Network Working Group                                          W. Kumari
Internet-Draft                                                    Google
Intended status: Informational                                 R. Arends
Expires: August 30, 2012                                         Nominet
                                                       February 27, 2012

                               EDNS Echo
                     draft-wkumari-dnsext-echo-00

Abstract

   This document describes a DNS protocol extension that allows
   arbitrary data to be inserted into a DNS request and have that same
   data returned, unchanged, in the DNS reply.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 30, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements notation
   2.  Use cases
     2.1.  Increasing the size of the ID space
   3.  ECHO Option format
     3.1.  Presentation format
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Changes / Author Notes
   Authors' Addresses

1.  Introduction

   RFC 2671 [RFC2671] specifies an extension mechanism for DNS (EDNS0).
   This document describes an EDNS option that allows arbitrary data to
   be inserted into a DNS request and have that same data returned in
   the DNS reply.  This functionality can be used to increase the
   effective size of the ID field ([RFC1035], Section 4.1.1) and to aid
   in diagnostics.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Use cases

2.1.  Increasing the size of the ID space

   The Header section of the DNS message format contains a 16-bit ID
   field (see [RFC1035], Section 4.1.1).  This field is used to match
   replies to their queries.  An attacker who is able to predict this
   field may be able to spoof a reply and perform a DNS cache poisoning
   attack.  By inserting unpredictable data into the ECHO OPTION-DATA of
   a query, and checking that exactly the same data is returned in the
   response, an iterative resolver can protect itself against this type
   of attack.  Note that the resolver needs additional steps to protect
   against a downgrade attack: a forged reply that simply omits the ECHO
   option must not be accepted in place of one that echoes the data.
   This technique does not protect against a man-in-the-middle attack,
   since an on-path attacker sees the query and can copy the option into
   a forged reply.

   To avoid maintaining additional state for each query, the sender can
   generate the ECHO OPTION-DATA algorithmically.  As an example, it
   could generate this data field by calculating a hash over the
   concatenation of various fields (such as the QNAME and the ID field)
   and a secret (in practice a keyed hash such as an HMAC), and repeat
   the same calculation on the reply to check the echoed value.

3.
ECHO Option format

   The OPTION-CODE for the ECHO option is TBD.

   The OPTION-DATA for the ECHO option is an opaque byte string, the
   semantics of which are deliberately left outside the protocol.

   The OPTION-DATA only has meaning to the sender.  The software that
   generates the response, and any intermediate device, SHOULD NOT try
   to infer anything from the data; it is returned byte for byte.

3.1.  Presentation format

   User interfaces MUST read and write the contents of the ECHO option
   as a sequence of hexadecimal digits, two digits per payload octet.
   The ECHO payload is binary data and may contain any octet value,
   including zero.  Any comparison between ECHO payloads MUST be a
   comparison of the raw binary data.  Copy operations MUST NOT assume
   that the raw payload is null-terminated.

4.  IANA Considerations

   The IANA is requested to assign a value from the "DNS EDNS0 Options"
   registry, setting the name to be "ECHO" and referencing this
   document.

   The code for the option is TBD.

5.  Security Considerations

   A common form of denial of service attack is the reflected DNS
   amplification attack.  In this attack an attacker spoofs DNS requests
   from the victim that will result in a much larger reply (the
   amplification factor).  While the attacker could include a large
   amount of data in the ECHO payload of the spoofed DNS requests, this
   does not create any additional amplification: the reply carries back
   exactly as many ECHO bytes as the request contained, so the option's
   own amplification factor is 1.

   Because the payload is opaque and is passed through unchanged, the
   ECHO option could be used for DNS tunneling and exfiltration of data.

6.  Acknowledgements

   The authors wish to thank some folk.

7.  References

7.1.  Normative References

   [IANA.AS_Numbers]
              IANA, "Autonomous System (AS) Numbers".

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
              RFC 2671, August 1999.

7.2.
Informative References

   [I-D.ietf-sidr-iana-objects]
              Manderson, T., Vegoda, L., and S. Kent, "RPKI Objects
              issued by IANA", draft-ietf-sidr-iana-objects-03 (work in
              progress), May 2011.

Appendix A.  Changes / Author Notes

   [RFC Editor: Please remove this section before publication ]

   Changes from $undefined to -00.

   o  Initial document generation.

   Notes / references:

   o  rfc2671.txt - Extension Mechanisms for DNS (EDNS0)
   o  rfc5001.txt - DNS Name Server Identifier (NSID) Option

Authors' Addresses

   Warren Kumari
   Google
   1600 Amphitheatre Parkway
   Mountain View, CA 94043
   US

   Email: warren@kumari.net

   Roy Arends
   Nominet
   Minerva House, Edmund Halley Road
   Oxford OX4 6LB
   UK

   Email: roy@nominet.org.uk
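The following is an added worked example, not code from the draft or its authors, covering the stateless ECHO derivation of Section 2.1, the OPT RR wire encoding of Section 3, the hexadecimal presentation form of Section 3.1, and the downgrade check the draft says a resolver must add. Because the draft leaves the OPTION-CODE "TBD", the code uses an assumed placeholder value (65280, from the EDNS Local/Experimental range of RFC 6891); the HMAC-SHA256 derivation, the 16-octet truncation, the sample secret and the sample answer record are likewise assumptions for illustration, not anything the draft specifies.

```python
"""EDNS ECHO worked example: stateless payload derivation, OPT RR wire
encoding, and reply verification.  Illustrative code added to this page,
not the draft's own.  Values marked 'assumed' are not in the draft."""
import hashlib
import hmac
import struct

ECHO_OPTION_CODE = 65280   # assumed placeholder; the draft says TBD
ECHO_LEN = 16              # assumed truncation length of the HMAC tag
TYPE_OPT, TYPE_A = 41, 1


def echo_payload(secret: bytes, msg_id: int, qname: str, qtype: int) -> bytes:
    """Section 2.1: derive OPTION-DATA from query fields plus a secret, so the
    resolver keeps no per-query state and recomputes the value on the reply."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    mac.update(struct.pack("!H", msg_id))
    mac.update(qname.lower().rstrip(".").encode("ascii"))  # canonical QNAME
    mac.update(struct.pack("!H", qtype))
    return mac.digest()[:ECHO_LEN]


def to_presentation(data: bytes) -> str:
    """Section 3.1: two hex digits per payload octet; NUL octets are ordinary."""
    return data.hex()


def from_presentation(text: str) -> bytes:
    if len(text) % 2:
        raise ValueError("ECHO presentation form needs an even number of hex digits")
    return bytes.fromhex(text)


def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a wire-format name; handles RFC 1035 compression pointers."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            return off + 2
        if ln == 0:
            return off + 1
        off += 1 + ln


def opt_rr(options: list) -> bytes:
    """Section 3: each option is OPTION-CODE, OPTION-LENGTH, OPTION-DATA inside
    the OPT RR (NAME=root, TYPE=41, CLASS=UDP size, TTL=ext RCODE/flags)."""
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata


def build_query(msg_id: int, qname: str, qtype: int, echo: bytes) -> bytes:
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD=1, 1 Q, 1 AR
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt_rr([(ECHO_OPTION_CODE, echo)])


def edns_options(msg: bytes) -> dict:
    """Return {option-code: data} from the message's OPT RR, {} if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, opts = 12, {}
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_OPT:
            p = 0
            while p + 4 <= len(rdata):
                code, ln = struct.unpack("!HH", rdata[p:p + 4])
                opts[code] = rdata[p + 4:p + 4 + ln]
                p += 4 + ln
    return opts


def make_response(query: bytes, include_echo: bool = True, forged_echo: bytes = None) -> bytes:
    """Server side: answer with QR=1 and echo the option back byte for byte.
    include_echo=False models a forged reply that omits the option (downgrade);
    forged_echo models an off-path spoofer who has to guess the payload."""
    msg_id = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 1, 0, 1 if include_echo else 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])  # constructed A RR
    msg = header + question + answer
    if include_echo:
        echo = forged_echo if forged_echo is not None else edns_options(query)[ECHO_OPTION_CODE]
        msg += opt_rr([(ECHO_OPTION_CODE, echo)])
    return msg


def response_is_genuine(secret: bytes, response: bytes, qname: str, qtype: int) -> bool:
    """Resolver side: recompute the expected payload and compare raw bytes in
    constant time.  A reply with no ECHO option is rejected outright; accepting
    it would reopen the downgrade the draft warns about."""
    msg_id = struct.unpack("!H", response[:2])[0]
    got = edns_options(response).get(ECHO_OPTION_CODE)
    if got is None:
        return False
    return hmac.compare_digest(got, echo_payload(secret, msg_id, qname, qtype))


def run_demo() -> dict:
    secret = b"constructed-resolver-secret"  # constructed sample secret
    qname, qtype, msg_id = "example.com.", TYPE_A, 0x1234
    query = build_query(msg_id, qname, qtype, echo_payload(secret, msg_id, qname, qtype))
    return {
        "honest": response_is_genuine(secret, make_response(query), qname, qtype),
        "omitted": response_is_genuine(secret, make_response(query, include_echo=False), qname, qtype),
        "guessed": response_is_genuine(secret, make_response(query, forged_echo=bytes(ECHO_LEN)), qname, qtype),
        "nul_safe_hex": from_presentation(to_presentation(b"\x00\xff\x00")) == b"\x00\xff\x00",
    }


if __name__ == "__main__":
    print(run_demo())
```

The resolver only ever stores its secret: the expected payload is recomputed from the reply's own ID and the question it was matched against, so a spoofer who guesses the 16-bit ID still has to produce the 16 assumed octets of the HMAC tag, and a reply that drops the option is refused rather than silently accepted at the weaker 16-bit level. The comparison uses the raw bytes, as Section 3.1 requires, so a payload containing NUL octets round-trips intact.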