rfcdiff: draft-ietf-dnsop-cookies-06.txt (old) vs. draft-ietf-dnsop-cookies-07.txt (new)

INTERNET-DRAFT                                          Donald Eastlake
Intended Status: Proposed Standard                               Huawei
                                                           Mark Andrews
                                                                    ISC
Expires: April 18, 2016 (-06) / May 1, 2016 (-07)
Dated:   October 19, 2015 (-06) / November 2, 2015 (-07)

                    Domain Name System (DNS) Cookies
                    <draft-ietf-dnsop-cookies-06.txt> (old)
                    <draft-ietf-dnsop-cookies-07.txt> (new)
Abstract (unchanged between -06 and -07)

   DNS cookies are a lightweight DNS transaction security mechanism that
   provides limited protection to DNS servers and clients against a
   variety of increasingly common denial-of-service and amplification /
   forgery or cache poisoning attacks by off-path attackers. DNS Cookies
   are tolerant of NAT, NAT-PT, and anycast and can be incrementally
   deployed.
[skipping to change at page 6, line 22]

   answer forgery.

2.1 Denial-of-Service Attacks

   The typical form of the denial-of-service attacks considered herein
   is to send DNS requests with forged source IP addresses to a server.
   The intent can be to attack that server or some other selected host
   as described below.

   [-06]
   There are also on-path denial of service attacks that attempt to
   saturate a server with DNS requests having correct souce addresses.
   Cookies do not protect against such attacks but successful cookie
   validation improves the probablity that the correct source IP address
   for the requests is known. This facilitates contacting the managers
   of or taking other actions for the networks from which the requests
   originate.

   [-07]
   There are also on-path denial of service attacks that attempt to
   saturate a server with DNS requests having correct source addresses.
   Cookies do not protect against such attacks but successful cookie
   validation improves the probability that the correct source IP
   address for the requests is known. This facilitates contacting the
   managers of or taking other actions for the networks from which the
   requests originate.

2.1.1 DNS Amplification Attacks

   A request with a forged IP source address generally causes a response
   to be sent to that forged IP address. Thus the forging of many such
   requests with a particular source IP address can result in enough
   traffic being sent to the forged IP address to interfere with service
   to the host at the IP address. Furthermore, it is generally easy in
   the DNS to create short requests that produce much longer responses,
   thus amplifying the attack.
[skipping to change at page 11, line 19]

   The Client Cookie SHOULD be a pseudo-random function of the server IP
   address and a secret quantity known only to the client. This client
   secret SHOULD have at least 64 bits of entropy [RFC4086] and be
   changed periodically (see Section 5.5). The selection of the pseudo-
   random function is a matter private to the client as only the client
   needs to recognize its own DNS cookies.

   For further discussion of the Client Cookie field, see Section 5.1.
   For example methods of determining a Client Cookie, see Appendix A.

   [-06]
   In order to provide minimal authentication, a client MUST send client
   COOKIEs that will usually be different for any two servers at
   different IP addresses.

   [-07]
   In order to provide minimal authentication, a client MUST send Client
   Cookies that will usually be different for any two servers at
   different IP addresses.

4.2 Server Cookie

   The Server Cookie SHOULD consist of or include a 64-bit or larger
   pseudo-random function of the request source IP address, the request
   Client Cookie, and a secret quantity known only to the server. (See
   Section 6 for a discussion of why the Client Cookie is used as input
   to the Server Cookie but the Server Cookie is not used as an input to
   the Client Cookie.) This server secret SHOULD have at least 64 bits
   of entropy [RFC4086] and be changed periodically (see Section 5.5).
   The selection of the pseudo-random function is a matter private to
   the server as only the server needs to recognize its own DNS cookies.

   For further discussion of the Server Cookie field see Section 5.2.
   For example methods of determining a Server Cookie, see Appendix B.

   [-06]
   In order to provide minimal authentication, a server MUST send server
   COOKIEs that will usually be different for clients at any two
   different IP addresses or with different client COOKIEs.

   [-07]
   In order to provide minimal authentication, a server MUST send Server
   Cookies that will usually be different for clients at any two
   different IP addresses or with different Client Cookies.
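The Client Cookie and Server Cookie constructions of Sections 4.1 and 4.2, as an added Python example that is not taken from the draft or its appendices; HMAC-SHA256 truncated to 64 bits is an assumed choice of pseudo-random function, and accepting the previous server secret alongside the current one during rollover is an assumed policy, not text from the draft.

```python
import hashlib
import hmac
import ipaddress

COOKIE_LEN = 8  # 64 bits, the minimum size the draft asks for in both cookies


def _prf(secret: bytes, *parts: bytes) -> bytes:
    # Assumed pseudo-random function: HMAC-SHA256 truncated to 64 bits. The
    # draft leaves the choice to each party, since only the party that
    # generated a cookie ever needs to recognize it.
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()[:COOKIE_LEN]


def client_cookie(client_secret: bytes, server_ip: str) -> bytes:
    """Section 4.1: PRF of the server IP address and a client-only secret,
    so that cookies differ for any two servers at different addresses."""
    return _prf(client_secret, ipaddress.ip_address(server_ip).packed)


def server_cookie(server_secret: bytes, source_ip: str, c_cookie: bytes) -> bytes:
    """Section 4.2: PRF of the request source IP address, the request's
    Client Cookie and a server-only secret."""
    return _prf(server_secret, ipaddress.ip_address(source_ip).packed, c_cookie)


def server_validates(server_secrets, source_ip: str, c_cookie: bytes,
                     s_cookie: bytes) -> bool:
    """Check the Server Cookie carried in an incoming request.

    server_secrets lists the current secret first and (assumed policy) the
    previous one second, so a periodic secret change (Section 5.5) does not
    reject clients still holding a cookie minted under the old secret.
    Returns True when the request's source address counts as validated; a
    request forged from another address, or carrying a different Client
    Cookie, fails because both values are inputs to the PRF."""
    for secret in server_secrets:
        expected = server_cookie(secret, source_ip, c_cookie)
        if hmac.compare_digest(expected, s_cookie):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample secrets and addresses for a stand-alone run.
    c_secret, s_secret = b"client-secret-example", b"server-secret-example"
    cc = client_cookie(c_secret, "192.0.2.53")
    sc = server_cookie(s_secret, "198.51.100.7", cc)
    print("genuine source validated:", server_validates([s_secret], "198.51.100.7", cc, sc))
    print("forged source validated: ", server_validates([s_secret], "203.0.113.9", cc, sc))
```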
INTERNET-DRAFT                                              DNS Cookies

5. DNS Cookies Protocol Specification

   This section discusses using DNS Cookies in the DNS Protocol. The
   cycle of originating a request, responding to that request, and
   processing the response are covered in Sections 5.1, 5.2, and 5.3. A
   de facto extension to QUERY to allow pre-fetching a Server Cookie is
   specified in Section 5.4. Rollover of the client and server secrets
End of changes. 6 change blocks. 12 lines changed or deleted, 12 lines changed or added.

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/