Re: dns-0x20.txt
[ Moderator's note: Post was moderated, either because it was posted by
a non-subscriber, or because it was over 20K.
With the massive amount of spam, it is easy to miss and therefore
delete relevant posts by non-subscribers.
Please fix your subscription addresses. ]
On Tue, Mar 11, 2008 at 11:12:44PM -0400, Edward Lewis wrote:
> An off-hand comment, this doesn't do a whole lot for the reverse map.
> (Unless I am missing something.) It doesn't hurt though. Probably a
> mention in the security section on that topic.
Thanks for this note. My original thinking focused on plain vanilla
IN A poisoning, but attacking the reverse of course has uses for
.rhosts mischief and gaming anti-spam rule engines. I've been
measuring the average distribution of [A-Za-z] in A, NS, MX, etc., to
see how much entropy DNS-0x20 gains, more or less. To this, I'll add
the fixed values for reverse. Thanks for the suggestion.
You're correct, the benefits can be modest--just a few bits in the
worst case. However, the upside of course is that each [A-Za-z]
character in a label increases the search space for poisoning based on
random guessing. [Insert here the usual disclaimer about
attackers-doing-better-than-guessing and weak sources of random
numbers, etc.] If one uses both the ID field and port field, < 2^{32}
(if reserved ports are excluded), each additional 0x20 bit doubles the
search space for the attacker. (Again, this assumes an equally strong
random source is used for all three sources of entropy.)
The question "When is there enough entropy to be safe?" always has a
subjective answer, and I think we'd all like something much larger
than 2^{40ish}. Exponential growth is punishing above a threshold and
DNS-0x20, while not the cure, does get one closer.
We do have the incongruous result where "important" domains (or
however we describe them) are "weaker" (or however we characterize it)
than less important domains. But for every "Entropy(licensing.disney.com)
>> Entropy(irs.gov)" example, you'll find several .museum domains that
are better off than .tv domains because of DNS-0x20. And so maybe
there's some justice after all. :)
Re: the lack of harm: I'm not aware of any applications monitoring
recursive-to-authority traffic that would be negatively affected by
0x20 flipping. (And if such IDS or mark protection equipment
triggered on anomalous variations in upper/lower case, I think we can
say they made bad assumptions.) I am interested in hearing otherwise,
if anyone comes across an example.
--
David Dagon               /"\                          "When cryptography
dagon@cc.gatech.edu       \ /   ASCII RIBBON CAMPAIGN   is outlawed, bayl
Ph.D. Student              X    AGAINST HTML MAIL       bhgynjf jvyy unir
Georgia Inst. of Tech.    / \                           cevinpl."
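A worked example of the entropy accounting discussed in the message above (ID field plus source port plus one 0x20 bit per [A-Za-z] octet, and the fixed contribution of the reverse map). This is an added illustration, not code from David Dagon's reply or from the dns-0x20 draft; it assumes the resolver excludes the 1024 reserved ports from its source-port pool, and the names fed to it are made-up inputs.

```python
"""Entropy accounting for DNS-0x20 query-name case randomisation.

Added illustration, not code from the dns-0x20 draft or the list thread.
USABLE_PORTS assumes ports 0-1023 are excluded from the source-port pool;
the query names used below are constructed examples.
"""
import math
import random
from typing import Optional

ID_BITS = 16                   # 16-bit transaction ID (RFC 1035)
USABLE_PORTS = 65536 - 1024    # assumption: reserved ports 0-1023 never used as source


def alpha_count(name: str) -> int:
    """Count the [A-Za-z] octets in a name; each one is a 0x20 bit the spoofer must guess."""
    return sum(1 for c in name if c.isascii() and c.isalpha())


def search_space_bits(name: str, use_port: bool = True) -> float:
    """log2 of the space a blind spoofer must cover: ID, optional source port, 0x20 bits.

    Assumes all three sources are drawn from an equally strong RNG, as the
    message above caveats; each extra letter adds exactly one bit.
    """
    bits = ID_BITS + alpha_count(name)
    if use_port:
        bits += math.log2(USABLE_PORTS)
    return bits


def encode_0x20(name: str, mask: Optional[int] = None, rng=None) -> str:
    """Apply a case mask to the letters of a query name, leaving digits and dots alone.

    Bit i of ``mask`` (LSB first) selects upper case for the i-th letter.  When
    ``mask`` is None a fresh random mask is drawn from ``rng`` (default: the OS
    RNG), which is what a 0x20-capable resolver does per outgoing query.
    """
    n = alpha_count(name)
    if mask is None:
        mask = (rng or random.SystemRandom()).getrandbits(n) if n else 0
    out, i = [], 0
    for c in name:
        if c.isascii() and c.isalpha():
            out.append(c.upper() if (mask >> i) & 1 else c.lower())
            i += 1
        else:
            out.append(c)
    return "".join(out)


def response_accepted(sent_qname: str, received_qname: str) -> bool:
    """Resolver-side check: the QNAME echoed in the reply must match the case
    pattern that was sent byte for byte.  A forged reply that matches only
    case-insensitively is dropped; that is the entire effect of 0x20."""
    return sent_qname == received_qname


def reverse_name_bits(ip: str) -> int:
    """0x20 bits available for an IPv4 reverse lookup.  The octets carry no
    letters, so only the fixed 'in-addr.arpa' suffix contributes (10 bits)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return alpha_count(".".join(reversed(octets)) + ".in-addr.arpa")


if __name__ == "__main__":
    for qname in ("irs.gov", "licensing.disney.com", "www.example.museum"):
        print(f"{qname:24s} 0x20 bits={alpha_count(qname):2d} "
              f"total={search_space_bits(qname):.2f} bits")
    print("reverse lookup 0x20 bits:", reverse_name_bits("192.0.2.1"))
    sent = encode_0x20("irs.gov")
    forged = sent.swapcase()   # right name, wrong case pattern
    print("sent:", sent, "genuine accepted:", response_accepted(sent, sent),
          "forged accepted:", response_accepted(sent, forged))
```

`search_space_bits` makes the "each additional 0x20 bit doubles the search space" point concrete: the bit count is additive, so the space is multiplicative. `reverse_name_bits` shows why the reverse map gains a fixed amount regardless of the address looked up. Note that `response_accepted` requires the authority to echo the question section unchanged; a server that rewrites case would cause legitimate answers to be rejected.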
--
archive: <http://ops.ietf.org/lists/namedroppers/>