Re: DNS over SCTP (was: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 In your previous mail you wrote:

   I thought TCP was the default when the UDP message size is not enough. 

=> with EDNS0 this is a bit more complex but IMHO this is the idea.
Note the recommended "connection management" (RFC 1025 4.2.2) suggests
multiple queries/responses too.

   That's, AFAIK, the only advantage of TCP over SCTP: it's already in 
   place and ready. (Yes, one needs to run firewalls and all that stuff.)
   
=> this is not a new idea but today no server or resolver implementation
supports DNS over SCTP.
I have a lot of sympathy for SCTP but for DNS we need a transaction
oriented transport, i.e., something more secure than simple stateless
query/response over UDP but without the overhead of opening and closing
TCP connections. This is a very old idea, cf. RFC 955, but as far as
I know this is still an open problem. If I am wrong (I'd like to be :-)
please request a BoF in the transport area ASAP!

   > A single SCTP connection can support thousands of simultaneous streams,
   
   I agree SCTP is better, and it's been around for nearly a decade now. 

=> IMHO it is far less than 10 years but arguing about this point is
out of topic.

   Yet, for those who miss it, good old TCP allows, say, a client to hold 
   a couple of connections to its favorite resolver in order to avoid 
   many of the threats illustrated by Kaminsky...
   
=> TCP is very expensive in terms of resources for the server and
TCP is still vulnerable to in-the-path attacks.

   > There is also OS support for UDP 
   > tunneling of SCTP when supporting legacy NATs and firewalls.  Until 
   > there is an significant incentive to make DNS more robust, use of SCTP 
   > is likely to remain just a good and under appreciated option.
   
   It seems that DNS over SCTP would solve 90% of the problems with 10% 
   of the efforts and resources required to implement DNSSEC. However, I 
   hear more often about the latter than the former. How come?
   
=> DNSSEC is the only available solution which solves the problems.
Others are not available (no specification published in a standard
track RFC or simply unfeasible) or don't address the problems
(hop-by-hop security for instance, when end-to-end is needed).
Both TCP and SCTP are in the others today...

Regards

Francis.Dupont@xxxxxxxxxx
_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]