On Mon, Aug 25, 2008 at 01:41:40PM +0200,
W.C.A. Wijngaards wrote
a message of 14 lines which said:

> I've submitted a draft with the resolver side mitigations that I
> envision for Unbound.
>
> http://www.ietf.org/internet-drafts/...igation-00.txt


> o source address randomisation
>
> If the resolver has multiple public IP addresses these can be used
> to randomise with.


With IPv4, this would add only one or two bits of entropy.

But, with IPv6, there is a huge potential for randomisation, maybe 64
bits of entropy if the resolver has a full /64.

However, it has implications for the router's Neighbor Discovery
cache. Did anyone try aggressive source address randomisation with
IPv6 to see how far the router and/or server OS can go?

> Specifically, they must not put the costs of the solution with 3rd
> parties.


That's a noble goal but it is impossible to follow completely. For
instance:

> o Authority queries for nameserver addresses, A and AAAA.
>
> Same idea, like NS query above. You ask for A or AAAA records
> directly at the authoritative server.


This would increase the load of the authoritative servers and
therefore would put a part of the cost (an acceptable one, IMHO) on
third parties.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
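The entropy arithmetic and the Neighbor Discovery cost discussed in the message above, as an added worked example that is not part of the original post and not Unbound's code. It assumes a resolver with two public IPv4 addresses from the documentation range 192.0.2.0/24, a full /64 from the documentation prefix 2001:db8::/64, 16 bits of source-port randomisation and the 16-bit DNS transaction ID; all four are constructed assumptions. It computes how many bits a forger must guess per scenario and counts the distinct first-hop neighbor entries a run of randomised queries leaves behind.

```python
import ipaddress
import math
import secrets

# Constructed example: the documentation prefix stands in for the resolver's /64.
RESOLVER_V6_PREFIX = "2001:db8::/64"
# Constructed example: a resolver that owns two public IPv4 addresses.
RESOLVER_V4_ADDRS = ["192.0.2.10", "192.0.2.11"]

PORT_BITS = 16   # assumed: full 16-bit source-port randomisation
TXID_BITS = 16   # the DNS transaction ID is a 16-bit field


def address_entropy_bits(pool_size):
    """Bits an attacker must guess to hit the source address chosen for a query."""
    if pool_size < 1:
        raise ValueError("pool must contain at least one address")
    return math.log2(pool_size)


def v6_prefix_pool_size(prefix):
    """Usable source addresses in an IPv6 prefix: every address except the one
    with an all-zero interface identifier (the subnet-router anycast address)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    return net.num_addresses - 1


def random_v6_source(prefix):
    """Uniformly random host address inside the prefix, never interface id 0."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    offset = 1 + secrets.randbelow(net.num_addresses - 1)
    return net.network_address + offset


def random_v4_source(pool):
    """Pick one of the resolver's public IPv4 addresses at random."""
    return ipaddress.IPv4Address(secrets.choice(pool))


def in_prefix(addr, prefix):
    """True if addr lies inside prefix (used to sanity-check the picker)."""
    return addr in ipaddress.IPv6Network(prefix, strict=True)


def total_query_entropy_bits(pool_size, port_bits=PORT_BITS, txid_bits=TXID_BITS):
    """Source address, source port and transaction ID are independent choices,
    so their entropies add."""
    return address_entropy_bits(pool_size) + port_bits + txid_bits


def expected_spoof_attempts(bits):
    """Forged replies needed for a 50% chance of one matching: 2^(bits-1)."""
    return 2.0 ** (bits - 1)


def neighbor_cache_entries(sources):
    """Distinct source addresses used: each one is a separate ND (or ARP)
    entry the first-hop router has to create and hold."""
    return len(set(sources))


if __name__ == "__main__":
    scenarios = (
        ("IPv4, 2 addresses", len(RESOLVER_V4_ADDRS)),
        ("IPv6, full /64", v6_prefix_pool_size(RESOLVER_V6_PREFIX)),
    )
    for label, pool in scenarios:
        bits = total_query_entropy_bits(pool)
        print(f"{label}: {bits:.1f} bits, "
              f"~{expected_spoof_attempts(bits):.3g} forged replies for a 50% hit")
    v6_used = [random_v6_source(RESOLVER_V6_PREFIX) for _ in range(1000)]
    v4_used = [random_v4_source(RESOLVER_V4_ADDRS) for _ in range(1000)]
    print("ND cache entries after 1000 IPv6 queries:", neighbor_cache_entries(v6_used))
    print("ARP cache entries after 1000 IPv4 queries:", neighbor_cache_entries(v4_used))
```

With two IPv4 addresses the address adds a single bit on top of port and ID, while a /64 adds 64; the last two lines show the flip side the message raises: with a /64 practically every query creates a fresh neighbor-cache entry on the first-hop router, whereas the IPv4 pool never needs more than two.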