[Yeti DNS Discuss] ipv6 root name service discussed (gih blog)
Otmar Lendl
ol at bofh.priv.at
Mon Dec 12 10:05:33 UTC 2016
On 12.12.2016 10:23, Paul Vixie wrote:
>
> the state-retention cost's attack vector is the same as for TCP SYN
> flooding, where a packet with a spoofed IP source address can cause the
> victim to store too much information (too many TCP PCB's, in the SYN
> flood case; or too many fragmentation-necessary routing elements, in the
> ICMPv6 PTB case). the management of such overload could lead to crashes,
> or being unable to add new state for valid (non-attack)
> fragmentation-eligible flows, or causing high rates of LRU purges such
> that valid (non-attack) state is removed too soon to have the desired
> effect on the valid (non-attack) flows.
In the TCP case, the incoming ICMPv6 PTBs can be sanity-checked.
In the UDP case, it's not that simple. Check if the source port is still
an assigned port? That's pretty thin, and in the case of a DNS server
trivially true.
A quick search on this issue found surprisingly little. One is this
thread on the ietf ipv6 list:
https://www.ietf.org/mail-archive/web/ipv6/current/msg23811.html
The referenced rfc5927 seems to focus on forged PTBs on the TCP
implementation, and not on the number of routing elements.
Also https://tools.ietf.org/html/draft-ietf-6man-rfc1981bis-03 in its
Security Considerations is only focusing on degrading a single flow.
Who takes this concern to those authors? IMHO they should discuss this
in rfc1981bis.
otmar
--
-=- Otmar Lendl -- ol at bofh.priv.at -- http://lendl.priv.at/ -=-
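An added illustration of the distinction drawn above (example code, not from the thread or any Yeti component): a receiver that validates an ICMPv6 PTB against local state before acting on it. For TCP the quoted segment is checked against a live connection and its send window (the RFC 5927 style of check); for UDP all that can be checked is that the quoted source port is bound, so the PMTU cache is additionally capped with LRU eviction to bound the state a spoofed-PTB flood can force. The addresses, connection table, and PTB bodies below are constructed for the example.

```python
import struct
import ipaddress
from collections import OrderedDict

IPV6_MIN_MTU = 1280   # no IPv6 link may have a smaller MTU, so smaller values are bogus
NH_TCP, NH_UDP = 6, 17

def build_ptb(mtu, nh, src, sport, dst, dport, seq=0):
    """Constructed ICMPv6 PTB body (after the 4-byte ICMPv6 header):
    MTU field, quoted IPv6 header, and the first 8 bytes of the quoted L4 header."""
    ip6 = (struct.pack("!IHBB", 0x60000000, 8, nh, 64)
           + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return struct.pack("!I", mtu) + ip6 + struct.pack("!HHI", sport, dport, seq)

class PmtuCache:
    """Per-destination PMTU cache: PTBs are validated against local state, and
    the cache is bounded so spoofed PTBs cannot grow it without limit."""
    def __init__(self, tcp_conns, udp_ports, max_entries=1024):
        self.tcp_conns = tcp_conns   # {(src, sport, dst, dport): (snd_una, snd_nxt)} live TCP connections
        self.udp_ports = udp_ports   # set of locally bound UDP ports, the only UDP state a server has
        self.max_entries = max_entries
        self.cache = OrderedDict()   # dst -> mtu, kept in LRU order

    def accept_ptb(self, body):
        if len(body) < 4 + 40 + 8:
            return False, "truncated"
        (mtu,) = struct.unpack("!I", body[:4])
        if mtu < IPV6_MIN_MTU:
            return False, "mtu below IPv6 minimum"
        inner = body[4:]
        nh = inner[6]
        src = str(ipaddress.IPv6Address(inner[8:24]))
        dst = str(ipaddress.IPv6Address(inner[24:40]))
        sport, dport, seq = struct.unpack("!HHI", inner[40:48])
        if nh == NH_TCP:
            window = self.tcp_conns.get((src, sport, dst, dport))
            if window is None:
                return False, "no such TCP connection"
            snd_una, snd_nxt = window
            if not snd_una <= seq < snd_nxt:   # quoted segment must actually be in flight
                return False, "TCP seq outside send window"
        elif nh == NH_UDP:
            if sport not in self.udp_ports:    # thin check; trivially true for a DNS server on 53
                return False, "UDP source port not bound"
        else:
            return False, "unsupported protocol"
        if dst in self.cache:
            self.cache.move_to_end(dst)
        elif len(self.cache) >= self.max_entries:
            self.cache.popitem(last=False)     # evict LRU entry: state stays bounded under a flood
        self.cache[dst] = mtu
        return True, "accepted"
```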