Thus spake "todd glassey" <todd(_dot_)glassey(_at_)worldnet(_dot_)att(_dot_)net>
Folks -
Paul Vixie is dead on here but the real problem is not DNS, but rather the
routing protocols that allow this type of address forgery to be propagated.
Please explain what routing protocol deficiency is responsible for ISPs not
configuring anti-spoofing filters.
This is the subtle difference here and the biggest criminal here is that
even with a forged DNS service, the real issue is still Cisco and its
brethren for forcing the propagation of routing standards that are
insecurable and indefensible - the other bad-guy here is the IETF for not
being more in control or forcing issues of security to be ingrained into
their protocols that they have or are in the process of making as standards.
The IETF responds to its customers' demands. If ISPs wanted a securable and
defensible routing system (and such a system were possible), we would have one.
This is one of the greatest instances proving that the ICANN and the IETF
themselves with their current management and format, are incompetetent to
build or enforce standards. If they had done their job properly and allowed
external input or review of their efforts, then this never would have
happened.
Last I checked, the IETF was an open standards body that allowed input from
anyone. If you're unhappy with its products, you're free to write something
better and submit it.
S