Re: DNS over SCTP

Stephane Bortzmeyer wrote:
> On Thu, May 28, 2009 at 04:16:31PM +0200,
> Alessandro Vesely <vesely@xxxxxxx> wrote a message of 14 lines which said:
>
>> The discussion was about how to get rid of the threats illustrated, e.g., in Kaminsky, D.: "It's the end of the cache as we know it."
>
> I know about the Kaminsky bug, the WG "DNS operations" and "DNS
> extensions" spent a lot of time on it. Please do not restate the
> basics and explain why SCTP (or TCP) can be compared with DNSSEC
> since, as I said, DNSSEC provides *object* security and TCP (or SCTP)
> can only provide a limited *channel* security.

I don't trust the data because it is signed, I trust it because the signature proves that it originated from the authoritative server. Therefore, if I'm connected with the authoritative server over a trusted channel, I can trust the data even if it isn't signed. By induction, if a resolver only uses either signed data or trusted channels, I can trust it.

After all, cryptography just provides trusted channels of their own kind. The comparison involves the security features of those two kinds of channels.

The limitations in TCP or SCTP security stem from an attacker's ability to compromise one or more routers, so as to either tamper with the packets on the fly, or redirect them to some other host. That's much more difficult than forging the source address of a UDP packet, though.
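The object-versus-channel distinction in the two posts above can be made concrete with a small model. The following is an added example, not code from the thread or from any DNS implementation: an HMAC stands in for a DNSSEC RRSIG, each hop on the path from the authoritative server to the final resolver records its transport, and (following the posts' framing, which is an assumption of the model) TCP/SCTP count as a trusted channel while UDP does not. A hop marked `on_path` models the router compromise Alessandro describes, where even a TCP/SCTP hop can be tampered with. The `Hop`, `deliver`, `accept` and `resolve` names are all constructed for this example.

```python
"""Toy model of object security (a signature on the data) versus channel
security (trust in every transport hop) for DNS answers.
Constructed example: not real DNS, not real DNSSEC."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a symmetric key stands in for the zone's DNSSEC signing key,
# so `sign` plays the role of producing an RRSIG and `verify` of validating it.
ZONE_KEY = b"constructed-zone-key"

# Assumption taken from the thread's framing: TCP and SCTP give a (limited)
# trusted channel, UDP does not because its source address is trivially forged.
TRUSTED_TRANSPORTS = {"tcp", "sctp"}


def sign(rrset: str) -> str:
    """Stand-in for signing an RRset with the zone key."""
    return hmac.new(ZONE_KEY, rrset.encode(), hashlib.sha256).hexdigest()


def verify(rrset: str, sig: str) -> bool:
    """Stand-in for DNSSEC validation of an RRset against its signature."""
    return hmac.compare_digest(sign(rrset), sig)


@dataclass
class Hop:
    name: str                      # the resolver that receives the answer on this hop
    transport: str                 # transport used on this hop: "udp", "tcp" or "sctp"
    injected: Optional[str] = None # rrset an attacker tries to substitute on this hop
    on_path: bool = False          # attacker controls a router on this hop


def deliver(rrset: str, sig: Optional[str], path: List[Hop]) -> Tuple[str, Optional[str]]:
    """Carry an answer along the path. An attacker can substitute the data on a
    hop whose transport is untrusted, or on any hop where they sit on the path.
    The signature, if present, is carried through unchanged."""
    for hop in path:
        if hop.injected is not None and (hop.transport not in TRUSTED_TRANSPORTS or hop.on_path):
            rrset = hop.injected
    return rrset, sig


def accept(rrset: str, sig: Optional[str], path: List[Hop]) -> bool:
    """The trust rule from the thread: signed data is trusted on its own
    (object security, independent of the path); unsigned data is trusted only
    if every hop used a trusted channel (channel security, hop by hop)."""
    if sig is not None:
        return verify(rrset, sig)
    return all(hop.transport in TRUSTED_TRANSPORTS for hop in path)


def resolve(answer: str, signed: bool, path: List[Hop]) -> Tuple[str, bool]:
    """Return (data as received by the final resolver, whether it is accepted)."""
    sig = sign(answer) if signed else None
    received, sig = deliver(answer, sig, path)
    return received, accept(received, sig, path)


if __name__ == "__main__":
    # Constructed sample data: a genuine answer and an attacker's substitute.
    answer = "example.test. A 192.0.2.1"
    poison = "example.test. A 203.0.113.9"
    udp_last_hop = [Hop("forwarder", "tcp"), Hop("stub", "udp", injected=poison)]
    compromised = [Hop("forwarder", "tcp", injected=poison, on_path=True), Hop("stub", "sctp")]
    print("unsigned, UDP hop:      ", resolve(answer, False, udp_last_hop))
    print("signed, UDP hop:        ", resolve(answer, True, udp_last_hop))
    print("unsigned, on-path tamper:", resolve(answer, False, compromised))
    print("signed, on-path tamper:  ", resolve(answer, True, compromised))
```

The two runs over `compromised` are the point of the model: with channel security alone, an all-TCP path still accepts poisoned data once one router on it is compromised, whereas the signed answer is rejected regardless of which hop was tampered with. The `udp_last_hop` runs show the other half of the argument, that unsigned data arriving over any UDP hop cannot be trusted even when the rest of the path was TCP.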

_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
