Re: [DNSOP] Re: Last Call: draft-ietf-dnsop-reflectors-are-evil (Preventing Use of Recursive Nameservers in Reflector Attacks) to BCP
On 28-Sep-2007, at 1516, Dean Anderson wrote:

> Not widely supported in clients. Therefore, not a solution.

In fact, it's quite feasible in operating systems which can run a local instance of (say) BIND9. It would be fair to say that installing and configuring BIND9 on an average laptop is far beyond the abilities of the average laptop owner, but that's presumably just a matter of packaging.


>> VPNs are another solution, although not mentioned in the I-D, maybe
>> because it is obvious.

> Maybe it's not mentioned because it's not a practical solution. But whatever the reason it isn't mentioned, a 25 million user VPN is not going to happen with 10/8.

Well, that depends on what you mean by "VPN". If you mean "a hub and spoke topology of tunnels, all concentrated centrally" then yeah, that sounds like a bit of a stretch. If you mean "use of AH in queries sent towards a resolver which is configured somehow to discard packets that are not authentic" then I suspect there are ways to make that scale, even for quite large client populations.


(I might choose to incorporate anycast into such a design. You, presumably, would not. :-)

> A Comcast person recently complained on PPML
> that there wasn't enough RFC1918 space for their internal network.

I have heard such reports from Comcast in various forums. I have no reason to doubt them. I do not think that is especially pertinent to the question at hand, however.



Joe

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
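As an added illustration (my own example, not code from this thread, the draft, or BIND): a check an operator can run over resolver query records to see whether recursion is being served to sources outside the prefixes the resolver is meant to serve, which is the open-resolver condition that makes a recursive server usable as a reflector. The simplified log format, the authorized prefixes and all addresses below are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes this resolver is meant to serve recursion to (constructed):
# an RFC 1918 /8, a public customer block (TEST-NET-1) and one IPv6 block.
AUTHORIZED_CLIENTS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

@dataclass
class Query:
    src: str      # source address from the UDP header; trivially spoofable
    qname: str
    qtype: str
    rd: bool      # Recursion Desired flag set in the query header

def is_authorized(src: str) -> bool:
    """True when the source address falls inside a served prefix (v4 or v6)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED_CLIENTS)

def parse_log_line(line: str) -> Query:
    # Constructed, simplified record: "<src> <qname> <qtype> <flags>",
    # where <flags> is a comma-separated list or "-" when no flag is set.
    src, qname, qtype, flags = line.split()
    return Query(src, qname, qtype, "RD" in flags.split(","))

def reflector_exposure(lines):
    """Return (src, qname, qtype, large_answer) for every recursive query
    from an unauthorized source: each one is an answer the resolver would
    send to a possibly spoofed address. ANY queries are marked large_answer
    because their responses are typically much bigger than the query."""
    findings = []
    for line in lines:
        q = parse_log_line(line)
        if q.rd and not is_authorized(q.src):
            findings.append((q.src, q.qname, q.qtype, q.qtype == "ANY"))
    return findings

def summarize(lines):
    """Count exposed recursive queries per unauthorized source address."""
    counts = {}
    for src, _, _, _ in reflector_exposure(lines):
        counts[src] = counts.get(src, 0) + 1
    return counts

# Constructed sample records; 203.0.113.21 is non-recursive and stays unflagged.
SAMPLE_LOG = """\
10.3.4.5 www.example.com A RD
198.51.100.7 example.net ANY RD,CD
198.51.100.7 example.net ANY RD
192.0.2.9 mail.example.org MX RD
203.0.113.20 example.com A RD
203.0.113.21 ns.example.com A -
""".splitlines()
```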
From: Joe Abley <jabley at ca.afilias.info>
Date: Fri, 28 Sep 2007 17:08:42 -0400
To: Dean Anderson <dean at av8.com>
Cc: dnsop at ietf.org, Paul Hoffman <paul.hoffman at vpnc.org>, ietf at ietf.org