Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt
William F. Maton Sotomayor wrote:
> On Wed, 10 Sep 2008, Mark Andrews wrote:
>
>
>> In message <231A040F-13C4-4CC0-B202-D93A7E1A1445 at virtualized.org>, David Conrad
>> writes:
>>
>>>> At this point, I will sit quietly for a while and let the WG comment
>>>> on whether they think that your proposed
>>>> alternative mitigation is adequate. On Friday, the WG chairs will
>>>> gauge consensus and I will take appropriate action.
>>>>
>>> Given the stunningly successful implementation of BCP038 over the 8
>>> years since it has been published, I believe relying on it as a
>>> mitigation strategy against open resolver attacks is simply silly and
>>> discussing it largely a waste of time.
>>>
>> While I encourage everyone to deploy BCP 38, wherever possible, I
>> don't believe we should be relying on BCP 38 deployment to prevent
>> recursive servers being abused.
>>
>
> BCP 38 is one tool in the mitigation box, but it doesn't mean that it can
> only be the *only* tool available. So I agree with Mark.
>
First layer of defense: BCP 38
Second layer of defense (because there are those who cannot or will not
implement the first layer): Restrict recursive service by default
Third layer of defense (because there are those who cannot or will not
implement the first or second layers): Reactively filter abusive
recursors (as Dean suggested).
- Kevin
_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop