ecn-00 M. Bagnulo & B. Briscoe IETF97
DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
ND-Shield: Protecting against Neighbor Discovery Attacks
Overview of Networking & Operating System Security
Client-Server Interaction
CCNA Introduction to Networking 5.0 Rick Graziani Cabrillo College
Working at a Small-to-Medium Business or ISP – Chapter 7
The IP, TCP, UDP protocols
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
Transport Protocols Relates to Lab 5. An overview of the transport protocols of the TCP/IP protocol suite. Also, a short discussion of UDP.
November 7-12, Beijing,China.
Working at a Small-to-Medium Business or ISP – Chapter 7
Computer Networking TCP/IP Part 2
IS 4506 Server Configuration (HTTP Server)
Transport Protocols An overview of the transport protocols of the TCP/IP protocol suite. Also, a short discussion of UDP.
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
CSC Advanced Unix Programming, Fall 2015
PART V Transport Layer.
PART 5 Transport Layer.
Binary Floor Control Protocol BIS (BFCPBIS)
project carried out on behalf of
draft-ietf-taps-transports-usage-03
Transport Layer 9/22/2019.
TCP Connection Management
TCB Control Block Sharing: 2140bis draft-ietf-tcpm-2140bis-00
TCP Maintenance and Minor Extensions (TCPM) Working Group Status
Presentation transcript:

TCP for DNS security considerations Fernando Gont project carried out on behalf of UK CPNI 76th IETF meeting, November 8-13, 2009 Hiroshima, Japan

What are the issues? TCP may be needed for DNS as a fall-back transport protocol when the answer to the query is large. Relying on TCP for DNS is going from stateless to stateful This opens the door to a number of Denial of Service vulnerabilities that are typical for a connection-oriented protocol: Connection-flooding attacks: Naptha, FIN-WAIT-2 flooding, etc. Send buffer issues: Netkill, closed windows, etc Receive buffer issues: holes in the data stream Blind attacks: that depend on predictable ISNs, ephemeral ports, etc. Overhead issues arising from connection establishment/teardown

Background needed to understand them “Security Assessment of the Transmission Control Protocol (TCP)”, published by UK CPNI, available at: http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf An IETF I-D version of the document is currently a TCPM WG item: draft-ietf-tcpm-tcp-security (but you probably want to look at draft-gont-tcp-security instead)

What alternatives exist? Go with larger UDP responses – this might lead to fragmentation… and fragmentation brings a lot of other issues (see draft-ietf-opsec-ip-security) Use some other connection-oriented protocol – probably with the same issues as TCP… (and additional issues for NAT traversal). A DNS-specific transport protocol? (e.g., draft-barwood-dnsext-dns-transport) Use a tuned/hardened TCP – i.e., configure TCP settings so that the aforementioned issues are less of an issue (better if much of the resiliency machinery is “built-in”).

Choices that need to be made If connection establishment/teardown is a concern, some might think (actually, *have* thought) about “persistent connections” (as in HTTP) Do they really make sense?? To minimize state at the DNS server, the client could be required to perform the active close. Otherwise (e.g., idle connection) the server resets (RST) it. How “liberal” we are with respect to the client behavior? Number of concurrent connections Idle-connections Connections in, e.g., FIN-WAIT-2 state, TIME-WAIT state, etc. Timing issues: RTO, closed windows, etc.

Possible way forward TCP for DNS tuning document? (in DNSEXT or DNSOP?) Update Section 4.2.2 (“TCP usage”) in RFC 1035 in a DNSEXT document? draft-ietf-dnsext-dns-tcp-requirements currently has *some* text on the subject Others?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.