[166633] in North American Network Operators' Group
Re: Reverse DNS RFCs and Recommendations
daemon@ATHENA.MIT.EDU (Masataka Ohta)
Fri Nov 1 22:17:35 2013
Date: Sat, 02 Nov 2013 11:17:34 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
To: Alex Rubenstein <alex@corp.nac.net>, Mark Andrews <marka@isc.org>
In-Reply-To: <2D0AF14BA6FB334988BC1F5D4FC38CB82DD7B600E6@EXCHMBX.hq.nac.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
(2013/11/02 10:48), Alex Rubenstein wrote:

>>>> Not necessarily. When the CPE is configured through DHCP (or PPP?),
>>>> the ISP can send the secret.
>>>
>>> Which can be seen, in many cases, by other parties
>>
>> Who can see the packets sent from the local ISP to the CPE directly
>> connected to the ISP?
>
> The NSA, FBI, CIA, DHS.

>> If you mind wiretapping, you have other things to worry
>> about, which needs your access line encrypted (by a manually
>> configured password), which makes DHCP packets invisible.
>
> Or, the ISP, the ISP's employees, contractors, sub-contractors.

If you can't trust the ISP, you can't make rDNS operated
by the ISP secure.

> Or the phone company handling the PPPOE, L2TP, or whatever else.

>> If you mind wiretapping, you have other things to worry
>> about, which needs your access line encrypted (by a manually
>> configured password), which makes DHCP packets invisible.
>
> Or the WiFi sniffer on the street outside.

Does your CPE retransmit a received DHCP reply to WiFi?

Masataka Ohta