
Re: [Asrg] RMX evaluation (was RE: Is there anything good enough? - Spoofing stats)

2003-05-09 05:00:48
On Fri, May 09, 2003 at 10:06:13AM +0100, Matt Sergeant wrote:

> Please also check out the DMP (a.k.a. DS) proposal which does not
> require a new RR, and does not mean that the UDP size limit for DNS
> would be exceeded on a regular basis.
>
> <http://www.pan-am.ca/draft-fecyk-dsprotocol-02.txt>
>
> I don't recall seeing anyone respond to the size limit problem with RMX
> when asked about it, but then I also had to stop reading this list for
> a while.

I agree that this proposal does provide DNS answers with a better 
defined length and does not require a new RR type.

But I do not agree that this is a real problem of RMX. RMX uses
an indirection step, which keeps the RMX records small. 

And this proposal has a similar disadvantage to Paul Vixie's:
whenever a provider changes the relay structure, it requires an
immediate update of all zone tables. While in Paul Vixie's proposal
DNS names can be used and updates are required only if the
number of relays grows, this proposal requires updates for every
single change. And if you really want to give a whole class-A network
permission, it requires 2^24 = about a million entries, and still around 65000
entries for a class-B network. This is a much more severe restriction
than the UDP packet size.

And you also have to keep in mind that RMX, DMP and Paul Vixie's
proposal all fall into the same class, which is to store per-IP
authorization information in the sender address domain's DNS table.

If you take all the objections brought to this mailing list against
RMX, these objections are either not technical, not true, or not arguable;
however, if they apply, almost all of them apply to the whole
class of these DNS-based authorization methods.

So moving to a different proposal doesn't contribute anything at this very
moment. It's a better step to move to the meta-layer and talk about
the whole class of these DNS-based methods. When this discussion is
finished, you can go back into the implementation details and
differences.

Hadmut

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
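The trade-off argued in the message above (zone-table size of a per-IP scheme against the DNS-over-UDP answer size of a single record), worked through as an added example. This is not code from the thread, from RMX, or from the DMP draft: the `relays` record text, the `example.com.` owner name, the RFC 5737 documentation addresses and the "per-IP entry" counting are constructed assumptions, and the size estimate models plain uncompressed TXT records rather than either proposal's actual syntax.

```python
"""Zone size versus UDP answer size for DNS-based relay authorization (added model, not RMX/DMP code)."""
import ipaddress
import math

DNS_UDP_LIMIT = 512  # classic DNS-over-UDP message limit from RFC 1035
HEADER_LEN = 12      # fixed DNS message header
RR_FIXED_LEN = 10    # TYPE + CLASS + TTL + RDLENGTH octets of a resource record


def name_wire_len(name):
    """Uncompressed wire length of a DNS name: one length octet per label plus the root octet."""
    labels = [label for label in name.strip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def txt_rr_len(owner, text):
    """Wire length of one TXT RR; TXT RDATA is a run of <len><chars> strings of at most 255 chars each."""
    chunks = max(1, math.ceil(len(text) / 255))
    return name_wire_len(owner) + RR_FIXED_LEN + chunks + len(text)


def answer_len(qname, texts):
    """Size of a response carrying the question plus one TXT RR per text, with no name compression."""
    question = name_wire_len(qname) + 4  # QTYPE + QCLASS
    return HEADER_LEN + question + sum(txt_rr_len(qname, t) for t in texts)


def fits_in_udp(qname, texts):
    """True when the estimated answer stays within the classic 512-octet UDP limit."""
    return answer_len(qname, texts) <= DNS_UDP_LIMIT


def per_ip_entries(networks):
    """Zone entries needed when every permitted address gets its own entry (hypothetical per-IP scheme)."""
    return sum(ipaddress.ip_network(n).num_addresses for n in networks)


def flat_record(addresses):
    """Hypothetical single record listing every permitted relay address literally (assumed format)."""
    return ["relays " + " ".join(addresses)]


def indirect_record(networks):
    """Hypothetical indirected record naming whole networks; it changes only when the structure changes."""
    return ["relays " + " ".join(networks)]


# Constructed sample data: a provider with two relay networks (RFC 5737 documentation ranges)
# and the first 60 hosts of the first network spelled out as literal addresses.
DOMAIN = "example.com."
RELAY_NETWORKS = ["192.0.2.0/24", "198.51.100.0/22"]
RELAY_HOSTS = [str(ip) for ip in list(ipaddress.ip_network("192.0.2.0/24").hosts())[:60]]


def summary():
    """Collect the figures the discussion turns on, for the constructed sample data."""
    flat = flat_record(RELAY_HOSTS)
    indirect = indirect_record(RELAY_NETWORKS)
    return {
        "class_a_per_ip_entries": per_ip_entries(["10.0.0.0/8"]),
        "class_b_per_ip_entries": per_ip_entries(["172.16.0.0/16"]),
        "flat_answer_len": answer_len(DOMAIN, flat),
        "flat_fits_udp": fits_in_udp(DOMAIN, flat),
        "indirect_answer_len": answer_len(DOMAIN, indirect),
        "indirect_fits_udp": fits_in_udp(DOMAIN, indirect),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Running it shows both halves of the argument on the same data: a per-address scheme needs 2^24 entries for a /8 and 2^16 for a /16, while a single record that spells out 60 relay addresses already overflows 512 octets; an indirected record naming the two networks stays under 100 octets and only has to change when the network structure does.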