ietf

Re: [atlarge-discuss] Re: Why People Should NOT Depend on "Root Servers"

2002-08-13 17:33:51
Todd and all assembly members, stakeholders or other interested parties,

todd glassey wrote:

Folks -
Paul Vixie is dead on here but the real problem is not DNS, but rather the
routing protocols that allow this type of address forgery to be propagated.

  Well Paul may not participate on here any longer for his long ago
already stated reasons.  But I don't believe he is dead!  >;)

  As far as the rest of your comments/observations, I could not agree
with you more, Todd...

  BTW, this was discussed in brief today in Waco at the President's
Economic Conference...  I will have more for you on that to put up on
ICANNWatch if you wish later...


This is the subtle difference here and the biggest criminal here is that
even with a forged DNS service, the real issue is still Cisco and its
brethren for forcing the propagation of routing standards that are
insecurable and indefensible - the other bad-guy here is the IETF for not
being more in control or forcing issues of security to be ingrained into
their protocols that they have or are in the process of making as standards.

This is one of the greatest instances proving that the ICANN and the IETF
themselves with their current management and format, are incompetent to
build or enforce standards. If they had done their job properly and allowed
external input or review of their efforts, then this never would have
happened.

Just my personal 2 cents here.
Todd Glassey

----- Original Message -----
From: "Jim Fleming" <JimFleming(_at_)ameritech(_dot_)net>
To: "'The IETF'" <ietf(_at_)ietf(_dot_)org>;
    <chandley(_at_)ntia(_dot_)doc(_dot_)gov>;
    <nvictory(_at_)ntia(_dot_)doc(_dot_)gov>;
    <censslin(_at_)ntia(_dot_)doc(_dot_)gov>;
    <DEvans(_at_)doc(_dot_)gov>
Cc: <yjpark(_at_)myepark(_dot_)com>;
    <vivek(_at_)vivekdurai(_dot_)com>;
    "Vittorio Bertola" <vb(_at_)vitaminic(_dot_)net>;
    "todd glassey" <todd(_dot_)glassey(_at_)worldnet(_dot_)att(_dot_)net>;
    "Richard Henderson" <richardhenderson(_at_)ntlworld(_dot_)com>;
    "Kristy McKee" <k(_at_)widgital(_dot_)com>;
    <karl(_at_)cavebear(_dot_)com>;
    "Joop Teernstra" <terastra(_at_)terabytz(_dot_)co(_dot_)nz>;
    "Joanna Lane" <jo-uk(_at_)rcn(_dot_)com>;
    <jefsey(_at_)jefsey(_dot_)com>;
    <james(_dot_)love(_at_)cptech(_dot_)org>;
    <j(_dot_)oppenheimer(_at_)att(_dot_)net>;
    <icheckemail(_at_)indiatimes(_dot_)com>;
    <ellen(_at_)rony(_dot_)com>;
    "Elisabeth Porteneuve" <Elisabeth(_dot_)Porteneuve(_at_)cetp(_dot_)ipsl(_dot_)fr>;
    "Alexander Svensson" <alexander(_at_)svensson(_dot_)de>;
    "Joe Baptista" <baptista(_at_)dot-god(_dot_)com>
Sent: Tuesday, August 13, 2002 7:04 AM
Subject: Why People Should NOT Depend on "Root Servers"

http://www.merit.edu/mail.archives/nanog/msg02459.html
gentlemen, stop your engines

  a.. From: Paul Vixie
  b.. Date: Mon Aug 12 12:07:20 2002

--------------------------------------------------------------------------------

after six reports that 192.5.5.241's address has been forged as the source
of a tcp "fragmented scan" probe, i'm ready to have it stop.  but just in
case it doesn't, this is fair warning to the community: F's address is in
unlawful use by as-yet-unidentified third parties.

re:

------- Forwarded Message

From: ...
To: "'abuse(_at_)VIX(_dot_)COM'" <abuse(_at_)VIX(_dot_)COM>
Subject: Unauthorized Fragmented Scan
Date: Mon, 12 Aug 2002 06:56:08 -0700

To whom it may concern,

The Security Information & Analysis Center has detected an
unauthorized scan against one of our networks that has a possible origin
at 192.5.5.241.

Please review the following initial information:

IPHalfScan  08-11-2002 17:34:02 UTC 192.5.5.241:53 xxx.xxx.xxx.xxx:53 TCP
IPHalfScan  08-11-2002 17:28:00 UTC 192.5.5.241:53 xxx.xxx.xxx.xxx:53 TCP

Please take action to verify this address on your network
and its intent to scan our networks.  Thank you for your assistance.

SECURITY INFORMATION AND ANALYSIS CENTER
1-877-...

------- End of Forwarded Message


Modern DNS software finds the TLD Clusters, tracks them, and
does not use ANY "root servers" (legacy or alt). People who rely
on a dozen 32-bit IPv4 addresses to be coherently routed are fools,
in my opinion. Any organization that promotes that type of structure
and architecture as "secure" is perpetrating a fraud on unsuspecting
users, who assume the system is stable and secure. Root servers are
out of date, do not always track the TLD Cluster(s), do not support
fail-over to back-up TLD Clusters, in cases of a major corporate
failure. People continue to use them at their peril, yet clearly profit
from telling people to use them.

Jim Fleming
2002:[IPv4]:000X:03DB:...IPv8 is closer than you think...
http://www.iana.org/assignments/ipv4-address-space
http://www.ntia.doc.gov/ntiahome/domainname/130dftmail/unir.txt






Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup - (Over 127k members/stakeholders strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1(_at_)ix(_dot_)netcom(_dot_)com
Contact Number: 214-244-4827 or 972-244-3801
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208