draft-ietf-dnsop-cookies-03.txt   draft-ietf-dnsop-cookies-04.txt 
INTERNET-DRAFT Donald Eastlake INTERNET-DRAFT Donald Eastlake
Intended Status: Proposed Standard Huawei Intended Status: Proposed Standard Huawei
Mark Andrews Mark Andrews
ISC ISC
Expires: December 31, 2015 July 1, 2015 Expires: December 31, 2015 July 1, 2015
Domain Name System (DNS) Cookies Domain Name System (DNS) Cookies
<draft-ietf-dnsop-cookies-03.txt> <draft-ietf-dnsop-cookies-04.txt>
Abstract Abstract
DNS cookies are a lightweight DNS transaction security mechanism that DNS cookies are a lightweight DNS transaction security mechanism that
provides limited protection to DNS servers and clients against a provides limited protection to DNS servers and clients against a
variety of increasingly common denial-of-service and amplification / variety of increasingly common denial-of-service and amplification /
forgery or cache poisoning attacks by off-path attackers. DNS Cookies forgery or cache poisoning attacks by off-path attackers. DNS Cookies
are tolerant of NAT, NAT-PT, and anycast and can be incrementally are tolerant of NAT, NAT-PT, and anycast and can be incrementally
deployed. deployed.
skipping to change at page 4, line 25 skipping to change at page 4, line 25
This document describes DNS cookies, a lightweight DNS transaction This document describes DNS cookies, a lightweight DNS transaction
security mechanism specified as an OPT [RFC6891] option. The DNS security mechanism specified as an OPT [RFC6891] option. The DNS
cookies mechanism provides limited protection to DNS servers and cookies mechanism provides limited protection to DNS servers and
clients against a variety of increasingly common abuses by off-path clients against a variety of increasingly common abuses by off-path
attackers. It is compatible with and can be used in conjunction with attackers. It is compatible with and can be used in conjunction with
other DNS transaction forgery resistance measures such as those in other DNS transaction forgery resistance measures such as those in
[RFC5452]. [RFC5452].
The protection provided by DNS cookies is similar to that provided by The protection provided by DNS cookies is similar to that provided by
using TCP for DNS transactions. To bypass the weak protection using TCP for DNS transactions. To bypass the weak protection
provided by using TCP requires. among other things, that an off-path provided by using TCP requires, among other things, that an off-path
attacker guessing the 32-bit TCP sequence number in use. To bypass attacker guessing the 32-bit TCP sequence number in use. To bypass
the weak protection provided by DNS Cookies requires such an attacker the weak protection provided by DNS Cookies requires such an attacker
to guess a 64-bit pseudo-random "cookie" quantity. Where DNS Cookies to guess a 64-bit pseudo-random "cookie" quantity. Where DNS Cookies
are not available but TCP is, falling back to using TCP is are not available but TCP is, falling back to using TCP is
reasonable. reasonable.
If only one party to a DNS transaction supports DNS cookies, the If only one party to a DNS transaction supports DNS cookies, the
mechanism does not provide a benefit or significantly interfere; but, mechanism does not provide a benefit or significantly interfere; but,
if both support it, the additional security provided is automatically if both support it, the additional security provided is automatically
available. available.
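Review bot: the comma fix in the second sentence of this block ("requires, among other things, that an off-path attacker guessing the 32-bit TCP sequence number in use") still leaves the clause ungrammatical; "guessing" should read "guess" so that it parallels the following sentence ("requires such an attacker to guess a 64-bit pseudo-random "cookie" quantity"). Suggested wording: "To bypass the weak protection provided by using TCP requires, among other things, that an off-path attacker guess the 32-bit TCP sequence number in use."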
skipping to change at page 5, line 17 skipping to change at page 5, line 17
Section 7 discusses incremental deployment considerations. Section 7 discusses incremental deployment considerations.
Sections 8 and 9 describe IANA and Security Considerations. Sections 8 and 9 describe IANA and Security Considerations.
1.2 Definitions 1.2 Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
"Off-path attacker", for a particular DNS client and server, is "Off-path attacker", for a particular DNS client and server, is
defined as an attacker who cannot observe the DNS request and defined as an attacker who cannot observe the DNS request and
response messages between that client and server. response messages between that client and server.
"Soft state" indicates information learned or derived by a host which "Soft state" indicates information learned or derived by a host which
may be discarded when indicated by the policies of that host may be discarded when indicated by the policies of that host
but can be later re-instantiated if needed. For example, it but can be later re-instantiated if needed. For example, it
could be discarded after a period of time or when storage for could be discarded after a period of time or when storage for
caching such data becomes full. If operations requiring that caching such data becomes full. If operations requiring that
soft state continue after it has been discarded, it will be soft state continue after it has been discarded, it will be
automatically re-generated, albeit at some cost. automatically re-generated, albeit at some cost.
skipping to change at page 16, line 11 skipping to change at page 16, line 11
This mechanism can also be used to confirm/re-establish a existing This mechanism can also be used to confirm/re-establish a existing
Server Cookie by sending a cached Server Cookie with the Client Server Cookie by sending a cached Server Cookie with the Client
Cookie. In this case the response SHALL have the RCODE BADCOOKIE if Cookie. In this case the response SHALL have the RCODE BADCOOKIE if
the Server Cookie sent with the query was invalid and the RCODE the Server Cookie sent with the query was invalid and the RCODE
NOERROR if it was valid. NOERROR if it was valid.
Servers which don't support the COOKIE option will normally send Servers which don't support the COOKIE option will normally send
FORMERR in response to such a query, though REFUSED and NOTIMP are FORMERR in response to such a query, though REFUSED, NOTIMP, and
also possible in such responses. NOERROR without a COOKIE option are also possible in such responses.
5.5 Client and Server Secret Rollover 5.5 Client and Server Secret Rollover
Clients and servers MUST NOT continue to use the same secret in new Clients and servers MUST NOT continue to use the same secret in new
requests and responses for more than 36 days and SHOULD NOT continue requests and responses for more than 36 days and SHOULD NOT continue
to do so for more than 26 hours. Many clients rolling over their to do so for more than 26 hours. Many clients rolling over their
secret at the same time could briefly increase server traffic and secret at the same time could briefly increase server traffic and
exactly predictable rollover times for clients or servers might exactly predictable rollover times for clients or servers might
facilitate guessing attacks. For example, an attacker might increase facilitate guessing attacks. For example, an attacker might increase
the priority of attacking secrets they believe will be in effect for the priority of attacking secrets they believe will be in effect for
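Review bot: adding "NOERROR without a COOKIE option" to the list of responses from servers that do not support the option (end of the paragraph before Section 5.5) introduces an ambiguity with the preceding paragraph, which makes NOERROR the response that confirms a valid cached Server Cookie. The text should state explicitly that a client treats the Server Cookie as confirmed only when the NOERROR response also carries a COOKIE option, and that a NOERROR response with no COOKIE option indicates lack of support rather than confirmation. Separately, "confirm/re-establish a existing Server Cookie" should read "an existing Server Cookie".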
 End of changes. 4 change blocks. 
5 lines changed or deleted 5 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/