[141546] in North American Network Operators' Group

Re: Retraining "IT" on networking myths (the cloud to the rescue!)

daemon@ATHENA.MIT.EDU (Michael Sinatra)
Wed Jun 8 21:55:51 2011

Date: Wed, 08 Jun 2011 18:54:34 -0700
From: Michael Sinatra <michael@rancid.berkeley.edu>
To: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <D6AF03DE-8960-4987-AD50-51430F8258BF@puck.nether.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 06/08/11 18:32, Jared Mauch wrote:

> MYTHS:
>
> TCP/53 is only for zone transfers
> ICMP is a security risk/ddos avenue
> Internal networks must be secured with NAT
> A firewall is the only way to secure the perimeter
>
> In fact for IPv6, ICMP is more important vs less.  Firewalls
> frequently harm and don't block data going out.  TCP/53 is needed for
> EDNS.

tcp/53 is needed when EDNS is _not_ available and DNS message size 
exceeds 512 bytes.  UDP fragments are (sometimes) necessary for EDNS.

So, that adds to your MYTHS section:

Fragmented packets (like ICMP) are always a security risk and DDoS vector

michael
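As an added illustration of the TCP/53 and fragmentation point made in this reply (example code written for this archive page, not from either poster), the following Python builds a DNS query with and without an EDNS0 OPT record, reads back the UDP payload size the query advertises, and classifies how a response of a given size gets delivered: plain UDP, UDP with IP fragmentation, or a truncated answer that forces a retry over TCP/53. The query name, the 1500-byte path MTU and the 28-byte IPv4/UDP header overhead are assumptions.

```python
import struct

# RFC 1035 limits DNS/UDP payloads to 512 bytes; an EDNS0 OPT pseudo-RR
# (RFC 6891) lets the requestor advertise a larger buffer in its CLASS field.
CLASSIC_UDP_LIMIT = 512
HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
OPT_TYPE = 41

def encode_name(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1, edns_bufsize=None, txid=0x1234):
    """Standard query; with edns_bufsize an OPT RR advertises that UDP size."""
    arcount = 1 if edns_bufsize else 0
    msg = HEADER.pack(txid, 0x0100, 1, 0, 0, arcount)   # RD=1, one question
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return msg

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends name
            return off + 2
        off += msg[off] + 1
    return off + 1

def advertised_udp_size(query):
    """UDP payload size the query permits: OPT CLASS if present, else 512."""
    _, _, qd, an, ns, ar = HEADER.unpack_from(query)
    off = HEADER.size
    for _ in range(qd):
        off = skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):                # OPT lives in the additional section
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", query, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return CLASSIC_UDP_LIMIT

def delivery_path(query, response_size, path_mtu=1500, ip_udp_overhead=28):
    """How the server can deliver response_size bytes for this query."""
    if response_size > advertised_udp_size(query):
        return "tcp"               # answer is truncated (TC=1); client retries over TCP/53
    if response_size + ip_udp_overhead > path_mtu:
        return "udp-fragmented"    # fits the EDNS buffer but not the MTU: IP fragments
    return "udp"
```

A filter that drops TCP/53 leaves the "tcp" case unresolvable, and one that drops fragments leaves the "udp-fragmented" case unresolvable, which is why both belong on the myths list.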
