[49595] in North American Network Operators' Group
Re: DNS was Re: Internet Vulnerabilities
daemon@ATHENA.MIT.EDU (Paul Vixie)
Fri Jul 5 13:17:33 2002
From: Paul Vixie <paul@vix.com>
To: Nanog Mailing List <nanog@merit.edu>
In-Reply-To: Message from Randy Bush <randy@psg.com> of "Fri, 05 Jul 2002 10:01:31 PDT." <E17QWSZ-000Hly-00@rip.psg.com>
Date: Fri, 05 Jul 2002 10:15:26 -0700
Errors-To: owner-nanog-outgoing@merit.edu
> ... beyond that, security and anycast don't mix well without the data
> being authenticated, e.g. dnssec.
i won't disagree. anycast's cost:benefit analysis is compellingly against
its use in most situations. root name service may be one of them. now, if
the ops community can figure out a way to secure the edge->core boundary
such that packets heard by a DDoS victim will have reasonable IP source
addresses, then that would be better overall. however, in the 36 hours
since i last cleared the ipfw stats on c.root-servers.net, i see:
   packets       bytes rule
 938231392 60808555788 pipe 1 udp from any to any 53 in
  48248328  2919355408 deny ip from 192.168.0.0/16 to any in
  34199691  2254707782 deny ip from 10.0.0.0/8 to any in
  16030262  1061648337 deny ip from 172.16.0.0/12 to any in
and so i don't see much chance that IP source addresses will be believable
any time during the working lives of anyone now reading this. i also think
the likelihood of wide scale dnssec deployment within the next year or two
is two orders of magnitude lower than the likelihood of a DDoS against the
root server system. "more later."
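The ipfw counters quoted above are the output of a first-match rule table that refuses packets whose source address lies in RFC1918 space before the DNS traffic is shaped. The following is an added illustration, not Vixie's code or the actual configuration of c.root-servers.net: a small Python model of such a table, with per-rule packet and byte counters, run over a constructed handful of packets. The three deny prefixes and the "udp ... 53" match are taken from the message; the rule order (deny before pipe), the sample packets, and the treatment of an unmatched packet as falling to the default policy are assumptions made for the example.

```python
"""Added example: a toy first-match packet filter with per-rule counters, in the
shape of the ipfw rule table quoted in the message.  Not Vixie's code; the rule
order and the sample packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    label: str            # text shown in the stats, as ipfw prints it
    action: str           # "deny" drops the packet; "pipe" hands it to a shaper and accepts it
    src: IPv4Network      # source prefix the rule matches
    dport: Optional[int]  # destination UDP port, None means any port
    packets: int = 0      # hit counter
    octets: int = 0       # byte counter

    def matches(self, src: str, dport: int) -> bool:
        return ip_address(src) in self.src and (self.dport is None or self.dport == dport)


def make_rules() -> List[Rule]:
    """Assumed rule order: RFC1918 sources are refused before any DNS handling,
    because an answer sent to a private source address can never reach a real
    client.  The actual rule numbering on c.root-servers.net is not given."""
    return [
        Rule("deny ip from 192.168.0.0/16 to any in", "deny", ip_network("192.168.0.0/16"), None),
        Rule("deny ip from 10.0.0.0/8 to any in", "deny", ip_network("10.0.0.0/8"), None),
        Rule("deny ip from 172.16.0.0/12 to any in", "deny", ip_network("172.16.0.0/12"), None),
        Rule("pipe 1 udp from any to any 53 in", "pipe", ip_network("0.0.0.0/0"), 53),
    ]


# Constructed sample traffic: (source address, destination UDP port, bytes on the wire).
SAMPLE_PACKETS: List[Tuple[str, int, int]] = [
    ("198.51.100.7", 53, 64),   # ordinary query from a routable (documentation) address
    ("10.1.2.3", 53, 64),       # RFC1918 source: spoofed or leaked, the answer would go nowhere
    ("192.168.5.5", 53, 80),    # RFC1918 source
    ("172.20.0.9", 53, 72),     # inside 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
    ("172.32.0.1", 53, 64),     # just outside 172.16.0.0/12, so it is a legitimate source
    ("203.0.113.4", 80, 512),   # not DNS, matches no rule: falls to the default policy
]


def filter_packets(packets, rules=None) -> Tuple[Dict[str, Tuple[int, int]], int]:
    """Run packets through the rule list; the first matching rule wins, as in ipfw.
    Returns per-rule (packets, bytes) counters keyed by rule label, and the number
    of packets that matched no rule at all."""
    rules = make_rules() if rules is None else rules
    unmatched = 0
    for src, dport, length in packets:
        for rule in rules:
            if rule.matches(src, dport):
                rule.packets += 1
                rule.octets += length
                break
        else:
            unmatched += 1
    return {r.label: (r.packets, r.octets) for r in rules}, unmatched


def format_stats(counters: Dict[str, Tuple[int, int]]) -> str:
    """Render the counters in the 'packets bytes rule' layout of `ipfw show`."""
    lines = ["%12s %14s rule" % ("packets", "bytes")]
    for label, (pkts, nbytes) in counters.items():
        lines.append("%12d %14d %s" % (pkts, nbytes, label))
    return "\n".join(lines)


if __name__ == "__main__":
    counters, unmatched = filter_packets(SAMPLE_PACKETS)
    print(format_stats(counters))
    print("unmatched (default policy):", unmatched)
```

The point the counters make is the one in the message: the filter itself is trivial to write at the receiving end, but it can only discard traffic whose source is unroutable on its face. A query spoofed from a routable prefix (the 172.32.0.1 case above) passes every such rule, and only ingress filtering at the edge->core boundary, or authenticated data, can deal with it.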