<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
This is essentially an IP packet modification vulnerability and in order<br> to do these, you don't even need fragmentation. This might happen even<br> due to malfunctioning network adapter or other network device, not<br>
necessarily an "attack". One of the reasons for DNSSEC existence is to<br> prevent processing of "damaged" DNS data, with malicious origin or not.<br>
If you are concerned with improperly assembled IP packets, the DNS<br> community is the wrong place to ask for a fix. The DNS community can<br> only make sure "their" protocol takes care of such issues, and issues<br>
like this are totally addressed by technologies such as DNSSEC, TSIG<br> etc. But the fundamental "fix" for this issue has to happen in the<br> TCP/IP stack.</blockquote></div><div class="gmail_extra"><div><br>
</div><div><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif">IP does not, and was not designed to, guarantee security - only best effort end-to-end delivery. The discussion was if Eastlake cookies can prevent the attacks: the example I showed was a legitimate way to apply IP fragmentation (which is a feature of IP - it is not a bug) to foil the protection offered by Eastlate cookies and to inject spoofed content into the DNS response (despite the use of Eastlake cookies for protection). This should be of interest to DNS community, unless you argue that the DNS community should rely on IP layer for security of DNS.</div>
<br></div><div><br></div>-- <br><div dir="ltr"><p style="margin:0cm 0cm 0.0001pt"><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.545454025268555px">Best Regards,</span></font></p><p style="margin:0cm 0cm 0.0001pt">
<font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.545454025268555px">Haya Shulman</span></font></p><p style="margin:0cm 0cm 0.0001pt"><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.545454025268555px">Technische Universität Darmstadt</span></font></p>
<p style="margin:0cm 0cm 0.0001pt"><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.545454025268555px">FB Informatik/EC SPRIDE</span></font></p><p style="margin:0cm 0cm 0.0001pt"><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.545454025268555px">Mornewegstr. 30</span></font></p>
<p style="margin:0cm 0cm 0.0001pt"><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.545454025268555px">64293 Darmstadt</span></font></p><p style="margin:0cm 0cm 0.0001pt"><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.545454025268555px">Tel. <a href="tel:%2B49%206151%2016-75540" value="+4961511675540" target="_blank">+49 6151 16-75540</a></span></font></p>
<p style="margin:0cm 0cm 0.0001pt"><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.545454025268555px"><a href="http://www.ec-spride.de" target="_blank">www.ec-spride.de</a></span></font></p></div>
</div></div>