
Re: Why People Should NOT Depend on "Root Servers"

2002-08-13 08:23:05
Folks -
Paul Vixie is dead on here but the real problem is not DNS, but rather the
routing protocols that allow this type of address forgery to be propagated.
This is the subtle difference here and the biggest criminal here is that
even with a forged DNS service, the real issue is still Cisco and its
brethren for forcing the propagation of routing standards that are
insecurable and indefensible - the other bad-guy here is the IETF for not
being more in control or forcing issues of security to be ingrained into
their protocols that they have or are in the process of making as standards.

This is one of the greatest instances proving that the ICANN and the IETF
themselves with their current management and format, are incompetent to
build or enforce standards. If they had done their job properly and allowed
external input or review of their efforts, then this never would have
happened.

Just my personal 2 cents here.
Todd Glassey



----- Original Message -----
From: "Jim Fleming" <JimFleming(_at_)ameritech(_dot_)net>
To: "'The IETF'" <ietf(_at_)ietf(_dot_)org>; 
<chandley(_at_)ntia(_dot_)doc(_dot_)gov>;
<nvictory(_at_)ntia(_dot_)doc(_dot_)gov>; 
<censslin(_at_)ntia(_dot_)doc(_dot_)gov>; <DEvans(_at_)doc(_dot_)gov>
Cc: <yjpark(_at_)myepark(_dot_)com>; <vivek(_at_)vivekdurai(_dot_)com>; 
"Vittorio Bertola"
<vb(_at_)vitaminic(_dot_)net>; "todd glassey" 
<todd(_dot_)glassey(_at_)worldnet(_dot_)att(_dot_)net>; "Richard
Henderson" <richardhenderson(_at_)ntlworld(_dot_)com>; "Kristy McKee" 
<k(_at_)widgital(_dot_)com>;
<karl(_at_)cavebear(_dot_)com>; "Joop Teernstra" 
<terastra(_at_)terabytz(_dot_)co(_dot_)nz>; "Joanna
Lane" <jo-uk(_at_)rcn(_dot_)com>; <jefsey(_at_)jefsey(_dot_)com>; 
<james(_dot_)love(_at_)cptech(_dot_)org>;
<j(_dot_)oppenheimer(_at_)att(_dot_)net>; 
<icheckemail(_at_)indiatimes(_dot_)com>; <ellen(_at_)rony(_dot_)com>;
"Elisabeth Porteneuve" 
<Elisabeth(_dot_)Porteneuve(_at_)cetp(_dot_)ipsl(_dot_)fr>; "Alexander
Svensson" <alexander(_at_)svensson(_dot_)de>; "Joe Baptista" 
<baptista(_at_)dot-god(_dot_)com>
Sent: Tuesday, August 13, 2002 7:04 AM
Subject: Why People Should NOT Depend on "Root Servers"


http://www.merit.edu/mail.archives/nanog/msg02459.html
gentlemen, stop your engines

From: Paul Vixie
Date: Mon Aug 12 12:07:20 2002

--------------------------------------------------------------------------------

after six reports that 192.5.5.241's address has been forged as the source
of a tcp "fragmented scan" probe, i'm ready to have it stop.  but just in
case it doesn't, this is fair warning to the community: F's address is in
unlawful use by as-yet-unidentified third parties.

re:

------- Forwarded Message

From: ...
To: "'abuse(_at_)VIX(_dot_)COM'" <abuse(_at_)VIX(_dot_)COM>
Subject: Unauthorized Fragmented Scan
Date: Mon, 12 Aug 2002 06:56:08 -0700

To whom it may concern,

The Security Information & Analysis Center has detected an
unauthorized scan against one of our networks that has a possible origin
at 192.5.5.241.

Please review the following initial information:

IPHalfScan  08-11-2002 17:34:02 UTC 192.5.5.241:53 xxx.xxx.xxx.xxx:53 TCP
IPHalfScan  08-11-2002 17:28:00 UTC 192.5.5.241:53 xxx.xxx.xxx.xxx:53 TCP

Please take action to verify this address on your network
and its intent to scan our networks.  Thank you for your assistance.

SECURITY INFORMATION AND ANALYSIS CENTER
1-877-...

------- End of Forwarded Message


Modern DNS software finds the TLD Clusters, tracks them, and
does not use ANY "root servers" (legacy or alt). People who rely
on a dozen 32-bit IPv4 addresses to be coherently routed are fools,
in my opinion. Any organization that promotes that type of structure
and architecture as "secure" is perpetrating a fraud on unsuspecting
users, who assume the system is stable and secure. Root servers are
out of date, do not always track the TLD Cluster(s), do not support
fail-over to back-up TLD Clusters, in cases of a major corporate
failure. People continue to use them at their peril, yet clearly profit
from telling people to use them.

Jim Fleming
2002:[IPv4]:000X:03DB:...IPv8 is closer than you think...
http://www.iana.org/assignments/ipv4-address-space
http://www.ntia.doc.gov/ntiahome/domainname/130dftmail/unir.txt
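A triage helper for IDS reports of the kind forwarded in Vixie's message, added here as an example and not code from the thread or any of its authors. It assumes the IPHalfScan line format shown in the report and a constructed allowlist holding only F's address; the third sample line is constructed to give the triage an ordinary event to pass.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the IDS report quoted above: the two
# report lines plus one ordinary event, so the triage has both kinds to judge.
SAMPLE_REPORT = """\
IPHalfScan  08-11-2002 17:34:02 UTC 192.5.5.241:53 xxx.xxx.xxx.xxx:53 TCP
IPHalfScan  08-11-2002 17:28:00 UTC 192.5.5.241:53 xxx.xxx.xxx.xxx:53 TCP
IPHalfScan  08-11-2002 17:40:11 UTC 203.0.113.7:4021 xxx.xxx.xxx.xxx:53 TCP
"""

# Assumed allowlist of root-server addresses that never originate scans.
# Only F's address (from the report) is listed; a real deployment would load
# all of them from the root hints file (named.root).
KNOWN_ROOT_ADDRS = {"192.5.5.241"}

LINE_RE = re.compile(
    r"^(?P<sig>\S+)\s+(?P<date>\d\d-\d\d-\d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+UTC\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)

@dataclass
class Event:
    signature: str
    when: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    verdict: str

def triage(src, sport, dport, proto):
    """Classify one IDS line. Root servers answer queries; they do not
    originate TCP scans, so a report naming one as the source means the
    source address was forged. Such a source must never be fed into an
    automatic blocklist: blocking 192.5.5.241 would only cut off the
    reporter's own access to F."""
    if src in KNOWN_ROOT_ADDRS:
        return "spoofed-source"
    if proto == "TCP" and sport == 53 and dport == 53:
        # A real client uses an ephemeral source port; a fixed 53->53 pair is
        # typical of crafted packets, so treat the source as unverified.
        return "unverified-source"
    return "scan"

def parse_report(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and wrapped fragments
        sport, dport = int(m["sport"]), int(m["dport"])
        events.append(Event(m["sig"], f"{m['date']} {m['time']} UTC", m["src"], sport,
                            m["dst"], dport, m["proto"],
                            triage(m["src"], sport, dport, m["proto"])))
    return events

def summarize(events):
    """Count verdicts so an analyst sees how much of a report is actionable."""
    counts = {}
    for e in events:
        counts[e.verdict] = counts.get(e.verdict, 0) + 1
    return counts
```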