[11551] in North American Network Operators' Group


Re: how to protect name servers against cache corruption

daemon@ATHENA.MIT.EDU (Michael Dillon)
Fri Aug 1 12:18:28 1997

In-Reply-To: <199708010404.XAA08340@enteract.com>
Date: Fri, 1 Aug 1997 09:17:49 -0700
To: nanog@merit.edu
From: Michael Dillon <michael@priori.net>


>This is not a valid answer. People who think that the entire Internet can
>be globally configured to prevent packet forgery from occurring in the
>first place are deluding themselves, and I think we, as Internet
>professionals with an understanding of how these protocols work,
>understand that.
>
>Unfortunately, a bizarre faction of people have decided that the best way
>to address problems that are made difficult to repair by the design of
>legacy software is to deny that they A.) exist or B.) are fixable.
>
>"Wait for IPsec" and "Wait for DNSsec" are, in my opinion, inadequate
>answers. "Prevent packet forgery from happening" seems ludicrous.

Thomas, you seem to have a misconception about the audience you are
addressing here. The people on this list are network operators. We operate
backbone networks with national or international scope. We operate regional
networks. And we operate networks in large organizations such as
universities. We are not protocol designers and we are not programmers.
Some of us are indeed capable of both protocol design and programming but
that is not the hat we wear in this group. Here we are concerned with the
nuts and bolts of keeping IP packets flowing through our networks and
through the gateways we maintain with other networks using tools such as
routers and switches. Since we are operators, we mainly concern ourselves
with things that we can implement in the field in full-scale production
networks right now. If we have any horizon into the future it is short,
perhaps 6 months at the most. If a topic does not concern equipment or
configurations that we can use within 4-6 months, there is no point in
discussing it here. If we were really interested in that sort of thing we
would join the appropriate IETF working group or read it in USENET.

So, rather than discuss what attacks people *COULD* mount on our networks
and how they would build exploit tools to mount these attacks, if you would
explain the things that we could do to protect ourselves from these attacks
or to track down these attacks then we would be more receptive I think. In
fact, I think that the discussion to date regarding possible DNS attacks has
led us all down the wrong path. If this sort of attack did occur there is
not much that a network operator can do to harden themselves against it.
However there is probably a *LOT* that could be done to track down the
source of the attacks so that the FBI, RCMP, Interpol, etc. can solve the
real problem.

I certainly am not denying that problems exist but whenever someone claims
to have the real solution to a problem I always ask myself whether they are
solving the right problem and whether the context of the situation was
considered when making the problem statement.


********************************************************
Michael Dillon                    voice: +1-415-482-2840
Senior Systems Architect            fax: +1-415-482-2844
PRIORI NETWORKS, INC.              http://www.priori.net

"The People You Know.  The People You Trust."
********************************************************
