[dns-operations] on fragmentation attacks

Colm MacCárthaigh colm at stdlib.net
Fri Sep 13 20:17:05 UTC 2013

You write that it takes 3x RTTs to exchange a question and an answer over
TCP. I think it takes 2x RTTs, simple as that. FIN plays no role in answer
termination; clients don't wait on a FIN to decide that an answer is
usable. You go on to write that servers following the specification don't
unilaterally close the connection, but that's at odds with your description
of the sequence of packets. (and even that "incorrect" sequence would not
require 2x RTTs, since the server could dispatch its FIN without waiting).

Although I think it is valid to argue that DNS TCP requires 3x RTTs if you
want to count the original question over UDP + the TC=1 response. But I
don't think that's what you are saying in the article. Am I interpreting it

On Fri, Sep 13, 2013 at 12:17 PM, Paul Vixie <paul at redbarn.org> wrote:

> fyi.
> -------- Original Message --------
> Subject: [ratelimits] "on the time value of security features in dns"
> Date: Fri, 13 Sep 2013 11:30:27 -0700
> From: Paul Vixie <vixie at fsi.io>
> To: ratelimits at lists.redbarn.org
> http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/
> --
> Paul Vixie
> Farsight Security
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits
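The RTT argument above rests on two wire-level facts: a TCP DNS message is delimited by a two-octet length prefix (RFC 1035 section 4.2.2), so a client knows the answer is complete without waiting for a FIN, and the fallback to TCP is triggered by the TC bit in the UDP response. The following Python is an added illustration, not code from this thread or from either author: it builds a minimal query, constructs sample UDP responses with and without TC=1, and reads a TCP-framed answer from a byte source without any dependence on connection teardown. `resolve_over_tcp` is an assumed helper name that performs the real exchange against a server of your choosing; the sample responses are constructed, not captured.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: client should retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(qname, qtype=1, txid=0x1234):
    """Wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, tc=False):
    """Constructed sample response: echoes the question, no answer records.
    With tc=True the TC bit is set, which is what a server returns when the
    full answer does not fit the UDP payload the client advertised."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + query[12:]


def is_truncated(response):
    """True when the TC bit is set; this is the signal to fall back to TCP."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


def frame_for_tcp(msg):
    """Prefix a DNS message with its 16-bit big-endian length for TCP transport."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exactly(recv, n):
    """Pull exactly n bytes from recv(n), tolerating short reads."""
    buf = b""
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full DNS message arrived")
        buf += chunk
    return buf


def read_tcp_message(recv):
    """Read one length-prefixed DNS message. Completion is decided by the
    length prefix alone; nothing here waits for the peer's FIN."""
    (length,) = struct.unpack("!H", _recv_exactly(recv, 2))
    return _recv_exactly(recv, length)


def bytes_source(data, max_chunk=None):
    """Return a recv(n)-style callable over an in-memory byte string, optionally
    dribbling at most max_chunk bytes per call to mimic fragmented delivery."""
    buf = bytearray(data)

    def recv(n):
        if max_chunk is not None:
            n = min(n, max_chunk)
        chunk = bytes(buf[:n])
        del buf[:n]
        return chunk

    return recv


def resolve_over_tcp(server, qname, timeout=3.0):
    """Assumed helper: one query/response over TCP. The handshake costs one RTT
    and the query/response one more; the client closes as soon as the
    length-delimited answer is in hand."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_for_tcp(build_query(qname)))
        return read_tcp_message(s.recv)


if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP reply truncated:", is_truncated(build_response(q, tc=True)))
    stream = bytes_source(frame_for_tcp(build_response(q)), max_chunk=1)
    print("TCP answer bytes:", len(read_tcp_message(stream)))
```

`read_tcp_message` deliberately raises rather than treating an early close as end-of-message: an answer that arrives without its full declared length is an error, and a client that accepted it would be trusting connection teardown, which is exactly the dependence the discussion above says does not exist.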
