Re: [DNSOP] draft-ietf-dnsop-reflectors-are-evil-05.txt
Dean Anderson <dean@av8.com> Mon, 10 December 2007 14:15 UTC
Date: Mon, 10 Dec 2007 09:15:26 -0500
From: Dean Anderson <dean@av8.com>
To: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: Re: [DNSOP] draft-ietf-dnsop-reflectors-are-evil-05.txt
Cc: dnsop@ietf.org
On Tue, 4 Dec 2007, Edward Lewis wrote:

> http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-05.txt
>
> 1) (Somewhat jokingly) I would strike the first word ("Recently") as
> the attacks were almost two years ago now.

Yes. And those attacks seemed to be contrived at the time. Perhaps the
attack described isn't (as I previously argued) a genuine concern.

"generation of massive amounts of traffic" is also a misnomer. None of
the attacks generated very large amounts of traffic in comparison with
other types of DOS attacks. Perhaps 'generation of a significant amount
of traffic'.

The draft still asserts incorrectly that DNS authoritative servers which
do not provide recursion to clients can also be used as amplifiers;
however, the amplification potential is greatly reduced when
authoritative servers are used. The exact same traffic can be generated
with authority servers. Authority abuse traffic is much more difficult
to mitigate, and so is a much worse problem than recursor traffic. The
draft should state the facts, otherwise it is misleading.

> In the spirit of "sending text" it might be more appropriate to start
> with "Once upon a time...".

I disagree. IETF Documents should have a serious subject, and a serious
tone.

> 2) I guess I should get over the fact that "are-evil" is part of the
> file name and that will go away when this document gets out of the
> RFC Editor. I think the tone of the document is right as is,
> recommending ways to have name servers not offer free and unchecked
> services unless the owner is aware.

I'm not sure this should be ignored. Anyone who looks up the document
history will find that name. It doesn't ever really go away. While
there are no official requirements on document names, I think they
should avoid religious and unprofessional terms. If nothing else, it
reflects both on the author, and on the IETF because the IETF accepted
to work on the document with the offensive name.

I think this is a good reason to oppose this document.

> 3) I was a bit troubled by the discussion in the room on Monday.
> Parts of the discussion were hard to hear (the acoustics plus my
> aging ears) and my laptop was off (no jabber for me). It sounded
> like someone (not present) claimed that they required open resolvers
> for roaming. The discussion seemed to criticize that comment because
> it is not generalizable, but I think that wasn't the intent. I
> thought the comment was offered as a reason why a blanket prohibition
> against open resolvers was a bad idea.
>
> I would be against a campaign to cajole people into closing open
> resolvers. One reason is that I don't believe that the problem is
> the open resolvers but the inherent nature of UDP involved. Two is
> that it is up to operators to decide how to responsibly operate their
> network (and it is up to the IETF to give them the educational
> materials they need).
>
> I think the document is a good balance. It recommends closing access
> to resolvers but does not berate those that leave them open. (Unless
> I missed something.) It lists approaches to selective openness. I
> apologize if I lost the train of thought of the mic discussion.

I think the document needs to include discussion of the more serious
attack vectors using authority servers. Even though this has been
discussed, and is more difficult to mitigate, and a more serious
problem that administrators may need guidance in how to handle, this is
completely ignored. This document is just an 'open relays are bad'
document, couched in DNS terms.

I am strongly opposed to this document, so long as it contains
incorrect and misleading claims.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000
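The message above argues that authoritative servers reflect spoofed-source queries just as readily as open recursors and that this traffic is harder to mitigate. The following is an added example, not part of the original post or of the draft, of the per-client response-rate-limiting (RRL) style detection an authoritative operator can run over a query log; the log format, client addresses, names and byte sizes are all constructed sample values.

```python
"""RRL-style reflection detector over a constructed authoritative-server query log."""
from collections import defaultdict

# Constructed sample log: "<ts> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>".
# In a reflection attack client_ip is the spoofed victim, so a burst of identical
# queries "from" one address, each drawing a large response, is the signature.
SAMPLE_LOG = """\
1000.0 198.51.100.7 example.com. ANY 40 3200
1000.1 198.51.100.7 example.com. ANY 40 3200
1000.2 198.51.100.7 example.com. ANY 40 3200
1000.3 198.51.100.7 example.com. ANY 40 3200
1000.4 198.51.100.7 example.com. ANY 40 3200
1000.5 203.0.113.9 www.example.com. A 45 61
1001.0 203.0.113.9 mail.example.com. MX 46 120
"""

def parse_line(line):
    ts, client, qname, qtype, qbytes, rbytes = line.split()
    return float(ts), client, qname, qtype, int(qbytes), int(rbytes)

def find_reflection_suspects(log_text, window_s=1.0, max_identical=3, min_amplification=10.0):
    """Return [(client, qname, qtype, count, amplification, bytes_reflected)] for
    every (client, qname, qtype) that received more than max_identical responses
    within window_s seconds at a response/query size ratio >= min_amplification.
    This is the per-client response-rate-limiting (RRL) idea: identical answers
    to one address at high rate are what a spoofed-source reflection looks like."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ts, client, qname, qtype, qb, rb = parse_line(raw)
            buckets[(client, qname, qtype)].append((ts, qb, rb))
    suspects = []
    for key, events in buckets.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            n = end - start + 1
            if n > max_identical:
                qsum = sum(e[1] for e in events[start:end + 1])
                rsum = sum(e[2] for e in events[start:end + 1])
                if rsum / qsum >= min_amplification:
                    suspects.append((*key, n, rsum / qsum, rsum))
                    break  # report each tuple once
    return suspects
```

On the sample log only the ANY burst to 198.51.100.7 is flagged; the two ordinary lookups from 203.0.113.9 never exceed the per-tuple rate, so a legitimate client is not penalised.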