[101836] in North American Network Operators' Group
Re: request for help w/ ATT and terminology
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Fri Jan 18 23:31:41 2008
From: Roland Dobbins <rdobbins@cisco.com>
To: NANOG <nanog@merit.edu>
In-Reply-To: <3c3e3fca0801182012y48f0ab6dw3d111023876aa8d@mail.gmail.com>
Date: Sat, 19 Jan 2008 12:25:04 +0800
Errors-To: owner-nanog@merit.edu
On Jan 19, 2008, at 12:12 PM, William Herrin wrote:
> For renumbering purposes, you could reasonably expect the firewall
> to perform the translations once when rebooted or reset, after which
> it would use the discovered IP addresses.
You can do that now with most firewalls and ACLs on most routers -
there's generally a configuration setting which allows/disallows live
lookups of hostnames when config files are updated containing same. I
don't like it due to the load it puts on the resolving box, plus the
auditing issue, but some folks do it.
> This would only fail where the firewall was being operated by
> someone in a different administrative domain than the engineer who
> has to renumber... And those scenarios are already indicative of a
> security problem.
'Renumbering' happens all the time due to multiple A records for a
single FQDN, DNS-based load-balancing setups, etc. And remember, in
many cases, there are hosts in firewall rules/ACLs which are not part
of the operator's own administrative domain, but which are external to
it.
> Unfortunately, we're all ignoring the big white elephant in the
> room: spam filters. When a large flow of email suddenly starts
> emitting from an address that didn't previously send significant
> amounts of mail, a number of filters squash it for a while based
> solely on the changed message rate. This can be very traumatic for the
> engineer trying to renumber and it is 100% outside of his realm of
> control. And of course, you lose all of the private whitelists that
> you talked your way on to over the years where you no longer have a
> valid point of contact.
With regards to antispam systems which are configured to behave in
such a manner, this is (or ought to be) a BCP issue, obviously.
> Renumbering is a bad bad thing.
Renumbering in a world in which EIDs and locators are conflated and in
which the EID is in any case vastly overloaded from a policy
perspective is indeed very painful, and not just for the renumbering
party, but for many others, as well.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
Culture eats strategy for breakfast.
-- Ford Motor Company
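As an added illustration of the auditing problem Roland raises (firewall rules that carry hostnames and get resolved when the config is loaded), the following Python, written for this archive page and not part of the thread, expands hostname-based rules into the addresses a device would actually enforce and flags names that map to several A records or whose resolution has changed since load time. The rules, hostnames and addresses are constructed for the example.

```python
# Constructed sample: ACL rules that name hosts instead of addresses, plus two
# DNS snapshots (hypothetical names and RFC 5737 documentation addresses).
RULES = [
    ("permit", "tcp", "mail.example.net", 25),
    ("permit", "tcp", "www.example.net", 443),
    ("permit", "tcp", "partner-gw.example.org", 22),
]

# What the resolver returned when the config was (re)loaded.
DNS_AT_CONFIG_LOAD = {
    "mail.example.net": {"192.0.2.10"},
    "www.example.net": {"192.0.2.20", "192.0.2.21"},   # DNS round-robin
    "partner-gw.example.org": {"198.51.100.7"},         # host in someone else's domain
}

# What the same names resolve to later; the operator never touched the config.
DNS_NOW = {
    "mail.example.net": {"192.0.2.10"},
    "www.example.net": {"192.0.2.22", "192.0.2.21"},
    "partner-gw.example.org": {"203.0.113.9"},
}


def expand_rules(rules, dns):
    """Return the address-level ACL the device builds when it resolves names at load."""
    expanded = []
    for action, proto, host, port in rules:
        # A name with several A records silently becomes several permit lines.
        for addr in sorted(dns.get(host, ())):
            expanded.append((action, proto, addr, port))
    return expanded


def audit_rules(rules, dns_then, dns_now):
    """Flag names whose resolution is ambiguous or has drifted since config load.

    Returns (hostname, finding) pairs in rule order, so the output can be diffed
    against a previous audit run.
    """
    findings = []
    for _, _, host, _ in rules:
        then, now = dns_then.get(host, set()), dns_now.get(host, set())
        if len(then) > 1:
            findings.append((host, f"multiple A records: rule covers {len(then)} addresses"))
        if then != now:
            findings.append((host, f"drift: loaded {sorted(then)}, now {sorted(now)}"))
    return findings


if __name__ == "__main__":
    for line in expand_rules(RULES, DNS_AT_CONFIG_LOAD):
        print("enforced:", line)
    for host, finding in audit_rules(RULES, DNS_AT_CONFIG_LOAD, DNS_NOW):
        print("finding:", host, "-", finding)
```

Running the audit periodically against the snapshot taken at load time shows which rules the device is still enforcing versus what the names now mean, which is the gap a hostname-only config leaves in the audit trail.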