2010/08/29

Can IPv6 resolve cache-poisoning

Lately, I have been thinking about whether IPv6 can help to prevent cache poisoning.

A resolver running IPv4 typically has a single source IPv4 address to send queries from, whereas one riding on IPv6 can draw on up to 2^64 addresses within a single network segment (a /64). Each time the IPv6-enabled resolver sends out a query, it should pick a random IPv6 address within its assigned prefix as the source. An attacker forging a reply then has to guess the 16-bit transaction ID, the 16-bit random source port and the 64 bits of the randomised source IPv6 address. That is, the chance of a forged reply being accepted is 1 in 2^96, which is not a problem at all.

However, the reality is that not all authoritative name servers are IPv6-enabled. If the Internet had adopted IPv6 much earlier, cache poisoning would have been resolved this way and DNSSEC would not be necessary.
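The entropy argument above, worked through as an added example (not code from the original post): a per-query random source address inside an assumed /64 prefix (2001:db8:1:2::/64 is a documentation prefix chosen here), and the resulting success probability for an off-path forger, computed for the IPv4 case (32 bits) and the IPv6 case (96 bits). The 16-bit port figure is the post's assumption; a real ephemeral port range gives somewhat less.

```python
"""Entropy budget of a resolver that randomises its IPv6 source address per query."""
import ipaddress
import math
import secrets
from typing import Optional

TXID_BITS = 16  # DNS transaction ID
PORT_BITS = 16  # randomised UDP source port, taken as a full 16 bits as the post assumes


def random_source_in_prefix(prefix: str) -> ipaddress.IPv6Address:
    """Draw a uniformly random address inside `prefix` for one outgoing query.

    The prefix (e.g. a /64) is fixed; the remaining host bits come from a CSPRNG,
    which is what makes the source address unguessable to an off-path attacker."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    host_bits = 128 - net.prefixlen
    return ipaddress.IPv6Address(int(net.network_address) + secrets.randbelow(1 << host_bits))


def entropy_bits(prefix: Optional[str]) -> int:
    """Bits a forged reply must match: txid + port, plus the host bits of the prefix
    when source-address randomisation is in use (None = single fixed source address)."""
    addr_bits = 0 if prefix is None else 128 - ipaddress.IPv6Network(prefix).prefixlen
    return TXID_BITS + PORT_BITS + addr_bits


def forgery_success_probability(forged_replies: int, bits: int) -> float:
    """P(at least one of N independent forged replies matches) = 1 - (1 - 2^-bits)^N.

    log1p/expm1 keep this accurate when 2^-bits is far below float epsilon
    (e.g. bits = 96), where 1 - 2^-bits would otherwise round to exactly 1.0."""
    return -math.expm1(forged_replies * math.log1p(-(2.0 ** -bits)))


def replies_for_half_chance(bits: int) -> float:
    """Number of forged replies at which the success probability reaches 50 %."""
    return math.log(0.5) / math.log1p(-(2.0 ** -bits))


if __name__ == "__main__":
    for label, prefix in (("IPv4 resolver, one source address", None),
                          ("IPv6 resolver, random source in a /64", "2001:db8:1:2::/64")):
        b = entropy_bits(prefix)
        years = replies_for_half_chance(b) / 1e6 / 31_557_600  # at 1e6 forged replies/s
        print(f"{label}: {b} bits, 50% chance needs {replies_for_half_chance(b):.3e} "
              f"replies ({years:.3e} years at 1e6/s)")
    print("example source address:", random_source_in_prefix("2001:db8:1:2::/64"))
```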

2 comments:

Copsewood said...

"DNSSEC would not be necessary". Your proposed increase in entropy seems likely relatively easily to fix what may well be the current worst use case for DNS compromise. I say relatively easily because the world of DNS recursive resolvers plus DNS content servers seems likely to be IP6 upgradable much sooner than all the DNS clients. But other DNS compromises are possible.

e.g.1 malware e.g. compromised flash or other downloaded executable malware operating within a firewall which might change the dynamic host configuration understanding of the DNS resolver address.

e.g.2 a rogue admin operating a DNS recursive resolver for customers of a large ISP.

DNSSEC is designed to secure against all DNS compromises external to the DNS client making the enquiry, by creating a signed content response all the way from the DNS content server to the client.
