Re: [Asrg] DNS over SCTP
In your previous mail you wrote:
=> I keep this because your answer is not about this...
> I don't understand your argument: it seems to apply to UDP over SCTP
> but here we have SCTP over UDP. BTW the easiest way to convert DNS
> over UDP into DNS over SCTP is to use an ALG (application layer
> gateway) which in the DNS is known as a caching server (such servers
> are already used to provide IPv4/IPv6 transport conversion).
> The goal is to apply the SCTP protocol as a means to better protect
> DNS from source spoofing, resource exhaustion, reflected attack
> exploitation, and increased latency.
=> not only is this very arguable (for instance about the resource
exhaustion), but no hop-by-hop/channel security, even something as
strong as TSIG, can provide what we need, i.e., end-to-end/object
security (*).
Regards
Francis.Dupont at fdupont.fr
PS (*): I use the common meaning of end-to-end, not Masataka Ohta's one.