ietf

Re: national security

2003-12-07 05:30:30
On 7-dec-03, at 2:26, Paul Vixie wrote:

... (Selecting the "best" path is pretty much an afterthought in
BGP: the RFC doesn't even bother giving suggestions on how to do this.)

congratulations, you're the millionth person to think that was an oversight.

I don't think this is an oversight, I'm pretty sure this was intentional. However, since in practice the BGP best path selection algorithm boils down to looking at the AS path length, and this has the tendency to be the same length for many paths, BGP is fairly useless for deciding the best path for even low-ambition definitions of the word.

I don't have a problem with some controlled anycasting, but the root
operators shouldn't go overboard.

i don't think you will ever meet a more conservative bunch of people, so, OK.

Excellent.

For instance, the .org zone is only served by two addresses, which are
then anycast. There have been reports from people who were unable to
reach either of these addresses when there was some kind of reachability
problem. The people managing the .org zone are clearly lacking in
responsibility by limiting the number of addresses from which the zone is
available without any good reason.

see the icann agreements to find out how much of this was ultradns's choice.

Hm, nothing about this in http://www.icann.org/tlds/agreements/org/. In fact, it talks about a maximum of 13 servers in some places. Not that it matters much whose bright idea it was.

(And some IPv6 roots wouldn't be bad either.)

there are several. see www.root-servers.org. (now if we can just advertise.)

Just for fun, I cooked up a named.root file with only those IPv6 addresses in it. This seems to confuse BIND such that its behavior becomes very unpredictable. And only 2 of the 4 v6 addresses are reachable, as one isn't advertised at all and the other is advertised as a /48, which are heavily filtered.
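
The AS path length ties discussed in this message, as an added example that is not part of the original post: a simplified BGP-style decision over three constructed routes to one anycast prefix, showing that the tie is settled by an arbitrary tie-breaker while latency is never consulted. Peer names, AS numbers (documentation range), router IDs and RTT values are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    peer: str          # constructed neighbor name
    local_pref: int    # higher wins
    as_path: tuple     # documentation-range AS numbers (RFC 5398)
    origin: int        # 0=IGP, 1=EGP, 2=INCOMPLETE; lower wins
    med: int           # lower wins
    router_id: str     # lowest wins as the final tie-breaker
    rtt_ms: float      # measured latency; the decision never sees this

def decision_key(r):
    # Simplified ordering: LOCAL_PREF, AS_PATH length, ORIGIN, MED, router ID.
    # Real implementations compare MED only between routes from the same
    # neighbor AS and add vendor-specific steps; this sketch omits those.
    rid = tuple(int(octet) for octet in r.router_id.split("."))
    return (-r.local_pref, len(r.as_path), r.origin, r.med, rid)

def best_path(routes):
    """Route the simplified decision process selects."""
    return min(routes, key=decision_key)

def as_path_ties(routes):
    """Routes still indistinguishable after LOCAL_PREF and AS_PATH length."""
    top_pref = max(r.local_pref for r in routes)
    candidates = [r for r in routes if r.local_pref == top_pref]
    shortest = min(len(r.as_path) for r in candidates)
    return [r for r in candidates if len(r.as_path) == shortest]

def lowest_latency(routes):
    """What an operator might call 'best': the path with the lowest RTT."""
    return min(routes, key=lambda r: r.rtt_ms)

# Constructed sample: three paths to the same anycast prefix (origin AS 64511).
ROUTES = [
    Route("transit-a", 100, (64496, 64511), 0, 0, "192.0.2.1", 180.0),
    Route("transit-b", 100, (64497, 64511), 0, 0, "192.0.2.2", 12.0),
    Route("transit-c", 100, (64498, 64499, 64511), 0, 0, "192.0.2.3", 9.0),
]

if __name__ == "__main__":
    tied = [r.peer for r in as_path_ties(ROUTES)]
    print("tied on AS path length:", tied)
    print("selected:", best_path(ROUTES).peer)
    print("lowest RTT:", lowest_latency(ROUTES).peer)
```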