Folks - Paul Vixie is dead on here but the real problem is not DNS, but rather the routing protocols that allow this type of address forgery to be propagated. This is the subtle difference here and the biggest criminal here is that even with a forged DNS service, the real issue is still Cisco and its brethren for forcing the propagation of routing standards that are insecurable and indefensible - the other bad-guy here is the IETF for not being more in control or forcing issues of security to be ingrained into their protocols that they have or are in the process of making as standards. This is one of the greatest instances proving that the ICANN and the IETF themselves with their current management and format, are incompetent to build or enforce standards. If they had done their job properly and allowed external input or review of their efforts, then this never would have happened. Just my personal 2 cents here.

Todd Glassey

----- Original Message -----
From: "Jim Fleming" <JimFleming at ameritech.net>
To: "'The IETF'" <ietf at ietf.org>; <chandley at ntia.doc.gov>; <nvictory at ntia.doc.gov>; <censslin at ntia.doc.gov>; <DEvans at doc.gov>
Cc: <yjpark at myepark.com>; <vivek at vivekdurai.com>; "Vittorio Bertola" <vb at vitaminic.net>; "todd glassey" <todd.glassey at worldnet.att.net>; "Richard Henderson" <richardhenderson at ntlworld.com>; "Kristy McKee" <k at widgital.com>; <karl at cavebear.com>; "Joop Teernstra" <terastra at terabytz.co.nz>; "Joanna Lane" <jo-uk at rcn.com>; <jefsey at jefsey.com>; <james.love at cptech.org>; <j.oppenheimer at att.net>; <icheckemail at indiatimes.com>; <ellen at rony.com>; "Elisabeth Porteneuve" <Elisabeth.Porteneuve at cetp.ipsl.fr>; "Alexander Svensson" <alexander at svensson.de>; "Joe Baptista" <baptista at dot-god.com>
Sent: Tuesday, August 13, 2002 7:04 AM
Subject: Why People Should NOT Depend on "Root Servers"

> http://www.merit.edu/mail.archives/nanog/msg02459.html
> gentlemen, stop your engines
>
> a.. From: Paul Vixie
> b.. Date: Mon Aug 12 12:07:20 2002
>
> --------------------------------------------------------------------------------
>
> after six reports that 192.5.5.241's address has been forged as the source
> of a tcp "fragmented scan" probe, i'm ready to have it stop. but just in
> case it doesn't, this is fair warning to the community: F's address is in
> unlawful use by as-yet-unidentified third parties.
>
> re:
>
> ------- Forwarded Message
>
> From: ...
> To: "'abuse at VIX.COM'" <abuse at VIX.COM>
> Subject: Unauthorized Fragmented Scan
> Date: Mon, 12 Aug 2002 06:56:08 -0700
>
> To whom it may concern,
>
> The Security Information & Analysis Center has detected an
> unauthorized scan against one of our networks that has a possible origin at
> 192.5.5.241.
>
> Please review the following initial information:
>
> IPHalfScan 08-11-2002 17:34:02 UTC 192.5.5.241:53
> xxx.xxx.xxx.xxx:53 TCP
> IPHalfScan 08-11-2002 17:28:00 UTC 192.5.5.241:53
> xxx.xxx.xxx.xxx:53 TCP
>
> Please take action to verify this address on your network
> and its intent to scan our networks. Thank you for your assistance.
>
> SECURITY INFORMATION AND ANALYSIS CENTER
> 1-877-...
>
> ------- End of Forwarded Message
>
>
> Modern DNS software finds the TLD Clusters, tracks them, and
> does not use ANY "root servers" (legacy or alt). People who rely
> on a dozen 32-bit IPv4 addresses to be coherently routed are fools,
> in my opinion. Any organization that promotes that type of structure
> and architecture as "secure" is perpetrating a fraud on unsuspecting
> users, who assume the system is stable and secure. Root servers are
> out of date, do not always track the TLD Cluster(s), do not support
> fail-over to back-up TLD Clusters, in cases of a major corporate
> failure. People continue to use them at their peril, yet clearly profit
> from telling people to use them.
>
> Jim Fleming
> 2002:[IPv4]:000X:03DB:...IPv8 is closer than you think...
> http://www.iana.org/assignments/ipv4-address-space
> http://www.ntia.doc.gov/ntiahome/domainname/130dftmail/unir.txt
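The forwarded abuse report above is a textbook case of a forged source address: a root nameserver does not originate TCP half-open scans, so the complaint should be triaged as spoofing and routed to the network that let the forged packets in, which is the ingress-filtering point Todd raises. The following is an added illustration, not code from the thread or from any of its participants; it assumes one IDS event per line in the report's format, a constructed sample (destinations redacted as in the original), and RFC 5737 documentation prefixes for the edge-filter check.

```python
import ipaddress
import re

# Addresses that never originate scans. 192.5.5.241 is F's address per Vixie's note;
# an operator would populate this with its own infrastructure and known anycast hosts.
NEVER_SCAN_SOURCES = {"192.5.5.241"}

# Constructed sample in the forwarded report's format (not real data).
SAMPLE_REPORT = """\
IPHalfScan 08-11-2002 17:34:02 UTC 192.5.5.241:53 xxx.xxx.xxx.xxx:53 TCP
IPHalfScan 08-11-2002 17:28:00 UTC 192.5.5.241:53 xxx.xxx.xxx.xxx:53 TCP
IPHalfScan 08-11-2002 17:29:10 UTC 198.51.100.7:40001 xxx.xxx.xxx.xxx:22 TCP
"""

LINE_RE = re.compile(
    r"^(?P<sig>\w+)\s+(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+UTC"
    r"\s+(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_report(text):
    """Parse IDS lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(text):
    """Label each event. A source that belongs to a root nameserver cannot be the
    true origin of a half-open scan, so the address is almost certainly forged and
    the report belongs with the upstream that failed to filter, not the owner."""
    out = []
    for ev in parse_report(text):
        verdict = "probable-spoofed-source" if ev["src"] in NEVER_SCAN_SOURCES else "investigate"
        out.append({**ev, "verdict": verdict})
    return out


def ingress_violation(src_ip, customer_prefixes):
    """BCP38-style check at a customer-facing edge: a packet whose source address
    lies outside the prefixes assigned to that interface is forged and should be
    dropped there, before the routing system propagates it any further."""
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in ipaddress.ip_network(p) for p in customer_prefixes)
```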
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.