[52972] in North American Network Operators' Group
Re: DNS issues various
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Oct 24 16:02:07 2002
To: nanog@merit.edu
In-Reply-To: Your message of "Thu, 24 Oct 2002 18:59:46 -0000."
<Pine.SOL.4.40.0210241845340.16177-100000@share1.wobnma1-dc1.genuity.net>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 24 Oct 2002 16:01:09 -0400
Errors-To: owner-nanog-outgoing@merit.edu

On Thu, 24 Oct 2002 18:59:46 -0000, "Kelly J. Cooper" <kcooper@genuity.net> said:

> > You know, most bars have bouncers at the door that check IDs. Sure, they're
> > not perfect, but the bartender can usually be pretty sure the guy ordering a
> > beer is over 21. The average bar isn't run by a soooper-genius. But it's still
> > considered fashionable to let packets roam your network without an ID check at
> > the door.
>
> Yeah and how's that working so far?

Works a lot better than making an overworked bartender do it. And yes, that's
an intentional dig at the "but you can't filter at the core" crowd, and the
"but you can't backtrack spoofed traffic easily" crowd...

How well does it work? Well enough that you can drive by a bar and just *know*
that it's a dead night because there's no bouncer. And it's never a dead night
on the Internet.

> > soooper-genius solutions aren't going to help any when there's a lot of
> > address space that's managed by Homer Simpson....
>
> But there will always be address space managed by Homer Simpson.

Why? I'm asking a serious question here - why is it considered acceptable?

> All I'm advocating is breaking out of that pattern.

I bet a few good lawsuits alleging civil liability for contributory
negligence for allowing spoofed packets would do wonders for that problem.

I posit that there won't be any "sooper genius" solution that will actually
work as long as the prevailing model is small islands of clue awash in a
sea of Homer Simpsons.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech