RE: [fw-wiz] DNS UDP packets > 512 bytes

From: Loomis, Rip (GILBERT.R.LOOMIS@saic.com)
Date: 02/20/03

    From: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 20 Feb 2003 09:16:20 -0500
    

    > > This means that a firewall that drops UDP packets > 512 bytes
    > > is *not* "perfectly compliant". Hopefully the firewall implementors
    > > are starting to be aware of this...
    >
    > Yes, EDNS0 exists, but AFAIK it's not an Internet Standard
    > (feel free to prove me wrong, I'll happily accept being corrected).
    > It's in the standards track, but it's not to be found at
    > http://www.rfc-editor.org/rfcxx00.html
    > with data as of Feb 19, 2003. Therefore, firewalls that don't
    > support it can indeed claim to be "perfectly compliant with the
    > Official Internet Protocol Standards", at least as far as this issue goes.

    There's actually been some recent relevant discussion on one of the
    two primary IETF mailing lists for DNS (namedroppers) about what it
    means to be "standards compliant". To summarize, RFC 2400 was the last
    version that included the terms "Elective", "Recommended" and "Required"
    when describing the minimum set of protocols that need to be implemented
    for "compliance" (the current version of that RFC is 3300...) Without
    that delineation, it's perhaps not all that easy to delineate what it
    means to be a "perfectly compliant" device--not just for DNS, but for IETF
    standards in general. It's almost like picking from a buffet menu--except
    that from a secure design perspective, the designer would rather have one
    clear and strict set of standards, and throw away any packets that fall
    outside those standards.

    For EDNS0, if a firewall simply blocks UDP packets with source port 53 and
    size > 512 bytes, then the failure mode will be ugly (essentially denial
    of DNS resolution between two specific hosts, but only for specific
    responses that contain "too much" data).

    > However, since there appears to be an installed base of software that
    > supports it, perhaps firewall developers should indeed extend their
    > DNS-handling code appropriately.

    Agreed. There are several assumptions common to many firewalls
    which need to be re-examined--"TCP is only required for zone transfers"
    is the other major one, as I think someone recently stated on fw-wiz.

    Providing secure DNS through/at firewalls is a complex problem, and
    figuring out exactly what standards should be implemented (and to what
    extent) is non-trivial. To me, that was all the more reason why I didn't
    want to let your original statement go by entirely without comment.

      --Rip
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
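The failure mode Rip describes, as an added example that is not part of the original post: a rule that drops every reply from UDP port 53 over 512 bytes, beside an EDNS0-aware alternative that lets a reply through up to the buffer size the client advertised in the OPT RR of its own query. The DNS messages are constructed here (hypothetical `example.com` TXT traffic), and the stateful rule assumes the firewall can pair each response with the query that caused it.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR: its CLASS field carries the sender's UDP payload size

def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"
def build_message(qid, flags, qname, txt_rdata=b"", opt_size=None):
    """Construct a minimal DNS message: one TXT question, optional TXT answer, optional OPT RR."""
    an, ar = (1 if txt_rdata else 0), (1 if opt_size is not None else 0)
    msg = struct.pack("!HHHHHH", qid, flags, 1, an, 0, ar)
    msg += _name(qname) + struct.pack("!HH", 16, 1)               # QTYPE=TXT, QCLASS=IN
    if txt_rdata:                                                  # owner name = pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(txt_rdata)) + txt_rdata
    if opt_size is not None:                                       # OPT RR: root name, CLASS = size
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, opt_size, 0, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
def edns0_udp_size(msg):
    """Advertised EDNS0 UDP payload size from the OPT RR in msg, or None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                            # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None
def legacy_rule_drops(response):
    """The rule discussed in the thread: drop any reply from UDP port 53 larger than 512 bytes."""
    return len(response) > 512
def stateful_rule_drops(query, response):
    """EDNS0-aware alternative: allow a reply up to the size the client advertised in its query (512 without an OPT RR; a smaller advertised size is clamped to 512 here)."""
    limit = max(edns0_udp_size(query) or 0, 512)
    return len(response) > limit
# Constructed sample traffic: a query advertising a 4096-byte buffer and an 820-byte TXT reply.
TXT = b"".join(b"\xff" + b"x" * 255 for _ in range(3))
QUERY = build_message(0x1234, 0x0100, "example.com", opt_size=4096)
RESPONSE = build_message(0x1234, 0x8180, "example.com", txt_rdata=TXT, opt_size=4096)
```

The legacy rule silently discards the 820-byte reply even though the client asked for up to 4096 bytes, which is exactly the per-host, per-response resolution failure described above; the stateful rule passes it and still drops it for a client that never advertised EDNS0.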