IRTF MAPRG agenda for IETF-112 (online)

Date: November 9, 2021, 14:30-15:30 UTC Webex link: https://meetings.conf.meetecho.com/ietf112/?group=maprg&short=&item=1

Overview & Status - Dave & Mirja (5 min)

IRTF Note-well: https://irtf.org/policies/irtf-note-well-2019-11.pdf

TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS - Giovane C. Moura (15 mins)

Recommendations on using VPN over SATCOM access - Nicolas Kuhn (10 mins)

TBD

TBD


Abstracts

TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS - Giovane C. Moura

The Internet’s Domain Name System (DNS) is a part of every web request and e-mail exchange, so DNS failures can be catastrophic, taking out major websites and services. This paper identifies TsuNAME, a vulnerability where some recursive resolvers can greatly amplify queries, potentially resulting in a denial-of-service to DNS services. TsuNAME is caused by cyclical dependencies in DNS records. A recursive resolver repeatedly follows these cycles, coupled with insufficient caching and application-level retries greatly amplify an initial query, stressing authoritative servers. Although issues with cyclic dependencies are not new, the scale of amplification has not previously been understood. We document real-world events in .nz (a country-level domain), where two misconfigured domains resulted in a 50% increase on overall traffic. We reproduce and document root causes of this event through experiments, and demostrate a 500× amplification factor. In response to our disclosure, several DNS software vendors have documented their mitigations, including Google public DNS and Cisco OpenDNS. For operators of authoritative DNS services we have developed and released CycleHunter, an open-source tool that detects cyclic dependencies and prevents attacks. We use CycleHunter to evaluate roughly 184 million domain names in 7 large, top-level domains (TLDs), finding 44 cyclic dependent NS records used by 1.4k domain names. The TsuNAME vulnerability is weaponizable, since an adversary can easily create cycles to attack the infrastructure of a parent domains. Documenting this threat and its solutions is an important step to ensuring it is fully addressed.

Recommendations on using VPN over SATCOM access - Nicolas Kuhn

VPN are a secured tunnel that help service providers to exchange data over non-secured networks. There is a large variety of VPN solutions that have variable deployment impacts on the target architecture as well as performance limitations or opportunities. This technical report compares Wireguard and OpenVPN for various SATCOM deployment scenarios and topologies.