Re: draft-ietf-dnsext-forgery-resilience-01.txt
Tony Finch wrote:
> On Mon, 12 Nov 2007, Florian Weimer wrote:
>> Why are ID clashes a problem?
>
> I'd expect them to cause in the most benign case delays because of
> retries. Or a server might be mistakenly marked as broken, or the client
> might get confused and return bogus data. It depends on how the client
> disambiguates replies to queries and how paranoid it is.
A quick calculation says that a busy resolver, talking to a
forwarder/cache, with 1000 queries per second, where each query takes 500 msec
to be answered, and that uses a plain random 16-bit ID (no extra ports), has
an 85% chance of having a duplicate ID outstanding, and thus being unable
to disambiguate the reply. That is pretty high; I think the draft can
say something about avoiding these ID clashes.
Best regards,
Wouter
PS. formula used, p = 1-exp(-n*n*H/2), with n=500, H=65536.
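The calculation above, worked through as an added example (not code from the post or from the draft): it reproduces the 85% figure from the standard birthday approximation p = 1 - exp(-n^2 / (2H)), checks it against the exact product form, and extends the same arithmetic to a resolver that also randomises the 16-bit source port. The 16 bits of port entropy and the 1% target probability are assumptions chosen for illustration.

```python
import math


def outstanding_queries(qps: float, latency_s: float) -> int:
    """Little's law: queries in flight = arrival rate * time each stays open.
    1000 q/s at 500 ms latency -> 500 queries with an ID outstanding."""
    return int(qps * latency_s)


def clash_probability(n: int, space: int) -> float:
    """Birthday approximation: P(at least two of n outstanding queries share
    an ID drawn uniformly from `space` values) = 1 - exp(-n^2 / (2*space))."""
    return 1.0 - math.exp(-(n * n) / (2.0 * space))


def clash_probability_exact(n: int, space: int) -> float:
    """Exact form: 1 - prod_{i=0}^{n-1} (space - i) / space, summed in log
    space so it does not underflow for large n."""
    if n > space:
        return 1.0
    log_no_clash = sum(math.log((space - i) / space) for i in range(n))
    return 1.0 - math.exp(log_no_clash)


def max_inflight_for(p_target: float, space: int) -> int:
    """Largest number of outstanding queries that keeps the clash probability
    at or below p_target (inverting the birthday approximation)."""
    return int(math.floor(math.sqrt(-2.0 * space * math.log1p(-p_target))))


if __name__ == "__main__":
    n = outstanding_queries(qps=1000, latency_s=0.5)
    id_space = 1 << 16                  # plain 16-bit transaction ID
    id_port_space = id_space * (1 << 16)  # assumed: ID plus 16-bit random port
    print(f"{n} queries outstanding")
    print(f"16-bit ID only:     approx {clash_probability(n, id_space):.3f}, "
          f"exact {clash_probability_exact(n, id_space):.3f}")
    print(f"ID + random port:   approx {clash_probability(n, id_port_space):.2e}")
    print(f"in-flight limit for <=1% clash with 16-bit ID only: "
          f"{max_inflight_for(0.01, id_space)}")
```

The last line shows why the message matters for a resolver that relies on the ID alone: a 1% clash budget is exhausted at a few dozen outstanding queries, so the reply must be matched on more than the ID (port, question name and type) or the ID space widened.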
archive: <http://ops.ietf.org/lists/namedroppers/>